Logging Splunk



In this article we are going to talk in general about Splunk.

This is going to be the “Starter” page for our discussions. The starter page is simply a landing page with links to various Splunk articles, including a walk-through. A walk-through should cover the basic lifecycle of a product: licensing, installation, initial setup, a review of common tasks, and updating.

What is Splunk
Splunk Licensing
Installing Splunk in Ubuntu
Installing a SYSLOG server to be used as a source
Installing logging for Windows.
Setting up an alert
Updating Splunk

Splunk Universal Forwarder

Splunk Apps

Splunk, at its heart, is a logging and search application. It has been around since 2003 and you are going to see regular references to it. To be fair, it is an application that allows you to capture log information, index it, and react to it. Over time it has grown and stayed relevant. It now even offers Splunk Apps to bolt on additional functionality. This gives it the ability to analyze data from edge routers (Grey Noise) and to log alerts via Slack (the app is literally named “Slack App Alert Integration”).

I want to take a second to review some key “concepts”. Similar concepts appear across the entire market. Simply logging something in one place isn’t enough, and it goes without saying that simply indexing it isn’t enough either. Then you probably need to ask yourself whether the application is going to scale, not to mention how much that privilege is going to cost. Some of the deeper concepts concern how the data is collected and forwarded. In the simple case a workstation or a firewall forwards data to the application, which dutifully logs it, and that is great for relatively small use cases. Think the S in SMB. But even for medium-sized businesses there may be a case where “shipping” and/or pre-processing log data is extremely handy. To be clear, I am talking about the case where you have thousands of sources and, given network constraints, there may simply not be enough bandwidth. Example: maybe I don’t need all the security logs, only these (x). This pre-processing doesn’t always have to be done at some master control node.

The second concept is that the additional functionality is what provides “usefulness”. For example, the ability to create an alert based on an account being locked out is going to be a staple of real-life usefulness, as is the ability to “bolt” on a module that takes some data “feed” and then performs a filter/alert function on it (for example: is there any traffic going to IPs with a bad reputation?). Chances are this will be offered as part of the product’s “core” offering, or it might be marketed as an additional “feature”.
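The two ideas above (filtering at the source so only the security events you need are shipped, and turning a data feed into an alert) both come down to a few Splunk configuration stanzas. The following is an added illustration, not configuration from this article or from Splunk’s own documentation. The index names (`wineventlog`, `firewall`), the chosen event codes, the `Account_Name`/`ComputerName` field names (which assume the classic, non-XML Windows event rendering), the lookup file `bad_reputation_ips.csv` and its column names, and the e-mail address are all assumptions for the example.

```ini
# ---------------------------------------------------------------------------
# Universal Forwarder on the Windows host:
#   $SPLUNK_HOME/etc/system/local/inputs.conf
# Ship only the Security events we actually use instead of the whole channel.
#   4624 / 4625 = logon success / failure
#   4720        = user account created
#   4740        = user account locked out
# "wineventlog" is an assumed index name; create it on the indexer first.
# ---------------------------------------------------------------------------
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = 4624,4625,4720,4740

# ---------------------------------------------------------------------------
# Indexer / search head:
#   $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# Scheduled search that fires when any lockout (4740) is seen in the last
# five minutes. Field names assume the classic Windows event rendering.
# ---------------------------------------------------------------------------
[Account lockout]
search = index=wineventlog EventCode=4740 | stats count by Account_Name, ComputerName
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# ---------------------------------------------------------------------------
# The "bad reputation" feed bolted on as a lookup: upload a CSV named
# bad_reputation_ips.csv (assumed columns: ip, reputation) as a lookup table
# file, then match firewall destinations against it on a schedule.
# ---------------------------------------------------------------------------
[Traffic to bad reputation IPs]
search = index=firewall | lookup bad_reputation_ips.csv ip AS dest_ip OUTPUT reputation | where isnotnull(reputation) | stats count by src_ip, dest_ip, reputation
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 3
alert.track = 1
action.email = 1
action.email.to = soc@example.com
```

The `whitelist` in `inputs.conf` is the pre-processing step the text describes: it is applied on the forwarder, so events that are never going to be searched are dropped before they consume bandwidth or licence volume. Both saved searches are plain scheduled searches with a “number of events greater than 0” trigger; after editing the files, restart the forwarder (or run a debug refresh on the search head) and confirm with `index=wineventlog | stats count by EventCode` that only the whitelisted codes are arriving.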

