- Log Analysis
- Security Investigation
- Log Monitoring and perform Incident Response
- Customized Dashboards can be created to analysis and investigate Logs
- Analyze data through patterns in a Analytical Manner
- Data Collection:
Splunk efficiently gathers data from diverse sources such as servers, network devices, applications, and sensors. This is achieved through the utilization of agents and connectors.
- Data Indexing:
Collected data undergoes indexing and is stored in Splunk's proprietary format. The indexing process involves breaking down data into events, extracting fields, and creating an index for each field.
- Search and Analysis:
Splunk boasts a robust search and analysis engine, enabling users to query indexed data using SPL (Splunk Processing Language). Users can perform ad-hoc searches or save them as dashboards and alerts for future reference.
- Visualization:
Splunk provides diverse visualization options, including charts, graphs, and tables. Users can effectively comprehend and analyze their data, with customization options available for tailoring visualizations to specific requirements.
- Deployment Options:
Splunk offers versatile deployment options, supporting on-premises, cloud-based, or hybrid setups. Splunk Enterprise can be deployed as a single instance or as part of a distributed environment with multiple indexers, search heads, and forwarders.
- Real-time Monitoring: Enables real-time monitoring and analysis of machine-generated data.
- Scalability: Distributed architecture allows horizontal scaling to handle increasing data volumes.
- Can add multiple Plug-ins so we can create our own customized dashboards
- Search Capabilities - Powerful search language (SPL) for complex queries and analytics.
- Large community support and numerous pre-built apps and integrations.
- Licensing costs can be significant for large-scale deployments.
- Setting up and maintaining Splunk in a distributed environment can be complex.
- Requires significant hardware resources, especially for large deployments.
- There should be enough knowledge to work with search queries and other apps so effectively one can resolve the security breaches
- Search Processing Language (SPL): Allows complex querying and analysis.
- Customized Dashboards: Enables creation of customizable visualizations and dashboards.
- Machine Learning Toolkit: Allows predictive analytics and anomaly detection.
- Data Ingestion: Supports various data sources and formats (logs, metrics, etc.).
- Security and Compliance: Provides features for securing data and meeting compliance requirements.
- First of all install Splunk Enterprise on your host OS can be windows, kali Linux , Mac
- After Installing setup with Username and Password in Splunk Enterprise
- Go into Settings and Configure the universal forwarder to send data to the Splunk Enterprise indexer by adding a new recieving port as 9997
4.Now Start Installing Universal Forwarder in the system where you usually attack in my case i have done in kali linux
- Now start with accepting license and set up username and Password
- Now Configure with 2 parameters
-
./splunk add forward-server :9997
-
./splunk set deploy-poll : (This you have to enable on Universal Forwarder where host ipaddress will be of the system on which universal forwarder is downloaded and management port no. you have to specify)
7.We have to write a command what to monitor
8.Now restart splunk
9.Realtime Logs on SIEM Tool:
