We discussed Splunk configuration files namely, props.conf,transforms.conf,fields.conf,inputs.conf, indexes.conf and mentioned the purpose and goal of each one of them. Splunk configuration files are used to configure log parsing rules, fields extraction and set log storage and retention rules. Use these config files when Splunk doesn’t extract the fields properly from the provided log file or when you have unique format for your logs. For demonstration purposes, we solved TryHackMe Fixit challenge that lets us to practically test our knowledge in configuring log parsing rules with Splunk.

Splunk SIEM Field Notes

Splunk SIEM Full Course with Practical Scenarios

Highlights

Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.

Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.

Logs can be ingested into Splunk with three methods:

  • Manual Upload
  • Forwarder Agent
  • Through a TCP IP/Port

Splunk needs to be properly configured to parse and transform the logs appropriately. Some of the important aspects are:

  • Event Breaking:
    • Configure Splunk to break the events properly.
  • Multi-line Events:
    • Configure Splunk to configure multi-line events properly.
  • Masking:
    • Some logs may contain sensitive data such as credit card data . To comply with the PCI DSS (Payment Card Industry Data Security Standard) standard, information like credit card numbers must be masked to avoid any violation.
  • Extracting custom fields:

To properly parse unique log formats with Splunk, we follow below steps:

Understand the Data Format

Many data types, including CSV, JSON, XML, syslog, and others, are supported by Splunk. Choose the appropriate fields you wish to extract and the format of your data source.

Identify the Sourcetype

The format of the data being indexed is represented by the sourcetype in Splunk. It facilitates Splunk’s use of the proper parsing rules. You can create a new sourcetype in Splunk if your data source doesn’t already have one.

Configure the required files

Namely props.conf, inputs.conf and transforms.conf

Lastly restart Splunk

Room Answers | Event Analysis and Logs Parsing with Splunk | TryHackMe Fixit

What is the full path of the FIXIT app directory?

/opt/splunk/etc/apps/fixit

What Stanza will we use to define Event Boundary in this multi-line Event case?

BREAK_ONLY_BEFORE

In the inputs.conf, what is the full path of the network-logs script?

/opt/splunk/etc/apps/fixit/bin/network-logs

What regex pattern will help us define the Event’s start?

[Network-log]

What is the captured domain?

Cybertees.THM

How many countries are captured in the logs?

12

How many departments are captured in the logs?

6

How many usernames are captured in the logs?

28

How many source IPs are captured in the logs?

52

Which configuration files were used to fix our problem? [Alphabetic order: File1, file2, file3]

props.conf, transforms.conf, fields.conf

WWhat are the TOP two countries the user Robert tried to access the domain from? [Answer in comma-separated and in Alphabetic Order][Format: Country1, Country2]

Canada, united states

Which user accessed the secret-document.pdf on the website?

Sarah Hall

Video Walkthrough | TryHackMe Fixit

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles