We discussed Splunk configuration files namely, props.conf,transforms.conf,fields.conf,inputs.conf, indexes.conf and mentioned the purpose and goal of each one of them. Splunk configuration files are used to configure log parsing rules, fields extraction and set log storage and retention rules. Use these config files when Splunk doesn’t extract the fields properly from the provided log file or when you have unique format for your logs. For demonstration purposes, we solved TryHackMe Fixit challenge that lets us to practically test our knowledge in configuring log parsing rules with Splunk.
Splunk SIEM Full Course with Practical Scenarios
Core Concepts of Splunk Setup & Usage
The video outlined a clear four-step process for working with Splunk:
- Installation: I learned that Splunk can take on two main roles:
- Main Instance/Splunk Server: This acts as the central hub. It’s responsible for gathering all the logs and serves as the primary platform for analysis. It’s typically installed on a dedicated server (either Windows or Linux).
- Forwarder: This is a lightweight agent that gets installed on individual machines (like Windows or Linux workstations). Its job is to collect logs from these machines and send them to the main Splunk instance.
- Configuration:
- The main Splunk instance needs to be configured to listen for incoming logs. This involves specifying a listener port (the default is 9997) through the “Forwarding and Receiving” settings in Splunk’s interface.
- When installing forwarders, I needed to provide the IP address and port of the main Splunk server so they know where to send the logs.
- Log Collection:
- This step involves telling the forwarders which logs they should send to the main server.
- For Linux systems, this often means monitoring common log directories like
/var/log
. - For Windows, I could add data sources like “local event logs” directly through the main Splunk server interface.
- A crucial concept introduced here was the index, which is where collected logs are stored and organized on the Splunk server.
- Analysis: Once logs are collected and indexed, I can use the powerful Splunk interface to search, filter, and analyze them to gain insights into security events or system behavior.
Data Ingestion Methods
The video highlighted three primary ways to get data into Splunk:
- Manual Upload: Directly uploading log files into Splunk.
- Forward (IP and Port Listener): Configuring network devices (such as firewalls, routers, or Intrusion Detection Systems) to send their logs to a specific IP address and port on the Splunk server.
- Forwarder (Agent): Using the Splunk forwarder agent, which is installed on individual endpoints, to collect and send logs.
Practical Demonstration (Task 10)
The video then provided a practical demonstration by showing how to handle Task 10 from a TryHackMe room, which involved uploading and investigating web server logs.
- Generating Logs: I started by making a few mock coffee orders on a website to generate some web server transaction logs.
- Adding Data via Forwarder: Instead of a manual upload, the video showed how to add this new data by configuring an existing forwarder. This involved specifying the exact directory path containing the web server logs (e.g.,
C:\inetpub\logs\LogFiles\W3SVC...
). The source type was set to “iis” (Internet Information Services) for these specific web server logs, and a new index named “web_logs” was created just for them. - Analyzing Logs & Finding a Flag: After ingesting the logs, I was shown the search interface in Splunk. The challenge’s goal was to find a flag hidden within these logs. I navigated to a specific URL (
/secret-flag
) on the target website, which eventually revealed the flag. To find the corresponding log entry in Splunk, I simply added the keyword “flag” to my search query. This effectively filtered the events and displayed the log entries related to accessing the “secret-flag” page.
Room Answers | Event Analysis and Logs Parsing with Splunk | TryHackMe Fixit
What is the full path of the FIXIT app directory?
/opt/splunk/etc/apps/fixit
What Stanza will we use to define Event Boundary in this multi-line Event case?
BREAK_ONLY_BEFORE
In the inputs.conf, what is the full path of the network-logs script?
/opt/splunk/etc/apps/fixit/bin/network-logs
What regex pattern will help us define the Event’s start?
[Network-log]
What is the captured domain?
Cybertees.THM
How many countries are captured in the logs?
12
How many departments are captured in the logs?
6
How many usernames are captured in the logs?
28
How many source IPs are captured in the logs?
52
Which configuration files were used to fix our problem? [Alphabetic order: File1, file2, file3]
props.conf, transforms.conf, fields.conf
WWhat are the TOP two countries the user Robert tried to access the domain from? [Answer in comma-separated and in Alphabetic Order][Format: Country1, Country2]
Canada, united states
Which user accessed the secret-document.pdf on the website?
Sarah Hall
Video Walkthrough | TryHackMe Fixit