We discussed Splunk configuration files namely, props.conf,transforms.conf,fields.conf,inputs.conf, indexes.conf and mentioned the purpose and goal of each one of them. Splunk configuration files are used to configure log parsing rules, fields extraction and set log storage and retention rules. Use these config files when Splunk doesn’t extract the fields properly from the provided log file or when you have unique format for your logs. For demonstration purposes, we solved TryHackMe Fixit challenge that lets us to practically test our knowledge in configuring log parsing rules with Splunk.
Splunk SIEM Full Course with Practical Scenarios
Highlights
Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.
Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.
Logs can be ingested into Splunk with three methods:
- Manual Upload
- Forwarder Agent
- Through a TCP IP/Port
Splunk needs to be properly configured to parse and transform the logs appropriately. Some of the important aspects are:
- Event Breaking:
- Configure Splunk to break the events properly.
- Multi-line Events:
- Configure Splunk to configure multi-line events properly.
- Masking:
- Some logs may contain sensitive data such as credit card data . To comply with the PCI DSS (Payment Card Industry Data Security Standard) standard, information like credit card numbers must be masked to avoid any violation.
- Extracting custom fields:
To properly parse unique log formats with Splunk, we follow below steps:
Understand the Data Format
Many data types, including CSV, JSON, XML, syslog, and others, are supported by Splunk. Choose the appropriate fields you wish to extract and the format of your data source.
Identify the Sourcetype
The format of the data being indexed is represented by the sourcetype in Splunk. It facilitates Splunk’s use of the proper parsing rules. You can create a new sourcetype in Splunk if your data source doesn’t already have one.
Configure the required files
Namely props.conf, inputs.conf and transforms.conf
Lastly restart Splunk
Room Answers | Event Analysis and Logs Parsing with Splunk | TryHackMe Fixit
What is the full path of the FIXIT app directory?
/opt/splunk/etc/apps/fixit
What Stanza will we use to define Event Boundary in this multi-line Event case?
BREAK_ONLY_BEFORE
In the inputs.conf, what is the full path of the network-logs script?
/opt/splunk/etc/apps/fixit/bin/network-logs
What regex pattern will help us define the Event’s start?
[Network-log]
What is the captured domain?
Cybertees.THM
How many countries are captured in the logs?
12
How many departments are captured in the logs?
6
How many usernames are captured in the logs?
28
How many source IPs are captured in the logs?
52
Which configuration files were used to fix our problem? [Alphabetic order: File1, file2, file3]
props.conf, transforms.conf, fields.conf
WWhat are the TOP two countries the user Robert tried to access the domain from? [Answer in comma-separated and in Alphabetic Order][Format: Country1, Country2]
Canada, united states
Which user accessed the secret-document.pdf on the website?
Sarah Hall
Video Walkthrough | TryHackMe Fixit
