Introduction to Splunk

We covered the basic fundamentals of Splunk for beginners and explored data collection through different methods, including but not limited to manual upload. This was part of TryHackMe Splunk: Basics.

Splunk is a Security Information and Event Management (SIEM) tool used for collecting, normalizing, analyzing, and alerting on logs and network data. The video provides an overview of how Splunk functions similarly to other SIEM tools, focusing on the collection of logs from various sources, normalizing them into a standard format, and analyzing them for security threats.

Components of Splunk:

Splunk has three main components:

  • Forwarder: Installed on hosts and devices to collect logs and send them to the indexer.
  • Indexer: Processes and stores the collected logs, normalizing the data into key-value pairs (e.g., IP address, port, hostname).
  • Search Head: Enables searching through processed logs, allowing analysts to extract meaningful insights.

How Splunk Collects and Analyzes Logs:

  • Logs are collected from various sources, including Windows event logs, Linux syslogs, and web server logs.
  • The forwarder collects these logs, which are then processed by the indexer.
  • Data is normalized into field-value pairs, making it easier to analyze in the search head.

User Interface and Adding Data to Splunk:

  • The video demonstrates the Splunk user interface, showing how to access different sections like notifications, settings, and installed applications.
  • Adding Data: Users can add data to Splunk using one of three methods:
    • Upload: Upload log files directly into Splunk for analysis.
    • Monitor: Set Splunk to monitor specific locations or devices for real-time log collection.
    • Forward: Forward logs from machines or devices using the forwarder.

Example Scenario: Uploading Data for Analysis:

  • The video guides users through uploading a log file (e.g., VPN logs) and defining the source type, host name, and index for storing the data.
  • After the data is uploaded, it is processed and made available for searching.

Using Splunk’s Search Feature:

  • The Search Head allows users to search through logs using Search Processing Language (SPL) syntax.
  • The video demonstrates how to use filters and fields on the left-hand side of the Splunk interface to narrow down searches.
  • For example, users can find the number of events related to a specific user by filtering based on the username field.

Analyzing Specific Events:

  • The video demonstrates answering questions such as “How many log events by the user Maleena are captured?” by using the search function and field filters.
  • For each user, the number of associated log events is displayed, helping analysts to quickly pinpoint relevant information.


Splunk SIEM Field Notes


Challenge Answers

  • Which component is used to collect and send data over the Splunk instance?
  • In the Add Data tab, which option is used to collect data from files and ports?
  • Upload the data attached to this task and create an index “VPN_Logs”. How many events are present in the log file?
  • How many log events by the user Maleena are captured?
  • What is the name associated with IP 107.14.182.38?
  • What is the number of events that originated from all countries except France?
  • How many VPN Events were observed by the IP 107.3.206.58?
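As an added illustration (a constructed example of my own, not code from the room or from Splunk), the snippet below mimics what the indexer does when it normalizes raw VPN log lines into field-value pairs, and then answers the same three kinds of question the search section and the challenge above ask for: count events for one user, find the name tied to a source IP, and count events excluding one country. The log lines and the field names UserName, Source_ip, Name and Source_Country are assumptions; each function's docstring shows the equivalent SPL the Search Head would run.

```python
import re
from collections import Counter

# Constructed sample, not real data from the room: one VPN event per line,
# already in key="value" form so the "indexer" only has to extract fields.
SAMPLE_VPN_LOGS = """\
2024-01-05T08:01:10 UserName="Maleena" Source_ip="107.14.182.38" Name="Betty" Source_Country="France"
2024-01-05T08:02:44 UserName="Maleena" Source_ip="107.14.182.38" Name="Betty" Source_Country="France"
2024-01-05T08:05:03 UserName="James" Source_ip="107.3.206.58" Name="Sam" Source_Country="Germany"
2024-01-05T08:07:19 UserName="Maleena" Source_ip="107.3.206.58" Name="Sam" Source_Country="Germany"
2024-01-05T08:09:51 UserName="Alice" Source_ip="107.3.206.58" Name="Sam" Source_Country="Canada"
"""

# Matches key="value" pairs; field names are assumed for this example.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def index_events(raw):
    """Normalize raw lines into field-value dicts (the indexer's job)."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["_time"] = line.split(" ", 1)[0]  # leading timestamp
        events.append(fields)
    return events


def count_where(events, field, value):
    """SPL equivalent: index="VPN_Logs" <field>="<value>" | stats count"""
    return sum(1 for e in events if e.get(field) == value)


def count_where_not(events, field, value):
    """SPL equivalent: index="VPN_Logs" <field>!="<value>" | stats count"""
    return sum(1 for e in events if e.get(field) != value)


def names_for_ip(events, ip):
    """SPL equivalent: index="VPN_Logs" Source_ip="<ip>" | stats count by Name"""
    return Counter(e["Name"] for e in events if e.get("Source_ip") == ip)


if __name__ == "__main__":
    ev = index_events(SAMPLE_VPN_LOGS)
    print(len(ev), "events indexed")
    print("Maleena:", count_where(ev, "UserName", "Maleena"))
    print("107.14.182.38 ->", names_for_ip(ev, "107.14.182.38"))
    print("not France:", count_where_not(ev, "Source_Country", "France"))
    print("107.3.206.58:", count_where(ev, "Source_ip", "107.3.206.58"))
```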

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
