Are you looking to analyze all your logs and events in one location? Or maybe you're just looking to learn about a SIEM tool like Splunk to prepare for a job in IT or cybersecurity? Well, look no further. In this video we're going to walk through installing and configuring Splunk, which is one of the leaders in log and data analysis, on a Windows system.

But first, welcome to the channel, or welcome back. My name is John Good, and on this channel we talk all about cybersecurity. If you enjoy the content, make sure to like the video, subscribe to the channel, and hit the bell icon so you get notified about future content. If you have any questions, leave them in the comment section below. Also make sure to check out the description for more training and resources. All right, let's do this.

In IT, cybersecurity, and even DevOps, one of the biggest issues that we have is monitoring our networks and being able to look at large amounts of data at once. If we have two computers, yeah, looking at the logs individually is going to be possible, but it's going to be annoying. If we have a thousand systems, it's basically impossible to do that and stay current with all the events that are taking place on those systems. Splunk is one of the leaders in helping us analyze large amounts of data in one central location, so it's a pretty good idea that you become familiar with how it works. We also refer to Splunk as a SIEM tool, which stands for security information and event management. At a high level, Splunk operates basically like a database with its own specific language called Search Processing Language, or SPL. The better you can navigate SPL and Splunk itself, the more desirable you'll be to employers. There are even jobs that are dedicated to configuring and managing Splunk installations, and even if you had to use a similar product, you'll have a good idea of what's going on.

The goal in this video is to get a free Splunk installation running on a local system and then show you some of the basic features that you should know. After this video you'll be able to learn additional capabilities of Splunk, or at least be able to talk about Splunk and how to use similar tools. Before we dive into the demo, I'm assuming that you already have a virtual machine or a system to install Splunk on. For this video I'll be using a Windows Server 2022 virtual machine, since we typically install Splunk on a server, but the process is going to be the same on any Windows system. All right, let's begin.

Okay, so the first thing that
you have to do is go to the Splunk website, splunk.com, because we need to download Splunk. We're going to go to Products, then Splunk Enterprise, and then we're going to click Free Trial. You'll have to create an account if you don't already have one in order to download Splunk. Once you log in, go ahead and download Splunk and get the correct download for the operating system that you're using.

Okay, now that the download is done, go ahead and open that file and we're going to install Splunk. We're going to use a lot of the defaults in this, but of course if you were in the real world you might customize some of these options. We're going to go ahead and check the box to accept the license agreement and we're just going to hit Next. These are the defaults that it's going to use: it's going to run Splunk Enterprise as the Local System account, it's going to use this directory, and then it's going to create a Start menu shortcut. So again we're going to use the defaults and we'll hit Next. We're going to create a username and a password, then we'll hit Next, and we'll hit Install. That username and password is really important, because that's what you're going to use to actually log in to Splunk.

Okay, so we've successfully installed Splunk Enterprise. We're going to leave "Launch browser with Splunk Enterprise" checked, we'll hit Finish, and it will open in our web browser. Okay, do you remember when we were originally installing and configuring Splunk and we had to create a username and password? That's what we need to enter here so we can log in.

We've now successfully installed Splunk and we've logged in. Now we need to set up our logs to actually be ingested into the tool, so we're going to go to Settings and then Data Inputs. For this video we're only going to deal with local events; we're not going to deal with remote systems. So we're going to go under Local Event Log Collection and select Edit. Now we need to select the logs that we want to actually ingest into the tool. I'm going to keep it really simple and just do Application, Security, and System; those are kind of the foundational logs. We'll scroll down and select Save. Okay, and the status should be Enabled, because that's going to ingest those logs. We'll go back to Apps and Search & Reporting.

All right, in the
search bar here we're going to put in an asterisk, or a star, and hit Return to search for all the events that it knows about. As you can see, it's starting to get events from our local system. Again, in this video we're just dealing with the local system, not remote systems. So this would be a very basic kind of search. We can do all kinds of different basic searches in here, and we can also get a little bit more advanced with filters and different queries and parameters and things like that.

For this, what I'm going to do is actually open up our Event Viewer. So I've gone to the Windows menu and I'm going to open up Event Viewer, and I'm going to go under Windows Logs and Security. I'm going to right-click this and select Clear Log, and I'm going to select Clear. So it's going to clear the Security log, and I'll show you why I'm doing this here in a second.

If we go back into our Splunk system, we're going to actually narrow this down a little bit, and I'm going to show you how you can do this. All of these parameters and fields, if I select one, for instance the host, I'm going to left-click on this and do Add to Search. That's going to add it in this search bar, and we're going to slowly narrow this search down. The next one I'm going to do is source, so we want it from the Security logs. And then the event code I want to also add in here, so I'm going to add this to our search. This did not add the full thing here, but that's okay: we're going to add an equals sign and then 1102, which is the event that we want to find, and we'll hit Return. That's how you can narrow down the searches, so we've only got this one particular event, which is the audit log being cleared. That's what we just did.

Great, so that's an example of how you can search in Splunk for specific things. Now I'm going to copy this, because we'll need it later, and then I'm actually going to select Create Table View. We'll skip the tour, because again I don't care about that, and this will actually put this into a table. Then on the left here you can select or deselect different types of logs, so I'm going to actually unselect _raw so it's not going to give us all that information, and I'm going to hit Done. Okay, and as you can see, that gave us a table with the fields that we've selected.

I hope you're enjoying the
content so far. If you are, make sure to leave a like, comment, and subscribe, and also check out the description for more training and resources. All right, let's get back to the content.

Now I'm going to go to Dashboards, and again I'm going to skip the tour, and I'm going to select Create New Dashboard. We're just going to label this "clear logs", and we're going to create this with Dashboard Studio, and we're going to do Grid and select Create. All right, so now we can create a dashboard. Dashboards are huge for analyzing data, because we can quickly display certain things, and especially in areas like security or IT or any kind of data analytics, you're probably looking for relatively specific things. This way, anything you're consistently looking for, you can just put into a table or a graph or something like that and put it on a dashboard so you can easily view it as it happens.

So we're going to add a chart here, we're going to add a table, and we're going to paste in that SPL search, the query that we already found, to find the event logs being cleared. As you can see, this looks exactly like it did in our other search. All right, and we're going to select Apply and Close. We're going to give this a label, and we're not really going to customize this at all, but you could: in the column formatting you can add things, and you can also remove things too.

So if we go up here and we actually edit our search, I'm going to show you how you can eliminate some of these columns if you didn't want them. We can add a pipe, and then we're going to type "fields", a minus, and then we're going to type the actual field in here. So _bkt and _cd we're going to eliminate. We'll select Apply and Close, and as you can see those columns are no longer in here. So you can totally customize it however you want to see it. And then we're going to select Save to save this dashboard and this table.

Right, so that's saved. Now if you
go back under Dashboards, so just clicking Dashboards from wherever you're at within the application, you'll see that your dashboard is in here. So we're going to actually click on our dashboard that we created, "clear logs", and this is going to be the table that we created. If we do Actions and select Set as Home Dashboard, that's going to be our primary dashboard. So this is just going to be on the Search & Reporting application.

Having a dashboard like this is extremely useful. Again, you can look at very specific things that maybe you're constantly looking at, or things that you need to view at a quick glance, especially when you're dealing with executive-level or management-level leaders. This can be great because you can easily present information in an easy-to-read way that they like to see it, so they're not confused by all the nuances or smaller details of the application. It's just extremely beneficial to be able to create dashboards and easy-to-read information.

So then if I go somewhere else, let's just click anything, we'll just click Data Inputs under Settings just so we can get onto a different screen, and then we're going to go back to Apps, and actually we'll click Splunk Enterprise to take us back to the homepage. There is "clear logs" right on that main page. So again, you can do whatever you want as far as the dashboard and what you have in there, what kind of tables and stuff, but that's just an example of what you can do with dashboards to quickly and easily display information.

So one other website that's
extremely useful is Ultimate IT Security. They have all the event IDs for Windows that you'll ever need, and then, for instance, we have 1102, "The audit log was cleared." That's what we were just looking at. If we click on this, you can see it has even more details about specifically what it is. So if you ever aren't sure what an event ID is or you need something specific, this is a great resource to use.

Question of the day: what are some important events or logs that we might want to monitor in Splunk? Let me know down in the comment section below.

In this video we walked through installing and configuring Splunk, which is one of the leading SIEM tools in log and data analysis. Remember, knowing a tool like Splunk is extremely helpful in your career and will make you more desirable to employers. As always, make sure to leave a like, comment, and subscribe, check out the description for more training and resources, and I'll see you next time.
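The searches below are an added example written for this page; they are not from the video and not Splunk's own documentation. They assume the default Local Event Log Collection input enabled above, which tags Security log events with source="WinEventLog:Security" and auto-extracts EventCode and Message as fields. The account-name extraction assumes the 1102 event's Message contains the standard "Account Name:" line under Subject; that is an assumption about the raw event text, not something the video shows. The first search is the narrowed search built in the video with the host= clause left off so it matches every host sending Security events, plus the fields removal used on the dashboard. The second generalizes it into a per-host summary over the last 24 hours, the form you would put on a dashboard panel or turn into a scheduled alert, since clearing the Security log (event 1102) is the classic sign that someone is covering their tracks and is worth alerting on rather than only browsing.

```spl
source="WinEventLog:Security" EventCode=1102
| fields - _bkt _cd

source="WinEventLog:Security" EventCode=1102 earliest=-24h
| rex field=Message "Account Name:\s+(?<account>[^\r\n]+)"
| stats count AS clears min(_time) AS first_seen max(_time) AS last_seen values(account) AS accounts BY host
| convert ctime(first_seen) ctime(last_seen)
```

Paste each search separately into the search bar or a Dashboard Studio table panel. `fields - _bkt _cd` drops Splunk's internal bucket and cursor fields, which is what removed those two columns in the video. The rex extraction pulls the account that issued the clear out of the multi-line Message text, and `stats ... BY host` collapses repeated clears into one row per machine with first and last timestamps, which reads better on an executive dashboard than a raw event list and is the query to hang an alert on.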