Are you looking to analyze all your logs and events in one location? Or maybe you're just looking to learn about a SIEM tool like Splunk to prepare for a job in IT or cyber security. Well, look no further. In this video we're going to walk through installing and configuring Splunk, which is one of the leaders in log and data analysis, on a Windows system. But first, welcome to the channel, or welcome back. My name is John Good, and on this channel we talk all about cyber security. If you enjoy the content, make sure to like the video, subscribe to the channel, and hit the bell icon so you get notified for future content. If you have any questions, leave them in the comment section below. Also make sure to check out the description for more training and resources. All right, let's do this.

In IT, cyber security, and even DevOps, one of the biggest issues that we have is monitoring our networks and being able to look at large amounts of data at once. If we have two computers, yeah, looking at the logs individually is going to be possible, but it's going to be annoying. If we have a thousand systems, it's basically impossible to do that and stay current with all the events that are taking place on those systems. Splunk is one of the leaders in helping us analyze large amounts of data in one central location, so it's a pretty good idea that you become familiar with how it works. We also refer to Splunk as a SIEM tool, which stands for security information and event management. At a high level, Splunk operates basically like a database with its own specific language called Search Processing Language, or SPL. The better you can navigate SPL and Splunk itself, the more desirable you'll be to employers. There are even jobs that are dedicated to configuring and managing Splunk installations, and even if you had to use a similar product, you'll have a good idea of what's going on. The goal in this video is to get a free Splunk installation running on a local system and then show you some of the basic features that you should know. After this video you'll be able to learn additional capabilities of Splunk, or at least be able to talk about Splunk and how to use similar tools.

Before we dive into the demo, I'm assuming that you already have a virtual machine or a system to install Splunk on. For this video I'll be using a Windows Server 2022 virtual machine, since we typically install Splunk on a server, but the process is going to be the same on any Windows system. All right, let's begin.

Okay, so the first thing that you have to do is go to the Splunk website, splunk.com, because we need to download Splunk. We're going to go to Products, then Splunk Enterprise, and then we're going to click Free Trial. You'll have to create an account if you don't already have one in order to download Splunk. Once you log in, go ahead and download Splunk and get the correct download depending on which operating system you're using.

Okay, now that the download is done, go ahead and open that file and we're going to install Splunk. We're going to use a lot of the defaults in this, but of course in the real world you might customize some of these options. We're going to check the box to accept the license agreement and hit Next. These are the defaults that it's going to use: it's going to run Splunk Enterprise as a Local System account, it's going to use this directory, and it's going to create a Start menu shortcut. So again, we're going to use the defaults and hit Next. We're going to create a username and a password, then hit Next, and hit Install. That username and password is really important, because that's what you're going to use to actually log into Splunk. Okay, so we've successfully installed Splunk Enterprise. We're going to leave "Launch browser with Splunk Enterprise" checked, hit Finish, and it will open in our web browser. Do you remember when we were originally installing and configuring Splunk and we had to create a username and password? That's what we need to enter here so we can log in.

We've now successfully installed Splunk and logged in. Now we need to set up our logs to actually be ingested into the tool, so we're going to go to Settings and then Data Inputs. For this video we're only going to deal with local events; we're not going to deal with remote systems. So we're going to go under Local Event Log Collection and select Edit. Now we need to select the logs that we want to actually ingest into the tool. I'm going to keep it really simple and just do Application, Security, and System; those are kind of the foundational logs. We'll scroll down and select Save. The status should be Enabled, because that's going to ingest those logs. Then we'll go back to Apps and Search & Reporting.

All right, in the search bar here we're going to put in an asterisk, or a star, and hit Return to search for all the events that it knows about. As you can see, it's starting to get events from our local system. Again, in this video we're just dealing with the local system, not remote systems. So this would be a very basic kind of search. We can do all kinds of different basic searches in here, and we can also get a little bit more advanced with filters and different queries and parameters and things like that.

For this, what I'm going to do is actually open up our Event Viewer. So I've gone to the Windows menu and I'm going to open up Event Viewer, go under Windows Logs and Security, right-click this, select Clear Log, and select Clear. So it's going to clear the Security log, and I'll show you why I'm doing this here in a second.

If we go back into our Splunk system, we're going to narrow this down a little bit, and I'm going to show you how you can do this. So all of these parameters and fields: if I select one, for instance the host, I'm going to left-click on this and do Add to Search. That's going to add it to this search bar, and we're going to slowly narrow this search down. The next one I'm going to do is source, so we want it from the Security log. And then the event code I want to also add in here, so I'm going to add this to our search. This did not add the full thing here, but that's okay; we're going to add an equals sign, and then we want 1102, which is the event that we want to find, and we'll hit Return. That's how you can narrow down the searches, so we've only got this one particular event, which was the audit log being cleared. That's what we just did. Great, so that's an example of how you can search in Splunk for specific things.

Now I'm going to copy this, because we'll need it later, and then I'm actually going to select Create Table View. We'll skip the tour, because again I don't care about that, and this will put this into a table. On the left here you can select or deselect different types of logs, so I'm going to unselect raw so it's not going to give us all that information, and I'm going to hit Done. As you can see, that gave us a table with the fields that we've selected.

I hope you're enjoying the content so far. If you are, make sure to leave a like, comment, and subscribe. Also check out the description for more training and resources. All right, let's get back to the content.

Now I'm going to go to Dashboards, and again I'm going to skip the tour. I'm going to select Create New Dashboard, and we're just going to label this "clear logs". We're going to create this with Dashboard Studio, and we're going to do Grid, then select Create. All right, so now we can create a dashboard. Dashboards are huge for analyzing data, because we can quickly display certain things, and especially in areas like security or IT or any kind of data analytics, you're probably looking for relatively specific things. This way, anything you're consistently looking for you can just put into a table or a graph or something like that and put it on a dashboard, so you can easily view it as it happens.

So we're going to add a chart here; we're going to add a table, and we're going to paste in this search with SPL, that query that we already found, to find the event logs being cleared. As you can see, this looks exactly like it did in our other search. All right, we're going to select Apply and Close. We're going to give this a label, and we're not really going to customize this at all, but you could; in the column formatting you can add things and you can also remove things too. So if we go up here and actually edit our search, I'm going to show you how you can eliminate some of these columns if you didn't want them. We can add a pipe, then type `fields`, a minus, and then the actual field names in here, so bkt and cd we're going to eliminate. We'll select Apply and Close, and as you can see those columns are no longer in here. So you can totally customize it however you want to see it. Then we're going to select Save to save this dashboard, save this table. Right, so that's saved.

Now if you go back under Dashboards, so just clicking Dashboards from wherever you're at within the application, you'll see that your dashboard is in here. So we're going to click on the dashboard that we created, clear logs, and this is going to be the table that we created. If we do Actions and select Set as Home Dashboard, that's going to be our primary dashboard, so this is just going to be on the Search & Reporting application. Having a dashboard like this is extremely useful. Again, you can look at very specific things that maybe you're constantly looking at, or things that you need to view at a quick glance, especially when you're dealing with executive-level or management-level leaders. This can be great because you can easily present information in an easy-to-read way that they like to see it, so they're not confused by all the nuances or smaller details of the application. It's just extremely beneficial to be able to create dashboards and easy-to-read information.

So then if I go somewhere else, let's just click anything; we'll click Data Inputs under Settings just so we can get onto a different screen, and then we'll go back to Apps, and actually we'll click Splunk Enterprise to take us back to the home page. There is clear logs right on that main page. So again, you can do whatever you want as far as the dashboard and what you have in there, what kind of tables and stuff, but that's just an example of what you can do with dashboards to quickly and easily display information.

One other website that's extremely useful is Ultimate IT Security. They have all the event IDs for Windows that you'll ever need. For instance, we have 1102, "The audit log was cleared"; that's what we were just looking at. If we click on this, you can see it has even more details about specifically what it is. So if you ever aren't sure what an event ID is, or you need something specific, this is a great resource to use.

Question of the day: what are some important events or logs that we might want to monitor in Splunk? Let me know down in the comment section below. In this video we walked through installing and configuring Splunk, which is one of the leading SIEM tools in log and data analysis. Remember, knowing a tool like Splunk is extremely helpful in your career and will make you more desirable to employers. As always, make sure to leave a like, comment, and subscribe, check out the description for more training and resources, and I'll see you next time.
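The search the video builds by clicking host, source and event code, and the `fields -` step that drops the bkt and cd columns, written out as SPL. This is an added example, not from the video: it assumes the host name WIN-SRV-01 is a placeholder for your own machine, that the local Security log arrives with source WinEventLog:Security, and that the columns the video calls bkt and cd are Splunk's internal _bkt and _cd fields. The second search goes beyond the video and summarizes audit-log clears across every host over the last seven days, which is the shape you would put in the dashboard table so a cleared Security log on any system stands out.

```spl
host="WIN-SRV-01" source="WinEventLog:Security" EventCode=1102
| fields - _bkt _cd
| table _time host source EventCode

source="WinEventLog:Security" EventCode=1102 earliest=-7d
| fields - _bkt _cd
| stats count AS clears min(_time) AS first_seen max(_time) AS last_seen BY host
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - last_seen
```

Run each search on its own; the first reproduces the single 1102 event from the video, the second gives one row per host with how many times its audit log was cleared and when.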