WEBVTT

00:00:00.040 --> 00:00:01.400
are you looking to analyze all your logs

00:00:01.400 --> 00:00:03.399
and events in one location or maybe

00:00:03.399 --> 00:00:04.759
you're just looking to learn about a SIEM

00:00:04.759 --> 00:00:07.000
tool like Splunk to prepare for a job in

00:00:07.000 --> 00:00:09.639
IT or cyber security well look no

00:00:09.639 --> 00:00:11.360
further in this video we're going to

00:00:11.360 --> 00:00:12.880
walk through installing and configuring

00:00:12.880 --> 00:00:14.679
Splunk which is one of the leaders in

00:00:14.679 --> 00:00:16.800
log and data analysis on a Windows

00:00:16.800 --> 00:00:19.240
system but first welcome to the channel

00:00:19.240 --> 00:00:21.519
or welcome back my name is John Good and

00:00:21.519 --> 00:00:23.400
on this channel we talk all about cyber

00:00:23.400 --> 00:00:25.400
security if you enjoy the content make

00:00:25.400 --> 00:00:27.400
sure to like the video subscribe to the

00:00:27.400 --> 00:00:29.080
channel and hit the bell icon so you get

00:00:29.080 --> 00:00:31.000
notified for future content and if you

00:00:31.000 --> 00:00:32.520
have any questions leave them in the

00:00:32.520 --> 00:00:34.480
comment section below also make sure to

00:00:34.480 --> 00:00:35.879
check out the description for more

00:00:35.879 --> 00:00:37.680
training and resources all right let's

00:00:37.680 --> 00:00:40.600
do this in IT cyber security and even

00:00:40.600 --> 00:00:42.920
devops one of the biggest issues that we

00:00:42.920 --> 00:00:44.920
have is monitoring our networks and

00:00:44.920 --> 00:00:46.360
being able to look at large amounts of

00:00:46.360 --> 00:00:48.800
data at once if we have two computers

00:00:48.800 --> 00:00:50.360
yeah looking at the logs individually is

00:00:50.360 --> 00:00:51.920
going to be possible but it's going to

00:00:51.920 --> 00:00:54.440
be annoying if we have a thousand systems it's

00:00:54.440 --> 00:00:56.719
basically impossible to do that and stay

00:00:56.719 --> 00:00:57.960
current with all the events that are

00:00:57.960 --> 00:01:00.399
taking place on those systems Splunk is

00:01:00.399 --> 00:01:01.680
one of the leaders in helping us

00:01:01.680 --> 00:01:03.840
analyze large amounts of data in one

00:01:03.840 --> 00:01:05.760
central location so it's a pretty good

00:01:05.760 --> 00:01:07.159
idea that you become familiar with how

00:01:07.159 --> 00:01:09.400
it works we also refer to Splunk as a

00:01:09.400 --> 00:01:11.240
SIEM tool which stands for security

00:01:11.240 --> 00:01:13.360
information and event management at a

00:01:13.360 --> 00:01:14.960
high level Splunk operates basically

00:01:14.960 --> 00:01:17.040
like a database with its own specific

00:01:17.040 --> 00:01:18.720
language called search processing

00:01:18.720 --> 00:01:21.119
language or SPL the better that you can

00:01:21.119 --> 00:01:23.720
navigate SPL and Splunk itself the more

00:01:23.720 --> 00:01:25.680
desirable that you'll be to employers

00:01:25.680 --> 00:01:27.200
there are even jobs that are dedicated

00:01:27.200 --> 00:01:29.000
to configuring and managing Splunk

00:01:29.000 --> 00:01:30.920
installations and even if you had to use

00:01:30.920 --> 00:01:32.640
a similar product you'll have a good

00:01:32.640 --> 00:01:34.560
idea of what's going on the goal in this

00:01:34.560 --> 00:01:36.119
video is to get a free Splunk

00:01:36.119 --> 00:01:38.240
installation running on a local system

00:01:38.240 --> 00:01:39.520
and then show you some of the basic

00:01:39.520 --> 00:01:41.520
features that you should know after this

00:01:41.520 --> 00:01:42.960
video you'll be able to learn additional

00:01:42.960 --> 00:01:45.200
capabilities of Splunk or at least be

00:01:45.200 --> 00:01:47.159
able to talk about Splunk and how to use

00:01:47.159 --> 00:01:49.159
similar tools before we dive into the

00:01:49.159 --> 00:01:50.640
demo I'm assuming that you already have

00:01:50.640 --> 00:01:52.880
a virtual machine or a system to install

00:01:52.880 --> 00:01:55.040
Splunk on for this video I'll be using a

00:01:55.040 --> 00:01:57.680
Windows Server 2022 virtual machine

00:01:57.680 --> 00:01:59.399
since we typically install Splunk on a

00:01:59.399 --> 00:02:01.079
server but the process is going to be

00:02:01.079 --> 00:02:03.200
the same on any Windows system all right

00:02:03.200 --> 00:02:05.079
let's begin okay so the first thing that

00:02:05.079 --> 00:02:06.560
you have to do is you have to go to the

00:02:06.560 --> 00:02:09.440
Splunk website so splunk.com because we

00:02:09.440 --> 00:02:11.520
need to download Splunk so we're going

00:02:11.520 --> 00:02:13.879
to go to products we're going to go to

00:02:13.879 --> 00:02:16.160
Splunk

00:02:16.160 --> 00:02:17.760
Enterprise all right and then we're

00:02:17.760 --> 00:02:20.560
going to click free

00:02:21.519 --> 00:02:23.720
trial and you'll have to create an

00:02:23.720 --> 00:02:26.040
account if you don't already have one in

00:02:26.040 --> 00:02:28.080
order to download Splunk and once you

00:02:28.080 --> 00:02:30.840
log in you need to go ahead and download

00:02:30.840 --> 00:02:33.480
Splunk and get the correct download

00:02:33.480 --> 00:02:35.120
depending on which operating system that

00:02:35.120 --> 00:02:37.120
you're using okay now that download is

00:02:37.120 --> 00:02:38.640
done go ahead and open that file and

00:02:38.640 --> 00:02:40.280
we're going to install Splunk and we're

00:02:40.280 --> 00:02:41.959
going to use a lot of the defaults in

00:02:41.959 --> 00:02:43.640
this but of course if you were in the

00:02:43.640 --> 00:02:45.360
real world you might customize some of

00:02:45.360 --> 00:02:47.120
these options we're going to go ahead

00:02:47.120 --> 00:02:49.120
and check the box to accept the license

00:02:49.120 --> 00:02:50.959
agreements and we're just going to hit

00:02:50.959 --> 00:02:52.680
next and these are the defaults that

00:02:52.680 --> 00:02:54.159
it's going to use so it's going to run

00:02:54.159 --> 00:02:55.920
Splunk Enterprise as a local system

00:02:55.920 --> 00:02:58.440
account it's going to use this directory

00:02:58.440 --> 00:02:59.560
and then it's going to create a start

00:02:59.560 --> 00:03:01.280
menu shortcut so again we're going

00:03:01.280 --> 00:03:03.519
to use the defaults we'll hit

00:03:03.519 --> 00:03:06.000
next we're going to create a username

00:03:06.000 --> 00:03:08.400
and a

00:03:08.640 --> 00:03:11.319
password and then we'll hit

00:03:11.319 --> 00:03:13.560
next and we'll hit

00:03:13.560 --> 00:03:16.040
install so that username and password is

00:03:16.040 --> 00:03:17.440
really important because that's what

00:03:17.440 --> 00:03:21.360
you're going to use to actually log into

00:03:24.680 --> 00:03:26.799
Splunk okay so we've successfully

00:03:26.799 --> 00:03:28.920
installed Splunk Enterprise and we're

00:03:28.920 --> 00:03:30.519
going to leave this launch browser with

00:03:30.519 --> 00:03:34.080
Splunk Enterprise checked and we'll hit

00:03:34.080 --> 00:03:37.920
finish and we'll open it with our web

00:03:37.920 --> 00:03:39.799
browser okay do you remember when we

00:03:39.799 --> 00:03:41.720
were originally installing and configuring

00:03:41.720 --> 00:03:43.720
the installation for Splunk and we had

00:03:43.720 --> 00:03:45.480
to create a username and password that's

00:03:45.480 --> 00:03:47.000
what we need to enter here so we can log

00:03:47.000 --> 00:03:49.000
in we've now successfully installed

00:03:49.000 --> 00:03:51.400
Splunk and we've logged in now we need

00:03:51.400 --> 00:03:53.360
to set up our logs actually being

00:03:53.360 --> 00:03:55.439
ingested into the tool so we're going to

00:03:55.439 --> 00:03:58.400
go to settings and then data inputs for

00:03:58.400 --> 00:03:59.840
this video we're only going to deal with

00:03:59.840 --> 00:04:01.400
local events we're not going to deal

00:04:01.400 --> 00:04:03.439
with remote systems so we're going to go

00:04:03.439 --> 00:04:05.720
under local event log collection we're

00:04:05.720 --> 00:04:07.079
going to select

00:04:07.079 --> 00:04:09.760
edit now we need to select the logs that

00:04:09.760 --> 00:04:12.040
we want to actually ingest into the tool

00:04:12.040 --> 00:04:13.879
so I'm going to keep it really simple

00:04:13.879 --> 00:04:16.320
and just do application security and

00:04:16.320 --> 00:04:17.519
system those are kind of the

00:04:17.519 --> 00:04:20.320
foundational logs we'll scroll down and

00:04:20.320 --> 00:04:22.080
we'll select

00:04:22.080 --> 00:04:24.440
save okay and the status should be

00:04:24.440 --> 00:04:26.320
enabled because that's going to ingest

00:04:26.320 --> 00:04:29.919
those logs and we'll go back to apps in

00:04:29.919 --> 00:04:32.199
Search and Reporting all right in the

00:04:32.199 --> 00:04:34.240
search bar here we're going to put in an

00:04:34.240 --> 00:04:36.440
asterisk or a star and we're going to

00:04:36.440 --> 00:04:38.280
hit return to search for all the events

00:04:38.280 --> 00:04:40.240
that it knows about as you can see it's

00:04:40.240 --> 00:04:42.600
starting to get events from our local

00:04:42.600 --> 00:04:44.400
system again in this video we're just

00:04:44.400 --> 00:04:46.560
dealing with the local system not remote

00:04:46.560 --> 00:04:49.360
systems so this would be a very basic

00:04:49.360 --> 00:04:52.280
kind of search we can do all kinds of

00:04:52.280 --> 00:04:54.160
different basic searches in here we can

00:04:54.160 --> 00:04:56.280
also get a little bit more advanced with

00:04:56.280 --> 00:04:59.120
filters and different queries and

00:04:59.120 --> 00:05:01.039
parameters and things like that for this

00:05:01.039 --> 00:05:03.240
what I'm going to do is I'm actually

00:05:03.240 --> 00:05:06.880
going to open up our Event

00:05:06.880 --> 00:05:09.199
Viewer so I've gone to the Windows menu

00:05:09.199 --> 00:05:12.440
and I'm going to open up Event

00:05:12.520 --> 00:05:14.880
Viewer and I'm going to go under Windows

00:05:14.880 --> 00:05:16.479
Logs and

00:05:16.479 --> 00:05:18.880
Security I'm going to right-click this

00:05:18.880 --> 00:05:22.080
and I'm going to select clear

00:05:22.360 --> 00:05:24.680
log and I'm going to select clear so

00:05:24.680 --> 00:05:26.919
it's going to clear the security log and

00:05:26.919 --> 00:05:28.240
I'll show you why I'm doing this here in

00:05:28.240 --> 00:05:32.039
a second so if we go back into our

00:05:32.039 --> 00:05:33.919
system here in our Splunk

00:05:33.919 --> 00:05:36.039
system we're going to actually narrow

00:05:36.039 --> 00:05:37.360
this down a little bit and I'm going to

00:05:37.360 --> 00:05:40.199
show you how you can do this so all of

00:05:40.199 --> 00:05:43.160
these parameters and fields if I select

00:05:43.160 --> 00:05:45.319
one so for instance the host I'm going

00:05:45.319 --> 00:05:47.520
to left click on this and I'm going to

00:05:47.520 --> 00:05:48.919
do add to

00:05:48.919 --> 00:05:51.039
search that's going to add it in this

00:05:51.039 --> 00:05:54.560
search bar and we're going to slowly

00:05:54.560 --> 00:05:57.160
narrow this search down and then the

00:05:57.160 --> 00:05:59.160
next one I'm going to do is source so we

00:05:59.160 --> 00:06:01.720
want it from the security

00:06:01.720 --> 00:06:04.280
logs and then the event code I want to

00:06:04.280 --> 00:06:06.240
also add in here so I'm going to add

00:06:06.240 --> 00:06:08.120
this to our

00:06:08.120 --> 00:06:10.880
search and this did not add the full

00:06:10.880 --> 00:06:12.520
thing here but that's okay we're going

00:06:12.520 --> 00:06:16.400
to add equal sign and then we want 1102

00:06:16.400 --> 00:06:19.720
is the event that we want to

00:06:19.720 --> 00:06:23.240
find and we'll hit

00:06:23.240 --> 00:06:25.440
return and that's how you can narrow

00:06:25.440 --> 00:06:28.240
down the searches so we've only got this

00:06:28.240 --> 00:06:30.960
one particular event

00:06:30.960 --> 00:06:33.599
which this event was the audit log being

00:06:33.599 --> 00:06:36.680
cleared that's what we just

00:06:36.680 --> 00:06:39.240
did great so that's an example of how

00:06:39.240 --> 00:06:42.319
you can search in Splunk for specific

00:06:42.319 --> 00:06:44.639
things now I'm going to copy this

00:06:44.639 --> 00:06:46.720
because we'll need it

00:06:46.720 --> 00:06:49.000
later and then I'm actually going to

00:06:49.000 --> 00:06:51.720
select create table

00:06:51.720 --> 00:06:54.360
view we'll skip the tour because again I

00:06:54.360 --> 00:06:56.039
don't care about that and this will

00:06:56.039 --> 00:06:58.360
actually put this into a

00:06:58.360 --> 00:07:00.680
table and then on the left here you

00:07:00.680 --> 00:07:03.240
can select or deselect different types

00:07:03.240 --> 00:07:04.840
of logs so I'm going to actually

00:07:04.840 --> 00:07:06.919
unselect raw so it's not going to give

00:07:06.919 --> 00:07:09.039
us all that information and I'm going to

00:07:09.039 --> 00:07:11.000
hit

00:07:11.000 --> 00:07:14.080
done okay and as you can see that gave

00:07:14.080 --> 00:07:16.120
us a table with the fields that we've

00:07:16.120 --> 00:07:17.599
selected I hope you're enjoying the

00:07:17.599 --> 00:07:19.360
content so far if you are make sure to

00:07:19.360 --> 00:07:21.639
leave a like comment and subscribe also

00:07:21.639 --> 00:07:23.000
check out the description for more

00:07:23.000 --> 00:07:24.560
training and resources all right let's

00:07:24.560 --> 00:07:26.080
get back to the content now I'm going to

00:07:26.080 --> 00:07:27.840
go to

00:07:27.840 --> 00:07:29.759
dashboards and again I'm going to skip

00:07:29.759 --> 00:07:30.720
the

00:07:30.720 --> 00:07:35.160
tour and I'm going to select create new

00:07:35.240 --> 00:07:37.240
dashboard and we're just going to label

00:07:37.240 --> 00:07:39.199
this clear

00:07:39.199 --> 00:07:41.840
logs and we're going to create this with

00:07:41.840 --> 00:07:43.960
the dashboard

00:07:43.960 --> 00:07:46.520
studio and we're going to do

00:07:46.520 --> 00:07:49.919
grid select

00:07:51.720 --> 00:07:53.840
create all right so now we can create a

00:07:53.840 --> 00:07:56.520
dashboard dashboards are huge for

00:07:56.520 --> 00:07:58.479
analyzing data because we can quickly

00:07:58.479 --> 00:08:00.840
display certain things and especially

00:08:00.840 --> 00:08:04.120
in areas like security or IT or any kind

00:08:04.120 --> 00:08:05.680
of data analytics you're probably

00:08:05.680 --> 00:08:08.440
looking for relatively specific things

00:08:08.440 --> 00:08:10.120
and this way anything you're

00:08:10.120 --> 00:08:11.440
consistently looking for you can just

00:08:11.440 --> 00:08:13.199
put into a table or a graph or something

00:08:13.199 --> 00:08:15.319
like that and put it on a dashboard so

00:08:15.319 --> 00:08:18.400
you can easily view it as it happens so

00:08:18.400 --> 00:08:19.720
we're going to add a chart here we're

00:08:19.720 --> 00:08:21.759
going to add a

00:08:21.759 --> 00:08:23.960
table and we're going to paste in this

00:08:23.960 --> 00:08:26.280
search with SPL that query that we

00:08:26.280 --> 00:08:28.280
already found to find the event logs

00:08:28.280 --> 00:08:30.520
being cleared so as you can see this

00:08:30.520 --> 00:08:34.399
looks exactly like it did in our other

00:08:34.399 --> 00:08:36.200
search all right and we're going to

00:08:36.200 --> 00:08:37.959
select apply and

00:08:37.959 --> 00:08:40.640
close we're going to give this a

00:08:40.640 --> 00:08:42.599
label and we're not really going to

00:08:42.599 --> 00:08:45.120
customize this at all but you could in

00:08:45.120 --> 00:08:47.519
the column formatting you can add things

00:08:47.519 --> 00:08:49.640
you can also remove things

00:08:49.640 --> 00:08:52.920
too so if we go up here and we actually

00:08:52.920 --> 00:08:54.600
edit our

00:08:54.600 --> 00:08:56.720
search I'm going to show you how you can

00:08:56.720 --> 00:08:58.200
eliminate some of these columns if you

00:08:58.200 --> 00:09:01.320
didn't want them so we can add a

00:09:01.320 --> 00:09:03.800
pipe and then we're going to type

00:09:03.800 --> 00:09:06.240
fields a

00:09:06.240 --> 00:09:08.200
minus and then we're going to type the

00:09:08.200 --> 00:09:09.920
actual field in

00:09:09.920 --> 00:09:12.000
here so

00:09:12.000 --> 00:09:15.240
_bkt and _cd we're going to

00:09:15.240 --> 00:09:18.079
eliminate we'll select apply and

00:09:18.079 --> 00:09:20.640
close and as you can see those columns

00:09:20.640 --> 00:09:22.640
are no longer in here so you can totally

00:09:22.640 --> 00:09:25.640
customize it however you want to see

00:09:25.640 --> 00:09:28.000
it and then we're going to select save

00:09:28.000 --> 00:09:30.680
to save this dashboard save this

00:09:30.680 --> 00:09:33.240
table right so that's saved now if you

00:09:33.240 --> 00:09:35.120
go back under dashboards so just

00:09:35.120 --> 00:09:37.079
clicking dashboards from wherever you're

00:09:37.079 --> 00:09:39.360
at within the application you'll see

00:09:39.360 --> 00:09:40.839
that your dashboard is in here so we're

00:09:40.839 --> 00:09:42.760
going to actually click on our dashboard

00:09:42.760 --> 00:09:44.839
that we created so the clear

00:09:44.839 --> 00:09:47.079
logs and this is going to be the table

00:09:47.079 --> 00:09:48.600
that we

00:09:48.600 --> 00:09:52.160
created if we do actions and we select

00:09:52.160 --> 00:09:54.600
set as home dashboard that's going to be

00:09:54.600 --> 00:09:56.720
our primary

00:09:56.720 --> 00:09:59.200
dashboard so this is just going to be on

00:09:59.200 --> 00:10:01.320
the Search and Reporting application

00:10:01.320 --> 00:10:03.000
so having a dashboard like this is

00:10:03.000 --> 00:10:05.440
extremely useful again you can look at

00:10:05.440 --> 00:10:07.399
very specific things that maybe you're

00:10:07.399 --> 00:10:09.160
constantly looking at or things that you

00:10:09.160 --> 00:10:11.880
need to view at a quick glance

00:10:11.880 --> 00:10:13.600
especially when you're dealing with

00:10:13.600 --> 00:10:15.920
executive level or management level

00:10:15.920 --> 00:10:18.440
leaders this can be great because you

00:10:18.440 --> 00:10:20.800
can easily present information in an

00:10:20.800 --> 00:10:23.160
easy to read way that they like to see

00:10:23.160 --> 00:10:25.360
it so they're not confused by all the

00:10:25.360 --> 00:10:28.640
nuances or smaller details of the

00:10:28.640 --> 00:10:30.920
application it's just extremely

00:10:30.920 --> 00:10:32.600
beneficial to be able to create

00:10:32.600 --> 00:10:36.279
dashboards and easy to read

00:10:36.279 --> 00:10:38.279
information so then if I go somewhere

00:10:38.279 --> 00:10:40.120
else so let's just click anything we'll

00:10:40.120 --> 00:10:41.920
just click data inputs under the

00:10:41.920 --> 00:10:43.240
settings just so we can get onto a

00:10:43.240 --> 00:10:45.000
different

00:10:45.000 --> 00:10:46.800
screen and then we're going to go back

00:10:46.800 --> 00:10:47.839
to

00:10:47.839 --> 00:10:50.200
apps and actually we'll click Splunk

00:10:50.200 --> 00:10:53.720
Enterprise to take us back to the

00:10:53.800 --> 00:10:56.519
homepage there is clear logs right on

00:10:56.519 --> 00:10:58.760
that main page so again you can do

00:10:58.760 --> 00:11:00.360
whatever you want as far as the

00:11:00.360 --> 00:11:01.880
dashboard and what you have in there

00:11:01.880 --> 00:11:04.320
what kind of tables and stuff but that's

00:11:04.320 --> 00:11:06.360
just an example of what you can do with

00:11:06.360 --> 00:11:08.639
dashboards to quickly and easily display

00:11:08.639 --> 00:11:10.680
information so one other website that's

00:11:10.680 --> 00:11:12.760
extremely useful is this Ultimate IT

00:11:12.760 --> 00:11:15.440
Security they have all the event IDs for

00:11:15.440 --> 00:11:18.079
Windows that you'll ever need and then

00:11:18.079 --> 00:11:19.959
for instance we have 1102 the audit log

00:11:19.959 --> 00:11:21.240
was cleared that's what we were just

00:11:21.240 --> 00:11:23.800
looking at if we click on

00:11:23.800 --> 00:11:26.279
this you can see it has even more

00:11:26.279 --> 00:11:28.760
details about specifically what it is so

00:11:28.760 --> 00:11:31.160
if you ever aren't sure what an event ID

00:11:31.160 --> 00:11:33.480
is or you need something specific this

00:11:33.480 --> 00:11:35.920
is a great resource to use question of

00:11:35.920 --> 00:11:37.680
the day what are some important events

00:11:37.680 --> 00:11:39.920
or logs that we might want to monitor in

00:11:39.920 --> 00:11:41.880
Splunk let me know down in the comment

00:11:41.880 --> 00:11:43.760
section below in this video we walk

00:11:43.760 --> 00:11:44.959
through installing and configuring

00:11:44.959 --> 00:11:46.800
Splunk which is one of the leading SIEM

00:11:46.800 --> 00:11:49.480
tools in log and data analysis remember

00:11:49.480 --> 00:11:51.440
knowing a tool like Splunk is extremely

00:11:51.440 --> 00:11:53.320
helpful in your career and will make you

00:11:53.320 --> 00:11:55.680
more desirable by employers as always

00:11:55.680 --> 00:11:57.120
make sure to leave a like comment and

00:11:57.120 --> 00:11:58.800
subscribe check out the description for

00:11:58.800 --> 00:12:00.680
more training resources and I'll see you

00:12:00.680 --> 00:12:03.810
next time

00:12:03.810 --> 00:12:23.390
[Music]