0:00:00.040 Are you looking to analyze all your logs and events in one location, or maybe you're just looking to learn about a SIEM tool like Splunk to prepare for a job in IT or cybersecurity? Well, look no further. In this video, we're going to walk through installing and configuring Splunk, which is one of the leaders in log and data analysis, on a Windows system. But first, welcome to the channel, or welcome back. My name is John Good, and on this channel we talk all about cybersecurity. If you enjoy the content, make sure to like the video, subscribe to the channel, and hit the bell icon so you get notified for future content, and if you have any questions, leave them in the comment section below. Also make sure to check out the description for more training and resources. All right, let's do this. In IT, cybersecurity, and even DevOps, one of the biggest issues that we have is monitoring our networks and being able to look at large amounts of data at once. If we have two computers, yeah, looking at the logs individually is going to be possible, but it's going to be annoying. If we have a thousand systems, it's basically impossible to do that and stay current with all the events that are taking place on those systems.

0:01:00.399 Splunk is one of the leaders in helping us analyze large amounts of data in one central location, so it's a pretty good idea that you become familiar with how it works. We also refer to Splunk as a SIEM tool, which stands for security information and event management. At a high level, Splunk operates basically like a database with its own specific language called Search Processing Language, or SPL. The better that you can navigate SPL and Splunk itself, the more desirable you'll be to employers. There are even jobs that are dedicated to configuring and managing Splunk installations. And even if you had to use a similar product, you'll have a good idea of what's going on. The goal in this video is to get a free Splunk installation running on a local system and then show you some of the basic features that you should know. After this video, you'll be able to learn additional capabilities of Splunk, or at least be able to talk about Splunk and how to use similar tools. Before we dive into the demo, I'm assuming that you already have a virtual machine or a system to install Splunk on. For this video, I'll be using a Windows Server 2022 virtual machine, since we typically install Splunk on a server.

0:02:01.079 But the process is going to be the same on any Windows system. All right, let's begin. Okay, so the first thing that you have to do is go to the Splunk website, splunk.com, because we need to download Splunk. So we're going to go to Products, we're going to go to Splunk Enterprise, and then we're going to click Free Trial, and you'll have to create an account if you don't already have one in order to download Splunk. And once you log in, you need to go ahead and download Splunk and get the correct download depending on which operating system you're using. Okay, now that the download is done, go ahead and open that file and we're going to install Splunk, and we're going to use a lot of the defaults in this. But of course, if you were in the real world, you might customize some of these options. We're going to go ahead and check the box to accept the license agreement, and we're just going to hit Next, and these are the defaults that it's going to use. So it's going to run Splunk Enterprise as a local system account, it's going to use this directory, and then it's going to create a Start menu shortcut. So again, we're going to use the defaults; we'll hit Next.

0:03:06.000 We're going to create a username and a password, and then we'll hit Next, and we'll hit Install. So that username and password is really important, because that's what you're going to use to actually log into Splunk. Okay, so we've successfully installed Splunk Enterprise, and we're going to leave "Launch browser with Splunk Enterprise" checked, and we'll hit Finish, and it'll open in our web browser. Okay, do you remember when we were originally installing and configuring Splunk, and we had to create a username and password? That's what we need to enter here so we can log in. We've now successfully installed Splunk and we've logged in. Now we need to set up our logs to actually be ingested into the tool. So we're going to go to Settings and then Data Inputs. For this video, we're only going to deal with local events; we're not going to deal with remote systems. So we're going to go under Local Event Log Collection, and we're going to select Edit. Now we need to select the logs that we want to actually ingest into the tool. So I'm going to keep it really simple and just do Application, Security, and System. Those are kind of the foundational logs.

0:04:20.320 We'll scroll down and we'll select Save. Okay, and the status should be Enabled, because that's going to ingest those logs. And we'll go back to Apps and Search & Reporting. All right, in the search bar here we're going to put in an asterisk, or a star, and we're going to hit Return to search for all the events that it knows about. As you can see, it's starting to get events from our local system. Again, in this video we're just dealing with the local system, not remote systems. So this would be a very basic kind of search. We can do all kinds of different basic searches in here. We can also get a little bit more advanced with filters and different queries and parameters and things like that. For this, what I'm going to do is actually open up our Event Viewer. So I've gone to the Windows menu, and I'm going to open up Event Viewer, and I'm going to go under Windows Logs and Security. I'm going to right-click this, and I'm going to select Clear Log, and I'm going to select Clear. So it's going to clear the Security log, and I'll show you why I'm doing this here in a second.

0:05:32.039 So if we go back into our Splunk system here, we're going to actually narrow this down a little bit, and I'm going to show you how you can do this. So all of these parameters and fields, if I select one, so for instance the host, I'm going to left-click on this and I'm going to do Add to Search. That's going to add it into this search bar, and we're going to slowly narrow this search down. And then the next one I'm going to do is source, so we want it from the Security logs. And then the event code I want to also add in here, so I'm going to add this to our search, and this did not add the full thing here, but that's okay. We're going to add an equals sign, and then we want 1102; that is the event that we want to find. And we'll hit Return, and that's how you can narrow down the searches. So we've only got this one particular event, which was the audit log being cleared. That's what we just did. Great. So that's an example of how you can search in Splunk for specific things. Now I'm going to copy this, because we'll need it later, and then I'm actually going to select Create Table View.

0:06:54.360 We'll skip the tour because, again, I don't care about that, and this will actually put this into a table. And then on the left here you can select or deselect different types of logs. So I'm going to actually unselect raw, so it's not going to give us all that information, and I'm going to hit Done. Okay, and as you can see, that gave us a table with the fields that we've selected. I hope you're enjoying the content so far. If you are, make sure to leave a like, comment, and subscribe. Also check out the description for more training and resources. All right, let's get back to the content. Now I'm going to go to Dashboards, and again I'm going to skip the tour, and I'm going to select Create New Dashboard. We're just going to label this "Clear Logs", and we're going to create this with the Dashboard Studio, and we're going to do Grid, and select Create. All right, so now we can create a dashboard. Dashboards are huge for analyzing data because we can quickly display certain things.

0:08:00.840 And especially in areas like security or IT or any kind of data analytics, you're probably looking for relatively specific things, and this way, anything you're consistently looking for you can just put into a table or a graph or something like that and put it on a dashboard so you can easily view it as it happens. So we're going to add a chart here; we're going to add a table, and we're going to paste in this search, the SPL query that we already found, to find the event logs being cleared. So as you can see, this looks exactly like it did in our other search. All right, and we're going to select Apply and Close. We're going to give this a label, and we're not really going to customize this at all, but you could in the column formatting. You can add things; you can also remove things, too. So if we go up here and we actually edit our search, I'm going to show you how you can eliminate some of these columns if you didn't want them. So we can add a pipe, and then we're going to type "fields", a minus, and then we're going to type the actual field in here. So _bkt and _cd we're going to eliminate.

0:09:18.079 We'll select Apply and Close, and as you can see, those columns are no longer in here. So you can totally customize it however you want to see it. And then we're going to select Save to save this dashboard, save this table. Right, so that's saved. Now if you go back under Dashboards, so just clicking Dashboards from wherever you're at within the application, you'll see that your dashboard is in here. So we're going to actually click on our dashboard that we created, the Clear Logs one, and this is going to be the table that we created. If we do Actions and we select Set as Home Dashboard, that's going to be our primary dashboard. So this is just going to be on the Search & Reporting application. So having a dashboard like this is extremely useful. Again, you can look at very specific things that maybe you're constantly looking at, or things that you need to view at a quick glance, especially when you're dealing with executive-level or management-level leaders. This can be great because you can easily present information in an easy-to-read way that they like to see it, so they're not confused by all the nuances or smaller details of the application.

0:10:30.920 It's just extremely beneficial to be able to create dashboards and easy-to-read information. So then if I go somewhere else, so let's just click anything, we'll just click Data Inputs under the Settings, just so we can get onto a different screen. And then we're going to go back to Apps, and actually we'll click Splunk Enterprise to take us back to the homepage. There is Clear Logs right on that main page. So again, you can do whatever you want as far as the dashboard and what you have in there, what kind of tables and stuff, but that's just an example of what you can do with dashboards to quickly and easily display information. So one other website that's extremely useful is Ultimate IT Security. They have all the event IDs for Windows that you'll ever need, and then, for instance, we have 1102, "The audit log was cleared"; that's what we were just looking at. If we click on this, you can see it has even more details about specifically what it is.

0:11:28.760 So if you ever aren't sure what an event ID is, or you need something specific, this is a great resource to use. Question of the day: what are some important events or logs that we might want to monitor in Splunk? Let me know down in the comment section below. In this video, we walked through installing and configuring Splunk, which is one of the leading SIEM tools in log and data analysis. Remember, knowing a tool like Splunk is extremely helpful in your career and will make you more desirable to employers. As always, make sure to leave a like, comment, and subscribe, check out the description for more training and resources, and I'll see you next time.
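The search the video builds up by clicking host, source and EventCode, then trimming columns with a pipe, written out as one SPL pipeline you can paste into the dashboard table. This is an added example, not the video's own query; the index name `main`, the `WinEventLog:Security` source value and the `audit-clear` dashboard title are assumptions, so match them to your Data Inputs settings (the video also pinned `host=` to the local server, which you can add back with your own hostname).

```spl
index=main source="WinEventLog:Security" EventCode=1102
| fields - _bkt _cd
| table _time host source EventCode
| sort - _time
```

A second panel on the same dashboard can aggregate the same search with `| stats count by host | sort - count` so that one row per machine shows how often its Security log has been cleared.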