Are you looking to analyze all your logs and events in one location, or maybe you're just looking to learn about a SIEM tool like Splunk to prepare for a job in IT or cyber security? Well, look no further. In this video, we're going to walk through installing and configuring Splunk, which is one of the leaders in log and data analysis, on a Windows system. But first, welcome to the channel, or welcome back. My name is John Good, and on this channel we talk all about cyber security. If you enjoy the content, make sure to like the video, subscribe to the channel and hit the bell icon so you get notified for future content, and if you have any questions, leave them in the comment section below. Also make sure to check out the description for more training and resources. All right, let's do this. In IT, cyber security and even DevOps, one of the biggest issues that we have is monitoring our networks and being able to look at large amounts of data at once. If we have two computers, yeah, looking at the logs individually is going to be possible, but it's going to be annoying. If we have a thousand systems, it's basically impossible to do that and stay current with all the events that are taking place on those systems. Splunk is one of the leaders in helping us analyze large amounts of data in one central location, so it's a pretty good idea that you become familiar with how it works. We also refer to Splunk as a SIEM tool, which stands for security information and event management. At a high level, Splunk operates basically like a database with its own specific language called Search Processing Language, or SPL. The better that you can navigate SPL and Splunk itself, the more desirable you'll be to employers. There are even jobs that are dedicated to configuring and managing Splunk installations. And even if you had to use a similar product, you'll have a good idea of what's going on.
The goal in this video is to get a free Splunk installation running on a local system and then show you some of the basic features that you should know. After this video, you'll be able to learn additional capabilities of Splunk, or at least be able to talk about Splunk and how to use similar tools. Before we dive into the demo, I'm assuming that you already have a virtual machine or a system to install Splunk on. For this video, I'll be using a Windows Server 2022 virtual machine, since we typically install Splunk on a server, but the process is going to be the same on any Windows system. All right, let's begin. Okay, so the first thing that you have to do is go to the Splunk website, so splunk.com, because we need to download Splunk. So we're going to go to Products, we're going to go to Splunk Enterprise, all right, and then we're going to click Free Trial, and you'll have to create an account if you don't already have one in order to download Splunk. And once you log in, you need to go ahead and download Splunk and get the correct download depending on which operating system you're using, okay. Now that the download is done, go ahead and open that file and we're going to install Splunk, and we're going to use a lot of the defaults in this. But of course, if you were in the real world, you might customize some of these options. We're going to go ahead and check the box to accept the license agreement, and we're just going to hit Next, and these are the defaults that it's going to use. So it's going to run Splunk Enterprise as the Local System account, it's going to use this directory, and then it's going to create a Start Menu shortcut. So again, we're going to use the defaults and we'll hit Next. We're going to create a username and a password, and then we'll hit Next and we'll hit Install. So that username and password is really important because that's what you're going to use to actually log into Splunk.
Okay, so we've successfully installed Splunk Enterprise, and we're going to leave this "Launch browser with Splunk Enterprise" checked, and we'll hit Finish and we'll open it with our web browser. Okay, do you remember when we were originally installing and configuring Splunk and we had to create a username and password? That's what we need to enter here so we can log in. We've now successfully installed Splunk, and we've logged in. Now we need to set up our logs actually being ingested into the tool. So we're going to go to Settings and then Data Inputs. For this video, we're only going to deal with local events. We're not going to deal with remote systems, so we're going to go under Local Event Log Collection. We're going to select Edit. Now we need to select the logs that we want to actually ingest into the tool. So I'm going to keep it really simple and just do Application, Security and System. Those are kind of the foundational logs. We'll scroll down and we'll select Save, okay, and the status should be Enabled because that's going to ingest those logs. And we'll go back to Apps and Search & Reporting. All right, in the search bar here, we're going to put in an asterisk, or a star, and we're going to hit Return to search for all the events that it knows about. As you can see, it's starting to get events from our local system. Again, in this video, we're just dealing with the local system, not remote systems. So this would be a very basic kind of search. We can do all kinds of different basic searches in here. We can also get a little bit more advanced with filters and different queries and parameters and things like that. For this, what I'm going to do is I'm actually going to open up our Event Viewer. So I've gone to the Windows menu, and I'm going to open up Event Viewer, and I'm going to go under Windows Logs and Security. I'm going to right-click this, and I'm going to select Clear Log, and I'm going to select Clear.
So it's going to clear the Security log, and I'll show you why I'm doing this here in a second. So if we go back into our Splunk system here, we're going to actually narrow this down a little bit, and I'm going to show you how you can do this. So all of these parameters and fields, if I select one, so for instance the host, I'm going to left-click on this and I'm going to do Add to Search. That's going to add it in this search bar, and we're going to slowly narrow this search down. And then the next one I'm going to do is source, so we want it from the Security logs, and then the event code I want to also add in here. So I'm going to add this to our search, and this did not add the full thing here, but that's okay. We're going to add an equal sign, and then 1102 is the event that we want to find, and we'll hit Return, and that's how you can narrow down the searches. So we've only got this one particular event, which was the audit log being cleared. That's what we just did. Great. So that's an example of how you can search in Splunk for specific things. Now I'm going to copy this because we'll need it later, and then I'm actually going to select Create Table View. We'll skip the tour because, again, I don't care about that, and this will actually put this into a table, and then on the left here you can select or deselect different types of logs. So I'm going to actually unselect raw, so it's not going to give us all that information, and I'm going to hit Done, okay. And as you can see, that gave us a table with the fields that we've selected. I hope you're enjoying the content so far. If you are, make sure to leave a like, comment and subscribe, and also check out the description for more training and resources, all right.
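The Splunk search above narrows to event ID 1102 on one host. As an added example that is not from the video, this PowerShell script reads the same event straight from the local Security log, which is a handy check that the event actually exists on the host before troubleshooting the Splunk input; the lookback window and the Splunk source name `WinEventLog:Security` in the comment are assumptions, and reading the Security log requires an elevated prompt.

```powershell
# Added example, not part of the video. Lists Security-log clears (event ID 1102)
# on the local host, the same event the Splunk search narrows to, roughly:
#   host=<yourhost> source="WinEventLog:Security" EventCode=1102
# Run from an elevated (Administrator) PowerShell prompt.
$HoursBack = 24   # assumed lookback window; adjust as needed

$filter = @{
    LogName   = 'Security'
    Id        = 1102
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

# Get-WinEvent throws when nothing matches, so suppress that and test for $null.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No event 1102 in the last $HoursBack hours on $env:COMPUTERNAME"
    return
}

# Event 1102 records who cleared the log under UserData/LogFileCleared in the
# event XML rather than in EventData like most security events, so pull the
# subject account from the XML. The columns mirror the table view in the video.
$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $who = $xml.Event.UserData.LogFileCleared
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Host        = $_.MachineName
        EventCode   = $_.Id
        Account     = "$($who.SubjectDomainName)\$($who.SubjectUserName)"
        LogonId     = $who.SubjectLogonId
    }
} | Format-Table -AutoSize
```

If this shows the 1102 event but the Splunk search does not, the problem is in the data input (disabled input, wrong log selected, or the host/source values in the search), not in Windows auditing.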
Let's get back to the content. Now I'm going to go to Dashboards, and again I'm going to skip the tour, and I'm going to select Create New Dashboard, and we're just going to label this "clear logs", and we're going to create this with the Dashboard Studio, and we're going to do Grid and select Create. All right, so now we can create a dashboard. Dashboards are huge for analyzing data because we can quickly display certain things, and especially in areas like security or IT or any kind of data analytics, you're probably looking for relatively specific things. This way, anything you're consistently looking for you can just put into a table or a graph or something like that and put it on a dashboard, so you can easily view it as it happens. So we're going to add a chart here, we're going to add a table, and we're going to paste in this SPL search, that query that we already found to find the event logs being cleared. So as you can see, this looks exactly like it did in our other search, all right. And we're going to select Apply and Close, we're going to give this a label, and we're not really going to customize this at all, but you could in the column formatting. You can add things, and you can also remove things, too. So if we go up here and we actually edit our search, I'm going to show you how you can eliminate some of these columns if you didn't want them. So we can add a pipe, and then we're going to type fields, a minus, and then we're going to type the actual field in here. So bkt and cd we're going to eliminate. We'll select Apply and Close, and as you can see, those columns are no longer in here. So you can totally customize it however you want to see it, and then we're going to select Save to save this dashboard, save this table, right. So that's saved now. If you go back under Dashboards, so just clicking Dashboards from wherever you're at within the application, you'll see that your dashboard is in here. So we're going to actually click on our dashboard that we created.
So the "clear logs" one, and this is going to be the table that we created. If we do Actions and we select Set as Home Dashboard, that's going to be our primary dashboard. So this is just going to be on the Search & Reporting application. So having a dashboard like this is extremely useful. Again, you can look at very specific things that maybe you're constantly looking at, or things that you need to view at a quick glance, especially when you're dealing with executive-level or management-level leaders. This can be great because you can easily present information in an easy-to-read way that they like to see it, so they're not confused by all the nuances or smaller details of the application. It's just extremely beneficial to be able to create dashboards and easy-to-read information. So then if I go somewhere else, so let's just click anything. We'll just click Data Inputs under Settings, just so we can get onto a different screen, and then we're going to go back to Apps, and actually we'll click Splunk Enterprise to take us back to the homepage. There is "clear logs" right on that main page. So again, you can do whatever you want as far as the dashboard and what you have in there, what kind of tables and stuff, but that's just an example of what you can do with dashboards to quickly and easily display information. So one other website that's extremely useful is Ultimate IT Security. They have all the event IDs for Windows that you'll ever need, and then, for instance, we have 1102, the audit log was cleared, which is what we were just looking at. If we click on this, you can see it has even more details about specifically what it is.
So if you ever aren't sure what an event ID is, or you need something specific, this is a great resource to use. Question of the day: what are some important events or logs that we might want to monitor in Splunk? Let me know down in the comment section below. In this video, we walked through installing and configuring Splunk, which is one of the leading SIEM tools in log and data analysis. Remember, knowing a tool like Splunk is extremely helpful in your career and will make you more desirable to employers. As always, make sure to leave a like, comment and subscribe, check out the description for more training resources, and I'll see you next time.