Are you looking to analyze all your logs and events in one location, or maybe you're just looking to learn about a SIEM tool like Splunk to prepare for a job in IT or cyber security? Well, look no further. In this video, we're going to walk through installing and configuring Splunk, which is one of the leaders in log and data analysis, on a Windows system. But first, welcome to the channel, or welcome back. My name is John Good, and on this channel we talk all about cyber security. If you enjoy the content, make sure to like the video, subscribe to the channel and hit the bell icon so you get notified for future content, and if you have any questions, leave them in the comment section below. Also make sure to check out the description for more training and resources. All right, let's do this. In IT, cyber security and even DevOps, one of the biggest issues that we have is monitoring our networks and being able to look at large amounts of data at once. If we have two computers, yeah, looking at the logs individually is going to be possible, but it's going to be annoying. If we have a thousand systems, it's basically impossible to do that and stay current with all the events that are taking place on those systems.

Splunk is one of the leaders in helping us analyze large amounts of data in one central location, so it's a pretty good idea that you become familiar with how it works. We also refer to Splunk as a SIEM tool, which stands for security information and event management. At a high level, Splunk operates basically like a database with its own specific language called Search Processing Language, or SPL. The better that you can navigate SPL and Splunk itself, the more desirable you'll be to employers. There are even jobs that are dedicated to configuring and managing Splunk installations. And even if you had to use a similar product, you'll have a good idea of what's going on. The goal in this video is to get a free Splunk installation running on a local system, and then show you some of the basic features that you should know. After this video, you'll be able to learn additional capabilities of Splunk, or at least be able to talk about Splunk and how to use similar tools.

Before we dive into the demo, I'm assuming that you already have a virtual machine or a system to install Splunk on. For this video, I'll be using a Windows Server 2022 virtual machine, since we typically install Splunk on a server, but the process is going to be the same on any Windows system. All right, let's begin. Okay, so the first thing that you have to do is go to the Splunk website, splunk.com, because we need to download Splunk. So we're going to go to Products, we're going to go to Splunk Enterprise, and then we're going to click Free Trial, and you'll have to create an account if you don't already have one in order to download Splunk. Once you log in, you need to go ahead and download Splunk, and get the correct download depending on which operating system you're using. Now that the download is done, go ahead and open that file and we're going to install Splunk. We're going to use a lot of the defaults in this, but of course, if you were in the real world, you might customize some of these options.

We're going to go ahead and check the box to accept the license agreement, and we're just going to hit Next. These are the defaults that it's going to use: it's going to run Splunk Enterprise as the Local System account, it's going to use this directory, and then it's going to create a Start menu shortcut. So again, we're going to use the defaults; we'll hit Next. We're going to create a username and a password, and then we'll hit Next and we'll hit Install. That username and password is really important because that's what you're going to use to actually log into Splunk. Okay, so we've successfully installed Splunk Enterprise. We're going to leave "Launch browser with Splunk Enterprise" checked, we'll hit Finish, and we'll open it with our web browser. Do you remember when we were originally installing and configuring Splunk, and we had to create a username and password? That's what we need to enter here so we can log in. We've now successfully installed Splunk, and we've logged in.

Now we need to set up our logs actually being ingested into the tool. So we're going to go to Settings and then Data Inputs. For this video, we're only going to deal with local events; we're not going to deal with remote systems. So we're going to go under Local Event Log Collection and select Edit. Now we need to select the logs that we want to actually ingest into the tool. I'm going to keep it really simple and just do Application, Security and System. Those are kind of the foundational logs. We'll scroll down and select Save, and the status should be Enabled, because that's going to ingest those logs. And we'll go back to Apps and Search & Reporting. In the search bar here, we're going to put in an asterisk, or a star, and hit return to search for all the events that it knows about. As you can see, it's starting to get events from our local system. Again, in this video we're just dealing with the local system, not remote systems. So this would be a very basic kind of search. We can do all kinds of different basic searches in here.

We can also get a little bit more advanced with filters and different queries and parameters and things like that. For this, what I'm going to do is actually open up our Event Viewer. So I've gone to the Windows menu, and I'm going to open up Event Viewer, and I'm going to go under Windows Logs and Security. I'm going to right-click this, and I'm going to select Clear Log, and I'm going to select Clear. So it's going to clear the Security log, and I'll show you why I'm doing this here in a second. So if we go back into our Splunk system, we're going to actually narrow this down a little bit, and I'm going to show you how you can do this. So all of these parameters and fields: if I select one, so for instance the host, I'm going to left-click on this and I'm going to do Add to Search. That's going to add it in this search bar, and we're going to slowly narrow this search down. The next one I'm going to do is source, so we want it from the Security logs, and then the event code I want to also add in here.

So I'm going to add this to our search, and this did not add the full thing here, but that's okay. We're going to add an equals sign, and then we want 1102, which is the event that we want to find, and we'll hit return. That's how you can narrow down the searches. So we've only got this one particular event, which was the audit log being cleared. That's what we just did. Great. So that's an example of how you can search in Splunk for specific things. Now I'm going to copy this because we'll need it later, and then I'm actually going to select Create Table View. We'll skip the tour because, again, I don't care about that, and this will actually put this into a table. Then on the left here, you can select or deselect different types of logs. So I'm going to actually unselect raw, so it's not going to give us all that information, and I'm going to hit Done. Okay, and as you can see, that gave us a table with the fields that we've selected. I hope you're enjoying the content so far.

If you are, make sure to leave a like, comment and subscribe. Also check out the description for more training and resources. All right, let's get back to the content. Now I'm going to go to Dashboards, and again I'm going to skip the tour, and I'm going to select Create New Dashboard. We're just going to label this "clear logs", and we're going to create this with the Dashboard Studio, and we're going to do Grid, and select Create. All right, so now we can create a dashboard. Dashboards are huge for analyzing data because we can quickly display certain things, and especially in areas like security or IT or any kind of data analytics, you're probably looking for relatively specific things. This way, anything you're consistently looking for, you can just put into a table or a graph or something like that and put it on a dashboard so you can easily view it as it happens.

So we're going to add a chart here; we're going to add a table, and we're going to paste in this search, with SPL, that query that we already found to find the event logs being cleared. As you can see, this looks exactly like it did in our other search. And we're going to select Apply and Close. We're going to give this a label, and we're not really going to customize this at all, but you could in the column formatting. You can add things; you can also remove things too. So if we go up here and we actually edit our search, I'm going to show you how you can eliminate some of these columns if you didn't want them. So we can add a pipe, and then we're going to type fields, a minus, and then we're going to type the actual field in here. So _bkt and _cd we're going to eliminate. We'll select Apply and Close, and as you can see, those columns are no longer in here. So you can totally customize it however you want to see it, and then we're going to select Save to save this dashboard, save this table. Right.

So that's saved. Now if you go back under Dashboards, so just clicking Dashboards from wherever you're at within the application, you'll see that your dashboard is in here. So we're going to actually click on our dashboard that we created, so the "clear logs", and this is going to be the table that we created. If we do Actions and we select Set as Home Dashboard, that's going to be our primary dashboard. So this is just going to be on the Search & Reporting application. So having a dashboard like this is extremely useful. Again, you can look at very specific things that maybe you're constantly looking at, or things that you need to view at a quick glance, especially when you're dealing with executive-level or management-level leaders. This can be great because you can easily present information in an easy-to-read way that they like to see it, so they're not confused by all the nuances or smaller details of the application. It's just extremely beneficial to be able to create dashboards and easy-to-read information. So then if I go somewhere else, so let's just click anything.

We'll just click Data Inputs under Settings, just so we can get onto a different screen, and then we're going to go back to Apps, and actually we'll click Splunk Enterprise to take us back to the homepage. There is "clear logs" right on that main page. So again, you can do whatever you want as far as the dashboard and what you have in there, what kind of tables and stuff, but that's just an example of what you can do with dashboards to quickly and easily display information. So one other website that's extremely useful is Ultimate IT Security. They have all the event IDs for Windows that you'll ever need, and then for instance we have 1102, "The audit log was cleared"; that's what we were just looking at. If we click on this, you can see it has even more details about specifically what it is.

So if you ever aren't sure what an event ID is, or you need something specific, this is a great resource to use. Question of the day: what are some important events or logs that we might want to monitor in Splunk? Let me know down in the comment section below. In this video, we walked through installing and configuring Splunk, which is one of the leading SIEM tools in log and data analysis. Remember, knowing a tool like Splunk is extremely helpful in your career and will make you more desirable to employers. As always, make sure to leave a like, comment and subscribe, check out the description for more training and resources, and I'll see you next time.