Splunk Tutorial for Beginners (Cyber Security Tools)

Edit subtitles

0:00 - 0:01

Are you looking to analyze all your logs
0:01 - 0:03

and events in one location, or maybe
0:03 - 0:05

you're just looking to learn about a Sim
0:05 - 0:07

tool like Splunk to prepare for a job in
0:07 - 0:10

it or cyber security? Well, look no
0:10 - 0:11

further. In this video, we're going to
0:11 - 0:13

walk through installing and configuring
0:13 - 0:15

Splunk which is one of the leaders in
0:15 - 0:17

log and data analysis on a Windows
0:17 - 0:19

system. But first, welcome to the channel
0:19 - 0:22

or welcome back. My name is John Good and
0:22 - 0:23

on this channel. We talk all about cyber
0:23 - 0:25

security. If you enjoy the content, make
0:25 - 0:27

sure to like the video, subscribe to the
0:27 - 0:29

channel and hit the Bell icon. So you get
0:29 - 0:31

notified for future content, and if you
0:31 - 0:33

have any questions leave them in the
0:33 - 0:34

comment section below. Also make sure to
0:34 - 0:36

check out the description for more
0:36 - 0:38

training and resources. All right, let's
0:38 - 0:41

do this. In IT cyber security and even
0:41 - 0:43

devops, one of the biggest issues that we
0:43 - 0:45

have is monitoring our networks and
0:45 - 0:46

being able to look at large amounts of
0:46 - 0:49

data at once. If we have two computers
0:49 - 0:50

yeah looking at the logs individually is
0:50 - 0:52

going to be possible, but it's going to
0:52 - 0:54

be annoying if we have a th systems. It's
0:54 - 0:57

basically impossible to do that and stay
0:57 - 0:58

current with all the events that are
0:58 - 1:00

taking place on those systems. Splunk is
1:00 - 1:02

one of the leaders and helping us
1:02 - 1:04

analyze large amounts of data in one
1:04 - 1:06

central location. So it's a pretty good
1:06 - 1:07

idea that you become familiar with how
1:07 - 1:09

it works. We also refer to Splunk as a
1:09 - 1:11

Sim tool which stands for security
1:11 - 1:13

information and event management. At a
1:13 - 1:15

high level, Splunk operates basically
1:15 - 1:17

like a database with its own specific
1:17 - 1:19

language called search processing
1:19 - 1:21

language or SPL. The better that you can
1:21 - 1:24

navigate SPL and Splunk itself the more
1:24 - 1:26

desirable that you'll be to employers.
1:26 - 1:27

There are even jobs that are dedicated
1:27 - 1:29

to configuring and managing Splunk
1:29 - 1:31

installations. And even if you had to use
1:31 - 1:33

a similar product, you'll have a good
1:33 - 1:35

idea of what's going on. The goal in this
1:35 - 1:36

video is to get a free Splunk
1:36 - 1:38

installation running on a local system,
1:38 - 1:40

and then show you some of the basic
1:40 - 1:42

features that you should know after this
1:42 - 1:43

video. You'll be able to learn additional
1:43 - 1:45

capabilities of Splunk or at least be
1:45 - 1:47

able to talk about Splunk and how to use
1:47 - 1:49

similar tools. Before we dive into the
1:49 - 1:51

demo, I'm assuming that you already have
1:51 - 1:53

a virtual machine or a system to install
1:53 - 1:55

Splunk on for this video. I'll be using a
1:55 - 1:58

Windows Server 2022 virtual machine,
1:58 - 1:59

since we typically install Splunk on a
1:59 - 2:01

server. But the process is going to be
2:01 - 2:03

the same on any Windows system, all right.
2:03 - 2:05

Let's begin. Okay, so the first thing that
2:05 - 2:07

you have to do is you have to go to the
2:07 - 2:09

Splunk website. So splunk.com because we
2:09 - 2:12

need to download Splunk. So we're going
2:12 - 2:14

to go to products, we're going to go to
2:14 - 2:16

Splunk
2:16 - 2:18

Enterprise, all right, and then we're
2:18 - 2:21

going to click free
2:22 - 2:24

trial, and you'll have to create an
2:24 - 2:26

account if you don't already have one in
2:26 - 2:28

order to download Splunk. And once you
2:28 - 2:31

log in you need to go ahead and download
2:31 - 2:33

Splunk, and get the correct download
2:33 - 2:35

depending on which operating system that
2:35 - 2:37

you're using, okay. Now, that download is
2:37 - 2:39

done go ahead and open that file and
2:39 - 2:40

we're going to install Splunk and we're
2:40 - 2:42

going to use a lot of the defaults in
2:42 - 2:44

this. But of course, if you were in the
2:44 - 2:45

real world, you might customize some of
2:45 - 2:47

these options. We're going to go ahead,
2:47 - 2:49

and check the box to accept the license
2:49 - 2:51

agreements and we're just going to hit
2:51 - 2:53

next and these are the defaults that
2:53 - 2:54

it's going to use. So it's going to run
2:54 - 2:56

Splunk Enterprise as a local system
2:56 - 2:58

account. It's going to use this directory,
2:58 - 3:00

and then it's going to create a start
3:00 - 3:01

menu new shortcut. So again, we're going
3:01 - 3:04

to use a defaults we'll hit
3:04 - 3:06

next. We're going to create a username
3:06 - 3:08

and a
3:09 - 3:11

password and then we'll hit
3:11 - 3:14

next and we'll hit
3:14 - 3:16

install. So that username and password is
3:16 - 3:17

really important because that's what
3:17 - 3:21

you're going to use to actually log into
3:25 - 3:27

Splunk. Okay, so we've successfully
3:27 - 3:29

installed Splunk Enterprise and we're
3:29 - 3:31

going to leave this launch browser with
3:31 - 3:34

Splunk Enterprise checked and we'll hit
3:34 - 3:38

finish and we'll open it with our web
3:38 - 3:40

browser okay. Do you remember when we
3:40 - 3:42

originally installing and configuring
3:42 - 3:44

the installation for Splunk, and we had
3:44 - 3:45

to create a username and password. That's
3:45 - 3:47

what we need to enter here. So we can log
3:47 - 3:49

in. We've now successfully installed
3:49 - 3:51

Splunk, and we've logged in. Now, we need
3:51 - 3:53

to set up our logs actually being
3:53 - 3:55

adjusted into the tool. So we're going to
3:55 - 3:58

go to settings and then data inputs. For
3:58 - 4:00

this video, we're only going to deal with
4:00 - 4:01

local events. We're not going to deal
4:01 - 4:03

with remote systems, so we're going to go
4:03 - 4:06

under local event log collection. We're
4:06 - 4:07

going to select
4:07 - 4:10

edit. Now, we need to select the logs that
4:10 - 4:12

we want to actually injust into the tool.
4:12 - 4:14

So I'm going to keep it really simple,
4:14 - 4:16

and just do application security and
4:16 - 4:18

system. Those are kind of the
4:18 - 4:20

foundational logs. We'll scroll down and
4:20 - 4:22

we'll select
4:22 - 4:24

save okay, and the status should be
4:24 - 4:26

enabled because that's going to ingest
4:26 - 4:30

those logs. And we'll go back to apps in
4:30 - 4:32

Search and Reporting all right in the
4:32 - 4:34

search bar here. We're going to put in an
4:34 - 4:36

asterisk or a star and we're going to
4:36 - 4:38

hit return to search for all the events
4:38 - 4:40

that it knows about. As you can see, it's
4:40 - 4:43

starting to get events from our local
4:43 - 4:44

system again. In this video, we're just
4:44 - 4:47

dealing with the local system not remote
4:47 - 4:49

systems. So this would be a very basic
4:49 - 4:52

kind of search. We can do all kinds of
4:52 - 4:54

different basic searches in here. We can
4:54 - 4:56

also get a little bit more advanced with
4:56 - 4:59

filters and different queries and
4:59 - 5:01

parameters and things like that for this
5:01 - 5:03

what I'm going to do is I'm actually
5:03 - 5:07

going to open up our Event
5:07 - 5:09

Viewer. So I've gone to the windows menu,
5:09 - 5:12

and I'm going to open up Event
5:13 - 5:15

Viewer, and I'm going to go under Windows
5:15 - 5:16

logs and
5:16 - 5:19

security. I'm going to rightclick this,
5:19 - 5:22

and I'm going to select clear
5:22 - 5:25

log, and I'm going to select clear. So
5:25 - 5:27

it's going to clear the security log and
5:27 - 5:28

I'll show you why I'm doing this here in
5:28 - 5:32

a second. So if if we go back into our
5:32 - 5:34

system here in our Splunk
5:34 - 5:36

system, we're going to actually narrow
5:36 - 5:37

this down a little bit and I'm going to
5:37 - 5:40

show you how you can do this. So all of
5:40 - 5:43

these parameters and fields if I select
5:43 - 5:45

one. So for instance the host, I'm going
5:45 - 5:48

to left click on this and I'm going to
5:48 - 5:49

do add to
5:49 - 5:51

search, that's going to add it in this
5:51 - 5:55

search bar and we're going to slowly
5:55 - 5:57

narrow this search down. And then the
5:57 - 5:59

next one I'm going to do is source. So we
5:59 - 6:02

want it from from the security
6:02 - 6:04

logs, and then the event code I want to
6:04 - 6:06

also add in here. So I'm going to add
6:06 - 6:08

this to our
6:08 - 6:11

search, and this did not add the full
6:11 - 6:13

thing here but that's okay. We're going
6:13 - 6:16

to add equal sign and then we want 112
6:16 - 6:20

is the event that we want to
6:20 - 6:23

find, and we'll hit
6:23 - 6:25

return and that's how you can narrow
6:25 - 6:28

down the searches. So we've only got this
6:28 - 6:31

one particular event,
6:31 - 6:34

which this event was the audit log being
6:34 - 6:37

cleared. That's what we just
6:37 - 6:39

did great. So that's an example of how
6:39 - 6:42

you can search in Splunk for specific
6:42 - 6:45

things now. I'm going to copy this
6:45 - 6:47

because we'll need it
6:47 - 6:49

later, and then I'm actually going to
6:49 - 6:52

select create table
6:52 - 6:54

view. We'll skip the tour because again, I
6:54 - 6:56

don't care about that and this will
6:56 - 6:58

actually put this into a
6:58 - 7:01

table and, and then on the left here, you
7:01 - 7:03

can select or deselect different types
7:03 - 7:05

of logs. So I'm going to actually
7:05 - 7:07

unselect raw. So it's not going to give
7:07 - 7:09

us all that information and I'm going to
7:09 - 7:11

hit
7:11 - 7:14

done okay. And as you can see that gave
7:14 - 7:16

us a table with the fields that we've
7:16 - 7:18

selected. I hope you're enjoying the
7:18 - 7:19

content so far. If you are, make sure to
7:19 - 7:22

leave a like comment and subscribe also
7:22 - 7:23

check out the description for more
7:23 - 7:25

training and resources, all right. Let's
7:25 - 7:26

get back to the content now, I'm going to
7:26 - 7:28

go to
7:28 - 7:30

dashboards and again I'm going to skip
7:30 - 7:31

the
7:31 - 7:35

tour and I'm going to select create new
7:35 - 7:37

dashboard and we're just going to label
7:37 - 7:39

this clear
7:39 - 7:42

logs and we're going to create this with
7:42 - 7:44

the dashboard
7:44 - 7:47

studio and we're going to do
7:47 - 7:50

grid select
7:52 - 7:54

create. All right, so now we can create a
7:54 - 7:57

dashboard. Dashboards are huge for
7:57 - 7:58

analyzing data because we can quickly
7:58 - 8:01

display C. Certain things and especially
8:01 - 8:04

in areas like security or it or any kind
8:04 - 8:06

of data analytics, you're probably
8:06 - 8:08

looking for relatively specific things
8:08 - 8:10

and this way anything you're
8:10 - 8:11

consistently looking for, you can just
8:11 - 8:13

put into a table or a graph or something
8:13 - 8:15

like that and put it on a dashboard so
8:15 - 8:18

you can easily view it as it happens. So
8:18 - 8:20

we're going to add a chart here, we're
8:20 - 8:22

going to add a
8:22 - 8:24

table and we're going to paste in this
8:24 - 8:26

search with SPL that query that we
8:26 - 8:28

already found to find the event logs
8:28 - 8:31

being cleared. So as you can see this
8:31 - 8:34

looks exactly like it did in our other
8:34 - 8:36

search, all right. And we're going to
8:36 - 8:38

select apply and
8:38 - 8:41

close, we're going to give this a
8:41 - 8:43

label and we're not really going to
8:43 - 8:45

customize this at all, but you could in
8:45 - 8:48

the column formatting. You can add things.
8:48 - 8:50

You can also remove things,
8:50 - 8:53

too. So if we go up here and we actually
8:53 - 8:55

edit our
8:55 - 8:57

search. I'm going to show you how, you can
8:57 - 8:58

eliminate some of these columns if you
8:58 - 9:01

didn't want them. So we can add a
9:01 - 9:04

pipe and then we're going to type
9:04 - 9:06

Fields a
9:06 - 9:08

minus and then we're going to type the
9:08 - 9:10

actual field in
9:10 - 9:12

here. So
9:12 - 9:15

bkt and CD we're going to
9:15 - 9:18

eliminate. We'll select apply and
9:18 - 9:21

close and as you can see those columns
9:21 - 9:23

are no longer in here. So you can totally
9:23 - 9:26

customize it however you want to see
9:26 - 9:28

it, and then we're going to select save
9:28 - 9:31

to save this dashboard, save this
9:31 - 9:33

table right. So that's saved now if you
9:33 - 9:35

go back under dashboards. So just
9:35 - 9:37

clicking dashboards from wherever you're
9:37 - 9:39

at within the application, you'll see
9:39 - 9:41

that your dashboard is in here. So we're
9:41 - 9:43

going to actually click on our dashboard
9:43 - 9:45

that we created. So the clear
9:45 - 9:47

logs and this is going to be the table
9:47 - 9:49

that we
9:49 - 9:52

created. If we do actions and we select
9:52 - 9:55

set as home dashboard, that's going to be
9:55 - 9:57

our primary
9:57 - 9:59

dashboard. So this is just going to be on
9:59 - 10:01

the the search and Reporting application.
10:01 - 10:03

So having a dashboard like this is
10:03 - 10:05

extremely useful again, you can look at
10:05 - 10:07

very specific things that maybe you're
10:07 - 10:09

constantly looking at or things that you
10:09 - 10:12

need to view at a quick glance
10:12 - 10:14

especially when you're dealing with
10:14 - 10:16

executive level or management level
10:16 - 10:18

leaders. This can be great because you
10:18 - 10:21

can easily present information in an
10:21 - 10:23

easy to read way that they like to see
10:23 - 10:25

it. So they're not confused by all the
10:25 - 10:29

nuances or smaller details of the
10:29 - 10:31

application. It's just extremely
10:31 - 10:33

beneficial to be able to create
10:33 - 10:36

dashboards and easy to read
10:36 - 10:38

information. So then if I go somewhere
10:38 - 10:40

else. So let's just click anything. We'll
10:40 - 10:42

just click data inputs under the
10:42 - 10:43

settings, just so we can get onto a
10:43 - 10:45

different
10:45 - 10:47

screen and then we're going to go back
10:47 - 10:48

to
10:48 - 10:50

apps and actually we'll click Splunk
10:50 - 10:54

Enterprise to take us back to the
10:54 - 10:57

homepage. There is clear logs right on
10:57 - 10:59

that main page. So again you can do
10:59 - 11:00

whatever you want as far as the
11:00 - 11:02

dashboard, and what you have in there
11:02 - 11:04

what kind of tables and stuff but that's
11:04 - 11:06

just an example of what you can do with
11:06 - 11:09

dashboards to quickly and easily display
11:09 - 11:11

information. So one other website that's
11:11 - 11:13

extremely useful is this ultimate IT
11:13 - 11:15

security. They have all the event IDs for
11:15 - 11:18

Windows that you'll ever need and then
11:18 - 11:20

for instance we have 1102 the audit log
11:20 - 11:21

was cleared that's what we were just
11:21 - 11:24

looking at. If we click on
11:24 - 11:26

this, you can see it has even more
11:26 - 11:29

details about specifically what it is. So
11:29 - 11:31

if you ever aren't sure what an event ID
11:31 - 11:33

is or you need something specific, this
11:33 - 11:36

is a great resource to use question of
11:36 - 11:38

the day what are some important events
11:38 - 11:40

or logs that we might want to monitor in
11:40 - 11:42

Splunk, let me know down in the comment
11:42 - 11:44

section below in this video we walk
11:44 - 11:45

through installing and configuring
11:45 - 11:47

Splunk which is one of the leading Sim
11:47 - 11:49

Tools in login data analysis. Remember
11:49 - 11:51

knowing a tool like Splunk is extremely
11:51 - 11:53

helpful in your career and will make you
11:53 - 11:56

more desirable by employers. As always,
11:56 - 11:57

make sure to leave a like comment and
11:57 - 11:59

subscribe check out the description for
11:59 - 12:01

more training resources, and I'll see you
12:01 - 12:04

next time.
12:04 - 12:23

[Music]

Title:: Splunk Tutorial for Beginners (Cyber Security Tools)
Description:: more » « less
Video Language:: English
Duration:: 12:22

	OEVIDEOS edited English subtitles for Splunk Tutorial for Beginners (Cyber Security Tools)
	OEVIDEOS edited English subtitles for Splunk Tutorial for Beginners (Cyber Security Tools)

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Splunk Tutorial for Beginners (Cyber Security Tools)

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)