The first step is to install Splunk on Ubuntu.
You will have to register with the website to obtain the download files. The download comes with a temporary enterprise license; after that license expires it falls back to the free 500 Mb per day license, which lacks some of the enterprise functionality. This free license is still useful for monitoring logs on systems that do not require more than 500 Mb per day of data processing.
http://www.splunk.com/download/?ac=ga0508_s_splunk&_kk=download%20splunk&_kt=0d0ee68f-00b5-441f-966d-e7b6c9228ad1&gclid=CLT9oK6jnLECFQ5Thwod-HNhfw
I installed and utilized the following version on my 32-bit system:
splunk-4.3.3-128297-linux-2.6-intel.deb
Once Splunk is installed you will need to start the service with the following command:
sudo /opt/splunk/bin/splunk start
You can also stop and restart the service with the same binary:
sudo /opt/splunk/bin/splunk [start | restart | stop]
Go to the following location to access the web interface:
The web interface will provide a logon screen with the following default login credentials:
Login = admin
Password = changeme
Once you enter the above information, you will be given the chance to change the default password.
Once this is all done you will be taken to the following screen -
Click on App -> *nix
This app provides most of the capabilities necessary to manage your host system -
I have been utilizing the Log Files functionality to manage my audit logs, snort logs, and pretty much all of my logs in "/var/log/*"
As you can see below - rkhunter, audit.log, and I am also monitoring my router's logs -
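The steps above (start the service, replace the default admin/changeme credentials, and point Splunk at /var/log and the audit log) can be scripted so a fresh install never sits with the default password. The script below is an added example, not code from the original post or from Splunk; it assumes the .deb installed Splunk under /opt/splunk and that the 4.x CLI subcommands "edit user", "add monitor" and "list monitor" are available. Setting DRY_RUN=1 prints the commands instead of running them, so the logic can be exercised on a machine without Splunk.

```shell
#!/bin/sh
# Added example: post-install script for a Splunk .deb on Ubuntu.
# Assumptions: Splunk lives in /opt/splunk, the script runs as root (sudo),
# and the Splunk 4.x CLI is used. Set DRY_RUN=1 to print commands only.

SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"
DRY_RUN="${DRY_RUN:-0}"

# run_splunk: execute a Splunk CLI command, or print it in dry-run mode.
run_splunk() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$SPLUNK_BIN" "$*"
        return 0
    fi
    "$SPLUNK_BIN" "$@"
}

# splunk_service: accept only start|stop|restart and reject anything else.
# --accept-license is passed on start so the first boot does not block on a prompt.
splunk_service() {
    case "$1" in
        start)        run_splunk start --accept-license ;;
        stop|restart) run_splunk "$1" ;;
        *) printf 'usage: splunk_service start|stop|restart\n' >&2; return 1 ;;
    esac
}

# change_admin_password NEWPASS [OLDPASS]: replace the default admin credential.
# Refuses an empty password or "changeme", which is the shipped default.
change_admin_password() {
    new="$1"; old="${2:-changeme}"
    if [ -z "$new" ] || [ "$new" = "changeme" ]; then
        printf 'refusing to keep the default password\n' >&2
        return 1
    fi
    run_splunk edit user admin -password "$new" -auth "admin:$old"
}

# monitor_logs AUTH PATH...: register each path (file or directory) as a
# monitored input in the main index. AUTH is user:password for the CLI.
monitor_logs() {
    auth="$1"; shift
    for p in "$@"; do
        if [ ! -e "$p" ] && [ "$DRY_RUN" != "1" ]; then
            printf 'skipping missing path %s\n' "$p" >&2
            continue
        fi
        run_splunk add monitor "$p" -index main -auth "$auth" || return 1
    done
}

# Stand-alone usage (as root, after dpkg -i of the .deb):
#   NEW_ADMIN_PASS='choose-a-strong-one' sh splunk-postinstall.sh
# Nothing runs unless NEW_ADMIN_PASS is set, so sourcing the file is harmless.
if [ -n "${NEW_ADMIN_PASS:-}" ]; then
    splunk_service start &&
    change_admin_password "$NEW_ADMIN_PASS" &&
    monitor_logs "admin:$NEW_ADMIN_PASS" /var/log /var/log/audit/audit.log &&
    run_splunk list monitor -auth "admin:$NEW_ADMIN_PASS"
fi
```

The final "list monitor" call is the check worth keeping: it shows which paths Splunk actually registered, so a typo in a path or a permission problem on /var/log/audit shows up immediately rather than as a silently empty dashboard.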
The best part of Splunk is that the application does not care what type of data it indexes; you can index pretty much any type of data.
The dashboard and search command interface are huge benefits that Splunk provides.
You can type search commands directly into the search bar, and for any object you select in the web interface Splunk automatically builds the corresponding search string, which you can save for future use or reference.
I've barely scratched the surface of Splunk's capabilities and usefulness, and I will post in future blogs my Snort dashboard and some of the great reports it provides through the pre-built *nix and advanced searches.
I have spent many years importing the data into MySQL and writing programs (C, C++, Perl, Python, etc.) to parse these logs and import the results into Excel for these types of reports, and I really appreciate these pre-built capabilities.
Useful Links -
Splunk Log Analysis: Overview of cheat sheets, documents and other useful resources (Google Docs)
https://docs.google.com/document/d/1RXKG0NsnGApEu4mBlQV_frGEWb8V95UMYKkyOU7oJK0/edit?pli=1