Splunk
Contents
1 Description & Installation
1.1 What is Splunk?
1.2 Installation
1.2.1 Install Splunk
1.2.2 Enable boot autostart
1.3 Configuration
1.3.1 Change default log retention
1.4 Upgrade Splunk
2 Search examples
2.1 Unique values
2.2 Group by field
2.3 Top results
2.4 Group by several fields
2.5 Add a sparkline to search results
2.6 Timechart
2.7 Select columns to show
2.8 Merge 2 fields
2.9 Count by time
3 Reports & Dashboards
3.1 Single Value
3.2 Column Chart
3.3 Cluster map
3.4 Scatter chart
3.5 Time selection
3.6 Form drilldown
4 Regular expressions
4.1 Squid
5 Advanced examples
6 Make your own app
6.1 Structure
6.2 Packing
6.2.1 Compressing
6.2.2 Publish your app
7 Comments

Description & Installation
What is Splunk?
Splunk (the product) captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.

Installation
Install Splunk
$ cd /data/src/
$ wget -O splunk-6.4.0-f2c836328108-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_
$ sudo tar xzf splunk-6.4.0-f2c836328108-Linux-x86_64.tgz -C /opt/

Enable boot autostart
To enable boot-start:
$ cd /opt/splunk/
$ sudo bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

If you have previously started the splunk daemon, stop it:
$ sudo bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
...
Stopping splunk helpers...
Done.
And restart it with systemctl:
Configuration
Change default log retention
Log retention is set to 6 years by default. This is controlled by the frozenTimePeriodInSecs parameter in the /opt/splunk/etc/system/default/indexes.conf configuration file (index-specific defaults section). To override this value, create an indexes.conf configuration file in /opt/splunk/etc/system/local/ :
Upgrade Splunk
1. Back up your Splunk $SPLUNK_HOME/etc directory.
2. Stop Splunk:
or
$SPLUNK_HOME/bin/splunk stop
3. Confirm that no other process can start Splunk Enterprise automatically (e.g. systemctl, crontab, ...).
4. To upgrade and migrate from version 5.0 or later, install the Splunk Enterprise package over your existing deployment:
https://www.aldeid.com/wiki/Splunk 1/12
5/18/2018 Splunk - aldeid
5. Execute the $SPLUNK_HOME/bin/splunk start command.
6. Splunk Enterprise displays a warning message informing you that the upgrade process is about to start and asks you to confirm.
7. Choose whether or not you want to run the migration preview script to see the proposed changes to your existing configuration files, or proceed with the migration and upgrade right away. If you choose to view the expected changes, the script provides a list.
8. After you have reviewed these changes and are ready to proceed with the migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.
To accept the license and begin the upgrade without viewing the changes (answer 'y'):
Search examples
Unique values
Don't use the above search to populate inputs (e.g. dropdowns) in dashboards. Use the following search instead:
Group by field
source="*suricata*" AND event_type="alert" | stats count by alert.signature | sort -count
Top results
Display the count of alerts and the percentage for each distinct src_ip (limited to the first 100 results in the example):
Timechart
Merge 2 fields
The below example shows how you can merge 2 source IP addresses coming from 2 feeds using different names and filter them with CIDR notation:
Count by time
| stats count by _time
count by timestamp, useful for charts (line, area, column)
| stats count by date_hour
count by hour of the day
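The searches in this section run against Suricata EVE JSON, where the signature sits in the nested alert.signature field. The Python below is an added example (not code from this page or from Splunk) that reproduces, over a few constructed EVE records, what the Group by field, Top results, Merge 2 fields and Count by time searches compute, so the result of each SPL pipeline can be checked outside Splunk. The second feed's field name `src`, the sample signatures and the addresses are all assumptions made for the example.

```python
import json
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed Suricata EVE JSON records (not real traffic). The last record
# stands in for a hypothetical second feed that names the source address
# "src" instead of "src_ip", the situation the "Merge 2 fields" section
# describes. The "flow" record is there to show the event_type filter at work.
SAMPLE_EVENTS = [
    '{"timestamp":"2018-05-18T10:15:32.000000+0200","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
    '{"timestamp":"2018-05-18T10:40:07.000000+0200","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
    '{"timestamp":"2018-05-18T11:05:44.000000+0200","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.12","alert":{"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak"}}',
    '{"timestamp":"2018-05-18T11:30:00.000000+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.12"}',
    '{"timestamp":"2018-05-18T11:45:19.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.80","alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt","category":"Web Application Attack"}}',
    '{"timestamp":"2018-05-18T11:52:03.000000+0200","event_type":"alert","src":"10.0.0.9","dest_ip":"203.0.113.13","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak"}}',
]


def alert_events(raw_lines):
    """Parse the JSON lines and keep only alerts: the event_type="alert"
    part of the page's searches."""
    events = [json.loads(line) for line in raw_lines]
    return [e for e in events if e.get("event_type") == "alert"]


def count_by_signature(events):
    """`stats count by alert.signature | sort -count`: one count per nested
    signature value, highest count first, signature name as tie-breaker."""
    counts = Counter(e["alert"]["signature"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def source_field(event):
    """`eval src=coalesce(src_ip, src)`: first of the two field names that is
    present, which is how the two feeds get merged into one column."""
    return event.get("src_ip", event.get("src"))


def top_sources(events, limit=100):
    """`top limit=100 src`: count and percentage for each distinct source,
    as (address, count, percent) tuples."""
    counts = Counter(source_field(e) for e in events)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [(ip, n, round(100.0 * n / total, 2)) for ip, n in ranked]


def sources_in_cidr(events, cidr):
    """Merge the two source fields and keep only addresses inside `cidr`
    (`where cidrmatch("10.0.0.0/8", src)` in SPL); returns a count per address."""
    net = ipaddress.ip_network(cidr)
    merged = (source_field(e) for e in events)
    return Counter(ip for ip in merged if ipaddress.ip_address(ip) in net)


def count_by_hour(events):
    """`stats count by date_hour`: number of events per hour of the day,
    taken from the EVE timestamp (which carries its own UTC offset)."""
    counts = Counter(
        datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").hour
        for e in events
    )
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    alerts = alert_events(SAMPLE_EVENTS)
    print(count_by_signature(alerts))
    print(top_sources(alerts))
    print(sources_in_cidr(alerts, "10.0.0.0/8"))
    print(count_by_hour(alerts))
```

Note that date_hour in Splunk is derived from the event's own timestamp string, not from the indexer's clock; the strptime call above mirrors that by reading the hour straight out of the record, offset included.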
Column Chart
source="*suricata*" event_type="alert" | timechart count by alert.category
Cluster map
Display the distribution of the dest_ip addresses involved in Suricata events on a world map:
source="*suricata*" | iplocation prefix=iploc_ dest_ip | geostats latfield=iploc_lat longfield=iploc_lon count
Scatter chart
Show the distribution of user-agent lengths (data from the squid proxy access.log in combined format):
sourcetype="access_combined" | eval length=len(useragent) | stats count by useragent, length | sort -length
Time selection
To add a time picker to your dashboard:
Token      TimeRangePicker
Options    Default: Today
On each widget that you would like to be automatically updated when the time range is changed, do as follows:
Notice that if your widget has been added from an existing report (Add Panel > New From Report), you will need to clone it to an Inline Search first:
Form drilldown
Let's create a dropdown list that contains Suricata signatures and a pie chart that shows the distribution of source IPs. We would like the pie chart to update automatically when a new value is selected from the dropdown list:
To do that:
First open the dashboard in edit mode: Edit > Edit Panels
Then add a new input: Add input > Dropdown
Click on the pen icon of the input object to edit its properties:
General
Label               signature
Search on Change    checked
Now edit the pie chart widget (Inline Search > Edit Search String) and add the token to your search (notice that the token name must be surrounded by $):
Regular expressions
Squid
Below is the regular expression I wrote to parse squid access.log (combined):
(?P<clientip>\S+)\s+(?P<ident>\S+)\s+(?P<auth>\S+)\s+\[([^:]+):(\d+:\d+:\d+)([^\]]+)\]\s+\"(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<proto>[^/]+)/(?P<http_version>\S+)\"\s+(?P<http_status>\d+)\s+
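Before wiring a regular expression like this into a field extraction, it pays to run it against a handful of lines and confirm which groups come out and what happens to lines that do not match (Splunk silently leaves the fields empty). The following Python is an added example, not code from the page: it applies the page's pattern as printed, with the single `(?<uri>...)` group written as `(?P<uri>...)` since Python's re module only accepts that spelling (Splunk's PCRE engine accepts both), and with re.match because the pattern stops after the HTTP status code and so only needs to anchor at the start of the line. The log lines are constructed for the example.

```python
import re

# The page's squid access.log (combined format) pattern. Only the uri group's
# syntax differs from the page (Python needs (?P<name>...)); the pattern
# otherwise ends where the page's does, after the HTTP status code, so the
# remaining fields (bytes, referer, user-agent, squid hierarchy) are ignored.
SQUID_COMBINED_PREFIX = re.compile(
    r'(?P<clientip>\S+)\s+(?P<ident>\S+)\s+(?P<auth>\S+)\s+'
    r'\[([^:]+):(\d+:\d+:\d+)([^\]]+)\]\s+'
    r'\"(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<proto>[^/]+)/(?P<http_version>\S+)\"\s+'
    r'(?P<http_status>\d+)\s+'
)

# Constructed sample lines, not taken from a real proxy. The third one is
# deliberately malformed to show the no-match path.
SAMPLE_LINES = [
    '10.0.0.5 - - [18/May/2018:10:15:32 +0200] "GET http://example.com/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
    '10.0.0.7 - alice [18/May/2018:10:16:01 +0200] "CONNECT example.org:443 HTTP/1.1" 407 3421 "-" "curl/7.58.0" TCP_DENIED:HIER_NONE',
    'garbage line that is not a squid record',
]


def parse_squid_line(line):
    """Return the extracted fields as a dict, or None when the line does not match.

    The three unnamed groups (date, time, timezone) are groups 4-6 because the
    named groups before them also count; they are exposed under explicit keys
    so callers do not depend on those positions.
    """
    m = SQUID_COMBINED_PREFIX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["date"], fields["time"], fields["tz"] = (g.strip() for g in m.group(4, 5, 6))
    return fields


def status_histogram(lines):
    """Count HTTP status codes across the lines, skipping the ones the regex
    rejects, which is what a Splunk stats over the extracted field would see."""
    hist = {}
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        hist[rec["http_status"]] = hist.get(rec["http_status"], 0) + 1
    return hist


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_squid_line(line))
    print(status_histogram(SAMPLE_LINES))
```

The greedy `\S+` in the http_version group is worth noticing: on its own it would swallow the closing quote, and only the following `\"` forces the engine to back off one character, so the group ends up as `1.1` rather than `1.1"`. That backtracking is cheap here but is the kind of thing to check when a pattern is later extended.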
Advanced examples
Youtube custom search command
Table with expandable rows that show events associated + time picker to filter events
SDSIEM (opensource SIEM I'm working on)

Make your own app
Structure
├── appserver
│   └── static
│       ├── application.css
│       ├── appLogo_allblack.png
│       ├── expand_alerts.js
│       ├── loader.gif
│       └── splIcons.gif
├── bin
│   └── readme.txt
├── default
│   ├── app.conf
│   ├── data
│   │   └── ui
│   │       ├── nav
│   │       │   └── default.xml
│   │       └── views
│   │           ├── siem-dashboard-alerts.xml
│   │           ├── siem-dashboard-overview.xml
│   │           └── siem-dashboard-useragent.xml
│   ├── savedsearches.conf
│   └── viewstates.conf
├── local
└── metadata
    ├── default.meta
    └── local.meta
Packing
Compressing
Once you have finished organizing your files, you can compress your application as follows:
$ cd $SPLUNK_HOME/etc/apps/
$ tar czf /data/mysplunkapps/appname.tgz appname/
Comments
Keywords: splunk