WEBVTT

0:00:04.220000 --> 0:00:07.120000
 Centralized log collection with Splunk.

0:00:07.120000 --> 0:00:11.460000
 So in this section of the course, that
 was, you know, that's focused on

0:00:11.460000 --> 0:00:17.460000
 logging. We've gotten to understand,
 you know, what logging is, how it

0:00:17.460000 --> 0:00:18.940000
 works, why it's in place.

0:00:18.940000 --> 0:00:24.680000
 And we most recently, or in the previous
 video, I should say, talked about

0:00:24.680000 --> 0:00:28.860000
 log collection, shipping and aggregation.


0:00:28.860000 --> 0:00:32.900000
 And we did that in a theoretical
 sense, right?

0:00:32.900000 --> 0:00:35.000000
 So we understood what it's
 all about theoretically.

0:00:35.000000 --> 0:00:40.520000
 But now we're going to take a look
 at what, you know, centralized log

0:00:40.520000 --> 0:00:46.540000
 collection and shipping looks like,
 you know, how it works practically.

0:00:46.540000 --> 0:00:52.360000
 And in this case, our focus will be,
 or the tool that we'll be using or

0:00:52.360000 --> 0:00:55.460000
 will be shipping our logs
 to is going to be Splunk.

0:00:55.460000 --> 0:00:58.160000
 Now, don't worry if you've
 never used Splunk before.

0:00:58.160000 --> 0:00:59.920000
 You're not sure what it is.

0:00:59.920000 --> 0:01:04.660000
 I will be covering or providing you with
 an introduction to it later down

0:01:04.660000 --> 0:01:10.620000
 the line. But in order to do this,
 we're going to be utilizing a lab.

0:01:10.620000 --> 0:01:13.360000
 So this video has a lab
 associated with it.

0:01:13.360000 --> 0:01:17.460000
 Now, before we get started, I just
 want to give you an overview of the

0:01:17.460000 --> 0:01:22.320000
 lab, at least formally, so you understand
 what our objectives are.

0:01:22.320000 --> 0:01:27.960000
 All right, so in this lab, you'll configure
 two servers to send their

0:01:27.960000 --> 0:01:33.680000
 log data to a Splunk instance that resides
 on a system called server 01.

0:01:33.680000 --> 0:01:35.540000
 Right? That's the host name.

0:01:35.540000 --> 0:01:41.400000
 So when you start the lab again, it's
 just going to be below this video.

0:01:41.400000 --> 0:01:45.560000
 You're going to have, you know, a detailed
 lab guide with credentials

0:01:45.560000 --> 0:01:48.360000
 to all of the systems involved.

0:01:48.360000 --> 0:01:52.220000
 So I'll not be walking you through
 that because it's already there.

0:01:52.220000 --> 0:01:57.520000
 But the idea is to, you know, send
 the logs from a Windows system and a

0:01:57.520000 --> 0:02:01.100000
 Linux system to a Splunk
 server or instance.

0:02:01.100000 --> 0:02:06.360000
 So the first system, which is the
 Windows system is called DC 01.

0:02:06.360000 --> 0:02:07.660000
 That's the host name.

0:02:07.660000 --> 0:02:13.680000
 Right? We'll require or we are required
 to ship specific Windows event

0:02:13.680000 --> 0:02:20.480000
 logs, including some AD information
 and the Linux system with the host

0:02:20.480000 --> 0:02:26.140000
 name Linux 01 will need
 specific auth log files sent.

0:02:26.140000 --> 0:02:28.160000
 So objectives are fairly simple.

0:02:28.160000 --> 0:02:32.540000
 We need to ship these logs
 from both of these systems.

0:02:32.540000 --> 0:02:37.960000
 And more specifically, we need to ship
 specific logs from both the Windows

0:02:37.960000 --> 0:02:40.260000
 system as well as the Linux system.

0:02:40.260000 --> 0:02:43.620000
 So what are we going to
 be doing in this lab?

0:02:43.620000 --> 0:02:48.380000
 A, collect the logs from DC 01, which
 is a Windows Active Directory domain

0:02:48.380000 --> 0:02:52.840000
 controller and Linux 01,
 which is a Linux server.

0:02:52.840000 --> 0:02:56.780000
 And more specifically, we're going
 to be, you know, collect the logs.

0:02:56.780000 --> 0:02:58.500000
 We're going to be collecting
 the auth logs.

0:02:58.500000 --> 0:03:02.500000
 If you remember that, I told you that
 that would become important when

0:03:02.500000 --> 0:03:05.480000
 we covered log, log formats, etc.

0:03:05.480000 --> 0:03:07.960000
 or logging on Linux, let's say.

0:03:07.960000 --> 0:03:12.400000
 Secondly, we need to ship these logs
 to a centralized Splunk instance.

0:03:12.400000 --> 0:03:13.880000
 That's going to be on server 01.

0:03:13.880000 --> 0:03:17.040000
 That's the system you're going to be
 provided with access to by default

0:03:17.040000 --> 0:03:19.280000
 when you start the lab.

0:03:19.280000 --> 0:03:24.420000
 And then, you know, we can perform
 some quick analysis of the logs for

0:03:24.420000 --> 0:03:28.120000
 visibility. I wouldn't say incident
 response because the objective here

0:03:28.120000 --> 0:03:34.780000
 is really, this lab is really focused on
 the collection and shipping process.

0:03:34.780000 --> 0:03:39.040000
 But in order to validate the logs that
 the logs from both systems have

0:03:39.040000 --> 0:03:44.560000
 been sent over or are being shipped,
 we will be able to run or write a

0:03:44.560000 --> 0:03:47.060000
 couple of Splunk searches.

0:03:47.060000 --> 0:03:51.520000
 So the scenario behind
 this lab is as follows.

0:03:51.520000 --> 0:03:55.020000
 So you have been tasked with collecting
 log information from two servers

0:03:55.020000 --> 0:03:56.560000
 in the organization.

0:03:56.560000 --> 0:04:01.420000
 Your director has asked for security
 event logs and basic AD information

0:04:01.420000 --> 0:04:07.780000
 to be collected from DC 01 and sent
 to the Splunk server on server 01.

0:04:07.780000 --> 0:04:10.620000
 So these are just host names,
 as I've mentioned.

0:04:10.620000 --> 0:04:15.800000
 And in addition to that, you've been
 asked to have authorization logs

0:04:15.800000 --> 0:04:18.740000
 from the Linux server indexed
 into Splunk as well.

0:04:18.740000 --> 0:04:22.240000
 So that's the, you know,
 the auth logs as it were.

0:04:22.240000 --> 0:04:25.120000
 And the objectives I've
 already mentioned.

0:04:25.120000 --> 0:04:30.600000
 There's one key one that I haven't pointed
 out and that is to ensure reliable

0:04:30.600000 --> 0:04:34.140000
 and secure delivery over port.

0:04:34.140000 --> 0:04:41.620000
 So basically, we need to configure these
 Splunk forwarders on both

0:04:41.620000 --> 0:04:48.120000
 of the systems to communicate back
 to the Splunk server via or on port

0:04:48.120000 --> 0:04:54.800000
 9997. So this is a, you know, just
 a basic topology of the lab.

0:04:54.800000 --> 0:04:59.320000
 And one thing that I wanted to point
 out because I told you it would be

0:04:59.320000 --> 0:05:02.260000
 important is the model, right?

0:05:02.260000 --> 0:05:06.580000
 The log, like the logging
 model as it were.

0:05:06.580000 --> 0:05:12.320000
 Or when you talk about the logging
 pipeline, in this particular case,

0:05:12.320000 --> 0:05:17.160000
 this is, you know, going to be push based
 because we're going to be setting

0:05:17.160000 --> 0:05:18.820000
 up the Splunk Universal Forwarder

0:05:18.820000 --> 0:05:23.740000
 on both the Windows system
 and the Linux system.

0:05:23.740000 --> 0:05:30.220000
 And the Splunk forwarders will then actively
 send or push the logs to the

0:05:30.220000 --> 0:05:35.360000
 central Splunk instance that's running
 on server 01 over port 9997.

0:05:35.360000 --> 0:05:39.560000
 And within the lab documentation, you will
 be provided with the IP addresses,

0:05:39.560000 --> 0:05:41.020000
 the credentials, etc.

0:05:41.020000 --> 0:05:43.780000
 to facilitate the exercise.

0:05:43.780000 --> 0:05:47.640000
 So with that being said, I'm going
 to start up my lab environment and

0:05:47.640000 --> 0:05:50.560000
 I'll see you there in
 a couple of seconds.

0:05:50.560000 --> 0:05:54.140000
 All right. So I'm currently
 within the lab environment.

0:05:54.140000 --> 0:05:58.120000
 And as you can see, you'll be provided
 with access to the Windows system

0:05:58.120000 --> 0:06:02.060000
 that is hosting the Splunk
 server or instance.

0:06:02.060000 --> 0:06:04.880000
 Now, of course, in most cases,
 it's going to be running.

0:06:04.880000 --> 0:06:07.580000
 You're going to be hosting
 Splunk on a Linux server.

0:06:07.580000 --> 0:06:09.940000
 Right? But again, this is just a lab.

0:06:09.940000 --> 0:06:16.080000
 And to start up Splunk, you'll see the
 desktop shortcut here on your desktop.

0:06:16.080000 --> 0:06:21.460000
 Just click on that, double click on it
 and it'll start up the Splunk server.

0:06:21.460000 --> 0:06:24.280000
 And you want to give this
 a couple of seconds.

0:06:24.280000 --> 0:06:26.740000
 It shouldn't take too much time at all.

0:06:26.740000 --> 0:06:31.200000
 Once, you know, you've started it up,
 you should be able to access this

0:06:31.200000 --> 0:06:35.080000
 Splunk web user
 interface, like so.

0:06:35.080000 --> 0:06:39.160000
 So it'll automatically open
 it up in your web browser.

0:06:39.160000 --> 0:06:40.960000
 So this is Splunk Enterprise.

0:06:40.960000 --> 0:06:43.660000
 And we're going to give it a few seconds.


0:06:43.660000 --> 0:06:46.180000
 Don't worry. It will automatically
 log you in.

0:06:46.180000 --> 0:06:49.340000
 You don't need any credentials
 to log into Splunk.

0:06:49.340000 --> 0:06:51.420000
 As I said, just give it a few seconds.

0:06:51.420000 --> 0:06:53.620000
 I'm going to wait for this to complete.

0:06:53.620000 --> 0:06:57.720000
 All right. So once it's started up, you
 can see it's pretty bare bones.

0:06:57.720000 --> 0:06:59.180000
 Nothing has been created.

0:06:59.180000 --> 0:07:01.260000
 We just have search and reporting.

0:07:01.260000 --> 0:07:02.900000
 Those are the only apps there.

0:07:02.900000 --> 0:07:05.940000
 Now, if this is your first time interacting
 with Splunk, you can definitely

0:07:05.940000 --> 0:07:10.280000
 use this as an opportunity to navigate
 around, play around with things.

0:07:10.280000 --> 0:07:14.920000
 But for the purpose of this demonstration,
 I'm going to be fairly straightforward.

0:07:14.920000 --> 0:07:18.160000
 So the first thing we need to do is because
 this is the system, this Windows

0:07:18.160000 --> 0:07:20.920000
 system is the system that's
 hosting Splunk.

0:07:20.920000 --> 0:07:28.960000
 Right? And we are going to need to configure
 a receiver or configure Splunk

0:07:28.960000 --> 0:07:30.580000
 to receive logs, right?

0:07:30.580000 --> 0:07:32.280000
 From the Universal Forwarder.

0:07:32.280000 --> 0:07:36.260000
 So we want to navigate to Settings
 and under Data, you're going to see

0:07:36.260000 --> 0:07:38.840000
 forwarding and receiving.

0:07:38.840000 --> 0:07:41.920000
 Okay? So Splunk can actually do both.

0:07:41.920000 --> 0:07:45.700000
 So again, give that a few seconds and
 we shouldn't have any receivers

0:07:45.700000 --> 0:07:50.660000
 or forwarders by default, as you
 can see, nothing in here.

0:07:50.660000 --> 0:07:54.900000
 We want to go under receive
 data and click on add new.

0:07:54.900000 --> 0:07:58.480000
 Okay? So give that a few
 more seconds as well.

0:07:58.480000 --> 0:08:03.820000
 And we're going to configure
 the listener port as 9997.

0:08:03.820000 --> 0:08:08.860000
 As you can see here, that's the default,
 which is very, very important.

0:08:08.860000 --> 0:08:12.500000
 And that's why we're not deviating
 from this in the lab demonstration.

0:08:12.500000 --> 0:08:18.500000
 So set up the Splunk instance to receive
 data from a single forwarder or

0:08:18.500000 --> 0:08:19.520000
 multiple forwarders.

0:08:19.520000 --> 0:08:22.740000
 So we can hit save and this is on TCP.

0:08:22.740000 --> 0:08:24.700000
 This is a TCP port, right?

0:08:24.700000 --> 0:08:30.520000
 It's not UDP. Okay, so once that is
 done, you can see the status is set

0:08:30.520000 --> 0:08:34.480000
 to enabled and you also have the ability
 to disable it or to delete it.

0:08:34.480000 --> 0:08:39.320000
 Now, because we're on Windows, we probably
 also want to configure the

0:08:39.320000 --> 0:08:49.680000
 firewall. So Windows Firewall, and
 ensure that port 9997 is actually

0:08:49.680000 --> 0:08:54.000000
 allowed. Or, you know, we need to configure
 the firewall to allow traffic

0:08:54.000000 --> 0:08:55.540000
 on that particular port.

0:08:55.540000 --> 0:09:00.420000
 So I'm going to go into firewall advanced
 settings and give this a few

0:09:00.420000 --> 0:09:03.420000
 seconds. Just so we can.

0:09:03.420000 --> 0:09:08.560000
 There we are. And now I'm just going
 to maximize this and we're going

0:09:08.560000 --> 0:09:12.800000
 to go into inbound rules and I'm going
 to create a new rule right over

0:09:12.800000 --> 0:09:19.180000
 here. And what we want to do
 is create a port rule, right?

0:09:19.180000 --> 0:09:21.400000
 Because that's what we're
 dealing with here.

0:09:21.400000 --> 0:09:24.720000
 And in this case, it's going to be
 a specific local port and it's TCP.

0:09:24.720000 --> 0:09:29.200000
 So the port we want to
 allow is 9997.

0:09:29.200000 --> 0:09:36.160000
 Okay, and hit next. And at this
 point, we need to configure the

0:09:36.160000 --> 0:09:42.840000
 action. Right. So the action in this
 particular case, we want to allow

0:09:42.840000 --> 0:09:48.620000
 the connection. And we
 can just hit on next.

0:09:48.620000 --> 0:09:51.960000
 When does this rule apply?

0:09:51.960000 --> 0:09:55.000000
 We want to enable it for all.

0:09:55.000000 --> 0:09:57.440000
 So domain, private, public.

0:09:57.440000 --> 0:09:59.500000
 And then the name we're
 just going to call it.

0:09:59.500000 --> 0:10:02.600000
 Well, just call it Splunk Forwarder.

0:10:02.600000 --> 0:10:07.900000
 It's always good to have descriptive
 names for our rules.

0:10:07.900000 --> 0:10:08.960000
 We're going to finish.

0:10:08.960000 --> 0:10:09.660000
 And there we are.

0:10:09.660000 --> 0:10:13.420000
 So we're done now on the.

0:10:13.420000 --> 0:10:15.220000
 Server 01 system.

0:10:15.220000 --> 0:10:19.260000
 So just so you're aware, the server 01
 system that I was referring to, or

0:10:19.260000 --> 0:10:22.820000
 that is referred to in the lab documentation,
 is referring to this Windows

0:10:22.820000 --> 0:10:25.600000
 system that you're provided with
 access to by default.

0:10:25.600000 --> 0:10:28.700000
 That is running as you can see here.

0:10:28.700000 --> 0:10:32.800000
 That is running the Splunk
 instance or the Splunk server.

0:10:32.800000 --> 0:10:37.860000
 Okay, so now that we've configured, you
 know, the Splunk, you know, we've

0:10:37.860000 --> 0:10:42.620000
 configured Splunk to receive.

0:10:42.620000 --> 0:10:45.420000
 logs on port 9997.

0:10:45.420000 --> 0:10:50.740000
 We now can move to the first system
 that we need to, you know, get the

0:10:50.740000 --> 0:10:54.980000
 logs from, which is the
 other Windows system.

0:10:54.980000 --> 0:10:56.340000
 That's the domain controller.

0:10:56.340000 --> 0:11:02.600000
 So DC 01. The IP address, you know,
 for DC 01 has already been provided

0:11:02.600000 --> 0:11:04.980000
 to you in the lab documentation.

0:11:04.980000 --> 0:11:08.940000
 You can access it via this system
 via the remote desktop protocol.

0:11:08.940000 --> 0:11:12.580000
 So I'm going to say remote
 desktop connection.

0:11:12.580000 --> 0:11:22.220000
 And in here with the address, the
 IP address in this case is 172.31.115.100.

0:01:22.220000 --> 0:01:26.100000
 Okay.

0:11:26.100000 --> 0:11:29.780000
 And the password likewise
 has been provided to you.

0:11:29.780000 --> 0:11:34.640000
 So in this particular case, it's,
 you know, a fairly secure password.

0:11:34.640000 --> 0:11:38.320000
 So I can't really tell you what it is
 just copy it and you should be able

0:11:38.320000 --> 0:11:39.820000
 to paste it like so.

0:11:39.820000 --> 0:11:45.020000
 And that's going to connect to the
 DC 01 system or the Windows domain

0:11:45.020000 --> 0:11:48.540000
 controller via RDP.

0:11:48.540000 --> 0:11:53.140000
 And on that system, the Splunk Forwarder has
 already been downloaded for you,

0:11:53.140000 --> 0:11:55.300000
 the actual executable or installer.

0:11:55.300000 --> 0:11:59.540000
 So we can just go or begin with
 the configuration process.

0:11:59.540000 --> 0:12:05.020000
 So I'm going to wait for the remote
 desktop connection to initialize and

0:12:05.020000 --> 0:12:12.180000
 I will get back to you
 when I have access to DC 01

0:12:12.180000 --> 0:12:14.720000
 via RDP. All right.

0:12:14.720000 --> 0:12:19.420000
 So I currently have access
 to DC 01 by RDP.

0:12:19.420000 --> 0:12:22.860000
 And on the desktop, you're going
 to see a tools folder.

0:12:22.860000 --> 0:12:26.160000
 Open that up and you're going
 to see the Splunk Forwarder

0:12:26.160000 --> 0:12:28.460000
 installer package.

0:12:28.460000 --> 0:12:30.760000
 So just double click on that.

0:12:30.760000 --> 0:12:34.260000
 And this is, for all
 intents and purposes,

0:12:34.260000 --> 0:12:36.760000
 the agent, as it were.

0:12:36.760000 --> 0:12:41.360000
 But of course, from the perspective
 of Splunk, this is the Universal Forwarder.

0:12:41.360000 --> 0:12:44.780000
 Again, if you're familiar with Splunk,
 then you already know what the

0:12:44.780000 --> 0:12:46.320000
 next steps are going to be.

0:12:46.320000 --> 0:12:51.560000
 But what we need to do is configure
 the forwarder on the domain controller

0:12:51.560000 --> 0:12:59.840000
 to firstly connect to the listener or
 the receiver as it were on the Splunk

0:12:59.840000 --> 0:13:03.920000
 server via port 9997.

0:13:03.920000 --> 0:13:16.160000
 And we then also need to configure or
 specify what logs we want to send.

0:13:16.160000 --> 0:13:18.060000
 Right. So we have a lot of logs which
 we went through when we were talking

0:13:18.060000 --> 0:13:19.460000
 about Windows logging.

0:13:19.460000 --> 0:13:24.640000
 So I'm just going to click on or I'm going
 to accept the license agreement.

0:13:24.640000 --> 0:13:29.380000
 And in this case, we are connecting
 to an on premise Splunk Enterprise

0:13:29.380000 --> 0:13:32.960000
 instance. We'll go to customize options.

0:13:32.960000 --> 0:13:35.540000
 The default installation
 directory is fine.

0:13:35.540000 --> 0:13:39.000000
 So do we have any SSL cert?

0:13:39.000000 --> 0:13:41.820000
 No, we don't. So we're just
 going to skip this.

0:13:41.820000 --> 0:13:44.720000
 And then now we need to specify.

0:13:44.720000 --> 0:13:49.800000
 So you can see it'll say the user you install
 Universal Forwarder as determines

0:13:49.800000 --> 0:13:52.200000
 what data it has access to.

0:13:52.200000 --> 0:13:53.160000
 This is very important.

0:13:53.160000 --> 0:13:57.040000
 So the managed service account and group
 managed service account are supported

0:13:57.040000 --> 0:14:07.960000
 by CLI only. So this is where we get
 to specify, you know, what user

0:14:07.960000 --> 0:14:11.380000
 we're installing Universal Forwarder as.

0:14:11.380000 --> 0:14:13.380000
 So we're using local system.

0:14:13.380000 --> 0:14:17.580000
 So in this case, it will install Universal
 Forwarder using the local system

0:14:17.580000 --> 0:14:22.600000
 account. What that means is that Universal
 Forwarder can access all data

0:14:22.600000 --> 0:14:25.360000
 on or forwarded to this machine.

0:14:25.360000 --> 0:14:28.520000
 If you go with the domain account, then
 this will install the Universal

0:14:28.520000 --> 0:14:32.980000
 Forwarder with the domain account you
 provide. The difference between the

0:14:32.980000 --> 0:14:37.460000
 two. It should be fairly obvious, but
 to sort of elaborate on this, this

0:14:37.460000 --> 0:14:41.940000
 lets you collect logs and metrics from
 remote machines as well as local

0:14:41.940000 --> 0:14:43.220000
 and forwarded data.

0:14:43.220000 --> 0:14:46.400000
 It actually makes sense if you want
 to, you know, use the, you know, if

0:14:46.400000 --> 0:14:50.660000
 you want to get logs from other domain
 joined computers, you can do that

0:14:50.660000 --> 0:14:54.860000
 as well. We'll just go with the local
 and remember, as per the objectives

0:14:54.860000 --> 0:14:59.660000
 of the lab now, once you've gone through
 this demo, you can restart the

0:14:59.660000 --> 0:15:04.140000
 lab and play around with what logs
 you want to ship or to forward.

0:15:04.140000 --> 0:15:08.040000
 But you can see you have, under Windows
 event logs, the various types of

0:15:08.040000 --> 0:15:11.980000
 categories. So you have the Application
 log, Security log, System log, Forwarded

0:15:11.980000 --> 0:15:16.440000
 Events log, Setup log, and you can
 also enable AD monitoring, which is

0:15:16.440000 --> 0:15:19.940000
 something that our director, you remember,
 in the lab scenario has tasked

0:15:19.940000 --> 0:15:24.560000
 us to do. So we're going to need to
 enable the security log and enable

0:15:24.560000 --> 0:15:29.500000
 AD monitoring. You can also
 specify a path to monitor.

0:15:29.500000 --> 0:15:34.240000
 So that's a, I wouldn't call it file
 integrity monitoring, but you can

0:15:34.240000 --> 0:15:38.200000
 specify a file that you want to monitor
 for particular changes, any types

0:15:38.200000 --> 0:15:39.800000
 of changes, right?

0:15:39.800000 --> 0:15:43.400000
 And we don't want any performance based
 statistics, although that would

0:15:43.400000 --> 0:15:44.840000
 be, you know, very, very useful.

0:15:44.840000 --> 0:15:50.700000
 In any case, what we're going to
 do now is just click on next.

0:15:50.700000 --> 0:15:54.060000
 And now you're going to need to create
 credentials for the administrator

0:15:54.060000 --> 0:15:58.540000
 account. The password must contain at minimum
 eight printable ASCII characters.

0:15:58.540000 --> 0:16:02.460000
 So in the case of this demo, we'll
 just create the username and we'll

0:16:02.460000 --> 0:16:04.580000
 say, you know, Splunk admin.

0:16:04.580000 --> 0:16:07.660000
 And we'll, you know, just say
 generate a random password.

0:16:07.660000 --> 0:16:10.440000
 Okay. So we'll click on next.

0:16:10.440000 --> 0:16:12.740000
 Do we have a deployment server?

0:16:12.740000 --> 0:16:18.480000
 No, we don't. We have the receiving indexer,
 which is, you know, the Splunk

0:16:18.480000 --> 0:16:24.100000
 instance. So you want to leave that blank,
 but in the index configuration

0:16:24.100000 --> 0:16:28.280000
 page here, this is where we specify
 the IP address of the Windows system

0:16:28.280000 --> 0:16:32.120000
 that that is actually running or hosting
 the Splunk server or instance.

0:16:32.120000 --> 0:16:41.200000
 So again, you can refer to the lab documentation,
 the IP is 172.31.115.110.

0:16:41.200000 --> 0:16:42.680000
 And the port.

0:16:42.680000 --> 0:16:46.960000
 Remember, you can see it tells us the
 default is 9997 and we didn't do

0:16:46.960000 --> 0:16:51.520000
 anything other than, or we didn't
 specify any other port.

0:16:51.520000 --> 0:16:57.800000
 So we'll leave it as the default there
 and we can click on install.

0:16:57.800000 --> 0:17:01.900000
 And this is going to set up
 the Splunk Universal Forwarder.

0:17:01.900000 --> 0:17:07.500000
 And if everything goes well, or if
 we configure everything correctly,

0:17:07.500000 --> 0:17:12.180000
 then it should install without an issue
 and we can then go back to the,

0:17:12.180000 --> 0:17:18.740000
 we can go back to the Windows system
 that, you know, server 01 and try

0:17:18.740000 --> 0:17:24.600000
 and see whether we can actually
 get logs from DC 01 in Splunk.

0:17:24.600000 --> 0:17:28.760000
 So we'll go through a couple of interesting
 searches, but this will take

0:17:28.760000 --> 0:17:32.200000
 a few seconds. I'm just going to wait
 for it to complete and then I'll

0:17:32.200000 --> 0:17:34.440000
 get back to you when it's done.

0:17:34.440000 --> 0:17:38.680000
 All right, the Universal Forwarder is done
 or, you know, installing it was

0:17:38.680000 --> 0:17:41.140000
 successful and we can click on finish.

0:17:41.140000 --> 0:17:45.800000
 And now I'll just minimize the RDP
 session and go back into server 01

0:17:45.800000 --> 0:17:51.060000
 and into the Splunk enterprise web user
 interface and I'll just go home

0:17:51.060000 --> 0:17:55.900000
 here. And maybe I will zoom in a little
 bit and we can go into search

0:17:55.900000 --> 0:18:01.280000
 and reporting. And we shouldn't have
 any predefined searches, which is

0:18:01.280000 --> 0:18:02.580000
 exactly what we want.

0:18:02.580000 --> 0:18:07.700000
 So this is exactly like, this is, this
 mirrors the pretty much the exact

0:18:07.700000 --> 0:18:12.580000
 process you would go through when
 you're setting up your own SIEM.

0:18:12.580000 --> 0:18:15.500000
 And we'll cover SIEMs in the
 next section of this course.

0:18:15.500000 --> 0:18:19.800000
 But, you know, we've pretty much just
 configured one system to forward

0:18:19.800000 --> 0:18:22.640000
 its logs to our Splunk enterprise server.


0:18:22.640000 --> 0:18:26.340000
 How do we confirm that we're actually
 getting the logs from that system?

0:18:26.340000 --> 0:18:32.100000
 Well, we can perform a quick search
 or run the following query so we can

0:18:32.100000 --> 0:18:34.960000
 specify all indexes.

0:18:34.960000 --> 0:18:39.080000
 So we can use the wildcard operator there,
 which is denoted by an asterisk

0:18:39.080000 --> 0:18:42.260000
 and then specify the host
 that we are interested in.

0:18:42.260000 --> 0:18:46.240000
 And in this case, the matching term seems
 to already give us DC 01, which

0:18:46.240000 --> 0:18:50.640000
 means I'm pretty sure we're getting
 logs from that system.

0:18:50.640000 --> 0:18:52.660000
 So there we are.

0:18:52.660000 --> 0:18:54.040000
 We can see them here.

0:18:54.040000 --> 0:18:56.880000
 So in this case, they're called events.

0:18:56.880000 --> 0:19:00.880000
 You know, you're going to see a difference
 between nomenclature, you

0:19:00.880000 --> 0:19:05.360000
 know, across various SIEMs, but, you
 know, you can see that we're getting

0:19:05.360000 --> 0:19:09.200000
 those events being sent and you can
 actually validate this against the

0:19:09.200000 --> 0:19:14.840000
 time. So it's 4:57 based on this system's
 clock and you can see, you know,

0:19:14.840000 --> 0:19:18.260000
 4:56 is the latest one received.

0:19:18.260000 --> 0:19:24.160000
 And yeah, so we're getting all of the
 security event logs from the Windows

0:19:24.160000 --> 0:19:27.580000
 system. And I think we've
 done that successfully.

0:19:27.580000 --> 0:19:34.060000
 We're also getting active directory
 events or logs as it were.

0:19:34.060000 --> 0:19:38.500000
 So from this point on, you sort of understand
 how you can start filtering

0:19:38.500000 --> 0:19:41.060000
 for what you're looking for.

0:19:41.060000 --> 0:19:45.100000
 And more importantly, based on, you
 know, what you find or what you want

0:19:45.100000 --> 0:19:49.640000
 to, what you classify as potentially
 interesting or malicious, you can

0:19:49.640000 --> 0:19:54.900000
 then move on to the next stage, which
 is creating alerts based on, you

0:19:54.900000 --> 0:19:58.220000
 know, a predefined set of rules,
 which will actually get to.

0:19:58.220000 --> 0:20:00.400000
 But that's the first system down.

0:20:00.400000 --> 0:20:04.020000
 The second one is the Linux system
 that we need to configure.

0:20:04.020000 --> 0:20:10.800000
 So if we want to access the Linux system,
 you're going to need to access

0:20:10.800000 --> 0:20:16.160000
 it via SSH and we already have the
 PuTTY SSH client on the desktop of

0:20:16.160000 --> 0:20:17.660000
 the server 01 system.

0:20:17.660000 --> 0:20:19.100000
 So just double click on that.

0:20:19.100000 --> 0:20:23.740000
 If you have never used PuTTY before,
 just know this is an SSH client.

0:20:23.740000 --> 0:20:30.200000
 So remember, you should already have
 been provided with the IP in the

0:20:30.200000 --> 0:20:32.440000
 lab overview section.

0:20:32.440000 --> 0:20:35.580000
 So in this case, I'll just type it in.

0:20:35.580000 --> 0:20:42.440000
 It is 172.31.115.111.

0:20:42.440000 --> 0:20:48.660000
 So 111. Okay. And let me just copy
 the password here and I'll just hit

0:20:48.660000 --> 0:20:53.060000
 open and the user is lab admin.

0:20:53.060000 --> 0:20:57.400000
 So I will just say lab admin, like so.

0:20:57.400000 --> 0:21:02.160000
 And to paste with PuTTY, you just right
 click like so and then hit enter.

0:21:02.160000 --> 0:21:05.220000
 Hmm. In my case, it's saying that's denied.

0:21:05.220000 --> 0:21:07.900000
 Let's try this again.

0:21:07.900000 --> 0:21:09.780000
 And that's not working.

0:21:09.780000 --> 0:21:11.020000
 Maybe now. Okay.

0:21:11.020000 --> 0:21:12.260000
 There we are. Fantastic.

0:21:12.260000 --> 0:21:16.600000
 By the way, I should have modified
 the appearance here.

0:21:16.600000 --> 0:21:18.740000
 Let me see if I can do that right now.

0:21:18.740000 --> 0:21:23.260000
 So I'll change the font so you can actually
 see this a little bit better.

0:21:23.260000 --> 0:21:26.920000
 Say move that to 16 and then appearance.

0:21:26.920000 --> 0:21:30.120000
 Sorry, under colors, the
 default foreground.

0:21:30.120000 --> 0:21:34.600000
 I'll make that a little bit
 brighter for everyone.

0:21:34.600000 --> 0:21:37.220000
 So you can actually see the
 font a little bit better.

0:21:37.220000 --> 0:21:38.620000
 There we are. Fantastic.

0:21:38.620000 --> 0:21:48.240000
 So now that we have now that we can
 access the Linux server, we can get

0:21:48.240000 --> 0:21:51.700000
 started with configuring the
 Universal Forwarder on Linux.

0:21:51.700000 --> 0:21:57.080000
 Now, before we actually set up the Universal
 Forwarder, there are a couple of prerequisites

0:21:57.080000 --> 0:21:58.720000
 that we need to go through on Linux.

0:21:58.720000 --> 0:22:04.020000
 The first is we need to add a user for
 the Splunk Universal Forwarder, the

0:22:04.020000 --> 0:22:05.280000
 service specifically.

0:22:05.280000 --> 0:22:08.720000
 So we're going to add this user and
 we're just going to call it Splunk.

0:22:08.720000 --> 0:22:12.340000
 And the password, let
 me just get it again.

0:22:12.340000 --> 0:22:17.640000
 This is quite tedious, but we need
 the password here because that is a

0:22:17.640000 --> 0:22:19.660000
 root command. So there we are.

0:22:19.660000 --> 0:22:21.440000
 Looks like that's done.

0:22:21.440000 --> 0:22:26.920000
 And now that we have created
 that user, we can now.

0:22:26.920000 --> 0:22:33.680000
 Let's create an environment variable
 that can store the installation.

0:22:33.680000 --> 0:22:38.440000
 The location where the Universal
 Forwarder is typically installed.

0:22:38.440000 --> 0:22:41.080000
 So we're just going to say export.

0:22:41.080000 --> 0:22:45.000000
 And we'll call it SPLUNK_HOME.


0:22:45.000000 --> 0:22:52.700000
 I'm going to set that as, we're going
 to set that as /opt/splunkforwarder.

0:22:52.700000 --> 0:22:56.800000
 So this is where the Splunk forwarder is
 usually installed, and on Linux, you

0:22:56.800000 --> 0:23:01.120000
 know, third-party software typically
 is installed in the /opt folder.

0:23:01.120000 --> 0:23:04.100000
 So I'll now hit enter.

0:23:04.100000 --> 0:23:08.040000
 And if I say and we should
 have that here.

0:23:08.040000 --> 0:23:09.760000
 So there we are, SPLUNK_HOME.

0:23:09.760000 --> 0:23:16.280000
 Okay. So now let's create
 the directory over there.

0:23:16.280000 --> 0:23:20.980000
 So we are going to say sudo mkdir, make
 directory, and then just specify

0:23:20.980000 --> 0:23:22.680000
 the environment variable.

0:23:22.680000 --> 0:23:26.120000
 So $SPLUNK_HOME, and that will create
 the directory for us.

0:23:26.120000 --> 0:23:32.760000
 And now if we list out the content,
 we list out the contents of the home

0:23:32.760000 --> 0:23:35.920000
 directory of the lab admin
 user on the Linux server.

0:23:35.920000 --> 0:23:40.220000
 You'll see that the Splunk Forwarder Debian
 package has already been downloaded

0:23:40.220000 --> 0:23:45.760000
 for you. So in order to install a Debian
 package via the terminal, you

0:23:45.760000 --> 0:23:49.300000
 can just utilize the Debian
 package management utility.

0:23:49.300000 --> 0:23:54.820000
 So dpkg, and then use the -i flag to
 say that you want to install it, and

0:23:54.820000 --> 0:23:58.120000
 then the Splunk Forwarder package, and then hit enter.

0:23:58.120000 --> 0:24:00.300000
 Okay. That'll take a few seconds.

0:24:00.300000 --> 0:24:02.260000
 Shouldn't take more than that.

0:24:02.260000 --> 0:24:04.000000
 So we'll actually wait for it.

0:24:04.000000 --> 0:24:11.060000
 There we are. It's complete.

0:24:11.060000 --> 0:24:16.740000
 You know, SPLUNK_HOME, as it were,
 we need to set it to the Splunk user

0:24:16.740000 --> 0:24:17.760000
 that we created.

0:24:17.760000 --> 0:24:20.260000
 So sudo chown splunk:splunk.

0:24:20.260000 --> 0:24:23.460000
 And then the environment
 variable, which was $SPLUNK_HOME.

0:24:23.460000 --> 0:24:27.740000
 And then we'll say, we'll use
 or specify the -R flag.

0:24:27.740000 --> 0:24:30.360000
 So a hyphen, uppercase R.

0:24:30.360000 --> 0:24:34.480000
 So that the ownership
 is applied recursively.

0:24:34.480000 --> 0:24:36.020000
 So we hit enter now.

0:24:36.020000 --> 0:24:40.160000
 All right. So now that we're done here,
 we can actually just navigate

0:24:40.160000 --> 0:24:48.840000
 to SPLUNK_HOME, and more specifically
 the bin directory, and in here,

0:24:48.840000 --> 0:24:53.840000
 we should have the Splunk binary and
 we can now execute it and say sudo

0:24:53.840000 --> 0:25:00.300000
 splunk. And we'll say start and accept,

0:25:00.300000 --> 0:25:09.300000
 accept license. And please
 enter an administrator name.

0:25:09.300000 --> 0:25:12.720000
 So in this case, we'll just stick to
 the defaults that we used on the

0:25:12.720000 --> 0:25:16.660000
 Windows system. So
 splunk_admin.

0:25:16.660000 --> 0:25:20.800000
 And in this case, you will need to provide
 a password, specify something

0:25:20.800000 --> 0:25:22.420000
 that you can remember.

0:25:22.420000 --> 0:25:24.660000
 In my case, I'll do that here.

0:25:24.660000 --> 0:25:28.600000
 So there we go. That's going
 to set up the forwarder.

0:25:28.600000 --> 0:25:32.440000
 But we haven't configured it yet.

0:25:32.440000 --> 0:25:37.480000
 So if we want to, you know, configure
 it or what do I mean when I say

0:25:37.480000 --> 0:25:38.620000
 we haven't configured it yet.

0:25:38.620000 --> 0:25:44.100000
 We haven't told the Splunk Forwarder
 where to forward the logs to.

0:25:44.100000 --> 0:25:49.460000
 So we need to say sudo, run the Splunk
 binary again, and say add forward-server

0:25:49.460000 --> 0:25:59.860000
 and the address of the server
 01 system, which is 172.31.115.110.

0:25:59.860000 --> 0:26:03.460000
 And the port was 997.

0:26:03.460000 --> 0:26:06.160000
 So we hit enter.

0:26:06.160000 --> 0:26:12.700000
 Don't worry if you get a "server certificate
 hostname validation is disabled"

0:26:12.700000 --> 0:26:25.700000
 message there. It's always good on
 Linux to just restart the service.

0:26:25.700000 --> 0:26:32.520000
 But before we do that, I also forgot,
 we need to specify the folder or

0:26:32.520000 --> 0:26:35.360000
 the logs that we want
 the forwarder to forward.

0:26:35.360000 --> 0:26:40.560000
 Right. So hold on a second, we need
 to enter our username here.

0:26:40.560000 --> 0:26:45.620000
 So splunk_admin, and then the password
 that we specified earlier.

0:26:45.620000 --> 0:26:50.520000
 Okay. So we've added forwarding to
 the server 01 system that's running

0:26:50.520000 --> 0:26:51.940000
 the Splunk server.

0:26:51.940000 --> 0:26:57.180000
 What we now need to do is say sudo
 splunk again, and we're going to say

0:26:57.180000 --> 0:27:01.940000
 add monitor. So we want to monitor what?
 In this case, we have been tasked

0:27:01.940000 --> 0:27:07.880000
 to monitor the auth log, which is stored
 under /var/log/auth.log. And because

0:27:07.880000 --> 0:27:11.020000
 this is an Ubuntu system, you
 can see it auto-completed.

0:27:11.020000 --> 0:27:13.220000
 So that file does exist.

0:27:13.220000 --> 0:27:18.680000
 So I can hit enter, and it's added the
 monitor of the following directory,

0:27:18.680000 --> 0:27:19.900000
 which we specified.

0:27:19.900000 --> 0:27:21.620000
 All right. Great.

0:27:21.620000 --> 0:27:25.460000
 So what it's pointing out is we
 probably need to restart the Splunk

0:27:25.460000 --> 0:27:27.840000
 forwarder, the service specifically.

0:27:27.840000 --> 0:27:33.180000
 Really, it's the daemon, but we can say
 sudo splunk and then restart, and

0:27:33.180000 --> 0:27:40.220000
 that'll just restart everything so that
 we can actually verify our configuration

0:27:40.220000 --> 0:27:42.040000
 and ensure everything is working.

0:27:42.040000 --> 0:27:45.340000
 And in this case, you can see it looks
 like everything's working just

0:27:45.340000 --> 0:27:47.880000
 fine. So that's pretty much it.

0:27:47.880000 --> 0:28:09.480000
 We've configured the Linux system. The
 host, what was the actual host name? It was

0:28:09.480000 --> 0:28:14.300000
 just Linux 01. So to verify that we're
 actually getting logs from that

0:28:14.300000 --> 0:28:15.960000
 system. There we are.

0:28:15.960000 --> 0:28:19.080000
 Let me just type it again.

0:28:19.080000 --> 0:28:22.900000
 Hit enter and let's see
 if we've got any logs.

0:28:22.900000 --> 0:28:23.840000
 Indeed, we have.

0:28:23.840000 --> 0:28:28.540000
 So you can see these are all the logs
 in the auth log, the auth.log file, and

0:28:28.540000 --> 0:28:30.600000
 you can actually see under source.

0:28:30.600000 --> 0:28:35.940000
 We have /var/log/auth.log, and you can
 then expand this to the system.

0:28:35.940000 --> 0:28:39.220000
 And you can see the other
 data fields here.

0:28:39.220000 --> 0:28:42.220000
 And you can see that right over here.

0:28:42.220000 --> 0:28:46.020000
 You then have actions, you know,
 so on and so forth in any case.

0:28:46.020000 --> 0:28:50.420000
 Now to test this out, what to
 give you an example here.

0:28:50.420000 --> 0:28:58.080000
 What if I, you know, let's, let me try
 and authenticate to Linux, the Linux

0:28:58.080000 --> 0:29:01.340000
 01 system and I'll put in
 some incorrect passwords.

0:29:01.340000 --> 0:29:04.720000
 All right. So I'll just say, Alexis.

0:29:04.720000 --> 0:29:07.200000
 Okay. That failed, as it did.

0:29:07.200000 --> 0:29:09.000000
 And I'll say password.

0:29:09.000000 --> 0:29:11.400000
 That's going to fail because
 that's not the password.

0:29:11.400000 --> 0:29:15.360000
 The only reason why I'm doing this is,
 you know, I want to actually validate

0:29:15.360000 --> 0:29:19.060000
 that we're getting these failed authentication
 attempts and they should

0:29:19.060000 --> 0:29:23.400000
 be logged because the auth.log, as
 I mentioned in the Linux logging

0:29:23.400000 --> 0:29:29.140000
 video, stores all authentication
 attempts successful or otherwise.

0:29:29.140000 --> 0:29:32.560000
 So it looks like access
 denied here again.

0:29:32.560000 --> 0:29:33.740000
 Okay. Excellent.

0:29:33.740000 --> 0:29:40.080000
 So now I'm not going to get into, you
 know, how to craft a particular

0:29:40.080000 --> 0:29:45.080000
 Splunk search, but I've created one
 here that can hopefully demonstrate,

0:29:45.080000 --> 0:29:50.040000
 you know, the natural progression of how
 you move from, you know, detection

0:29:50.040000 --> 0:29:54.280000
 or setting up detection, you know,
 your SIEM, configuring log shipping

0:29:54.280000 --> 0:29:57.320000
 or collection shipping
 and then aggregation.

0:29:57.320000 --> 0:30:02.400000
 And how you then move on to, you know,
 creating the most basic of alerts

0:30:02.400000 --> 0:30:06.700000
 based on, you know, what you would call
 rudimentary malicious activity.

0:30:06.700000 --> 0:30:10.540000
 So in this case, you know, I can, I
 want to create a search that will

0:30:10.540000 --> 0:30:14.940000
 just display the event logs or the
 logs in this particular case.

0:30:14.940000 --> 0:30:20.920000
 Specific to failed, or to failed authentication
 attempts for the host Linux

0:30:20.920000 --> 0:30:25.180000
 01. So I'm just going to copy over
 the search that I created and I can

0:30:25.180000 --> 0:30:26.600000
 show you, you know, what to do with this.

0:30:26.600000 --> 0:30:30.920000
 What it looks like or what a Splunk
 search would look like.

0:30:30.920000 --> 0:30:38.080000
 All right. So I've just pasted in my
 search here and you can see the index

0:30:38.080000 --> 0:30:40.100000
 is still set to the wildcard.

0:30:40.100000 --> 0:30:42.420000
 So everything or all indexes.

0:30:42.420000 --> 0:30:44.880000
 And then the host is Linux 01.

0:30:44.880000 --> 0:30:46.900000
 The source, this is very important.

0:30:46.900000 --> 0:30:48.900000
 That's set to /var/log/auth.log.

0:30:48.900000 --> 0:30:53.460000
 And then in this case, I'm trying to
 check for, you know, any logs that

0:30:53.460000 --> 0:30:55.200000
 match the following criteria.

0:30:55.200000 --> 0:31:01.000000
 So accepted password or accepted public key
 to account for key based authentication.

0:31:01.000000 --> 0:31:06.920000
 And then some additional filters here
 using regex, which I don't need

0:31:06.920000 --> 0:31:11.420000
 to get into. But I also, you know,
 get the stats and, you know, count

0:31:11.420000 --> 0:31:15.100000
 by time, host, source IP, username,
 the other fields.

0:31:15.100000 --> 0:31:16.220000
 So I've hit enter.

0:31:16.220000 --> 0:31:18.100000
 Let's see if this gives us anything.

0:31:18.100000 --> 0:31:19.000000
 Indeed, it does.

0:31:19.000000 --> 0:31:21.260000
 So you can see right over here.

0:31:21.260000 --> 0:31:24.740000
 If you click on this here, you can
 then click on the events or so.

0:31:24.740000 --> 0:31:27.400000
 And this is associated with
 that or with that search.

0:31:27.400000 --> 0:31:32.080000
 And this particular log is specific
 to when we logged in successfully

0:31:32.080000 --> 0:31:37.920000
 when we were setting up the Universal
 Forwarder to begin with. Now,

0:31:37.920000 --> 0:31:45.680000
 There's also the other option, which is
 to check or look for authentication

0:31:45.680000 --> 0:31:48.800000
 failures, and I can show
 you what that looks like.

0:31:48.800000 --> 0:31:51.960000
 So just give me a second.

0:31:51.960000 --> 0:31:56.520000
 All right, so this is the other
 search here that I created.

0:31:56.520000 --> 0:32:00.740000
 This is, as I mentioned, to give me all.

0:32:00.740000 --> 0:32:06.940000
 In this particular case, all logs pertinent
 to the following criteria.

0:32:06.940000 --> 0:32:13.900000
 So in this case, you know, failed authentication
 attempts via SSH on the

0:32:13.900000 --> 0:32:19.020000
 host Linux 01. So you can see the username
 in all cases was lab admin.

0:32:19.020000 --> 0:32:22.000000
 And you can see all the attempts here.

0:32:22.000000 --> 0:32:29.120000
 So I can then click on a particular timestamp
 and view the events pertinent

0:32:29.120000 --> 0:32:33.000000
 here. And you can actually see this here.

0:32:33.000000 --> 0:32:36.640000
 So we can see the failed
 attempts right over here.

0:32:36.640000 --> 0:32:37.800000
 And there you go.

0:32:37.800000 --> 0:32:45.460000
 So, you know, that's an example of how
 you can then start leveraging Splunk

0:32:45.460000 --> 0:32:49.000000
 in this case to, you know,
 actually analyze it.

0:32:49.000000 --> 0:32:51.340000
 And you can see the logs
 that you've shipped over.

0:32:51.340000 --> 0:32:53.840000
 And of course, you can do the
 same for the Windows system.

0:32:53.840000 --> 0:32:59.240000
 So the core focus of this lab demonstration
 was to give you your, if you

0:32:59.240000 --> 0:33:03.140000
 haven't already experienced this already,
 your first intro to, you know,

0:33:03.140000 --> 0:33:20.200000
 log collection, shipping, and the
 data that has been completed.

0:33:20.200000 --> 0:33:23.880000
 This is actually a phenomenal or fantastic
 playground for you to play

0:33:23.880000 --> 0:33:26.940000
 around with logging with Splunk.

0:33:26.940000 --> 0:33:31.460000
 You know, try and experiment with different
 searches based on different

0:33:31.460000 --> 0:33:35.820000
 activities so you can try and, you
 know, do some interesting things on

0:33:35.820000 --> 0:33:39.660000
 the domain controller and see whether,
 you know, you're actually getting

0:33:39.660000 --> 0:33:42.440000
 those logs, so on and so forth.

0:33:42.440000 --> 0:33:47.700000
 But the bottom line is, it's from this
 point that you then start building

0:33:47.700000 --> 0:33:53.000000
 your alerts. So in this case, I've sort
 of identified malicious activity.

0:33:53.000000 --> 0:33:57.060000
 As you can see here, you know, a failed
 authentication attempt is not

0:33:57.060000 --> 0:34:00.880000
 necessarily an incident, but it's something
 that, you know, I should be

0:34:00.880000 --> 0:34:04.100000
 aware of, or, you know, I should be
 able to visualize, which is another

0:34:04.100000 --> 0:34:08.180000
 one of those really cool features
 offered by a SIEM.

0:34:08.180000 --> 0:34:10.540000
 But we're getting ahead
 of ourselves here.

0:34:10.540000 --> 0:34:13.460000
 As I said, we'll be exploring SIEMs
 in the next section of the course,

0:34:13.460000 --> 0:34:15.280000
 the very next section of the course.

0:34:15.280000 --> 0:34:19.480000
 So with that being said, that's going to
 be it for the practical demonstration

0:34:19.480000 --> 0:34:22.260000
 section of this video.

0:34:22.260000 --> 0:34:30.040000
 All right, so that was a demonstration
 of collecting and shipping logs

0:34:30.040000 --> 0:34:34.840000
 from Windows and Linux systems, or from
 a Windows and Linux system, to a

0:34:34.840000 --> 0:34:51.500000
 Splunk server, a centralized Splunk server.

0:34:51.500000 --> 0:34:52.620000
 So, I'm going to go on to talk about
 the practical step, which is getting

0:34:52.620000 --> 0:34:54.640000
 started with SIEMs.

0:34:54.640000 --> 0:34:58.200000
 So in the next section of the course,
 we'll be getting into or getting

0:34:58.200000 --> 0:35:02.900000
 a proper intro to, you know, SIEM platforms,
 understanding how they work.

0:35:02.900000 --> 0:35:06.680000
 And then there's plenty of practical
 demos where we'll revisit Splunk

0:35:06.680000 --> 0:35:12.840000
 again. But we need to touch on arguably
 the most widely used or widely

0:35:12.840000 --> 0:35:17.480000
 known, you know, platform or solution
 out there, which is the Elastic

0:35:17.480000 --> 0:35:19.300000
 Stack or ELK Stack.

0:35:19.300000 --> 0:35:22.440000
 So with that being said, that's
 going to be it for this video.

0:35:22.440000 --> 0:35:24.780000
 And I will be seeing you
 in the next video.
