First Time: Splunk
This article sums up my first experiences with Splunk.
What is Splunk anyway?
Vendor speech: “Splunk collects, indexes and harnesses all the fast moving machine data generated by your applications, servers and devices – physical, virtual and in the cloud. Troubleshoot application problems and investigate security incidents in minutes instead of hours or days, avoid service degradation or outages, deliver compliance at lower cost and gain new business insights.”
Prerequisites
- BackTrack 5 R2
- update distro:
apt-get update
apt-get -u dist-upgrade
- download Splunk to /root/pentest-home/Download:
- 64 bit: wget -O splunk-4.3.3-128297-linux-2.6-amd64.deb 'http://www.splunk.com/page/download_track?file=4.3.3/splunk/linux/splunk-4.3.3-128297-linux-2.6-amd64.deb&ac=Net_Security_Download&wget=true&name=wget&typed=releases'
OR - 32 bit: wget -O splunk-4.3.3-128297-linux-2.6-intel.deb 'http://www.splunk.com/page/download_track?file=4.3.3/splunk/linux/splunk-4.3.3-128297-linux-2.6-intel.deb&ac=Net_Security_Download&wget=true&name=wget&typed=releases'
- install Splunk:
dpkg --install splunk-4.3.3*.deb
- start Splunk:
/opt/splunk/bin/splunk start
- access Splunk in the browser: http://127.0.0.1:8000
user: admin, password: changeme (these are the default credentials; change the password right after the first login, because Splunk Web is not restricted to localhost by default)
Getting Started
- we will start by analyzing some Apache access and error logs, so get some onto your BT system into the following directory: /root/pentest-home/Splunk
- add a data source to Splunk:
- Add Data to Splunk
- From files and directories
- Skip Preview
- specify the path (/root/pentest-home/Splunk)
- click on “More Settings”
- specify a host name
- Save
- you should see some of the log files appear in the Splunk search view
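The same data input can be defined in a configuration file instead of clicking through the web UI. This is an added example, not part of the original article: the stanza goes into /opt/splunk/etc/system/local/inputs.conf (create the file if it does not exist), the host name bt5-apache is an assumed value, and Splunk must be restarted afterwards with /opt/splunk/bin/splunk restart.

```ini
# Added example: inputs.conf equivalent of "Add Data" -> "From files and directories".
# Path and host match the walkthrough above; "bt5-apache" is an assumed host name.
[monitor:///root/pentest-home/Splunk]
host = bt5-apache
disabled = false
```

Leaving sourcetype out lets Splunk assign one per file; the pretrained Apache sourcetypes are access_combined for the access logs and apache_error for the error logs. Setting a single sourcetype on the whole directory would mislabel one of the two.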
Searching
- play around with the search app in Splunk
- hints:
- Splunk will search for a case-insensitive exact match of every term (implicit AND between terms)
- use * for pattern search
- use NOT to exclude a term and OR to accept either of two terms (OR binds tighter than the implicit AND)
- place exact terms in quotes
- click on a word in the results to add it to the query / ALT + click to add NOT + term
- click again to remove from query
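To make the hints above concrete, here is a small evaluator for those rules (implicit AND, OR, NOT, * wildcards, quoted phrases, case-insensitive exact terms) run over a handful of constructed Apache log lines. This is example code added to the article, not Splunk's search engine, and it only approximates how Splunk segments an event into searchable terms; the log lines are made up.

```python
"""Toy evaluator for the search hints listed above, run over constructed
Apache log lines. Added example code, not Splunk's own search engine; the
segmentation into terms is an approximation of what Splunk indexes."""
import re
from collections import namedtuple

# Constructed sample events: four access_combined lines and one error_log line.
EVENTS = [
    '10.0.0.5 - - [12/Aug/2012:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2012:10:01:09 +0200] "GET /admin/login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Aug/2012:10:02:31 +0200] "POST /login.php HTTP/1.1" 200 230 "-" "sqlmap/1.0"',
    '192.168.1.20 - - [12/Aug/2012:10:02:40 +0200] "GET /etc/passwd HTTP/1.1" 403 199 "-" "sqlmap/1.0"',
    '[Sun Aug 12 10:02:40 2012] [error] [client 192.168.1.20] File does not exist: /var/www/etc',
]

Atom = namedtuple("Atom", "negated is_phrase text")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def segments(event):
    """Approximate Splunk segmentation: each whitespace-separated chunk
    (surrounding quotes/brackets stripped) plus every alphanumeric run
    inside it, all lower-cased. A bare term must equal one of these
    exactly, which is why 'ind' does not match 'index'."""
    segs = set()
    for chunk in event.split():
        chunk = chunk.strip('"[]').lower()
        if chunk:
            segs.add(chunk)
        segs.update(re.findall(r"[a-z0-9_]+", chunk))
    return segs


def parse(query):
    """Return a list of AND-ed clauses; each clause is a list of OR-ed atoms.
    NOT applies to the term that follows it; OR binds tighter than the
    implicit AND between whitespace-separated terms."""
    clauses, current = [], []
    negate = pending_or = False
    for phrase, word in TOKEN_RE.findall(query):
        if word == "OR":
            pending_or = True
            continue
        if word == "NOT":
            negate = True
            continue
        atom = Atom(negate, not word, word or phrase)
        if pending_or and current:
            current.append(atom)          # extend the current OR-group
        else:
            if current:
                clauses.append(current)
            current = [atom]              # start a new AND-ed clause
        negate = pending_or = False
    if current:
        clauses.append(current)
    return clauses


def atom_matches(atom, segs, event_lower):
    if atom.is_phrase:
        # Quoted text is matched as a literal, case-insensitive substring.
        hit = atom.text.lower() in event_lower
    else:
        # Bare term: exact match against one segment; '*' matches any run.
        pattern = ".*".join(re.escape(p) for p in atom.text.lower().split("*"))
        hit = any(re.fullmatch(pattern, seg) for seg in segs)
    return hit != atom.negated


def matches(event, query):
    segs, low = segments(event), event.lower()
    return all(any(atom_matches(a, segs, low) for a in clause)
               for clause in parse(query))


def search(query, events=EVENTS):
    """Indices of the events that satisfy the query."""
    return [i for i, e in enumerate(events) if matches(e, query)]


if __name__ == "__main__":
    for q in ["404", "get 200", "GET NOT 200", "sqlmap* OR 404",
              '"POST /login.php"', 'NOT "Mozilla/5.0"', "ind"]:
        print(f"{q!r:>22} -> {search(q)}")
```

Running it shows the practical consequences of the rules: "get 200" finds only the GET with status 200 (case does not matter), "GET NOT 200" drops it again, "sqlmap* OR 404" collects the scanner traffic plus the 404, and the bare term "ind" matches nothing because terms are compared whole, not as substrings.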
Hints
- rebuild all indexes from scratch and erase nearly everything (users, …):
This action will permanently erase all indexed event data, user information, global data, and internal logs; it cannot be undone!
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean all
/opt/splunk/bin/splunk start