Setting up Splunk to monitor network activity

date: Mar 27, 2023
slug: splunk-101
author:
status: Public
tags: Admin, Cloud, Projects, Splunk, SIEM, Docs
summary: Setting up a basic Splunk dashboard
type: Post
thumbnail: https://cdn.invicti.com/statics/img/techdoc/company-logos/splunk-logo.png
category: Administration
updatedAt: Mar 28, 2023 06:34 AM
After a catastrophic event that caused my remote server to malfunction, I had to redo several projects, including my Splunk instance, which I used to monitor my lab and network. I figured I might as well write down some of the stuff I did.
In this tutorial, I'll walk through installing Splunk Enterprise on Windows, ingesting the local Windows event logs, and turning a saved search into a dashboard. That is the foundation for network and security monitoring: the same searches and dashboards work once you start forwarding logs from other hosts.

Prerequisites

  • Before we start, make sure you have a splunk.com account; you need one to download the installer, and the Splunk Enterprise trial licence is fine for a lab.

Windows Install

Since most people use Windows, I’ll set up on Windows. Setting up Splunk on a Windows machine is pretty easy; here's how to do it:
  1. Download the Splunk Enterprise installer for Windows from splunk.com.
  2. Run the installer. For me, the basic configuration install is enough; I did not customise any options.
  3. When the installer asks, create the administrator username and password for this Splunk instance. Note that this is a local account for Splunk Web, not your splunk.com login, so pick a strong password and keep it somewhere safe.
  4. Wait for the installation to complete.
  5. Once the installation is done, launch your browser and go to http://127.0.0.1:8000/. Port 8000 is the Splunk Web default, so this should take you to the Splunk login page (unless you have another service already listening on that port, in which case Splunk will not have been able to bind it).
  6. Sign in with the administrator account you created during the install.
  7. You'll land on the Splunk home page.
  8. Click Settings > Data Inputs in the top right corner.
  9. On the Data Inputs page, click the edit link for Local event log collection.
  10. This is where you select the Windows event logs you want to ingest. For minimal usage, select the Application, Setup, and System logs. If you are after security events (logons, process creation, audit policy changes), add the Security log too; it is the one most detections are written against. Once you've made your selection, click Save in the bottom right corner.
  11. Now go to Apps > Search & Reporting in the top left and run the following search:
    * 
    A bare star (*) returns every event that has been indexed.
  12. In the field list on the left you'll see the host field. My PC is labelled host = MSI; clicking a value adds it to the search query and narrows the results to that host.
  13. Keep narrowing the search until it shows only what you want. Once you have a query you'd like to keep as a table, click the Create Table View button at the top right of the search page. For me, the query was * host=MSI "SourceName=gupdate" (use straight quotes; Splunk does not accept curly ones). The quoted form is a literal text search for that line in the raw event, and it works because the Windows event log input writes each field as a key=value line; the unquoted field form SourceName=gupdate matches on the extracted field instead. I don't want the raw event text in the table, so I deselect the _raw column on the left-hand side of the table view.
  14. Now go to Dashboards and click Create New Dashboard at the top right. I named my dashboard gupdates and built it with Dashboard Studio using the Grid layout. Hit Create.
  15. On the new page, click the add chart (bar graph) icon at the top left and select Table. This creates a table visualisation with its own data source.
  16. On the right you'll see a box called Search with SPL. Paste in your query from earlier, then hit Apply & Close.
  17. In the new panel, set Title to whatever you want and click Save.
  18. You may still have columns you don't want. Open the panel's configuration pane and click the pencil (data configuration) button; this brings up the query you entered.
  19. In the editor, put the cursor at the end of the original query, press Shift+Enter for a new line, and append | fields - _bkt, _cd, so the whole query reads:
    * host=MSI "SourceName=gupdate" | fields - _bkt, _cd
    NOTE: _bkt and _cd are Splunk-internal fields (the index bucket and event address) that carry nothing useful in a dashboard table, which is why I drop them; remove whatever else you consider unnecessary the same way. Hit Apply & Close, and if you are happy with the look of the dashboard, hit Save.
  20. With the dashboard saved, go to the Dashboards tab at the top left and you'll see it listed under the name you gave it; for me that was gupdates.
  21. From there you can open it. For even faster access, open the dashboard's Actions menu and choose Set as Home Dashboard; it then becomes the first thing you see on the Splunk home page.
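The search the dashboard ends up with, * host=MSI "SourceName=gupdate" | fields - _bkt, _cd, mixes three kinds of SPL term, and it is easy to misread which events each one matches. The block below is an added example of mine, not anything from the author's Splunk instance: it replays that pipeline in plain Python over three constructed Windows Event Log events written in the multi-line key=value layout that Splunk's WinEventLog input records. The host names, event text and internal _bkt/_cd values are made up. It shows that a bare word such as gupdate matches any event whose raw text contains it (including an unrelated Service Control Manager event that merely mentions the service), the quoted phrase "SourceName=gupdate" matches only events containing that literal line, and the field form SourceName=gupdate compares against the extracted field; the host=MSI term then drops the event from the other machine.

```python
"""Replay of the dashboard's search pipeline over constructed WinEventLog events.

Added example; the events, host names and internal _bkt/_cd values are made up
to look like what Splunk's Windows Event Log input records, not real log output.
"""
from __future__ import annotations

from datetime import datetime

# Three constructed events: (host, raw event text in the WinEventLog layout).
# The first line is the event time; the rest are key=value lines that Splunk
# extracts into fields such as SourceName and EventCode.
SAMPLE_EVENTS = [
    ("MSI", """03/27/2023 09:14:02 AM
LogName=Application
SourceName=gupdate
EventCode=0
Type=Information
ComputerName=MSI
Message=Service started"""),
    ("MSI", """03/27/2023 09:20:11 AM
LogName=System
SourceName=Service Control Manager
EventCode=7036
Type=Information
ComputerName=MSI
Message=The Google Update Service (gupdate) service entered the running state."""),
    ("LAB-DC01", """03/27/2023 09:21:45 AM
LogName=Application
SourceName=gupdate
EventCode=0
Type=Information
ComputerName=LAB-DC01
Message=Service started"""),
]


def parse_event(host: str, raw: str, idx: int) -> dict:
    """Turn one raw event into the field dict a search result carries."""
    lines = raw.splitlines()
    event = {
        "_raw": raw,
        "_time": datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p"),
        "host": host,
        # Internal bookkeeping fields; constructed values standing in for the
        # bucket id and event address Splunk attaches to every result.
        "_bkt": f"main~{idx}~00000000-0000-0000-0000-000000000000",
        "_cd": f"{idx}:{idx * 7}",
    }
    for line in lines[1:]:
        key, _, value = line.partition("=")
        event[key.strip()] = value.strip()
    return event


def matches_field(event: dict, key: str, value: str) -> bool:
    """field=value term: compares against the extracted field, case-insensitively."""
    return str(event.get(key, "")).lower() == value.lower()


def matches_phrase(event: dict, phrase: str) -> bool:
    """Bare word or "quoted phrase" term: literal text search against _raw.

    Splunk matches on indexed tokens; a substring test is close enough here.
    """
    return phrase.lower() in event["_raw"].lower()


def search(events: list, field_terms: dict | None = None, phrases: tuple = ()) -> list:
    """`search` with every term ANDed, as SPL does; no terms at all behaves like `*`."""
    field_terms = field_terms or {}
    return [
        ev for ev in events
        if all(matches_field(ev, k, v) for k, v in field_terms.items())
        and all(matches_phrase(ev, p) for p in phrases)
    ]


def fields_minus(events: list, *names: str) -> list:
    """`| fields - a, b`: drop the named fields from every result."""
    return [{k: v for k, v in ev.items() if k not in names} for ev in events]


EVENTS = [parse_event(h, raw, i) for i, (h, raw) in enumerate(SAMPLE_EVENTS)]


def gupdate_dashboard_rows() -> list:
    """The dashboard's pipeline: host=MSI SourceName=gupdate | fields - _bkt, _cd"""
    hits = search(EVENTS, {"host": "MSI", "SourceName": "gupdate"})
    return fields_minus(hits, "_bkt", "_cd")


if __name__ == "__main__":
    print("*                    ->", len(search(EVENTS)), "events")
    print("gupdate              ->", len(search(EVENTS, phrases=("gupdate",))), "events")
    print('"SourceName=gupdate" ->', len(search(EVENTS, phrases=("SourceName=gupdate",))), "events")
    print("SourceName=gupdate   ->", len(search(EVENTS, {"SourceName": "gupdate"})), "events")
    for row in gupdate_dashboard_rows():
        print({k: v for k, v in row.items() if k != "_raw"})
```

Running it shows the star returning all three events, the bare word gupdate also returning three, the quoted phrase and the field form each returning two, and the full dashboard query returning the single MSI event with _bkt and _cd gone but _raw still present (which is why the table view step above deselects _raw separately).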
Splunk also lets you install third-party add-ons and apps. One I use a lot, since I have a number of websites to keep an eye on, is Website Monitoring.
It checks each site for uptime, HTTP status code and response time, and shows them on its own dashboard. Mine monitors some of my personal subdomains and websites. The rows showing a 403 status are not outages: those sites sit behind Cloudflare Zero Trust, which rejects any request that doesn't come through the Cloudflare VPN client, and the monitor doesn't.

Conclusion

Getting Splunk installed and pulling in Windows event logs is a straightforward process, and a saved search on a dashboard is enough to start spotting things you'd want to act on. Keep in mind that the setup above only ingests the event logs of the machine Splunk is installed on; to monitor the rest of your network, install the Splunk Universal Forwarder on the other hosts and point it at this instance. Remember to regularly check your dashboard and adjust your search queries as necessary to get the most out of your Splunk instance. Happy monitoring!