<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using Splunk to replace manual viewing of security logs in Security</title>
    <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71691#M2371</link>
    <description>&lt;P&gt;It's only available for purchase to Enterprise customers, so you'd have to upgrade your Splunk license as well. That's a good idea either way though &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Critically, you cannot define alerts in the free version.&lt;/P&gt;</description>
    <pubDate>Fri, 22 Mar 2013 16:29:18 GMT</pubDate>
    <dc:creator>martin_mueller</dc:creator>
    <dc:date>2013-03-22T16:29:18Z</dc:date>
    <item>
      <title>Using Splunk to replace manual viewing of security logs</title>
      <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71687#M2367</link>
      <description>&lt;P&gt;Good Morning-&lt;/P&gt;

&lt;P&gt;We currently have Splunk installed in house but not overly configured. Each week, I take our security logs using the MS dumpel command, compile the 92 logs into one 2 GB text file, and run that through an MS Access database to kick out a series of critical event logs to review as part of my company's information security policy and practice, which we have to report to the SEC for Sarbanes-Oxley compliance. I'm hoping to be able to set up alerts in Splunk to email if certain criteria are found and kick those alerts into our SharePoint environment to act as a log for this instead. Any advice on configuring alerts like this would be greatly appreciated.&lt;/P&gt;

&lt;P&gt;Thanks-&lt;/P&gt;

&lt;P&gt;--Ryan&lt;/P&gt;</description>
      <pubDate>Fri, 22 Mar 2013 14:14:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71687#M2367</guid>
      <dc:creator>ryjones13</dc:creator>
      <dc:date>2013-03-22T14:14:52Z</dc:date>
    </item>
    <item>
      <title>Re: Using Splunk to replace manual viewing of security logs</title>
      <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71688#M2368</link>
      <description>&lt;P&gt;That sounds a lot like a use case for the &lt;A href="http://splunk-base.splunk.com/apps/22297/splunk-app-for-enterprise-security"&gt;http://splunk-base.splunk.com/apps/22297/splunk-app-for-enterprise-security&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;You can define additional criteria to match your specific requirements to automatically have Splunk generate events for your team to review.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Mar 2013 15:06:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71688#M2368</guid>
      <dc:creator>martin_mueller</dc:creator>
      <dc:date>2013-03-22T15:06:50Z</dc:date>
    </item>
    <item>
      <title>Re: Using Splunk to replace manual viewing of security logs</title>
      <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71689#M2369</link>
      <description>&lt;P&gt;That looks like it would work, but we use the free version, not the Enterprise one. Can I pay for just this app? Or are there notices I can configure within the system?&lt;/P&gt;</description>
      <pubDate>Fri, 22 Mar 2013 16:09:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71689#M2369</guid>
      <dc:creator>ryjones13</dc:creator>
      <dc:date>2013-03-22T16:09:33Z</dc:date>
    </item>
    <item>
      <title>Re: Using Splunk to replace manual viewing of security logs</title>
      <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71690#M2370</link>
      <description>&lt;P&gt;Hello Ryan,&lt;/P&gt;

&lt;P&gt;If I understood your architecture correctly, I would suggest you send all MS events into Splunk. From there you can classify them with tags or extract some fields and create reports and alerts.&lt;/P&gt;

&lt;P&gt;Then you can decide whether you want a report that is sent as a PDF regularly to a mailbox which stores it on SharePoint, or you can use alerts that trigger a command. Via the command you can also pass parameters and trigger a script that might generate something on your SharePoint.&lt;/P&gt;

&lt;P&gt;Maybe, if you have something with Access databases and you want to keep those, have a look at the DB Connect app, which can pull and push information via JDBC.&lt;/P&gt;

&lt;P&gt;br&lt;BR /&gt;
matthias&lt;/P&gt;</description>
      <pubDate>Fri, 22 Mar 2013 16:15:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71690#M2370</guid>
      <dc:creator>Matthias_BY</dc:creator>
      <dc:date>2013-03-22T16:15:07Z</dc:date>
    </item>
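The "alert that triggers a command which generates something on your SharePoint" path from the reply above, as an added example that is neither code from this thread nor from Splunk. It is the script side of a Splunk scripted alert action: Splunk's legacy scripted-alert convention passes the saved-search name as argv[4], the trigger reason as argv[5] and the path to a gzipped CSV of the matching events as argv[8]; a search such as sourcetype=WinEventLog:Security EventCode=4720 OR EventCode=4732 OR EventCode=1102, scheduled and pointed at this script, would drive it. The field names (EventCode, Account_Name, ComputerName) assume Splunk's Windows add-on, the review-log folder (a SharePoint document library mapped as a local path, set via REVIEW_LOG_DIR) is an assumption, and the sample results rows are constructed so the script runs offline.

```python
"""Splunk scripted-alert handler: turn alert results into a reviewer's log.

Assumed calling convention (Splunk legacy scripted alert action):
  argv[1] number of events   argv[4] saved-search name
  argv[5] trigger reason     argv[8] path to gzipped CSV of the results
"""
import csv
import gzip
import io
import json
import os
import sys
from datetime import datetime, timezone

# Assumption: folder the review log is appended to. In production point
# REVIEW_LOG_DIR at a SharePoint document library mapped as a local path.
DROP_FOLDER = os.environ.get("REVIEW_LOG_DIR", "review-log")

# Well-known Windows Security event IDs a SOX reviewer cares about.
REVIEW_REASON = {
    "4625": "failed logon",
    "4720": "user account created",
    "4732": "member added to security-enabled local group",
    "1102": "audit log cleared",
}


def load_alert_results(path):
    """Read the gzipped CSV that Splunk hands to a scripted alert (argv[8])."""
    with gzip.open(path, "rt", encoding="utf-8", newline="") as fh:
        return list(csv.DictReader(fh))


def build_review_entries(rows, saved_search, trigger_reason):
    """Map result rows to the records a reviewer signs off on.

    Unknown event IDs are kept, so an event the alert fired on is never
    silently dropped just because it is missing from REVIEW_REASON.
    """
    entries = []
    for row in rows:
        code = row.get("EventCode", "")
        entries.append({
            "saved_search": saved_search,
            "trigger_reason": trigger_reason,
            "event_time": row.get("_time", ""),
            "computer": row.get("ComputerName", ""),
            "account": row.get("Account_Name", ""),
            "event_code": code,
            "why_flagged": REVIEW_REASON.get(code, "matched alert search"),
        })
    return entries


def write_review_log(entries, folder, now=None):
    """Append entries as JSON lines to a per-day file; returns the file path."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d")
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, "security-review-%s.jsonl" % stamp)
    with open(path, "a", encoding="utf-8") as fh:
        for entry in entries:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return path


def make_sample_results(path):
    """Constructed stand-in for Splunk's results CSV, for offline runs."""
    buf = io.StringIO()
    fields = ["_time", "ComputerName", "EventCode", "Account_Name"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerow({"_time": "2013-03-22T09:15:01", "ComputerName": "DC01",
                     "EventCode": "4720", "Account_Name": "svc-backup2"})
    writer.writerow({"_time": "2013-03-22T09:16:44", "ComputerName": "DC01",
                     "EventCode": "4732", "Account_Name": "svc-backup2"})
    writer.writerow({"_time": "2013-03-22T09:20:10", "ComputerName": "FS03",
                     "EventCode": "1102", "Account_Name": "jdoe"})
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        fh.write(buf.getvalue())


def main(argv):
    if len(argv) > 8:
        # Invoked by Splunk: argv[8] is the gzipped results file.
        rows = load_alert_results(argv[8])
        entries = build_review_entries(rows, argv[4], argv[5])
    else:
        # Invoked by hand: exercise the same path on the constructed sample.
        sample = os.path.join(os.getcwd(), "sample-results.csv.gz")
        make_sample_results(sample)
        rows = load_alert_results(sample)
        entries = build_review_entries(rows, "SOX critical security events",
                                       "manual test run")
    print(write_review_log(entries, DROP_FOLDER))


if __name__ == "__main__":
    main(sys.argv)
```

Run by hand it writes a dated JSON-lines file under review-log; dropped into Splunk's scripts directory and named in the alert's script action it does the same for every trigger. Keeping the write append-only and per day gives the reviewer the evidence trail the Access report used to provide, without anyone hand-running dumpel.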
    <item>
      <title>Re: Using Splunk to replace manual viewing of security logs</title>
      <link>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71691#M2371</link>
      <description>&lt;P&gt;It's only available for purchase to Enterprise customers, so you'd have to upgrade your Splunk license as well. That's a good idea either way though &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Critically, you cannot define alerts in the free version.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Mar 2013 16:29:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/Using-Splunk-to-replace-manual-viewing-of-security-logs/m-p/71691#M2371</guid>
      <dc:creator>martin_mueller</dc:creator>
      <dc:date>2013-03-22T16:29:18Z</dc:date>
    </item>
  </channel>
</rss>

