I am a learner who wants to create a Splunk server where I can retrieve information from a business server that I work at. To securely protect the firm, I wonder if I can connect to a server that all of the PCs are connected to and retrieve the information going out and coming in. Thus I can supervise the information and see if there is anything out of the ordinary. If possi
Any help is appreciated :).
Hi @QuantumRgw ,
let me understand: you want to monitor a server using Splunk, is that correct?
To do this, you have to send all logs from this server to Splunk using a Universal Forwarder (an agent) installed on this server and index your logs on a different server where Splunk is installed.
Then you have to identify the security use cases to implement in Splunk; the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) could help you, but your question is too vague for a more detailed answer.
Ciao.
Giuseppe
Hello @gcusello
I would like to monitor the log data from the PCs in the business firm where the PCs are connected to the server. I am planning to install the Universal Forwarder on each PC and forward to a host PC in the firm. I want to monitor if there are any out-of-the-ordinary events. These range from simple PC activity monitoring like HTTPS, security events, brute-force attacks, etc. I don't know whether monitoring the server would give me the HTTPS logs of the PCs, or whether a single installation on each one and forwarding would give them to me.
Thank you for the Security Essentials link (https://splunkbase.splunk.com/app/3435).
Hi @QuantumRgw ,
your requirement is much larger than I thought:
you have to monitor the server, the PCs and the network to identify eventual threats.
When you have all these logs, you have to identify the possible variations or threats; it isn't an immediate job, you should first analyze your perimeter (defining all the logs to use) and identify all the Use Cases to implement.
Ciao.
Giuseppe
Hi again @gcusello
Thank you for your information. My priority is to monitor the PCs. It would be great if you can let me know whether it is possible to check HTTPS without checking the server, but by directly getting information from the PCs. I've tried to look through my laptop's data logs but I don't think I can access them. It would be great if there were a step-by-step explanation of it.
Thank you in advance.
Hi @QuantumRgw ,
how do you think it's possible to monitor a system without accessing it?
Do you have Domain credentials to access the PCs using WMI?
Your question is too vague.
Ciao.
Giuseppe
Hi @gcusello
I will be accessing the PCs, since I will need to download the Universal Forwarder on each of them. I don't use WMI to access the PCs but rather physically access them.
Hi @QuantumRgw ,
so you have to install a UF on your PCs and manage them using a Deployment Server as described at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Introduction_to_the_Splunk_Di....
Then you have to define your perimeter, in terms of hosts to monitor and, for each host, which logs to index.
Then, having the above information, you have to define your Use Cases, e.g. monitoring of administrator accesses, presence of not-updated patches, presence of known malicious packets, etc.
Ciao.
Giuseppe
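As an added example of what the three steps above (UF managed by a Deployment Server, a defined perimeter of logs per host, then use cases) look like on the forwarder side, here are the Splunk .conf stanzas a Deployment Server would push to each PC's Universal Forwarder; this is illustrative configuration, not from the thread or from Splunk's docs. The host names `splunk-ds.example.local` and `splunk-idx.example.local`, the ports and the index name `wineventlog` are assumed placeholders.

```ini
# --- deploymentclient.conf (on each PC's Universal Forwarder) ---
# Points the UF at the Deployment Server so inputs/outputs are pushed centrally.
# "splunk-ds.example.local" is an assumed placeholder for your Deployment Server.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = splunk-ds.example.local:8089

# --- outputs.conf (pushed by the Deployment Server to every UF) ---
# Sends collected events to the indexer; "splunk-idx.example.local" is assumed.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-idx.example.local:9997
useACK = true

# --- inputs.conf (pushed by the Deployment Server to every UF) ---
# The "perimeter" decision from the thread: which Windows logs to index per host.
# The index "wineventlog" is assumed; create it on the indexer first.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Keep only the events the admin-access and brute-force use cases need:
# 4624/4625 logon success/failure, 4648 explicit credentials, 4672 admin
# privileges, 4720/4726 account created/deleted, 4732 group change, 4740 lockout.
whitelist = 4624,4625,4634,4648,4672,4720,4726,4732,4740
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
```

A first use case over these inputs, assuming the field names of the Splunk Add-on for Microsoft Windows, is the brute-force search `index=wineventlog EventCode=4625 | bucket _time span=5m | stats count dc(user) AS users BY _time src_ip | where count > 20`, which flags a source address with many failed logons in five minutes.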