All Apps and Add-ons

Server management

QuantumRgw
Explorer

I am a learner who wants to create a Splunk server where I can retrieve information from a business server that I work at.  To securely protect the firm I wonder if I can connect to a server that all of the pc's are connected to and retrieve the information going out and going in.  Thus I can supervise the information and see if there are anything out of ordinary. If possiAny help is appreciated :).

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @QuantumRgw ,

so you have to install an UF on your pcs and manage them using a Deployment Server ad descripted at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Introduction_to_the_Splunk_Di...

Then you have to define your perimeter, in terms of hosts to monitor and, for each host, which logs to index.

Than having the above information, you have to define your Use Cases, e.g. monitoring of administrator accesses, presence of not updated patches, presence of malicious known packets, etc...

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @QuantumRgw ,

let me understand: you want to monitor a server using Splunk is it correct?

to do this, you have to send all logs from this server in Splunk using a Universal Forwarder (an agent) installed on this server and index your logs in a different server where Splunk is installed.

Then you have to identify the security use cases to implement in Splunk, the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) could help you, but your question is too vague for a more detailed answer. 

Ciao.

Giuseppe

0 Karma

QuantumRgw
Explorer

Hello @gcusello 

I would like to monitor the log data from the pc's in the business firm where the pc's are connected to the server. I am planning to install universal forwarder to each pc and forward it to a Host pc in the firm. I want to monitor if there is an out of ordinary events. These range through if simple pc activity monitoring like https, security events, brute force attacks etc.. I don't know whether monitoring the server would be the https logs of the pc's or single installation of each one and forwarding it will give it to me.

thank you for the (https://splunkbase.splunk.com/app/3435)  security essentials,

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @QuantumRgw ,

your requirement is very larger than I thought:

you have to monitor the server, the pcs and the network to identify eventual threats.

When you'll have all these logs, you have to identify the possible variation or threats, it isn't an immediate job, you shoudl better analyze your perimeter (definying all the logs to use) and identify all the Use Cases to implement.

Ciao.

Giuseppe

0 Karma

QuantumRgw
Explorer

Hi again @gcusello 

Thank you for your information. My priority is to monitor the pc's. It would be great if you can let me know whether if it is possible to check https without checking the server but with directly getting information from the pc's. I've tried to look through my laptop's data logs but I don't think I can access to them.  It would be great if there are step-by-step explanation of it.

thank you in advance

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @QuantumRgw ,

how do you think that's possible to monitor a system without accessing it?

Have you Domain credentials to access pcs using WMI?

your question is too vague.

Ciao.

Giuseppe 

QuantumRgw
Explorer

hi @gcusello 

I will be accessing the pc's, since I will need to download Universal forwarder in each of them. I don't use WMI to access the pc's but rather physically access them.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @QuantumRgw ,

so you have to install an UF on your pcs and manage them using a Deployment Server ad descripted at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Introduction_to_the_Splunk_Di...

Then you have to define your perimeter, in terms of hosts to monitor and, for each host, which logs to index.

Than having the above information, you have to define your Use Cases, e.g. monitoring of administrator accesses, presence of not updated patches, presence of malicious known packets, etc...

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...