Getting Data In

What system logs are needed to deploy Splunk effectively and cover the SANS top 20? Need to determine where to deploy forwarders

jardakanian
New Member

Hi

I am deploying Splunk in an environment and would like to capture as many security aspects from the SANS top 20 as possible. I am not too technical, so I am hoping someone will be able to help me determine what type of logs I will actually need access to so I know where to deploy my forwarders.

0 Karma

Richfez
SplunkTrust

This is a big topic.

Luckily for you, Splunk has at least made an attempt at compiling some of this information for you in their "Splunk and the SANS stuff" document. That's not its real name, by the way. The document explains the SANS CSC, what they are and how Splunk can help. It also lists the Apps that Splunk has available to read the data out of the various other pieces of software, too.

You can find that document at their shortcut to SANS link which requires a free registration. You could also find that same PDF if you search using one of the better search engines for "Splunk SANS". I'm just sayin'.

I also think actual application and notes about the various CSCs would be well placed in the Splunk Wiki, because I'll bet there are a lot of people who could use the details of how to actually do this. But really, the usual difficulty is one of figuring out what needs to be done; once you've defined your needs fairly well the rest just becomes a simple technical detail.

Happy SANS hunting!

0 Karma