Getting Data In

What system logs are needed to deploy Splunk effectively and cover the SANS top 20? Need to determine where to deploy forwarders

jardakanian
New Member

Hi

I am deploying Splunk in an environment and would like to capture as many security aspects from the SANS top 20 as possible. I am not too technical, so I am hoping someone will be able to help me determine what type of logs I will actually need access to so I know where to deploy my forwarders.

0 Karma

Richfez
SplunkTrust

This is a big topic.

Luckily for you, Splunk has at least made an attempt at compiling some of this information for you in their "Splunk and the SANS stuff" document. That's not its real name, by the way. The document explains the SANS CSC, what they are and how Splunk can help. It also lists the Apps that Splunk has available to read the data out of the various other pieces of software, too.

You can find that document at their shortcut to SANS link which requires a free registration. You could also find that same PDF if you search using one of the better search engines for "Splunk SANS". I'm just sayin'.

I also think actual application and notes about the various CSCs would be well placed in the Splunk Wiki, because I'll bet there are a lot of people who could use the details of how to actually do this. But really, the usual difficulty is one of figuring out what needs to be done; once you've defined your needs fairly well the rest just becomes a simple technical detail.

Happy SANS hunting!

0 Karma