Hello,
I have a PoC. I wonder where I could find the documentation and videos about installation, administration, system requirements and licensing of Splunk SIEM. I have no experience in installing or configuring it. I am interested in how Splunk SIEM works. How does it collect logs and events? How is it licensed? I searched for some information and saw 30 GB/day; I am confused, is this the size of all events and logs daily? I am ready to receive all information and recommendations about Splunk SIEM.
Hi @Nikolozts,
I use Windows only on my PC for testing, never for production systems.
About requirements, you can see at https://docs.splunk.com/Documentation/ES/6.5.1/Install/DeploymentPlanning
But anyway, I continue to suggest calling a Splunk Partner for the demo; otherwise you risk not evaluating ES correctly. If you don't know anyone, contact me with a private message.
In addition, in a demo environment you already have many log sources to see how ES works; in your lab, you have to ingest logs before starting to install ES and, if you have no experience with Splunk, it could be a long job.
You have to:
An expert could do the work in a few days (except firewall routes, agents and syslogs); if you aren't an expert it will surely be a longer job.
Ciao.
Giuseppe
Hi
If you have limited time and resources for this PoC, I propose that you contact your nearest Splunk Partner and ask whether they could help you with it. I suppose that this will be the most cost-efficient way to do it.
https://partners.splunk.com/locator/
r. Ismo
Hi @Nikolozts,
I can confirm, from my experience, that Splunk Enterprise Security (the Splunk SIEM) is one of the best SIEMs on the market, and Gartner confirms my view.
Installation isn't so immediate, because you have to install Splunk Enterprise (easy!) and then Splunk ES with all its modules; then you have to configure it.
I suggest asking a Splunk partner (if you are in Italy or nearby, I can propose myself) to give you a demo and then open a demo environment on Splunk Cloud.
Anyway, on YouTube you can find some videos about this:
https://www.youtube.com/watch?v=KoIY-_2ItSc&pp=ugMICgJpdBABGAE%3D
https://www.youtube.com/watch?v=IA2QwdpCm74&pp=ugMICgJpdBABGAE%3D
https://www.youtube.com/watch?v=9D00ysP5Hbg&t=646s
https://www.youtube.com/watch?v=HN4zGIyi3PI
https://www.youtube.com/watch?v=h2_MiD9OC_8&list=PLxkFdMSHYh3Qx3Ct9ZzeL7accYO2rE_ZB
https://www.youtube.com/watch?v=M1JXeQTiQBQ&pp=ugMICgJpdBABGAE%3D
About your questions:
Splunk Enterprise collects every kind of log;
using some of its own modules (called Technical Add-Ons) it parses these logs and normalizes them into the CIM format;
Splunk ES takes these logs, correlates them and uses them in some Use Cases;
there are around 300 Use Cases already available, and then you can create your own Use Cases.
Both Splunk Enterprise and Splunk ES are licensed based on the volume of logs indexed daily; you have to buy a license for both Splunk Enterprise and Splunk ES.
The volume of daily indexed logs depends on the perimeter to monitor: how many servers, firewalls, proxies, is there packet capture, are there application logs, etc.?
Here you can find all the information about ES: https://docs.splunk.com/Documentation/ES/6.5.1/User/Overview
Ciao.
Giuseppe
Thank you very much for the quick reply. I will look carefully at the links you provided. What are the minimum recommended system requirements and, in your experience, which operating system is best for Splunk SIEM? Of course I am thinking about installing it on Linux, but which is the fully supported system? Are there any restrictions on Windows systems?