Security

Splunk SIEM license

Nikolozts
Engager

Hello,

I have PoC.  I wonder where I could find the documentation and videos about installation, administration, system requirements and licensing of Splunk SIEM. I have no experience in installing or configuration it. I interesing in how to work splunk siem? How collect logs and events? How it is licensed? I searched some information and see 30gb/day I confused this is all events and log size daily? I am ready to receive all information and recommendations about splunk SIEM

Labels (1)
Tags (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Nikolozts,

I use Windows only on my pc for test, never for production systems.

About requirements, you can see at https://docs.splunk.com/Documentation/ES/6.5.1/Install/DeploymentPlanning 

But Anyway, I continue to hint to call a Splunk Partner for the Demo, otherwise you risk to not correctly evaluate ES, if you don't know anyone, contact me with a private message.

In addition, using a demo environment, you already have many log sources to see how ES works, in your lab, you have to ingest logs before to start to install ES and, if you haven't experience on Splunk, it could be a long job.

You have to:

  • prepare Server,
  • install Splunk Enterprise,
  • install Universal Forwarder (Splunk Agent) on servers,
  • open firewall routes,
  • configure them,
  • configure syslogs from appliances,
  • install and configure Technical Add-Ons on Splunk Enterprise,
  • install Splunk ES and its modules,
  • configure it,
  • activate Data Models and Correlation Searches.

An expert could do the work in few days (except firewall routes, agents and syslogs), if you aren't an expert it surely will be a longer work.

Ciao.

Giuseppe

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi
If you have limited time and resources for this PoC, I propose that contact to your nearest Splunk Partner and ask that they could help you with it. I suppose that this will be the most cost efficient way to do it.

https://partners.splunk.com/locator/

r. Ismo

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Nikolozts,

I can confirm, from my experience, that Splunk Enterprise Security (the Splunk SIEM) is one of the best SIEM on the market, and Gartner confirm my idea.

Installation isn't so immediate, because you have to install Splunk Enterprise (easy!) and then Splunk ES with all its modules, then you have to configure it .

I hint to ask to a Splunk partner (if you are in Italy or near I can propose myself) to make a demo ti you and then open a demo environment on Splunk Cloud.

Anyway, on youtube you can find some videos about this:

https://www.youtube.com/watch?v=KoIY-_2ItSc&pp=ugMICgJpdBABGAE%3D

https://www.youtube.com/watch?v=IA2QwdpCm74&pp=ugMICgJpdBABGAE%3D

https://www.youtube.com/watch?v=9D00ysP5Hbg&t=646s

https://www.youtube.com/watch?v=HN4zGIyi3PI

https://www.youtube.com/watch?v=h2_MiD9OC_8&list=PLxkFdMSHYh3Qx3Ct9ZzeL7accYO2rE_ZB

https://www.youtube.com/watch?v=M1JXeQTiQBQ&pp=ugMICgJpdBABGAE%3D

About your questions:

Splunk Enterprise collect every kind of logs,

using some own modules (called Technical Add-Ons) parse these logs and normalize them in CIM format,

Splunk ES takes these logs, correlate and use them into some Use Cases,

there are around 300 Use Cases already ready, then you can create your own Use Cases.

Both Splunk Enterprise and Splunk ES are licensed based on the logs daily indexed, you have to buy both a license for Splunk Enterprise and Splunk ES,

The volume of daily indexed logs depends on the perimeter to monitor: how many servers, firewalls, proxies, is there packet capure, are there application logs, etc...?

Here you can find all the information about ES: https://docs.splunk.com/Documentation/ES/6.5.1/User/Overview

Ciao.

Giuseppe

0 Karma

Nikolozts
Engager

Thank you very much for the quick reply. I will look carefully at the links provided by you. What are the minimum system recommended requirements and your experience which one is the best operating system for Splunk SIEM? Of course I think about installing it on Linux but which is the fully supported system? Are there any restrictions on Windows system?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Nikolozts,

I use Windows only on my pc for test, never for production systems.

About requirements, you can see at https://docs.splunk.com/Documentation/ES/6.5.1/Install/DeploymentPlanning 

But Anyway, I continue to hint to call a Splunk Partner for the Demo, otherwise you risk to not correctly evaluate ES, if you don't know anyone, contact me with a private message.

In addition, using a demo environment, you already have many log sources to see how ES works, in your lab, you have to ingest logs before to start to install ES and, if you haven't experience on Splunk, it could be a long job.

You have to:

  • prepare Server,
  • install Splunk Enterprise,
  • install Universal Forwarder (Splunk Agent) on servers,
  • open firewall routes,
  • configure them,
  • configure syslogs from appliances,
  • install and configure Technical Add-Ons on Splunk Enterprise,
  • install Splunk ES and its modules,
  • configure it,
  • activate Data Models and Correlation Searches.

An expert could do the work in few days (except firewall routes, agents and syslogs), if you aren't an expert it surely will be a longer work.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...