What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog?
I would like to stand up an auditing solution using the free version of Splunk installed on a Windows platform to demonstrate Splunk's ability to meet our NIST auditing requirements and measure our bandwidth requirements. We have Windows 2008 R2 event logs and RHEL v6.9 syslogs that need to be aggregated, reviewed, and archived. I'm looking for a document targeted towards this one use case. Does anything like this exist?
I will carefully say that the NIST auditing requirements you follow are the document you are looking for. The important thing is to enable the correct auditing rules / mechanisms / functions at the OS level. When everything is available, send that data to Splunk, use the correct TAs that will assist you with pre-configured extractions, tags and eventtypes, and you are ready to rock and roll.
Follow the NIST doc and translate it into Splunk queries, reports, dashboards and alerts.
I hope it helps
Perhaps I didn't word my question well.
"I will carefully say that NIST auditing requirements you follow is the document you are looking for. The important thing is to enable the correct auditing rules / mechanisms / functions on your OS level."
"We've done that and have been doing that for years...with a tool called EventTracker. We don't like EventTracker and would like to consider moving to Splunk."
"When everything is available, send that data to Splunk, use the correct TA's that will assist you with pre-configured extractions, tags and eventtypes and you are ready to rock and roll."
"I have no idea what you're talking about. Could you please dumb it down a little?"
Note: I have Windows events and RHEL syslogs. I'm happy with the content of those logs. I need to learn how to aggregate those records on a Splunk server, review with filters (e.g. machine name, time, event type, etc.), and have the capability to archive/purge records older than "X".
I would think that this would be a fairly common use case for Splunk and there would be an out-of-the-box solution. If not, I apologize for taking your time. I'll have to pursue a different solution...such as SolarWinds.
I see where you are at (at least i think I do).
For starters, you will probably want all your data in one spot that is easy to search and report against.
Use the Splunk Universal Forwarder to bring data into your Splunk indexer.
Leverage the TAs (Splunk apps) to extract the correct fields and normalize the data.
TAs are software pieces built for Splunk, and most of the time they are built around a certain technology or product.
You will probably want the TA for *nix: https://splunkbase.splunk.com/app/833/ and the Splunk TA for Windows: https://splunkbase.splunk.com/app/742/ and maybe a couple of others.
I am not so sure what you mean by "out of the box solution", as Splunk has many prebuilt apps that have plenty of built-in reports and visualizations around your use case; I have found that clients tend to tweak those here and there depending on the unique questions they have around their data.
To your point, Splunk gives you a robust search capability across all data sources and will also give you the ability to archive / purge records according to your retention policies.
I can advise you to try downloading Splunk and installing it on a small VM, collecting your data and creating some reports around your NIST requirements.
We are here to help.
links that will help with my above comment:
start using splunk: http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Whatsinthismanual
download splunk: https://www.splunk.com/en_us/download.html
download Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html
Some docs regarding the Windows prebuilt visualization and reports app:
Linux auditd app:
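To make the archive/purge point in the answer above concrete, here is an added example of the indexer-side retention configuration; it is not part of the original answer or of any Splunk app. It assumes an index named wineventlog for the forwarded Windows events and an archive directory on the D: drive; both names are assumptions, and the age and size limits are placeholders to replace with whatever your retention policy says.

```ini
; $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer
; (added example; the index name, paths and limits are assumptions)

[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

; Age trigger: a bucket is frozen once its newest event is older than this
; many seconds (365 days here). Retention is enforced per bucket, so a few
; events slightly older than the limit stay searchable until the bucket
; that holds them ages out.
frozenTimePeriodInSecs = 31536000

; Size cap for the whole index in MB. If this is reached first, the oldest
; buckets are frozen before they hit the age limit, so size this for your
; measured daily volume times the retention period, with headroom.
maxTotalDataSizeMB = 50000

; With no coldToFrozenDir (or coldToFrozenScript) a frozen bucket is
; deleted. With it, Splunk copies the bucket's raw data here before
; removing it from colddb; that copy is the "archive" half of archive/purge.
coldToFrozenDir = D:\splunk_archive\wineventlog
```

To bring an archived bucket back for review, copy it into thawedPath, run splunk rebuild on that bucket directory to regenerate its index files, and restart; thawed buckets are searchable but are not subject to the age limit, so remove them by hand when the review is done. The archive directory holds the raw event data, so it needs at least the same access controls as the live index, and the reads from it should themselves be audited if your NIST controls require it.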
I'm going to go through the process once again of installing Splunk and a forwarder on a different server to see if I can get it to work. I last tried this in 2015 and gave up...due to hitting roadblocks that I couldn't surmount. Hopefully it will go smoothly this time.
we are here to assist.
Try and start very small: 1 Splunk instance, enable the receiving port, install 1 forwarder on a Windows box.
Install the Windows TA on the indexer and the forwarder, and enable inputs on the forwarder.
See your data in the Splunk indexer.
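The three steps above, written out as the configuration files they produce; this is an added example, not part of the original answer and not the shipped contents of either TA. SPLUNKSERVER stands for your indexer's hostname, and the index names wineventlog and os are assumptions that must already exist on the indexer (create them under Settings > Indexes or in indexes.conf) or the events are dropped with a warning in splunkd.log.

```ini
; ---- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
; Open the receiving port. CLI equivalent: splunk enable listen 9997
[splunktcp://9997]
disabled = 0

; ---- Windows forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf ----
; Point the Universal Forwarder at the indexer.
; CLI equivalent: splunk add forward-server SPLUNKSERVER:9997
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = SPLUNKSERVER:9997

; ---- Windows forwarder: etc\apps\Splunk_TA_windows\local\inputs.conf ----
; The TA ships its stanzas disabled in default\inputs.conf. Enabling them in
; local\ overrides default\ without editing the shipped files, so the
; settings survive a TA upgrade. The forwarder service must run as an
; account allowed to read the Security log (Local System is).
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

; ---- RHEL forwarder: etc/apps/Splunk_TA_nix/local/inputs.conf ----
; Same pattern for the syslog files; the same outputs.conf as above goes
; into etc/system/local on this box too. The sourcetypes are the ones the
; TA's extractions are written for, so keep them as shown.
[monitor:///var/log/messages]
disabled = 0
sourcetype = syslog
index = os

[monitor:///var/log/secure]
disabled = 0
sourcetype = linux_secure
index = os
```

Restart the forwarder after editing (splunk restart), then confirm what it actually loaded with splunk btool inputs list --debug (shows which file each setting came from) and splunk list forward-server (shows the indexer as active or not). On the indexer, the search index=_internal source=*metrics.log* group=tcpin_connections lists every forwarder that has connected on 9997; a forwarder that appears there but has nothing in index=wineventlog usually means the index does not exist or the inputs are still disabled. The forwarder's management port (8089 by default) carries no event data, so an established connection on it is not evidence that forwarding works; the receiving port is the one to check.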
I see the events for the Splunk server, I see the Splunk Forwarder machine on the Splunk server, but I don't see any events from the remote client (forwarder). This is usually where I get stuck each time. I can't find the documentation or instructional video on how to troubleshoot.
Your instructional videos are great...the couple I've found. Do you have any on configuring Splunk Forwarders or creating Dashboards?
Best Regards, Tom.
Check this doc; I find it helpful:
Make sure you can see data from your forwarder: index=_internal host=YourForwarder
Check your inputs on the forwarder.
Install the TA for Windows or the TA for *nix, depending on your OS, on the forwarder and the indexer.
Enable inputs in the TAs (they have full documentation).
Check that you can see data in the correct indexes.
Good Morning Adonio,
I have a Splunk server and a Splunk forwarder set up on different machines. I'm ingesting local logs just fine on the Splunk server (I'll call this the "Server"), but not seeing anything from the machine running the Splunk forwarder (I'll call this the "Client"). I see an active connection between the Client and the Server on port 8089, but no Client data in the Splunk interface.
I look for Forwarders, but see nothing. I look at the documentation you point me to and see instructions like...
"Check that your data is in fact being forwarded. Here are some searches to get you started. You can run all these searches, except for the last one, from the Splunk default Search app. The last search you run from the CLI to access the forwarder. A forwarder does not have a user interface: "
...what the heck is the "Splunk default Search app"?
I'm looking for something like...
I can learn more about Splunk once those simple tasks are configured. I would hope there would be some simple use case of instructions for a beginner to achieve that result without having to first learn everything there is to learn about Splunk.
Best Regards, Tom