Splunk Enterprise
What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

New Member

I would like to stand up an auditing solution using the free version of Splunk installed on a Windows platform to demonstrate Splunk's ability to meet our NIST auditing requirements and measure our bandwidth requirements. We have Windows 2008 R2 event logs and RHEL v6.9 syslogs that need to be aggregated, reviewed, and archived. I'm looking for a document targeted towards this one use case. Does anything like this exist?


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

SplunkTrust

Hello talonned,
I will carefully say that the NIST auditing requirements you follow are the document you are looking for. The important thing is to enable the correct auditing rules / mechanisms / functions at your OS level. When everything is available, send that data to Splunk, use the correct TAs that will assist you with pre-configured extractions, tags and eventtypes, and you are ready to rock and roll.
Follow the NIST doc and translate it to Splunk queries, reports, dashboards and alerts.
I hope it helps.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

New Member

Perhaps I didn't word my question well.
You say...
"I will carefully say that NIST auditing requirements you follow is the document you are looking for. The important thing is to enable the correct auditing rules / mechanisms / functions on your OS level."
My reply...
"We've done that and have been doing that for years...with a tool called EventTracker. We don't like EventTracker and would like to consider moving to Splunk."
You say...
"When everything is available, send that data to Splunk, use the correct TA's that will assist you with pre-configured extractions, tags and eventtypes and you are ready to rock and roll."
My Reply...
"I have no idea what you're talking about. Could you please dumb it down a little?"

Note: I have Windows events and RHEL syslogs. I'm happy with the content of those logs. I need to learn how to aggregate those records on a Splunk server, review with filters (e.g. machine name, time, event type, etc.), and have the capability to archive/purge records older than "X".

I would think that this would be a fairly common use case for Splunk and there would be an out-of-the-box solution. If not, I apologize for taking your time. I'll have to pursue a different solution...such as SolarWinds.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

SplunkTrust

Hello @talonned,
I see where you are at (at least I think I do).
For starters, you will probably want all your data in one spot which is easy to search and report against.
Use the Splunk Universal Forwarder to bring data into your Splunk indexer.
Leverage the TAs (Splunk apps) to extract the correct fields and normalize the data.
TAs are software pieces built for Splunk, and most of the time they are built around a certain technology or product.
You will probably want the TA for *nix: https://splunkbase.splunk.com/app/833/ and the Splunk TA for Windows: https://splunkbase.splunk.com/app/742/ and maybe a couple of others.
I am not so sure what you mean by "out of the box solution", as Splunk has many prebuilt apps that have plenty of built reports and visualizations around your use case. I have found that clients tend to tweak those here and there depending on the unique questions they have around their data.
To your point, Splunk gives you a robust search capability across all data sources and will also give you the ability to archive / purge records according to your retention policies.
I can advise you to try and download Splunk, install it on a small VM, collect your data and create some reports around your NIST requirements.
We are here to help.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

SplunkTrust

Links that will help with my above comment:
Start using Splunk: http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Whatsinthismanual
Download Splunk: https://www.splunk.com/en_us/download.html
Download the Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html
Some docs regarding the Windows pre-built visualization and reports app:
http://docs.splunk.com/Documentation/MSApp/1.4.1/Reference/Aboutthismanual
Linux auditd app:
https://splunkbase.splunk.com/app/2642/


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

New Member

I'm going to go through the process once again of installing Splunk and a forwarder on a different server to see if I can get it to work. I last tried this in 2015 and gave up...due to hitting roadblocks that I couldn't surmount. Hopefully it will go smoothly this time.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

SplunkTrust

@talonned,
Good luck!
We are here to assist.
Try and start very small: 1 Splunk instance, enable the receiving port, install 1 forwarder on a Windows box.
Install the Windows TA on the indexer and the forwarder, and enable inputs on the forwarder.
See your data in the Splunk indexer.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

New Member

Adonio,

  1. Install Splunk on Splunk server (check)
  2. Install Splunk Forwarder on Splunk client (check)

I see the events for the Splunk server, I see the Splunk Forwarder machine on the Splunk server, but I don't see any events from the remote client (forwarder). This is usually where I get stuck each time. I can't find the documentation or instructional video on how to troubleshoot.

Your instructional videos are great...the couple I've found. Do you have any on configuring Splunk Forwarders or creating Dashboards?

Best Regards, Tom.


Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

SplunkTrust

Check this doc, I find it helpful:
http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/Cantfinddata
Make sure you can see data from your forwarder: index=_internal host=YourForwarder
Check your inputs on the forwarder.
Install the TA for Windows or the TA for *nix, depending on your OS, on the forwarder and the indexer.
Enable inputs on the TAs (they have full documentation).
Check that you can see data in the correct indexes.

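The "start small" steps above (enable the receiving port, install the TA on indexer and forwarder, enable inputs, confirm data in the right index) and the earlier point about archiving / purging by retention policy, written out as the minimal set of .conf stanzas involved. This is an added illustration, not configuration from the thread or from Splunk's own docs; the indexer hostname, the index name audit_logs, the archive path and the 365-day retention are assumed placeholders.

```ini
# --- Indexer ("Server"): open the receiving port the forwarders send to ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
disabled = 0

# --- Indexer: a dedicated index for the audit data, with retention ---
# $SPLUNK_HOME/etc/system/local/indexes.conf
[audit_logs]
homePath   = $SPLUNK_DB/audit_logs/db
coldPath   = $SPLUNK_DB/audit_logs/colddb
thawedPath = $SPLUNK_DB/audit_logs/thaweddb
# events older than 365 days (assumed "X") leave the searchable index
frozenTimePeriodInSecs = 31536000
# with this set the aged-out buckets are copied here instead of deleted;
# omit the line to purge them outright (assumed archive path)
coldToFrozenDir = /opt/splunk_archive/audit_logs

# --- Every Universal Forwarder ("Client"): where to send data ---
# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = primary_indexer

[tcpout:primary_indexer]
# assumed indexer hostname; port matches the splunktcp stanza above
server = splunk-server.example.com:9997

# --- Windows 2008 R2 forwarder: event logs to collect (Splunk_TA_windows) ---
# %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf
[WinEventLog://Security]
disabled = 0
index = audit_logs

[WinEventLog://System]
disabled = 0
index = audit_logs

# --- RHEL 6.9 forwarder: syslog files to collect (Splunk_TA_nix) ---
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
[monitor:///var/log/messages]
sourcetype = syslog
index = audit_logs

[monitor:///var/log/secure]
sourcetype = linux_secure
index = audit_logs
```

After restarting the forwarder, the check from the reply above applies: index=_internal host=YourForwarder shows the forwarder's own logs, and index=audit_logs shows the collected events, with host giving "events by client" for the dashboard asked about below.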

Re: What are the actionable tasks required to install/configure Splunk to meet NIST auditing requirements for windows event logs and RHEL syslog

New Member

Good Morning Adonio,

I have a Splunk server and a Splunk forwarder set up on different machines. I'm ingesting local logs just fine on the Splunk server (I'll call this the "Server"), but not seeing anything from the machine running the Splunk forwarder (I'll call this the "Client"). I see an active connection between the Client and the Server on port 8089, but no Client data in the Splunk interface.

I look for Forwarders, but see nothing. I look at the documentation you pointed me to and see instructions like...

"Check that your data is in fact being forwarded. Here are some searches to get you started. You can run all these searches, except for the last one, from the Splunk default Search app. The last search you run from the CLI to access the forwarder. A forwarder does not have a user interface: "

...what the heck is the "Splunk default Search app"?

I'm looking for something like...

  1. Install Splunk (w/instructions...done)
  2. Install Forwarder (w/instructions...done)
  3. Validate connections (w/instructions...not done)
  4. Set up a basic dashboard that shows...(not done)
     a. Events by Client
     b. Events by Event Type
     c. Events by Time

I can learn more about Splunk once those simple tasks are configured. I would hope there would be some simple use case of instructions for a beginner to achieve that result without having to first learn everything there is to learn about Splunk.

Best Regards, Tom
