# Disboard #
  • Reconnaissance
    • Quick Guide
    • Ports and Protocols
    • Passive Reconnaissance
    • Active Reconnaissance
  • Web
    • OWASP Top 10
    • OWASP API
    • SQL Injection
      • Microsoft SQL Injection
    • Cross Site Scripting
    • Browser Vulnerabilities
    • Steganography
    • Fuzzing
  • Linux
    • Privilege Escalation
    • Hydra
    • Password Cracking
    • Docker
    • Program Life Cycle
    • Snort
  • Windows
    • Privilege Escalation
    • Active Directory
    • Powershell
  • Exploitation
    • Shells
      • Upgrading Shells
    • Metasploit
      • Meterpreter
    • KOTH
    • Source Code Review
  • Hack the Box
    • ARCHETYPE
    • BASE
    • BASHED
    • EXPLORE
    • NIBBLES
  • Try Hack Me
    • ADVENTURE TIME
    • HACKFINITY
    • MOTHER'S SECRET
    • OFFSEC
    • POSTEXPLOIT
    • ROASTED
    • TEMPEST
    • TRAVERSE
  • CompTIA
    • Network
      • 1.0 Networking Fundamentals
      • 2.0 Network Implementations
      • 3.0 Network Operations
      • 4.0 Network Security
      • 5.0 Network Troubleshooting
    • PenTest
  • SIEM
    • Splunk
    • Elastic
  • Wireless
    • Wi-Fi Hacking
  • Other
    • PicoCTF
    • SSH Tunneling
    • Life Hacks
    • My Pokémon API
    • Github
Powered by GitBook
On this page
  • Spunk Components
  • 1. Splunk Forwarder
  • 2. Splunk Indexer
  • 3. Splunk Search Head
  • Splunk Navigation
  • Adding Data
  1. SIEM

Splunk

SIEM Solution

PreviousPenTestNextElastic

Last updated 8 months ago

Splunk is one of the leading SIEM solutions in the market that provides the ability to collect, analyze and correlate the network and machine logs in real-time.

Spunk Components

Splunk has 3 components:

1. Splunk Forwarder

Splunk forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk Instance. Some of the key data sources include:

  • Web server generating web traffic

  • Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.

  • Linux host generating host-centric logs

  • Database generating DB connection requests, responses, and errors

2. Splunk Indexer

The indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the datatype of the data, and stores them as events. Processed data is easy to search and analyze.

3. Splunk Search Head

Search head is the place within the "Search & Reporting App" where users can search the indexed logs as shown below. When the user searches for a term or uses a Search language known as Splunk Search Processing Language, the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.

It also provides the ability to transform the results into presentable tables, visualizations like pie-chart, bar-chart, and column-chart.

Splunk Navigation

The Splunk navigation bar contains:

  • Messages: System-level messages

  • Settings: Configure the Splunk instance

  • Activity: Progress of jobs

  • Help: Miscellaneous information such as tutorials

  • Find: Search feature

The Apps Panel generally contains the apps in the instance which can include:

  • Search & Reporting (default)

  • Splunk Essentials for Cloud and Enterprise

  • Splunk Secure Gateway

The Splunk dashboard or "home dashboard" allows a user to choose from a range of dashboards readily available within the Splunk instance.

Adding Data

The Explore Splunk option includes quick links to add data to the Splunk instance, add new Splunk apps, and access the Splunk database. Data can be added from the following methods:

  • Upload: Files from the computer i.e. local log files, local structured files such as CSV

  • Monitor: Files and ports on the Splunk platform instance i.e. files, HTTP, WMI, TCP, Scripts

  • Forward: Data from a Splunk forwarder