Day 2 doc

The document outlines the process of onboarding Linux and Windows authentication logs to Splunk, detailing steps for accessing logs via SSH, configuring data inputs, and setting up forwarding and receiving configurations. It includes commands for monitoring logs and creating necessary configuration files for both operating systems. Additionally, it provides examples of search queries for detecting brute force attacks on Windows systems.

Uploaded by

bariyaseen96

Logs Importing

Logs onboarding from Linux


For onboarding the Linux authentication log I am using PuTTY, reached over RDP, to connect to the Ubuntu Linux host with IP 192.168.30.10, and logging in as ubuntu cdlin.

Then I switch to the root user and change directory to /var/log, where the authentication logs are kept. On Ubuntu-based Linux the authentication log is auth.log; the command tail -f auth.log follows it and prints new entries as they are written.

Then I open a second (duplicate) PuTTY session to check whether the login attempt is being recorded in auth.log.

The screenshot below shows the log entries being generated.


To onboard the logs into Splunk Web I use the GUI method: go to Settings, then Data inputs, then Add new, as shown chronologically in the screenshots below.
Step 1: browse to the Ubuntu authentication log and choose Continuously Monitor.
Step 2: select the source type. Linux authentication logs use the linux_secure source type, as shown in the screenshot.
Step 3: create a new index named linux.
Step 4: review and submit.
As shown in the screenshot below, the Linux logs are successfully onboarded into Splunk Web, and the failed login I highlighted is visible among them.

To check that continuous monitoring works:

I have once again started a new PuTTY session and again entered wrong login credentials, so a fresh failed login should appear in Splunk.

For Windows onboarding

Ping to check connectivity to the Splunk host, i.e. 192.168.30.10.
We create an RDP connection from our purplesynapz RDP host to the Windows client1 RDP session as shown in the screenshot below. The Windows universal forwarder installer is copied from the RDP host (192.168.15.172) and pasted to the RDP host 192.168.30.40.
Leave it empty.

To send logs from one Splunk instance to another we use Forwarding and receiving.
Click on Configure receiving as shown in the screenshot below.

Then click on New Receiving Port.

I have given the listening port as 9997, so the instance will receive data on TCP port 9997.

Now our Splunk instance is listening for logs from other Splunk instances.

Then, in the forwarder installer, we give the hostname of the receiving Splunk indexer and the listening port number.
Then install.
Next, create an inputs.conf file in the Splunk universal forwarder so that the logs are sent to our Splunk instance.

Then open that inputs.conf in Notepad and add a stanza, because we are collecting Windows event logs.
As we want the logs of the Security channel, I have given Security in the stanza, as I mentioned in the screenshot below. Because I want to send these logs to the windows index, I have given the index as windows.
Now create the index in our Splunk instance.

By adding renderXml = true to the stanza we get the events in XML format.
INPUTS.CONF

# File monitor input: one plain log file on the forwarder host
[monitor://C:\Windows\Performance\WinSAT\winsat.log]
disabled = 0
index = windows_logs
sourcetype = Windowslogs
source = C:\Windows\Performance\WinSAT\winsat.log

# Windows event log channels collected by the universal forwarder
[WinEventLog://Application]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://Security]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://System]
disabled = 0
index = windows2
sourcetype = Windowslogs

# Performance counters, sampled every 300 seconds
[perfmon://CPU]
disabled = 0
index = windows2
counters = % Processor Time
instances = _Total;
object = Processor
interval = 300

[perfmon://LogicalDisk]
disabled = 0
index = windows2
counters = % Free Space; Free Megabytes; Used Space; Used Megabytes
instances = *
object = LogicalDisk
interval = 300
OUTPUTS.CONF

# Default output group every input is sent to
[tcpout]
defaultGroup = default-autolb-group

# The receiving indexer and the port opened under Configure receiving
[tcpout:default-autolb-group]
server = 192.168.30.10:9997

[tcpout-server://192.168.30.10:9997]
To apply the updated configuration we have to restart the Splunk forwarder, either from the CLI or from Services.

Note: whenever you change the configuration, restart the service afterwards.
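Before restarting the forwarder it is worth checking the two files against each other and against the indexer. The following is an added example (not code from the original document): it parses the inputs.conf and outputs.conf shown above with Python's configparser, lists every index the inputs reference so you can confirm each one has been created on the indexer (events sent to an index that does not exist on the indexer are dropped), and confirms the forwarder points at the receiving port opened above. The conf texts are embedded from this page; the list of indexes assumed to exist on the indexer is a constructed input.

```python
"""Sanity-check a universal forwarder's inputs.conf / outputs.conf.

Added example, not part of the original document. The two conf texts are
the ones shown on the page; the set of indexes 'existing on the indexer'
passed to missing_indexes() is a constructed input for illustration.
"""
import configparser

# inputs.conf as shown on the page (embedded here as sample input).
INPUTS_CONF = """
[monitor://C:\\Windows\\Performance\\WinSAT\\winsat.log]
disabled = 0
index = windows_logs
sourcetype = Windowslogs
source = C:\\Windows\\Performance\\WinSAT\\winsat.log

[WinEventLog://Application]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://Security]
disabled = 0
index = windows2
sourcetype = Windowslogs

[WinEventLog://System]
disabled = 0
index = windows2
sourcetype = Windowslogs

[perfmon://CPU]
disabled = 0
index = windows2
counters = % Processor Time
instances = _Total;
object = Processor
interval = 300

[perfmon://LogicalDisk]
disabled = 0
index = windows2
counters = % Free Space; Free Megabytes; Used Space; Used Megabytes
instances = *
object = LogicalDisk
interval = 300
"""

# outputs.conf as shown on the page.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.30.10:9997

[tcpout-server://192.168.30.10:9997]
"""


def load_conf(text):
    """Parse Splunk's INI-style .conf text.

    Interpolation is switched off because perfmon counter names such as
    '% Processor Time' contain '%', which the default interpolator rejects.
    optionxform is overridden so key case (defaultGroup, renderXml) survives.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def referenced_indexes(inputs_text):
    """Every index named by an enabled input stanza (disabled defaults to 0)."""
    cp = load_conf(inputs_text)
    return {
        cp[section]["index"]
        for section in cp.sections()
        if "index" in cp[section] and cp[section].get("disabled", "0") == "0"
    }


def forward_targets(outputs_text):
    """host:port pairs in the default tcpout group of outputs.conf."""
    cp = load_conf(outputs_text)
    group = cp["tcpout"]["defaultGroup"]
    servers = cp[f"tcpout:{group}"]["server"]
    return [s.strip() for s in servers.split(",") if s.strip()]


def missing_indexes(inputs_text, existing_on_indexer):
    """Indexes the forwarder will write to that the indexer does not have."""
    return referenced_indexes(inputs_text) - set(existing_on_indexer)


if __name__ == "__main__":
    # Constructed: suppose only 'linux' and 'windows2' were created on the indexer.
    print("forwarding to:", forward_targets(OUTPUTS_CONF))
    print("indexes referenced:", sorted(referenced_indexes(INPUTS_CONF)))
    print("create on indexer:", sorted(missing_indexes(INPUTS_CONF, ["linux", "windows2"])))
```

With the page's files this reports that the forwarder targets 192.168.30.10:9997, that the inputs reference windows_logs and windows2, and, if only windows2 was created during the onboarding above, that windows_logs still has to be created before the WinSAT monitor input will be retained.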
Brute force attack on Windows

An example of a basic search to get logs related to authentication:

index="windows2" EventCode=4625 | bin _time span=5m | stats count by _time user ComputerName src src_ip action | where count > 5

Note: change the index name and field names in the query to match your environment if needed.

An example of a brute force query:

index="windows2" EventCode=4625 | bin _time span=5m | stats count by _time user ComputerName src src_ip action | where count > 5
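To make the logic of that search concrete, here is an added example (not code from the original document) that performs the same bucket-and-count detection outside Splunk. It reads the two kinds of authentication data onboarded on this page: Linux auth.log "Failed password" lines (the linux_secure source) and Windows Security EventCode 4625 events in the XML shape that renderXml = true produces. Each is reduced to (time, user, source address), the timestamps are floored to 5-minute buckets like `bin _time span=5m`, and any (bucket, user, source) with more than 5 failures is reported like `stats count ... | where count > 5`. All sample events are constructed, the addresses are RFC 5737 documentation ranges, the auth.log year and UTC timezone are assumptions (syslog lines carry neither), and only user and source address are grouped on rather than the full field list of the SPL.

```python
"""Failed-logon bucketing equivalent to the page's SPL:
index="windows2" EventCode=4625 | bin _time span=5m | stats count by ... | where count > 5

Added example, not from the original document. Sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Namespace of Windows event XML as emitted with renderXml = true.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# auth.log timestamps have no year or zone; both are assumptions for the sample.
AUTH_LOG_YEAR = 2024
SSHD_FAIL = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log_line(line):
    """(time, user, src) for an sshd 'Failed password' line, else None."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    when = datetime.strptime(
        f"{AUTH_LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return when, m["user"], m["src"]


def parse_windows_xml(xml_text):
    """(time, user, src) for an EventID 4625 event rendered as XML, else None."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    if system is None or system.findtext(EVT_NS + "EventID") != "4625":
        return None
    stamp = system.find(EVT_NS + "TimeCreated").get("SystemTime")
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    return when, data.get("TargetUserName", "-"), data.get("IpAddress", "-")


def bin_start(when, span_minutes=5):
    """Equivalent of `bin _time span=5m`: epoch seconds of the bucket start."""
    epoch = int(when.timestamp())
    return epoch - epoch % (span_minutes * 60)


def brute_force_candidates(events, threshold=5, span_minutes=5):
    """Equivalent of `stats count by _time user src | where count > threshold`."""
    counts = Counter()
    for when, user, src in events:
        counts[(bin_start(when, span_minutes), user, src)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


# --- constructed sample data ---------------------------------------------------
def _win_4625(stamp, user, ip):
    """Build a constructed 4625 event in renderXml layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4625</EventID><TimeCreated SystemTime="{stamp}"/>'
        "<Computer>CLIENT1</Computer></System>"
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Seven failures for one account from one address inside 10:00-10:04, plus noise.
SAMPLE_WINDOWS = [
    _win_4625(f"2024-05-01T10:0{i // 2}:{(i % 2) * 30 + 1:02d}Z", "administrator", "203.0.113.5")
    for i in range(7)
] + [_win_4625("2024-05-01T10:03:15Z", "bob", "203.0.113.9")]

SAMPLE_AUTH_LOG = """\
May  1 10:01:02 ubuntu sshd[1412]: Failed password for root from 198.51.100.7 port 50122 ssh2
May  1 10:01:05 ubuntu sshd[1413]: Failed password for root from 198.51.100.7 port 50123 ssh2
May  1 10:01:09 ubuntu sshd[1414]: Failed password for root from 198.51.100.7 port 50124 ssh2
May  1 10:02:14 ubuntu sshd[1415]: Failed password for root from 198.51.100.7 port 50125 ssh2
May  1 10:02:30 ubuntu sshd[1416]: Accepted password for ubuntu from 192.168.15.172 port 50130 ssh2
May  1 10:02:40 ubuntu sshd[1417]: Failed password for root from 198.51.100.7 port 50126 ssh2
May  1 10:03:01 ubuntu sshd[1418]: Failed password for root from 198.51.100.7 port 50127 ssh2
May  1 10:03:44 ubuntu sshd[1419]: Failed password for invalid user admin from 198.51.100.7 port 50128 ssh2
"""


def all_events():
    """Normalise both sample sources into (time, user, src) tuples."""
    events = [parse_auth_log_line(line) for line in SAMPLE_AUTH_LOG.splitlines()]
    events += [parse_windows_xml(xml) for xml in SAMPLE_WINDOWS]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for (start, user, src), n in sorted(brute_force_candidates(all_events()).items()):
        stamp = datetime.fromtimestamp(start, timezone.utc)
        print(f"{stamp:%Y-%m-%d %H:%M} {user:<14} {src:<15} {n}")
```

Run as a script it prints two rows for the 10:00 bucket: administrator from 203.0.113.5 with 7 failures (Windows) and root from 198.51.100.7 with 6 (Linux); the single failures for bob and for the invalid user admin stay below the threshold, and the "Accepted password" line is ignored by the parser. The threshold and span are parameters so the same function reproduces a tuned version of the search.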
Logs from Checkpoint
