We explained the process of installing and configuring Splunk by walking through the steps involved: choosing the role of the Splunk instance (main server or forwarder), configuring the forwarders to collect logs, and creating the indexes that store the collected logs. We demonstrated one practical scenario that involves manually uploading web server logs to the main Splunk instance. This was part of TryHackMe Splunk: Setting up a SOC Lab, which is part of the TryHackMe SOC Level 2 track.
This post also includes the answers for TryHackMe Splunk: Dashboards and Reports and TryHackMe Splunk: Data Manipulation rooms.
Highlights
Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make searches more effective: it comprises various functions and commands that are combined to form complex yet effective search queries that return optimized results.
Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.
Logs can be ingested into Splunk with three methods:
Manual Upload
Forwarder Agent
Through a TCP IP/Port
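As an added illustration (not configuration from the room or from Splunk's own documentation), the following stanzas show how the pieces described above fit together: a forwarder monitoring web server logs, the main instance receiving them on a TCP port, and the index that stores them. The log path, the 10.0.0.5 indexer address, the 5514 raw TCP port and the index name web are assumptions; 9997 is Splunk's default receiving port.

```ini
# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Monitor the web server access log and tag it for the "web" index.
# Path, sourcetype and index name are assumptions for this example.
[monitor:///var/log/apache2/access.log]
disabled = 0
sourcetype = access_combined
index = web

# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send all collected events to the main Splunk instance.
# 10.0.0.5 is an assumed indexer address; 9997 is Splunk's default receiving port.
[tcpout]
defaultGroup = main_indexer

[tcpout:main_indexer]
server = 10.0.0.5:9997

# --- On the main instance: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive forwarder traffic on 9997 (the "Forwarder Agent" method).
[splunktcp://9997]
disabled = 0

# Accept raw syslog-style events over plain TCP (the "TCP IP/Port" method).
# 5514 is an assumed port; events are stored in the same "web" index.
[tcp://5514]
disabled = 0
sourcetype = syslog
index = web

# --- On the main instance: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Create the "web" index that stores the collected logs.
[web]
homePath   = $SPLUNK_DB/web/db
coldPath   = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
```

Restart Splunk on both hosts after editing the files, then run the search index=web on the main instance to confirm that events are arriving from the forwarder.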
Room Answers
Room answers can be found here.