Splunk‐ Installlation - KVNuhman/cybersecurity-tools GitHub Wiki

Splunk Architecture Overview

Installation and Setup

  • Understand the Architecture of Splunk and Installation Process:
    • Familiarize yourself with Splunk's architecture and follow the installation process.
  • Setup Collector and Forwarder:
    • Implement the setup of collectors and forwarders to facilitate data collection.
  • Ensure Log Accumulation in Splunk:
    • Verify that logs are successfully accumulated in Splunk.
  • Dashboard Field Familiarization:
    • Gain a comprehensive understanding of the fields within the Splunk dashboard.

Splunk Architecture Components

  • Data Collection:

    • Splunk efficiently gathers data from diverse sources such as servers, network devices, applications, and sensors. This is achieved through the utilization of agents and connectors.

  • Data Indexing:

    • Collected data undergoes indexing and is stored in Splunk's proprietary format. The indexing process involves breaking down data into events, extracting fields, and creating an index for each field.

  • Search and Analysis:

    • Splunk boasts a robust search and analysis engine, enabling users to query indexed data using SPL (Splunk Processing Language). Users can perform ad-hoc searches or save them as dashboards and alerts for future reference.

  • Visualization:

    • Splunk provides diverse visualization options, including charts, graphs, and tables. Users can effectively comprehend and analyze their data, with customization options available for tailoring visualizations to specific requirements.

  • Deployment Options:

    • Splunk offers versatile deployment options, supporting on-premises, cloud-based, or hybrid setups. Splunk Enterprise can be deployed as a single instance or as part of a distributed environment with multiple indexers, search heads, and forwarders.

Installing Splunk Forwarder in Kali

image

Splunk Forwarding Configuration

Obtain Splunk Enterprise IP and Port

image

Manage Apps in Splunk Enterprise

image

Configure Splunk Forwarder

image

image

Send Logs to Splunk Enterprise

image

Port forwarding is successful

image

image

Splunk Overview

Advantages

  • Easy Data Collection: Splunk efficiently gathers data from various sources, making it simple to handle information from servers, networks, and applications.

  • User-Friendly Search: Splunk's search and analysis are user-friendly, allowing both ad-hoc searches and saved dashboards for quick insights.

  • Flexible Deployment: Splunk can be deployed on-premises, in the cloud, or in a hybrid setup, providing deployment flexibility.

  • Interactive Visualization: Splunk offers visually appealing charts and graphs, allowing users to customize visualizations for better data understanding.

Disadvantages

  • Cost Consideration: Splunk's licensing costs may be a concern for budget-conscious organizations.

  • Resource Requirements: Running Splunk may require significant resources, especially in large-scale deployments.

  • Learning Curve: There might be a learning curve for new users to grasp the Splunk Processing Language (SPL) and the overall environment.

Key Features

  • Efficient Data Indexing: Splunk optimizes data storage with its proprietary indexing format.

  • Data Forwarding and Collection: Splunk excels in collecting and forwarding data from various sources, ideal for distributed environments.

  • Real-time Monitoring: Splunk enables real-time monitoring of logs and events for quick detection of anomalies.

  • Alerting and Dashboards: Users can set alerts based on specific criteria and create visually appealing dashboards.

  • Security and Compliance: Splunk includes features for ensuring security and compliance by monitoring and analyzing logs for potential threats.