Tuesday, October 9, 2018

Splunk Tips and Tricks

Splunk Installation:
On Google Cloud Windows 2016 VM

1. Change Web Management Port from 8000 to 80
Splunk Enterprise's default HTTP/HTTPS port for Splunk Web is 8000. You can use the Splunk Web GUI to change it to another port.

To change the ports from their installation settings:

  • Log into Splunk Web as the admin user.
  • Click Settings in the top-right of the interface.
  • Click the Server settings link in the System section of the screen.
  • Click General settings.
  • Change the value for either Management port or Web port, and click Save.

You may need to update your local firewall configuration to match the new port. Here is an example of changing my Windows 2016 server's firewall configuration to allow TCP port 80.

2. Fortinet Fortigate App for Splunk
2.1 Device
index="fortigate"  | stats dc(devid)

2.2 Session
index="fortigate"  | stats dc(sessionid)

2.3 Sessions Transferred Over Time
index="fortigate" type="traffic" |timechart count by devname

2.4 Top 20 Applications
index="fortigate" type="traffic" | top limit=20 app

2.5 Threat
index="fortigate" type="utm"  | timechart count by severity

2.6 Application by Destination Countries
index="fortigate" type="traffic" | iplocation "dstip" | geostats count by app

3. Customized Dashboard

3.1 Traffic Sessions by Destination IP
index="fortigate" srcip=* dstip=*  type="traffic" action=*  NOT dstip="" | timechart count by dstip

3.2 Traffic Sessions by Action
index="fortigate" srcip=* dstip=* type="traffic" action=* | timechart count by action

3.3 Statistics for UTM
index="fortigate" OR index=main  type=utm | stats count by srcip,dstip,hostname,url,service,direction,app,apprisk | sort -count
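To show what the searches in sections 2 and 3 actually do with the FortiGate fields (devid, sessionid, type, action, app, severity, dstip), here is an added Python example that is not part of the original post or of the Fortinet app: it parses a few constructed FortiGate-style key=value log lines and re-implements `stats dc()`, `stats count by`, `top limit=N` and the `NOT dstip=""` filter from search 3.1. Device names, device ids, IPs and session ids are made up for the example.

```python
import re
from collections import Counter

# Constructed FortiGate-style syslog lines (key=value, values may be quoted).
# All identifiers and addresses are made up for this example.
SAMPLE_LOGS = [
    'devname="fw-edge1" devid="FG100ETK00000001" type="traffic" subtype="forward" srcip=10.0.1.5 dstip=203.0.113.10 sessionid=1001 action="accept" app="HTTPS.BROWSER"',
    'devname="fw-edge1" devid="FG100ETK00000001" type="traffic" subtype="forward" srcip=10.0.1.6 dstip=203.0.113.11 sessionid=1002 action="deny" app="DNS"',
    'devname="fw-edge2" devid="FG100ETK00000002" type="traffic" subtype="forward" srcip=10.0.2.7 dstip=198.51.100.9 sessionid=1003 action="accept" app="HTTPS.BROWSER"',
    'devname="fw-edge2" devid="FG100ETK00000002" type="utm" subtype="ips" srcip=10.0.2.7 dstip=198.51.100.9 sessionid=1004 severity="high" action="dropped"',
    'devname="fw-edge2" devid="FG100ETK00000002" type="traffic" subtype="forward" srcip=10.0.2.8 dstip="" sessionid=1005 action="accept" app="DNS"',
]

# key=value or key="quoted value" (the quoted value may be empty, as in dstip="").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate(line):
    """Turn one FortiGate log line into a dict, like Splunk's automatic KV extraction."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def search(records, **filters):
    """Keep records matching every filter (the part of the search before '|')."""
    return [r for r in records if all(r.get(k) == v for k, v in filters.items())]

def dc(records, field):
    """stats dc(field): number of distinct values seen for field."""
    return len({r[field] for r in records if field in r})

def count_by(records, field, drop_empty=False):
    """stats count by field; drop_empty mirrors NOT dstip="" in search 3.1."""
    return Counter(r[field] for r in records
                   if field in r and not (drop_empty and r[field] == ""))

def top(records, field, limit=20):
    """top limit=N field: the most frequent values with their counts."""
    return count_by(records, field).most_common(limit)

RECORDS = [parse_fortigate(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    traffic = search(RECORDS, type="traffic")
    print("devices:", dc(RECORDS, "devid"), "sessions:", dc(RECORDS, "sessionid"))
    print("by action:", dict(count_by(traffic, "action")))
    print("by dstip (non-empty):", dict(count_by(traffic, "dstip", drop_empty=True)))
    print("top apps:", top(traffic, "app", limit=20))
```

The empty `dstip=""` record shows why search 3.1 filters it out: without `drop_empty` it would appear as its own bucket in the count.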

4. New Data Input - UDP 514 for Syslog
