Since my last post on Splunk, I have been getting familiar with SPL, or the search processing language. This is what Splunk uses to refine and search through logs.
In this post I am going to document the setup process for two fundamental SIEM dashboards. First, I am going to create a dashboard to monitor my computers’ and servers’ resources, such as CPU and RAM usage. Next, I am going to create a dashboard to monitor my Windows systems for security logs.
The first dashboard I created displays all Windows Security Event logs gathered from all the Windows machine in my environment, and a chart that shows the amount of logs each hour.
The second dashboard I made was to monitor the Windows security and event logs from my Windows10 PC. I also included a bar chart to monitor the time and frequency of these events.
The next dashboard I made was similar to the last one, but instead of displaying every Security log, I am setting it to only display important security logs that could be an IoC. For this dashboard, I found a community created query that specified important security event codes and I added the search as a rule in my dashboard. On this same dashboard, I added a separate section that will alert me to any failed logon attempts on a windows computer using the query below. I will also purposefully fail a few login attempts and include the results of the query.
Now I wanted to focus on a dashboard to alert me anytime someone logs onto any of my Linux servers. To do this I started playing with search queries and ended up finding the correct query, which ended up being ‘source=”/var/log/auth.log”‘. I combined this search with a bar chart to provide me an easy to review log feed that provided user logins, Sudo sessions, and logoffs for all Linux servers. I had some extra space here, so I also added a Windows logon section to this dashboard. This Windows section shows me the time someone logs on and the duration of the session.
Setting up these essential dashboards has been a good project and helped me further my practical Splunk skills. I am really getting the hang of querying on Splunk, and it is actually quite fun parsing through all the logs and making it a challenge to find the information I want to see. I do need to work on making my dashboards more aesthetically pleasing, but that’s something that will come with practice. For now I think this is a good spot to end.