What system logs are needed to deploy Splunk effec...

jardakanian · ‎07-22-2016

Hi

I am deploying Splunk in an environment and would like to capture as many security aspects from the SANS top 20 as possible. I am not too technical, so I am hoping someone will be able to help me determine what type of logs I will actually need access to so I know where to deploy my forwarders.

Richfez · ‎07-24-2016

This is a big topic.

Luckily for you, Splunk has at least made an attempt at compiling some of this information for you in their "Splunk and the SANS stuff" document. That's not its real name, by the way. The document explains the SANS CSC, what they are and how Splunk can help. It also lists the Apps that Splunk has available to read the data out of the various other pieces of software, too.

You can find that document at their shortcut to SANS link which requires a free registration. You could also find that same PDF if you search using one of the better search engines for "Splunk SANS". I'm just sayin'.

I also think actual application and notes about the various CSCs would be well placed in the Splunk Wiki, because I'll bet there are a lot of people who could use the details of how to actually do this. But really, the usual difficulty is one of figuring out what needs to be done; once you've defined your needs fairly well the rest just becomes a simple technical detail.

Happy SANS hunting!

What system logs are needed to deploy Splunk effectively and cover the SANS top 20? Need to determine where to deploy forwarders

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!