Event Analysis and Logs Parsing with Splunk | TryHackMe Fixit
We discussed the Splunk configuration files, namely props.conf, transforms.conf, fields.conf, inputs.conf and indexes.conf, and covered the purpose and goal of each of them. Splunk configuration files are used to configure log parsing rules and field extraction, and to set log storage and retention rules. Use these config files when Splunk doesn't extract the fields properly from the provided log file or when your logs have a unique format. For demonstration purposes, we solved the TryHackMe Fixit challenge, which lets us practically test our knowledge of configuring log parsing rules in Splunk.
Highlights
Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.
Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.
Logs can be ingested into Splunk with three methods:
- Manual Upload
- Forwarder Agent
- Through a TCP IP/Port
Splunk needs to be properly configured to parse and transform the logs appropriately. Some of the important aspects are:
- Event Breaking:
Configure Splunk to break the raw data into individual events at the correct boundaries.
- Multi-line Events:
Configure Splunk to handle multi-line events properly, so that an event spanning several lines is kept together instead of being split.
- Masking:
Some logs may contain sensitive data such as credit card data. To comply with the PCI DSS (Payment Card Industry Data Security Standard), information like credit card numbers must be masked to avoid any violation.
- Extracting custom fields:
To properly parse unique log formats with Splunk, we follow the steps below:
Understand the Data Format
Many data types, including CSV, JSON, XML, syslog, and others, are supported by Splunk. Identify the format of your data source and decide which fields you wish to extract.
Identify the Sourcetype
In Splunk, the sourcetype represents the format of the data being indexed and lets Splunk apply the proper parsing rules. You can create a new sourcetype in Splunk if your data source doesn't already have one.
Configure the required files
Namely props.conf, inputs.conf and transforms.conf.
Lastly, restart Splunk
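As an added example (not the challenge's own configuration or the room's answer), the stanzas below show how the aspects above map onto the configuration files discussed: event breaking and multi-line handling, masking of card numbers, a custom field extraction, the input that assigns the sourcetype, and a retention setting in indexes.conf. The sourcetype name `fixit_app_logs`, the index name `fixit`, the file path `/var/log/fixit/app.log`, the field names and the sample log lines are all assumptions constructed for this illustration.

```ini
# ---- props.conf ----
# Sourcetype name is an assumption for this example.
# Constructed sample lines the settings below are written against:
#   2024-01-15 10:22:01 INFO user=alice src=10.0.0.5 action=login card=4111111111111111
#   2024-01-15 10:22:02 ERROR user=bob src=10.0.0.9 action=checkout card=5500000000000004
#   java.lang.IllegalStateException: cart empty      <- continuation line, no timestamp
#       at com.example.Cart.checkout(Cart.java:42)    <- continuation line, no timestamp
[fixit_app_logs]
# Event breaking: a new event starts only where a line begins with a timestamp.
# The captured newline is discarded; the timestamp stays with the next event.
# Lines without a timestamp (the stack trace) therefore remain part of the
# previous event, which is how multi-line events are kept together.
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Masking at index time: keep only the last four digits of a 16-digit card
# number, so the full number never reaches the index (PCI DSS requirement).
SEDCMD-mask_card = s/\b\d{12}(\d{4})\b/XXXX-XXXX-XXXX-\1/g
# Search-time custom field extraction, defined in transforms.conf.
REPORT-fixit_fields = fixit_extract

# ---- transforms.conf ----
# Named capture groups become field names automatically.
[fixit_extract]
REGEX = ^\S+ \S+ (?<log_level>\w+) user=(?<username>\S+) src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) action=(?<action>\w+)

# ---- fields.conf ----
# Declares the extracted field as search-time (not indexed); listed here
# only to show where per-field settings live.
[username]
INDEXED = false

# ---- inputs.conf ----
# Monitor the file and tag its events with the sourcetype above.
[monitor:///var/log/fixit/app.log]
sourcetype = fixit_app_logs
index = fixit

# ---- indexes.conf ----
# Storage paths and retention: events older than 90 days (7776000 s) are frozen.
[fixit]
homePath = $SPLUNK_DB/fixit/db
coldPath = $SPLUNK_DB/fixit/colddb
thawedPath = $SPLUNK_DB/fixit/thaweddb
frozenTimePeriodInSecs = 7776000
```

After editing, run `$SPLUNK_HOME/bin/splunk btool props list fixit_app_logs --debug` to confirm which file each setting is actually being read from (a stanza in the wrong app directory is a common reason a rule silently does nothing), then restart with `$SPLUNK_HOME/bin/splunk restart`. Note that `LINE_BREAKER` and `SEDCMD` are applied at index time, so they only affect data ingested after the restart; data already indexed keeps its original event boundaries and unmasked values.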
Room Answers
Room answers can be found here.