Wednesday, August 21, 2013

Gearing up for Splunk .conf13

We had the Columbus Splunk user group meeting today, which got me looking forward to Splunk's annual user group conference. Of course, as I think that, I remind myself that instead of writing this I should be working on my own preso for the conference, so I will keep this short. I find it easier to make an argument for securing travel and training funds when you get a discount by speaking. My talk will be around how we went from a 350GB license to 2TB in less than a year and the associated growing pains/lessons learned. Hopefully folks will find a nugget or two of value.

For those on the fence, I would pull the trigger. There is lots of information to walk away with that will help you plan, adjust, tweak, create, and simply expand your vision of what's possible. Some of that won't come from the sessions as much as from talking with other folks and seeing how they are using the tool. I'm wondering what the free gift for attendance might be this year. Last year it was a zip-up Splunk hoodie that was great - primarily because the conference area was chilly!

To circle back to an issue raised at the local user group meeting: while I'm full time on our Splunk effort (and in need of an extra body), many folks are Splunk admins and also wear any number of other hats. There would probably be high interest in a session devoted to running a Splunk environment with a skeleton crew, as it were. I'll try to put some thought into that.

Anyone have any thoughts on that or tips to share?


Tuesday, July 2, 2013

Solve for 80% - find logs needing work in Splunk

There are a couple of sayings, maxims if you will, that I try to keep in the back of my mind as I do things:
  • Most times coincidence is God acting anonymously
  • Activity != Accomplishment
  • Effectiveness and efficiency are two different concepts
  • Solve for 80%

Wednesday, May 22, 2013

Hidden value of Windows 673/4769 events - updated for Splunk

So I took some time today and converted something I had somewhat forgotten, the post I made just over 3 years ago about being able to detect an infected Windows machine exhibiting wormlike behavior, into Splunk search language. Don't judge me - a lot has happened between then and now.

The beauty of this detection is you just need to get logs from your domain controllers.

Thursday, May 9, 2013

Some queries related to Splunk administration/Deployment Server

Once again time flies /sigh. At times I wish there were more hours in the day, but that would probably just translate into more hours working. Hopefully I will get over the bubble soon (yeah right). At any rate, we had our first Columbus Splunk user group the other day. It was neat to see others in the local area and talk Splunk...at least in as much as we could. The location was a bit noisy. I figured I'd share here a few of the queries I put together in a slide deck related to using (or mostly administrating) Splunk's Deployment Server. I guess they aren't specifically related to the DS as much as to general Universal Forwarder (local Splunk agent) health, which you can control with the DS.


Sunday, January 6, 2013

Back in the saddle...and using Splunk!


It's been a long time since I last wrote, and lots has changed! New house, cataract surgery (at 39!), new job, developing and implementing the log management and event correlation program at a large edu, etc. On that front, a large university is very different from a large corporation. Take all of those issues you have with decentralization and multiply that by about 50. I debated between believable and hyperbole there and ended up somewhere in the middle, I guess.

One of the bigger changes is using Splunk for the first time. At some point I should write some comparisons between ArcSight, Symantec MSSP, and Splunk. Granted, it has been a few years since I’ve used ArcSight’s Enterprise Security Manager (ESM), or Logger for that matter, though I remember ESM fondly and often wistfully. It still amazes me when I hear people say things like "ArcSight is too hard." I maintain that in most of those cases they somehow had the idea (or were told by the sales people) that it was some magical plug-and-play cross between a one-armed bandit and a Magic 8-Ball. I also hear that in the latest update to Symantec’s MSSP they have implemented a number of the dozens of changes I suggested (I am sure others did as well!) and it is now much better than what it was 6 months ago.

If there is one piece of advice I could give, it would be: install Splunk today. You may not use it a ton in an active way, but at the very least I wish I had had it for all of those times I had large Excel spreadsheets to massage in an effort to extract value.

Welp, as was the case when I first started writing, this was written while waiting for the oil to be changed in one of my vehicles. That is complete, and this sort of went in a different direction than planned. In my next post I plan to talk about a few ways I’ve found in Splunk to look for fields that don’t exist. As an aside, it is somewhat interesting to think about writing Splunk stuffs in somewhat the same way I used to write about ArcSight stuffs. The main driver back then was that there wasn’t much out there at all for ArcSight and LM/SIEM in general, and the ArcSight forums were gated to the general public. That isn’t the case with Splunk (gated community), and sadly the act of running the Splunk implementation and general ho-ha leaves me far less time to actually DO something in Splunk than I’d like.