1 00:00:08,870 --> 00:00:14,990 All right, so in the last video, we made sure we were collecting the correct logs from PC1 and we 2 00:00:14,990 --> 00:00:17,180 modified the inputs.conf to get it working. 3 00:00:17,480 --> 00:00:22,550 Now, off camera, I did the same thing for PC2 and for the DC. 4 00:00:23,480 --> 00:00:28,300 So all Windows logs are now being ingested into this system, PowerShell logging, 5 00:00:28,730 --> 00:00:29,480 all that good stuff. 6 00:00:30,170 --> 00:00:38,360 Also, the other thing I did was I went to the Splunk Enterprise VM, clicked the settings, and I bumped 7 00:00:38,360 --> 00:00:40,370 up the memory to eight gigabytes. 8 00:00:41,360 --> 00:00:43,430 Now, you might want to do this if you want to get better performance. 9 00:00:44,030 --> 00:00:50,870 I have the resources on my host machine to make an eight gigabyte bump inconsequential. 10 00:00:51,680 --> 00:00:56,360 And I suggest you do the same if you can, because your Splunk searches will be a lot smoother. 11 00:00:56,720 --> 00:00:57,050 All right. 12 00:00:57,050 --> 00:00:57,910 If you can't, it's OK. 13 00:00:57,920 --> 00:00:58,820 You can still follow along. 14 00:00:59,420 --> 00:00:59,710 All right. 15 00:00:59,720 --> 00:01:03,590 So if we close out of that, now we're at a place where we can start. 16 00:01:03,590 --> 00:01:08,960 So PC1, PC2, and the DC have all logs being collected in Splunk. 17 00:01:09,530 --> 00:01:15,860 But we need to create a few indexes and we need to disable Splunk's anonymous telemetry, and then we'll 18 00:01:15,860 --> 00:01:21,120 be able to configure the appliance to forward the logs into Splunk as well. 19 00:01:22,040 --> 00:01:26,510 So I'm just going to log into Splunk and I'm going to create these indexes first so we can knock this 20 00:01:26,510 --> 00:01:26,810 out. 21 00:01:27,630 --> 00:01:29,060 And it's really straightforward, really easy. 22 00:01:29,060 --> 00:01:29,380 You'll see.
23 00:01:29,990 --> 00:01:30,370 All right. 24 00:01:30,370 --> 00:01:33,080 So I'm going to go to Settings, Indexes. 25 00:01:34,210 --> 00:01:38,500 And you can see some of the indexes we have here, but what we're going to do is create a 26 00:01:38,500 --> 00:01:41,480 new index for the network, for Suricata and for our show. 27 00:01:42,190 --> 00:01:43,610 So I'm going to call it network. 28 00:01:43,690 --> 00:01:46,120 This is going to be our firewall. 29 00:01:47,050 --> 00:01:47,470 Save. 30 00:01:53,420 --> 00:01:54,310 Suricata. 31 00:01:56,420 --> 00:02:00,140 And our show. 32 00:02:01,480 --> 00:02:06,320 All right, so we've got those here: PowerShell, network, and Suricata. 33 00:02:06,850 --> 00:02:07,390 Very cool. 34 00:02:08,020 --> 00:02:09,970 Now we need to disable the instrumentation, 35 00:02:11,000 --> 00:02:16,640 because Splunk by default will send anonymized telemetry to Splunk. 36 00:02:16,670 --> 00:02:18,190 And, you know, I don't want that to happen. 37 00:02:18,770 --> 00:02:19,900 You don't need to send data out. 38 00:02:19,910 --> 00:02:20,810 We shouldn't send it out. 39 00:02:20,810 --> 00:02:21,110 Right. 40 00:02:21,770 --> 00:02:23,810 So it's saying no data was sent in the last 30 days. 41 00:02:23,820 --> 00:02:24,320 That's fine. 42 00:02:24,330 --> 00:02:26,620 I'm going to make sure no data is sent ever. 43 00:02:27,080 --> 00:02:32,870 So we click next to usage data, and then we're just going to disable the aggregated usage 44 00:02:32,870 --> 00:02:33,250 data. 45 00:02:35,430 --> 00:02:37,560 And we want to disable the support usage data. 46 00:02:40,560 --> 00:02:41,040 Nice. 47 00:02:42,590 --> 00:02:44,670 All right, so we are good to go there now. 48 00:02:44,690 --> 00:02:48,980 What we're going to do is flip over to our OPNsense appliance. 49 00:02:49,700 --> 00:02:50,550 Let's get this thing working.
50 00:02:57,340 --> 00:03:04,120 All right, so we're going in, and the first thing we're going to do is we're going 51 00:03:04,120 --> 00:03:08,140 to go to Settings under System. 52 00:03:11,530 --> 00:03:14,260 And we want to go to the logging targets. 53 00:03:15,710 --> 00:03:19,920 What we're going to do is add a new logging destination, so we're going to click the plus sign right here. 54 00:03:21,570 --> 00:03:25,770 And we want to enable it, of course. We're going to use UDP. For the applications, we're going to select 55 00:03:25,770 --> 00:03:30,930 nothing, because if you look at the full help, that means that all the applications are going to be 56 00:03:30,930 --> 00:03:31,310 forwarded. 57 00:03:31,660 --> 00:03:35,100 OK, we want all the levels to be forwarded, all the facilities. 58 00:03:35,130 --> 00:03:38,190 This is for this log, and then for the hostname, 59 00:03:38,220 --> 00:03:42,880 we're going to put in our Splunk instance, right. 60 00:03:43,380 --> 00:03:47,110 Change the port to 5147, and then we will give it a name. 61 00:03:47,220 --> 00:03:51,600 We'll just call it "Ship OPNsense logs to Splunk". 62 00:03:53,120 --> 00:03:53,540 All right. 63 00:03:55,610 --> 00:04:00,890 All right, now we need to make sure we apply it, as the message told us, so we're going to click Apply. 64 00:04:01,440 --> 00:04:02,180 Let's go. 65 00:04:02,730 --> 00:04:05,150 Let's flip back over to Splunk. 66 00:04:05,480 --> 00:04:08,720 Let's go back into the Splunk Enterprise Search and Reporting app. 67 00:04:09,420 --> 00:04:12,170 Now what we're going to do is set up a new data input. 68 00:04:12,170 --> 00:04:14,150 So we're going to go to Settings, 69 00:04:15,470 --> 00:04:20,030 Data inputs, because we're sending the data to Splunk, but right now, Splunk doesn't have a way of 70 00:04:20,030 --> 00:04:20,600 capturing it. 71 00:04:20,690 --> 00:04:21,440 What's it doing?
72 00:04:21,440 --> 00:04:25,090 It's like throwing a baseball at someone without a glove; the other person will have a hard time catching it. 73 00:04:25,100 --> 00:04:28,040 So we're going to give Splunk the glove it needs to catch the logs. 74 00:04:28,820 --> 00:04:33,550 So under UDP, we can click Add New, and guess what we're going to put in here for the port. 75 00:04:34,520 --> 00:04:37,940 If you said 5147, you're getting the hang of it, right? 76 00:04:37,940 --> 00:04:39,770 It's not too difficult. 77 00:04:40,460 --> 00:04:41,210 Well, you know what to do. 78 00:04:41,210 --> 00:04:41,900 It's not too difficult. 79 00:04:41,900 --> 00:04:42,140 Right. 80 00:04:43,160 --> 00:04:43,480 All right. 81 00:04:43,490 --> 00:04:44,480 UDP selected. 82 00:04:44,490 --> 00:04:49,880 We're going to put 5147 as the port. 83 00:04:50,960 --> 00:04:52,370 And let's see, everything else 84 00:04:52,370 --> 00:04:53,060 looks good in here. 85 00:04:53,750 --> 00:04:54,410 Click Next. 86 00:04:55,900 --> 00:05:03,770 And for the source type, we're going to put in OPNsense. No, it's not there. 87 00:05:03,840 --> 00:05:04,270 Where is it? 88 00:05:07,100 --> 00:05:10,690 Oh, that's why it's not showing up, because we don't have the OPNsense app, so let's go ahead and 89 00:05:10,690 --> 00:05:11,650 install that first. 90 00:05:12,430 --> 00:05:14,440 I'm going to control-click this and go to Manage Apps. 91 00:05:16,370 --> 00:05:21,980 We need to install two apps, the CIM and the OPNsense app. 92 00:05:24,390 --> 00:05:29,460 All right, let's type in first the Common Information Model; this will normalize all the log data 93 00:05:29,670 --> 00:05:30,690 to a standard format. 94 00:05:31,440 --> 00:05:34,140 So here it is, the Splunk Common Information Model. 95 00:05:34,150 --> 00:05:34,950 We need this app. 96 00:05:36,340 --> 00:05:39,520 And we're going to put in our Splunk.com credentials.
97 00:05:46,350 --> 00:05:47,610 Log in and continue. 98 00:05:52,070 --> 00:05:55,250 Sweet, and then we'll get the OPNsense apps. 99 00:05:58,890 --> 00:06:02,160 The OPNsense add-on for Splunk and the OPNsense app for Splunk. 100 00:06:05,130 --> 00:06:05,920 Nice. 101 00:06:05,940 --> 00:06:06,570 Let's get the other one. 102 00:06:09,560 --> 00:06:14,570 Again, this is providing all the parsing of the log data so that all the fields are in the right place 103 00:06:14,570 --> 00:06:16,790 and we can start to look at some really fun data. 104 00:06:17,270 --> 00:06:20,660 So now let's go back to this dashboard. 105 00:06:21,570 --> 00:06:23,430 Might need to refresh this page. 106 00:06:27,850 --> 00:06:31,000 All right, it took me back here, but I want to go to Data inputs. 107 00:06:33,510 --> 00:06:40,350 UDP, Add New, UDP selected, 5147. 108 00:06:41,690 --> 00:06:45,440 All right, let's click Next. Source type. 109 00:06:46,760 --> 00:06:52,280 Now we get OPNsense, so we want this one right here, without all the stuff after, just opnsense. 110 00:06:54,280 --> 00:06:56,430 And then for the host method, we're going to put custom. 111 00:06:57,210 --> 00:07:03,380 We're just going to put in the name of our OPNsense appliance, and then for the index, try to guess 112 00:07:03,380 --> 00:07:05,500 what we're going to put here: network. 113 00:07:07,430 --> 00:07:07,820 All right. 114 00:07:09,050 --> 00:07:09,610 Looks good. 115 00:07:10,000 --> 00:07:14,410 We click Review: UDP, 5147. 116 00:07:15,810 --> 00:07:18,480 And it is the opnsense source type. 117 00:07:19,570 --> 00:07:24,130 OPNsense is the host name of the host, and the index is going to be network. Submit. 118 00:07:25,950 --> 00:07:29,070 Let's go and start searching, see if it works. 119 00:07:31,030 --> 00:07:31,840 Moment of truth, right? 120 00:07:35,070 --> 00:07:36,220 OK, that is a good sign.
121 00:07:36,330 --> 00:07:39,870 We've got some data coming in; let's tidy the search up a little bit. 122 00:07:40,200 --> 00:07:46,140 So let's say index=network sourcetype=opnsense*. 123 00:07:48,290 --> 00:07:48,920 There we go. 124 00:07:50,000 --> 00:07:50,690 This is what I was looking for. 125 00:07:50,870 --> 00:07:57,590 These fields are broken out, so what it's actually done, because we have the logs and everything configured 126 00:07:57,590 --> 00:07:58,100 correctly, 127 00:07:58,940 --> 00:08:00,760 now we're seeing the breakdown of these web logs. 128 00:08:01,100 --> 00:08:01,320 Right. 129 00:08:01,400 --> 00:08:03,080 If I click on one of these logs in the event list, 130 00:08:04,270 --> 00:08:06,260 I think it's under Event Actions, to view the raw. 131 00:08:07,860 --> 00:08:14,040 The source, I was going to try to show you the raw log so you can see, you know, the magic that these, 132 00:08:14,820 --> 00:08:16,110 yeah, so this is kind of the raw log. 133 00:08:16,120 --> 00:08:21,810 So all this raw data is being parsed into this pretty log data here. 134 00:08:22,870 --> 00:08:28,660 So everything's broken down by field and value, because we have the technology add-on 135 00:08:29,170 --> 00:08:31,310 and the other app for OPNsense installed. 136 00:08:31,990 --> 00:08:33,210 So that is really, really good. 137 00:08:33,730 --> 00:08:40,060 And now we have OPNsense firewall data inside of our index; we'll be able to see those here in 138 00:08:40,060 --> 00:08:40,680 the next lecture. 139 00:08:40,690 --> 00:08:43,280 We're going to make sure it's configured correctly for Suricata. 140 00:08:43,690 --> 00:08:46,720 So we'll see you guys in a little bit. Bye.