Splunk Basics Course
- 2 hours on-demand video
- 3 articles
- 13 downloadable resources
- Full lifetime access
- Access on mobile and TV
- Certificate of Completion
Get your team access to 4,000+ top Udemy courses anytime, anywhere.Try Udemy for Business
- ICT Logging and monitoring basics
- How to make logs work for you and get notified if something went wrong
- Visualize data received from any log source in very simple steps
- Build a small computer LAB that consists of a Splunk server, Apache web server and Fortigate firewall virtual appliance
- Install and configure Splunk Enterprise and Splunk Universal Forwarder
- Know the different deployment types of Splunk
- Collect logs from remote nodes using Splunk Universal Forwarder
- Collect logs from Syslog devices like Fortigate firewall
- Search and explore data on Splunk
- Extract fields and add knowledge to data
- Quick introduction to Splunk Search Processing language (SPL)
- Some prior knowledge about Linux operation system
- You'll need a desktop computer (Windows, Mac, or Linux) capable of running 3 virtual machines. The course will walk you through installing the necessary free software.
Machines are trying to tell us something through logs, so they are a very valuable resource for IT departments to ensure that everything is working as expected and to give us an idea of what is going on in our IT environments which will help to respond faster to incidents.
In this hands-on course, we will learn how to set up a small virtual LAB to simulate real-world logging and monitoring scenarios, where we will collect logs from Apache web server and Fortigate firewall and send them to Splunk for storage, analysis, visualization and alerting.
I selected these two log sources specifically because they represent the majority of log sources you will find in your environment, so you can follow the same steps in the course to integrate different log sources in the future.
There are more complicated logs sources to integrate like logs that are pulled from database but they are not suitable to be discussed in an introductory course.
After we onboard logs to Splunk, we will search and explore data we received then we will add knowledge to it by extracting interesting fields in these logs.
At this point, our logs will be ready to be treated by Splunk Searching Processing Language (SPL) to create reports, dashboards, and alerts.
This course will make you ready to dig deep into more advanced topics of Splunk administration like,
Search head clusters
But you have to walk before you run, so my vision for this course is to master the basics first to break the ice.
- Security engineers
- IT Administrators
- Security operations center engineers
- Security incident handlers
- Systems administrators
- Anyone wants to explore huge log files/feeds
- Anyone interested to learn Splunk
A little bit about me and my story with Splunk and why am I teaching this course.
In this lecture, we will have a quick overview of the course structure and a quick look at the lab components.
In this lecture, we will assign static IPs for our machines and we will change the default password for osboxes user.
In this lecture, we will download Splunk packages for Splunk main server and Splunk universal forwarder that will collect logs from the Apache server and forward it to Splunk main server.
Also, we will install the Apache webserver to have it ready for the next lectures.
In this lecture, we will upload a sample log file to Splunk and explore this data from Splunk web interface.
Also, we configure required network ports on Splunk server to receive data from Syslog feed (Fortigate appliance) and from Apache server (using Splunk Universal Forwarder).
In this lecture, we will login to Splunk server web interface to explore the data we on sent to Splunk in previous lectures.
In this lecture, we will learn about one of the most important features of Splunk which is the Alerting but unfortunately, it is not available in the free license of Splunk, but we can use it in the trial version for 60 days.
We will configure our alert to be sent to "Triggered Alerts" page and also to be sent to an email.