Introduction to Practical Log Analysis with Splunk
Background:
This blog post will walk you through basics of practical Log Analysis with Splunk after getting some background information. It will end with some industries specific standard retention rule and regulations.
Logs Analysis play an important Role in defense against adversaries Tactic, Technique and Procedure (TTP) when done in right way. While Security Operation Center Team (SOC), Security Engineer and Cyber Security Professional regularly deal with large amount of log, where to focus incident response and mitigation when incident happen will create difference on Incident response Team mitigation.
An incident is “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedure, or acceptable use policies.” Incident analysis is “the examination of acquired data for its significance and probative value to the case”
Importance of Log Analysis:
· Detection of unwanted activity
· Compliance
· Identifying behavioral patterns
· System troubleshooting
· Security Incident Response
When should logs be analyzed? This question can have multiple answers with each side arguing with supporting prove. The best practice is that log analysis is that in a proactive environment, logs should be analyzed continuously.
Types of Logs:
· Applications logs
· Firewall logs
· Intrusions logs
· Security logs
· System logs
Splunk Download and Logs Analysis
Step One: Register with Free account and validate link from your email to download Free Splunk and getting start with Log Analysis
Step Two: Download free Splunk from Splunk official website by searching from your favorite search engine. Under Product section click download
Step three: Now we can import our Log files by clicking on Add Data
From here we just click next until we reach done.
Step four: File is successfully uploaded and we are ready to analyze some logs
Step five: Click on start searching and Splunk will search for default Combined. The source file is Drupal and Host is Drupal_Webattack.log We can filter by time of Day
Different Searches Parameters with Logs Files
We can ignore other part and search by Host which will give us all file related to host. This is important because we will get all files.
Search with Date Range with specific file and IP: We can see that IP has been access from Feb 3 to Feb 23, 2021. Then we drill down to get more information on who access this IP with Source IP addresses.
Search applying regex, stats count and Date and time
Industries specific standard retention rule and regulations:
Now we have basics knowledge of practical log analysis with Splunk, let talk about little about how few industries required keeping logs for specific timeframe for either compliance or regulatory rules. How long Logs should be retained? That will depends on industry or organizations you work with in accordance of organizational compliance policies.
· Health Insurance Portability and Accountability Act of 1996(HIPPA) specifies retention for at least six years
· National Industrial Security Program Operating Manual (NISPOM) specifies by retention of least one year
· Sarbanes –Oxley Act(SOX) specifies log retention for up to seven years
Log Analysis help Cyber Security professional to defend their Network and system from adversaries Tactic, Technique and Procedure when done on timely manner.
Ousmane Sylla
Cyber Security Analyst
Master of Sciences in Information Assurance Student at SHSU
