Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Advanced Splunk
  • Table Of Contents Toc
  • Feedback & Rating feedback
Advanced Splunk

Advanced Splunk

By : Tulsiram Yadav
3.8 (4)
Buy this Book
close
close
Advanced Splunk

Advanced Splunk

3.8 (4)
By: Tulsiram Yadav
Buy this Book

Overview of this book

Master the power of Splunk and learn the advanced strategies to get the most out of your machine data with this practical advanced guide. Make sense of the hidden data of your organization – the insight of your servers, devices, logs, traffic and clouds. Advanced Splunk shows you how. Dive deep into Splunk to find the most efficient solution to your data problems. Create the robust Splunk solutions you need to make informed decisions in big data machine analytics. From visualizations to enterprise integration, this well-organized high level guide has everything you need for Splunk mastery. Start with a complete overview of all the new features and advantages of the latest version of Splunk and the Splunk Environment. Go hands on with uploading data, search commands for basic and advanced analytics, advanced visualization techniques, and dashboard customizing. Discover how to tweak Splunk to your needs, and get a complete on Enterprise Integration of Splunk with various analytics and visualization tools. Finally, discover how to set up and use all the new features of the latest version of Splunk.
Table of Contents (14 chapters)
close
close
close
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Free Chapter
1
1. What's New in Splunk 6.3?
chevron up
1. What's New in Splunk 6.3?
Splunk's architecture
Search parallelization
Data integrity control
Intelligent job scheduling
The app key-value store
Splunk Enterprise Security
Authentication using SAML
Summary
2
2. Developing an Application on Splunk
2. Developing an Application on Splunk
Splunk apps and technology add-ons
Developing a Splunk app
Developing a Splunk add-on
Managing Splunk apps and add-ons
Splunk apps from the app store
Summary
3
3. On-boarding Data in Splunk
3. On-boarding Data in Splunk
Deep diving into various input methods and sources
Adding data to Splunk – new interfaces
Data processing
Managing event segmentation
Improving the data input process
Summary
4
4. Data Analytics
4. Data Analytics
Data and indexes
Search
Subsearch
Time
Fields
Results
Summary
5
5. Advanced Data Analytics
5. Advanced Data Analytics
Reports
Geography and location
Anomalies
Predicting and trending
Correlation
Machine learning
Summary
6
6. Visualization
6. Visualization
Prerequisites – configuration settings
Tables
Single value
Charts
Drilldown
Summary
7
7. Advanced Visualization
7. Advanced Visualization
Sunburst sequence
Geospatial visualization
Punchcard visualization
Calendar heatmap visualization
The Sankey diagram
Parallel coordinates
The force directed graph
Custom chart overlay
Custom decorations
Summary
8
8. Dashboard Customization
8. Dashboard Customization
Dashboard controls
Multi-search management
Tokens
Null search swapper
Switcher
Summary
9
9. Advanced Dashboard Customization
9. Advanced Dashboard Customization
Layout customization
Custom look and feel
The custom alert action
Summary
10
10. Tweaking Splunk
10. Tweaking Splunk
Index replication
Indexer auto-discovery
Sourcetype manager
Field extractor
Search history
Event pattern detection
Data acceleration
Splunk buckets
Search optimizations
Splunk health
Summary
11
11. Enterprise Integration with Splunk
11. Enterprise Integration with Splunk
The Splunk SDK
Installing the Splunk SDK
The Splunk SDK for Python
Splunk with R for analytics
Splunk with Tableau for visualization
Summary
12
12. What Next? Splunk 6.4
12. What Next? Splunk 6.4
Storage optimization
Machine learning
Management and admin
Indexer and search head enhancement
Visualizations
Multi-search management
Enhanced alert actions
Summary
13
Index
Index

Splunk Enterprise Security

Splunk Enterprise is connected to various data input sources, indexers, and search heads over a network, and hence, it is very important to harden the security of Splunk Enterprise. Taking necessary steps for Splunk Enterprise Security (SES) can mitigate risk and reduce attacks from hackers.

The following are ways to secure the Splunk Enterprise deployment:

  • Setting up user authentication and creating and managing user access by assigning roles. Splunk has a built-in system for user authentication and to assign roles. Along with the built-in system, it provides integration with the Lightweight Directory Access Protocol (LDAP). Splunk can be integrated with an active directory and can be used as a centralized authentication system for authentication and to assign roles. Splunk Enterprise 6.3 has been introduced with additional authentication using the Security Assertion Markup Language (SAML). Splunk Enterprise can be enabled for single sign-ons using SAML, which was explained in detail in the previous section of the chapter.
  • Use Secure Socket Layer (SSL) for secure communication of Splunk deployment. Splunk provides, by default, certificates and keys that can be used to enable SSL communication to provide encryption and data compression while communicating with different components of Splunk deployment. It secures the communication between browsers, Splunk Web, and data sent from forwarders to indexers. Splunk provisions to use your own certificates and keys to secure the communication of Splunk deployment components.
  • Keep Splunk installation updated with the latest security patches and updates. Splunk continuously keeps on fixing bugs and comes up with updates on Splunk Enterprise. Splunk releases the bug fix report that has a complete description about the fixes that were updated in the next release. If there are any security-related fixes, Splunk Enterprise deployment should apply that security patch/bug fix so as to make sure that Splunk Enterprise is secure from outside threats. Continuous auditing of Splunk configuration files and Splunk audit events will result in secure Splunk deployment.

Enabling HTTPS for Splunk Web

We will see how to enable HTTPS from the Splunk Web console for all communications happening via Splunk's web channel. On enabling HTTPS, Splunk will not be able to listen over the HTTP connection, and this is the time when Splunk can be configured to either listen to HTTP or HTTPS communications only!

The following are the steps to enable HTTPS via the Splunk Web console:

  1. Access the Splunk Web console via a web browser by typing the IP address followed by the port number.

    For example, http://IPAddress:Port or http://localhost:8000. Here, 8000 is a default web access port of Splunk Enterprise.

  2. Go to System Menu | System Settings.
  3. Click on the radio button to enable HTTPS. Splunk is configured to use default certificates when HTTPS is enabled. The default configuration is available at $SPLUNK_HOME\etc\auth\web.conf:
    [settings]
enableSplunkWebSSL = true
privKeyPath = etc\auth\splunkweb\privkey.pem #Path of Default Private Key
caCertPath = etc\auth\splunkweb\cert.pem #Path of Default Certificate Path

We'll now configure Splunk Web with your own certificate and private key. We are talking about securing Splunk, so the default private key and default certificate provided by Splunk Enterprises should be changed for better authentication and security.

Certificates can be self-signed or can be purchased from third-part vendors. Once you have the certificate and private key, the following procedure is to be followed for the changes to take effect.

In our explanation, let's say the certificate filename is TestCertificate.pem and the private key is TestPrivateKey.key. The following are a series of steps to configure Splunk Web with a certificate and private key:

  1. Copy TestCertificate.pem and TestPrivateKey.key to $SPLUNK_HOME\etc\auth\splunkweb\
  2. Do not overwrite or delete the existing certificate located at $SPLUNK_HOME\etc\auth\splunkweb\, as the certificates are generated on every restart, and any changes made on this certificate and key will be reset
  3. Configure web.conf located at $SPLUNK_HOME\etc\system\local as follows:
    [settings]
enableSplunkWebSSL = true
privKeyPath = etc\auth\splunkweb\TestPrivateKey.key
caCertPath = etc\auth\splunkweb\TestCertificate.pem

Splunk needs to be restarted for the newer settings to take effect, and after the restart of Splunk Server, Splunk Web will be available only via HTTPS URL, that is, https://localhost:8000.

Enabling HTTPS for the Splunk forwarder

Configure inputs.conf located at $SPLUNK_HOME\etc\system\local\ of the indexer, as mentioned in the following code block. In this example, port number 9000 is to be configured on the indexer:

[SSL]
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem #Path of default Key
serverCert = $SPLUNK_HOME\etc\auth\server.pem #Path of default Certificate 
password = password
[splunktcp-ssl:9000]
disabled=0

The Splunk forwarder needs to be configured to forward using the secure certificate and key. To configure the outputs.conf forwarder located at $SPLUNK_HOME\etc\system\local, place the following code block as in the following mentioned code block. In this example, 192.168.1.10 is the IP address of the indexer that was configured in the previous instance:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 192.168.1.10:9000
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
sslCertPath = $SPLUNK_HOME\etc\auth\server.pem
sslPassword = password

Similar to the previous section, even in the indexer and forwarder, the certificates and private keys can be copied to their respective folders. The path of the certificate and private key can be configured in their respective config files. Splunk must be restarted for the settings to take effect.

Securing a password with Splunk

Splunk has an in built feature of encrypting configuration files via SSH. Splunk for its first start up, creates a file named splunk.secret, which contains a secret key that is used to encrypt authentication information in configuration files.

The following is the list of information that is encrypted via the splunk.secret key:

  • web.conf: This refers to SSL passwords of every instance
  • authentication.conf: This refers to the LDAP password; if deployment is LDAP integrated
  • inputs.conf: This refers to SSL passwords
  • outputs.conf: This refers to SSL passwords

When Splunk starts and if it detects a clear-text password in any of the preceding configuration files, it creates a configuration in the equivalent local folder with the encrypted password.

In a clustered and distributed environment, when Splunk is deployed on multiple servers, a secure password mechanism of encryption can be very useful to ensure consistency across the deployment.

To apply the same settings of a secret key to all the instances, users just need to configure all the changes in the configuration files and restart Splunk to ensure that the splunk.secret file is updated with the latest information.

Once you have the updated file, just copy the splunk.secret file to all the other instances and restart the instance, and you will have the same settings you applied to all the instances.

The access control list

Splunk can be configured for high security with an access control list. Using an access control list, various restrictions on the basis of IP address to various components of Splunk deployment can be applied.

The server.conf and inputs.conf can be edited or modified to specify which IP address should be allowed and which should be restricted for various communications within the Splunk deployment.

In server.conf and inputs.conf, the [accept from] block can be added to allow communication only from a specific IP address. For example, to instruct a node to accept communication from a specific IP address, edit the [httpserver] block in server.conf; likewise, to restrict TCP communication using SSL to a specific IP address, edit the [tcp-ssl] block in inputs.conf.

Similarly, various communications of Splunk Web, forwarder, and indexers can be restricted or allowed only from a specific IP address, and thus, security can be enhanced using the access control list features of Splunk Enterprise 6.3.

End of Section 7
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY