Splunk

1. Introduction to Splunk & Setting Up Labs

          • Introduction to Splunk
          • Installation Process
          • Introduction to Docker Containers
          • Installing Docker
          • Installing Docker in Linux
          • Installing Splunk – Docker Approach
          • Installation Manual – Docker and RPM
          • Installing Splunk – RPM Approach
          • Data Persistence for Container Volumes
          • Important Pointer for Docker in Windows
          • Splunk Licensing Model
          • Splunk Developer 10GB License
          • Importing License into Splunk

2. Getting Started with Splunk

          • Importing Data to Splunk
          • Sample Tutorial Logs
          • Security Use-Case – Finding Attack Vectors
          • Search Processing Language (SPL)
          • Splunk Search Assistant
          • Splunk Reports
          • Splunk Report – Email Clarification (Followup)
          • Understanding Add-Ons and Apps
          • Splunk Add-On for AWS
          • Splunk App for AWS
          • Overview of Dashboards and Panels
          • Building Dashboard Inputs – Time Range Picker
          • Building Dashboard Inputs – Text Box
          • Building Dashboard Inputs – Drop Down
          • Building Dashboard Inputs – Dynamic Drop Down

3. Splunk Architecture

          • Directory Structure of Splunk
          • Splunk Configuration Directories
          • Splunk Configuration Precedence
          • Splunk Configuration Precedence – Apps and Locals
          • Introduction to Indexes
          • Bucket Lifecycle
          • Warm to Cold Bucket Migration
          • Archiving Data to Frozen Path
          • Thawing Process
          • Splunk Workflow Actions

4. Forwarder & User Management

          • Overview of Universal Forwarders
          • Installing Universal Forwarder in Linux
          • Installation Manual – Splunk Universal Forwarder
          • Challenges in Forwarder Management
          • Introduction to Deployment Server
          • ServerClass and Deployment Apps
          • Creating Custom Add-Ons for Deployment
          • Pushing Splunk Linux Add-On via Deployment Server
          • Understanding Scripted Monitoring Inputs

5. Post Installation Activities

          • Understanding Regular Expressions
          • Regex – Exercise
          • Parsing Web Server Logs & Named Group Expressions
          • Sample – Web Server Logs
          • Importance of Source Types
          • Interactive Field Extractor (IFX)
          • props.conf and transforms.conf
          • Sample Log – MySQL Error Logs
          • Splunk Event Types
          • Tags
          • Splunk Event Types Priority and Coloring Scheme
          • Splunk Lookups
          • Splunk Alerts

6. Security Primer

          • Access Control
          • Creating Custom Roles & Capabilities

7. Distributed Splunk Architecture

          • Overview of Distributed Splunk Architecture
          • Understanding License Master
          • Implementing License Master
          • License Pools
          • Indexer
          • Masking Sensitive Data at Index Time
          • Search Head
          • Splunk Monitoring Console

8. Indexer Clustering

          • Overview of Indexer Clustering
          • Deploying Infrastructure for Indexer Cluster
          • Master Indexer
          • Peer Indexers
          • Testing Replication and Failover Capabilities
          • Configuration Bundle
          • Forwarding Logs to Indexer Cluster
          • Indexer Discovery

9. Search Head Clustering

          • Overview of Search Head Clusters
          • Deploying Infrastructure for Search Head Cluster
          • Configuring Cluster Setup on Search Heads
          • Validating Search Head Replication
          • Pushing Artifacts through Deployer
          • Connecting Search Head Cluster to Indexer Cluster
          • SH to IDX Cluster Document

10. Advanced Splunk Concepts

          • Using Btool for Troubleshooting
          • Overview of Data Models with Practical
          • Splunk Support Programs