Splunk

Loading...

From the course by University of Colorado System

Planning, Auditing and Maintaining Enterprise Systems

25 ratings

University of Colorado System

Planning, Auditing and Maintaining Enterprise Systems

25 ratings

Course 4 of 4 in the Specialization Computer Security and Systems Management

Good system management not only requires managing the systems themselves, but requires careful planning to make systems interact with each other, auditing of the systems once the systems are built, and proactive maintenance of all systems. Organizations also rely on organizational policies, such as Acceptable Use Policies to bolster the technical aspect of system management. This course explores many of the behind the scenes requirements of good system management. The first half of the course covers how to build security into system management process and the organization policies necessary for any enterprise to follow. The latter half of the course focuses on auditing and maintenance of systems once they have been designed, and implemented. By the end of the course you should be able to design and construct organizational policies based on a set of requirements, audit a system based on those requirements, and make sure systems adhere technically to the set of requirements.

From the lesson

Auditing systems in the enterprise

Once a system is planned and built, it's now time to continuously monitor and audit the systems.

Strategies for Monitoring7:48

Meet the Instructors

Greg Williams
Lecturer
Department of Computer Science

In this video, I'll discuss Splunk.

Throughout the next several videos,

I'll be talking about monitoring and auditing and log management.

And to do that,

I'm going to discuss that in terms of or use the tool Splunk.

Splunk is commercial software.

It allows us to ingest all kinds of information.

It takes in information from servers, devices, application,

traffic, anything basically that you can

put into a log file or anything that's repetitive,

like an audit log for example.

And we'll talk about audit logs here in the next lesson.

But, let's dive into Splunk a little bit.

So, I'm gonna just type in,

I've already logged in and this is our enterprise account.

Now we have this- we have a very small license for Splunk.

We've been using it for about seven years now,

and it's still very small even though there's 3.7 billion logs in here and technically,

it's only from the last two year because we keep very few logs up to the five year mark.

So, if I wanted to type in- let's just type in

my username here at UCCS and see what happens.

And I'm gonna select the time period.

Let's say last 15 minutes.

What did I do in the past 15 minutes here.

So we notice that it's ingesting.

Well, looks like only we have only one host that's reporting instant data.

So if we look at this,

we look at a Microsoft Windows security log event

and that's off of one of the servers here called AUTH1.

AUTH1 is our authentication server.

So Splunk allows us to ingest all kinds of

useful information in order to understand how data is moving.

How data is being- what our organization is doing if you will.

If we look at- let's briefly look at some dashboards

here how we can gain some more insight into what's going on in our environment.

But this is one I created a couple of years ago,

and the dashboard just gives us a brief glimpse of what's going on.

It takes all those log files and allows us to see what's happening.

Now, it's really early in the morning here so,

it's even before any students get here.

I don't think I've even seen any staff in the building.

So, we only have about 1800 logins.

Wireless logins on campus are only about- and this is every second this is changing.

And then the portal logins as well.

What this allows us- what's Splunk allows us to do is it allows us to monitor and alert

for things that we may not be able to check in on them.

So we could see that log files are moving but how do we understand that there is

a problem if we're not looking at all the data all at once.

Now, Splunk is just a one tool that we can use for this purpose.

However, it is commercial software.

It is free in some circumstances,

so educational institutions get somewhat of a discount.

There's also a Splunk light.

There's also Splunk in the cloud that allows us to do anything.

I'm not sure why this dashboard isn't working here.

However, Lab usage within the past 24 hours.

So this is- let's see,

logons and logoffs here.

We actually were closed yesterday due to weather,

so I'm not sure how anybody was logging in at 4 pm on a lab because we were closed.

Looks like some of the labs also restart there at midnight or one of the labs.

Additionally, we also have mail going.

We don't have anybody sending mail right now because it

is a little early in the morning 7:10am.

However, this is mostly other systems that are sending out because we use Office 365.

So in order to understand what our organization is doing,

we need some kind of tool that aggregates all the information and

allows us to spit out that data in a meaningful way.

We may have metrics in an organization.

However, metrics are just metrics if there is no analysis behind them.

So if we can look at specific data and analyze that data,

it allows us to make decisions a little bit better.

We've chosen Splunk to do that.

However, there's other tools like Graylog and Elasticsearch that allow us to do this.

Explore our Catalog

Join for free and get personalized recommendations, updates and offers.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2018 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play