In this video, I'll discuss Splunk. Throughout the next several videos, I'll be talking about monitoring and auditing and log management, and to do that I'm going to discuss it in terms of, or using, the tool Splunk. Splunk is commercial software. It allows us to ingest all kinds of information. It takes in information from servers, devices, applications, traffic, basically anything that you can put into a log file, or anything that's repetitive, like an audit log for example. We'll talk about audit logs in the next lesson. But let's dive into Splunk a little bit.

So, I've already logged in, and this is our enterprise account. Now, we have a very small license for Splunk. We've been using it for about seven years now, and it's still very small, even though there are 3.7 billion logs in here, and technically it's only from the last two years, because we keep very few logs up to the five-year mark. So let's just type in my username here at UCCS and see what happens. I'm going to select the time period; let's say the last 15 minutes. What did I do in the past 15 minutes here? We notice that it's ingesting. Well, it looks like we have only one host that's reporting instant data. If we look at this, we see a Microsoft Windows security log event, and that's off of one of the servers here called AUTH1. AUTH1 is our authentication server. So Splunk allows us to ingest all kinds of useful information in order to understand how data is moving, what our organization is doing, if you will.

Let's briefly look at some dashboards to see how we can gain some more insight into what's going on in our environment. This is one I created a couple of years ago, and the dashboard just gives us a brief glimpse of what's going on. It takes all those log files and allows us to see what's happening. Now, it's really early in the morning here, so it's even before any students get here.
I don't think I've even seen any staff in the building. So we only have about 1800 logins. Wireless logins on campus are only about... and this is changing every second. And then the portal logins as well. What Splunk allows us to do is monitor and alert for things that we may not be able to check in on. We can see that log files are moving, but how do we understand that there is a problem if we're not looking at all the data all at once? Now, Splunk is just one tool that we can use for this purpose. However, it is commercial software. It is free in some circumstances, and educational institutions get somewhat of a discount. There's also Splunk Light, and there's also Splunk in the cloud that allows us to do anything.

I'm not sure why this dashboard isn't working here. However, here is lab usage within the past 24 hours. So this is, let's see, logons and logoffs. We actually were closed yesterday due to weather, so I'm not sure how anybody was logging in at 4 pm on a lab, because we were closed. It looks like some of the labs, or one of the labs, also restart at midnight. Additionally, we also have mail going. We don't have anybody sending mail right now, because it is a little early in the morning, 7:10 am. However, this is mostly other systems that are sending out, because we use Office 365.

So in order to understand what our organization is doing, we need some kind of tool that aggregates all the information and allows us to spit out that data in a meaningful way. We may have metrics in an organization. However, metrics are just metrics if there is no analysis behind them. So if we can look at specific data and analyze that data, it allows us to make decisions a little bit better. We've chosen Splunk to do that. However, there are other tools like Graylog and Elasticsearch that allow us to do this.
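As an added example (not from the video and not Splunk's own code), here are the two checks the demo walks through, a 15-minute search for one user counted by host, and a look for lab logons on a day the building was closed, run over a handful of constructed Windows security events. Event codes 4624/4634 are the real Windows logon/logoff IDs; the host names, users, dates and times are made up for the example.

```python
from collections import Counter
from datetime import datetime, date, timedelta

# Constructed sample events in the shape a log platform would index from a
# Windows security log: timestamp, host, EventCode (4624 logon, 4634 logoff), user.
SAMPLE_EVENTS = [
    {"time": "2019-02-07 06:58:10", "host": "AUTH1", "code": 4624, "user": "jdoe"},
    {"time": "2019-02-07 07:02:45", "host": "AUTH1", "code": 4624, "user": "jdoe"},
    {"time": "2019-02-07 06:40:00", "host": "AUTH1", "code": 4624, "user": "asmith"},
    {"time": "2019-02-06 16:05:30", "host": "LAB-PC12", "code": 4624, "user": "asmith"},
    {"time": "2019-02-06 16:07:02", "host": "LAB-PC12", "code": 4634, "user": "asmith"},
    {"time": "2019-02-06 00:01:11", "host": "LAB-PC03", "code": 4624, "user": "SYSTEM"},
]

# "Now" for the demo search (7:10 am, as in the video) and the closure day; both constructed.
DEMO_NOW = datetime(2019, 2, 7, 7, 10)
CLOSED_DAY = date(2019, 2, 6)


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def search_user(events, user, now, minutes=15):
    """Events for `user` in the last `minutes`, counted by (host, EventCode)."""
    start = now - timedelta(minutes=minutes)
    hits = [e for e in events if e["user"] == user and start <= _ts(e) <= now]
    return Counter((e["host"], e["code"]) for e in hits)


def closed_day_logons(events, closed_day, lab_prefix="LAB-"):
    """Interactive logons (4624) on lab hosts during a day the labs were closed.

    Machine accounts are skipped so scheduled lab restarts are not flagged."""
    return [e for e in events
            if e["code"] == 4624 and e["host"].startswith(lab_prefix)
            and _ts(e).date() == closed_day and e["user"] != "SYSTEM"]


if __name__ == "__main__":
    print(search_user(SAMPLE_EVENTS, "jdoe", DEMO_NOW))
    for e in closed_day_logons(SAMPLE_EVENTS, CLOSED_DAY):
        print("logon during closure:", e)
```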