Discovering Security Events of Interest Using Splunk

Discovering Security Events of Interest Using Splunk (PDF, 2.92MB)
Published: 16 Jul, 2013
Created by: Carrie Roberts

Security events of interest can be discovered by analyzing several different sources of machine data, including logs. Applications and the servers they run on produce many valuable logs that detail the events that have occurred on them. By analyzing and correlating this data, important information about attacks against these systems can be discovered. Splunk is a powerful tool for analyzing such data: it provides a high-performance solution for analyzing large amounts of unstructured data from multiple sources. This paper includes procedures for setting up a Splunk server and forwarding data to it from multiple sources. Example searches and the use of pre-built add-on functionality are given. It is a concise, comprehensive guide for deploying and using a centralized system for intelligence gathering, with a focus on detecting security events of interest.