
Lab 7: Analyzing Log file using Splunk Cloud

In this lab, we will analyze a log file using Splunk. We will look for suspicious
events and determine exactly what happened.

Log files are difficult to read because they contain thousands of lines with many events
and much metadata. Splunk can assist us in analyzing such a file using search filters.

Tools used:
a- Splunk Cloud
b- You need to analyze the file shared with you on BB (access.log).

Steps:

1- First you need to use Free Splunk Cloud via the link:
https://www.splunk.com/en_us/download/splunk-cloud/cloud-trial.html?utm_campaign=google_emea_tier3_en_search_brand&utm_source=google&utm_medium=cpc&utm_content=cloud_signup_product&utm_term=free%20splunk&_bk=free%20splunk&_bt=548280304713&_bm=p&_bn=g&_bg=121759865680&device=c&gclid=CjwKCAjw__ihBhADEiwAXEazJj80uqdVRcABT0MIvaBCX2k1EsqxomeLkFg841vgrtKwIJPooL50jRoCoXcQAvD_BwE
2- You need to register first, so fill in your details and make sure you enter your correct
email address, because you will receive an activation message by email.
3- Open your email to activate your account.
4- Then you will receive an email with your username and password:

Dr. Sarah Abu Ghazalah


5- Enter your username and password you received in your email.

6- Reset your password [8 characters].

7- Go to the Settings icon and choose Add Data.

8- Then upload access.log file:


9- Click on Next.

10- Here Splunk displays the access log. What do you observe from Event 17 and
above?
11- Click Next
12- Click Next
13- Click Submit
14- Click on Start Searching.
15- Here we can filter our search based on specific fields. All the interesting fields are
shown on the left side.
16- Also, you can expand each field to see more details:


17- When we filter our search to:
source="access_log.txt" uri_path="//admin" GET

You will find that there is a brute force attack where the attacker is trying to
log in multiple times as admin but receives a 401 error code each time.

The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code
indicates that the client request has not been completed because it lacks valid
authentication credentials for the requested resource.


Activity:
So, surely now you want to know whether the attacker succeeded in his attempt. To find out, answer
the following questions:
1- Which web status code will you use to search for a successful attempt?
For teachers only >> code 200
2- Filter based on the successful status code and show the results.
For teachers only, here is the answer:

source="access_log.txt" uri_path="//admin" GET status=200


3- What makes the attempt successful (in other words, what is different here from the
other packets)?
For teachers only: We can see that when the packets send admin as part of the URL, it
succeeded.
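As an added example (not part of the lab or Splunk's own code), the following Python script applies the same logic as the searches in step 17 and the Activity above to a few constructed access-log lines: it counts 401 responses for GET //admin per source IP and records whether a later 200 followed from the same IP. The sample log lines, IP addresses and the failure threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the lab's access.log).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:14:02:01 +0000] "GET //admin HTTP/1.1" 401 512 "-" "curl/7.88"
10.0.0.5 - - [10/Mar/2023:14:02:02 +0000] "GET //admin HTTP/1.1" 401 512 "-" "curl/7.88"
10.0.0.5 - - [10/Mar/2023:14:02:03 +0000] "GET //admin HTTP/1.1" 401 512 "-" "curl/7.88"
192.168.1.20 - - [10/Mar/2023:14:02:04 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:14:02:05 +0000] "GET //admin HTTP/1.1" 401 512 "-" "curl/7.88"
10.0.0.5 - - [10/Mar/2023:14:02:06 +0000] "GET //admin HTTP/1.1" 200 2210 "-" "curl/7.88"
"""

# Extracts the fields Splunk exposes as clientip, method, uri_path and status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(log_text):
    """Yield one dict (ip, ts, method, uri_path, status) per line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                   "uri_path": m["path"], "status": int(m["status"])}

def admin_bruteforce(log_text, uri_path="//admin", threshold=3):
    """Equivalent of the lab's search uri_path="//admin" GET, split by status code.

    Returns {ip: {"failed": n, "succeeded_at": ts or None}} for every IP that
    produced at least `threshold` 401 responses; succeeded_at is the timestamp of
    a 200 response seen after those failures (None if the attempts never succeeded)."""
    per_ip = defaultdict(lambda: {"failed": 0, "succeeded_at": None})
    for ev in parse(log_text):
        if ev["method"] != "GET" or ev["uri_path"] != uri_path:
            continue
        if ev["status"] == 401:
            per_ip[ev["ip"]]["failed"] += 1
        elif ev["status"] == 200 and per_ip[ev["ip"]]["failed"] > 0:
            per_ip[ev["ip"]]["succeeded_at"] = ev["ts"]
    return {ip: v for ip, v in per_ip.items() if v["failed"] >= threshold}

if __name__ == "__main__":
    for ip, v in admin_bruteforce(SAMPLE_LOG).items():
        outcome = f"succeeded at {v['succeeded_at']}" if v["succeeded_at"] else "no success seen"
        print(f"{ip}: {v['failed']} failed admin logins, {outcome}")
```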
