Visualization of FirewallD-logs in SPLUNK
From Datateknik
(Difference between revisions)
(→Install SPLUNK) |
|||
| (18 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
Make sure you have a secure password!! | Make sure you have a secure password!! | ||
| − | [[File:splunk-screenshot1.png| | + | [[File:splunk-screenshot1.png|1000px|caption]] |
= FirewallD logs in SPLUNK = | = FirewallD logs in SPLUNK = | ||
Check that you have a text-file (log) with ip attack data (use less ...) | Check that you have a text-file (log) with ip attack data (use less ...) | ||
| Line 12: | Line 12: | ||
rpm -ql splunk | grep splunk$ | rpm -ql splunk | grep splunk$ | ||
echo "--------------------------" | echo "--------------------------" | ||
| − | # firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp | + | # firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept' |
| + | |||
==Import data into splunk== | ==Import data into splunk== | ||
Not so difficult | Not so difficult | ||
| − | ==Search | + | ==Search data and Draw the Map== |
| + | *Click on the large green button "Search & reporting" | ||
| + | *View all your data in "excel" format | ||
| + | source="/var/log/attacker.log" | ||
| + | *Select SRC data by typing SRC ( or | SRC ) | ||
| + | source="/var/log/attacker.log" SRC | ||
| + | *Pipe SRC-data into stats-module: <tt> source="/var/log/attacker.log" SRC | stats count by SRC </tt> | ||
| + | 0.0.0.0 123 | ||
| + | 1.0.232.123 23 | ||
| + | 1.1.12.4 12 | ||
| + | *SRC | stats count by SRC | iplocation SRC | ||
| + | SRC count City Country Region lat lon | ||
| + | 0.0.0.0 176 | ||
| + | 1.0.243.134 1 Thailand 13.75000 100.46670 | ||
| + | 123.10.169.5 1 Uddevalla Sweden 13.75000 100.46670 | ||
| + | 1.10.170.79 1 Thailand 13.75000 100.46670 | ||
| + | 1.11.242.151 1 Seoul Rep. of Korea Seoul 37.51110 126.97430 | ||
| + | *Plot data with geostats: <tt> SRC | stats count by SRC | iplocation SRC | geostats latfield=lat longfield=lon count </tt> | ||
| + | *: TIP: you might need to click the tab /Visualzation\ and select <tt> Cluster Map </tt> | ||
| + | |||
| + | NICE MAP | ||
| + | |||
| + | latitude Longitude Count | ||
| + | -49.12312 -68.123123 12 | ||
| + | 12.45234 31.1231 7 | ||
| + | -12.12312 12.1233 300 | ||
| + | |||
| + | * Save the map to your dashboard by clicking "Save As " | ||
| + | |||
| + | == Search data and plot Attack Ports == | ||
| + | * DPT | stats count by DPT | sort - count | head 16 | ||
| + | * Save the plot to your dashboard by clicking "Save As " | ||
| + | == List the 16 Worst towns in Sweden == | ||
| + | SRC | iplocation SRC | search Country="Sweden" | stats count by City | sort - count | head 16 | ||
| − | + | * Click "Save as " | |
Latest revision as of 10:12, 18 May 2017
Make sure you have a secure password!!
Contents |
[edit] FirewallD logs in SPLUNK
Check that you have a text-file (log) with ip attack data (use less ...)
[edit] Install SPLUNK
- install splunk do NOT install splunk if you alreade have installed it
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true' echo "--------------------------" yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm rpm -ql splunk | grep splunk$ echo "--------------------------" # firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'
[edit] Import data into splunk
Not so difficult
[edit] Search data and Draw the Map
- Click on the large green button "Search & reporting"
- View all your data in "excel" format
source="/var/log/attacker.log"
- Select SRC data by typing SRC ( or | SRC )
source="/var/log/attacker.log" SRC
- Pipe SRC-data into stats-module: source="/var/log/attacker.log" SRC | stats count by SRC
0.0.0.0 123 1.0.232.123 23 1.1.12.4 12
- SRC | stats count by SRC | iplocation SRC
SRC count City Country Region lat lon 0.0.0.0 176 1.0.243.134 1 Thailand 13.75000 100.46670 123.10.169.5 1 Uddevalla Sweden 13.75000 100.46670 1.10.170.79 1 Thailand 13.75000 100.46670 1.11.242.151 1 Seoul Rep. of Korea Seoul 37.51110 126.97430
- Plot data with geostats: SRC | stats count by SRC | iplocation SRC | geostats latfield=lat longfield=lon count
- TIP: you might need to click the tab /Visualzation\ and select Cluster Map
NICE MAP latitude Longitude Count -49.12312 -68.123123 12 12.45234 31.1231 7 -12.12312 12.1233 300
- Save the map to your dashboard by clicking "Save As "
[edit] Search data and plot Attack Ports
- DPT | stats count by DPT | sort - count | head 16
- Save the plot to your dashboard by clicking "Save As "
[edit] List the 16 Worst towns in Sweden
SRC | iplocation SRC | search Country="Sweden" | stats count by City | sort - count | head 16
- Click "Save as "
