Visualization of FirewallD-logs in SPLUNK
From Datateknik
Latest revision as of 10:12, 18 May 2017
Make sure you have a secure password!!
FirewallD logs in SPLUNK
Check that you have a text file (log) with IP attack data (inspect it with less ...)
Install SPLUNK
- Install Splunk (do NOT install Splunk if you have already installed it)
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk$
echo "--------------------------"
# open the Splunk web port 8000 (runtime rule only; add --permanent if it must survive a firewalld reload)
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'
Import data into splunk
Not so difficult
Search data and Draw the Map
- Click on the large green button "Search & reporting"
- View all your data in "excel" format
source="/var/log/attacker.log"
- Select SRC data by typing SRC ( or | SRC )
source="/var/log/attacker.log" SRC
- Pipe SRC-data into stats-module: source="/var/log/attacker.log" SRC | stats count by SRC
0.0.0.0        123
1.0.232.123     23
1.1.12.4        12
- SRC | stats count by SRC | iplocation SRC
SRC            count  City       Country        Region  lat       lon
0.0.0.0        176
1.0.243.134    1                 Thailand               13.75000  100.46670
123.10.169.5   1      Uddevalla  Sweden                 13.75000  100.46670
1.10.170.79    1                 Thailand               13.75000  100.46670
1.11.242.151   1      Seoul      Rep. of Korea  Seoul   37.51110  126.97430
- Plot data with geostats: SRC | stats count by SRC | iplocation SRC | geostats latfield=lat longfield=lon count
- TIP: you might need to click the tab /Visualization\ and select Cluster Map
NICE MAP
latitude    Longitude   Count
-49.12312   -68.123123  12
12.45234    31.1231     7
-12.12312   12.1233     300
- Save the map to your dashboard by clicking "Save As "
Search data and plot Attack Ports
- DPT | stats count by DPT | sort - count | head 16
- Save the plot to your dashboard by clicking "Save As "
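As an added example (not from the original page): a small Python script that reproduces the two searches above, "SRC | stats count by SRC" and "DPT | stats count by DPT | sort - count | head 16", offline over constructed firewalld/netfilter kernel log lines. It assumes the log carries the usual key=value fields (SRC=, DST=, SPT=, DPT=) that Splunk extracts automatically; lines without SRC= are skipped, just as a search for SRC skips them.

```python
import re
from collections import Counter

# Constructed sample of firewalld (netfilter LogDenied) kernel log lines plus one
# unrelated sshd line; the key=value fields are what Splunk auto-extracts.
SAMPLE_LOG = """\
May 18 09:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.0.232.123 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 18 09:01:05 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=1.0.232.123 DST=10.0.0.5 PROTO=TCP SPT=43211 DPT=23 SYN URGP=0
May 18 09:01:07 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=1.1.12.4 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
May 18 09:01:09 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=1.11.242.151 DST=10.0.0.5 PROTO=UDP SPT=5060 DPT=5060 LEN=8
May 18 09:01:11 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=1.0.232.123 DST=10.0.0.5 PROTO=TCP SPT=43212 DPT=22 SYN URGP=0
May 18 09:01:13 host sshd[123]: Accepted publickey for admin from 10.0.0.9 port 5555 ssh2
"""

# KEY=value tokens as written by the kernel log target (value may be empty, e.g. OUT=)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_events(text):
    """Yield one dict of key=value fields per line that carries SRC=.
    Lines without SRC (the sshd line) are dropped, like searching for SRC in Splunk."""
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "SRC" in fields:
            yield fields

def count_by(events, field):
    """Equivalent of '| stats count by <field>'; events lacking the field are ignored."""
    return Counter(e[field] for e in events if field in e)

def top_n(counter, n=16):
    """Equivalent of '| sort - count | head 16' (descending count, value as tie-break)."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def report(text):
    """Both dashboard searches from the page over one log text."""
    events = list(parse_events(text))
    return {"by_src": count_by(events, "SRC"),
            "top_dpt": top_n(count_by(events, "DPT"))}

if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for src, n in top_n(r["by_src"]):
        print(f"{src:<16} {n}")
    for dpt, n in r["top_dpt"]:
        print(f"DPT {dpt:<6} {n}")
```

Point it at the real file (e.g. open /var/log/attacker.log and pass its contents to report) to compare the counts with what the Splunk dashboard shows.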
List the 16 Worst towns in Sweden
SRC | iplocation SRC | search Country="Sweden" | stats count by City | sort - count | head 16
- Click "Save as "