Revision as of 08:10, 11 May 2017

Make sure you have a secure password!!

FirewallD logs in SPLUNK

Check that you have a text-file (log) with ip attack data (use less ...)

Install SPLUNK

• install splunk do NOT install splunk if you alreade have installed it

wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk$
echo "--------------------------"
# firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp|udp" accept'

Import data into splunk

Not so difficult

Search Data

View your data and vi "excel" Data

 source="/var/log/messages"

Select SRC data by typing SRC ( or | SRC )

 SRC

SRC | stats count by SRC

0.0.0.0                        123
 1.0.232.123                     23
 1.1.12.4                        12

SRC | stats count by SRC | iplocation SRC

SRC	count	City	Country	Region	lat	lon
0.0.0.0	176	 	 	 	 	 
1.0.243.134	1		Thailand		13.75000	100.46670
1.10.169.5	1		Thailand		13.75000	100.46670
1.10.170.79	1		Thailand		13.75000	100.46670
1.11.242.151	1	Seoul	Republic of Korea	Seoul	37.51110	126.97430

Plot data with geostats: SRC | stats count by SRC | iplocation SRC | geostats latfield=lat longfield=lon count

TIP: you might need to click the tab /Visualzation\ and select Cluster Map

NICE MAP

latitude     Longitude    Count
-49.12312    -68.123123      12
 12.45234     31.1231         7
-12.12312     12.1233       300

Visualize Searched data