Tuesday, May 15, 2018

Bejtlich Joining Splunk


Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity.

Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will be Senior Director for Security and Intelligence Operations, reporting to our CISO, Joel Fulton. I will help build teams to perform detection and monitoring operations, digital forensics and incident response, and threat intelligence. I remain in the northern Virginia area and will align with the Splunk presence in Tyson's Corner.

I'm very excited by this opportunity for four reasons. First, the areas for which I will be responsible are my favorite aspects of security. Long-time blog readers know I'm happiest detecting and responding to intruders! Second, I already know several people at the company, one of whom began this journey by Tweeting about opportunities at Splunk! These colleagues are top notch, and I was similarly impressed by the people I met during my interviews in San Francisco and San Jose.

Third, I respect Splunk as a company. I first used the products over ten years ago, and when I tried them again recently they worked spectacularly, as I expected. Fourth, my new role allows me to be a leader in the areas I know well, like enterprise defense and digital operational art, while building understanding in areas I want to learn, like cloud technologies, DevOps, and security outside enterprise constraints.

I'll have more to say about my role and team soon. Right now I can share that this job focuses on defending the Splunk enterprise and its customers. I do not expect to spend a lot of time in sales cycles. I will likely host visitors in the Tyson's areas from time to time. I do not plan to speak as much with the press as I did at Mandiant and FireEye. I'm pleased to return to operational defense, rather than advise on geopolitical strategy.

If this news interests you, please check our open job listings in information technology. As a company we continue to grow, and I'm thrilled to see what happens next!

Monday, May 07, 2018

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud.

Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15 day free trial of Splunk Cloud that will index 5 GB per day.

If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)

I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.

First I registered for the free Splunk Cloud trial online.

After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation.

I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.

I downloaded a 64 bit Linux 2.6+ kernel .deb file to the /home/Downloads directory on the Linux VM.

richard@debian:~$ cd Downloads/

richard@debian:~/Downloads$ ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

With elevated permissions I created a directory for the .deb, changed into the directory, and installed the .deb using dpkg.

richard@debian:~/Downloads$ sudo bash
[sudo] password for richard: 

root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarder

root@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/

root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/

root@debian:/opt/splunkforwarder# ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

root@debian:/opt/splunkforwarder# dpkg -i splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb 

Selecting previously unselected package splunkforwarder.
(Reading database ... 141030 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.0) ...
Setting up splunkforwarder (7.1.0) ...
complete

root@debian:/opt/splunkforwarder# ls
bin        license-eula.txt
copyright.txt  openssl
etc        README-splunk.txt
ftr        share
include        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
lib        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest

Next I changed into the bin directory, ran the splunk binary, and accepted the EULA.

root@debian:/opt/splunkforwarder# cd bin/

root@debian:/opt/splunkforwarder/bin# ls

btool   copyright.txt   openssl slim   splunkmon
btprobe   genRootCA.sh   pid_check.sh splunk   srm
bzip2   genSignedServerCert.sh  scripts splunkd
classify  genWebCert.sh   setSplunkEnv splunkdj

root@debian:/opt/splunkforwarder/bin# ./splunk start

SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING SPLUNK
SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS

...

Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

Now I had to set an administrator password for this Universal Forwarder instance. I will refer to it as "mypassword" in the examples that follow although Splunk does not echo it to the screen below.

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

With that done, I had to return to the Splunk Cloud Web site, and click the link to "Download Universal Forwarder Credentials" to download a splunkclouduf.spl file. As noted in the documentation, splunkclouduf.spl is a "credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud."

After downloading the splunkclouduf.spl file, I installed it. Note I pass "admin" as the user and "mypassword" as the password here. After installing I restart the universal forwarder.

root@debian:/opt/splunkforwarder/bin# ./splunk install app /home/richard/Downloads/splunkclouduf.spl -auth admin:mypassword

App '/home/richard/Downloads/splunkclouduf.spl' installed 

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

It's time to take the final steps to get data into Splunk Cloud. I need to set up forwarder management in the Splunk Cloud Web site. Observe the input-prd-p-XXXX.cloud.splunk.com in the command. You obtain this (mine is masked with XXXX) from the URL for your Splunk Cloud deployment, e.g., https://prd-p-XXXX.cloud.splunk.com. Note that you have to add "input-" before the fully qualified domain name used by the Splunk Cloud instance.

root@debian:/opt/splunkforwarder/bin# ./splunk set deploy-poll input-prd-p-XXXX.cloud.splunk.com:8089

Your session is invalid.  Please login.
Splunk username: admin
Password: 
Configuration updated.

Once again I restart the universal forwarder. I'm not sure if I could have done all these restarts at the end.

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

Finally I need to tell the universal forwarder to watch some logs on this Linux system. I tell it to monitor the /var/log directory and restart one more time.

root@debian:/opt/splunkforwarder/bin# ./splunk add monitor /var/log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/var/log'.

root@debian:/opt/splunkforwarder/bin# ./splunk restart

Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
...............
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
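The whole forwarder procedure above, collapsed into one non-interactive script. This is an added example, not code from the original post or from Splunk: it assumes SPLUNK_HOME is /opt/splunkforwarder, the credentials package sits at $HOME/Downloads/splunkclouduf.spl, the admin password arrives in the UF_ADMIN_PW environment variable, and the Splunk Cloud URL is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# Universal Forwarder steps above. Assumes SPLUNK_HOME, UF_APP and UF_ADMIN_PW
# as described in the lead-in.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
UF_APP="${UF_APP:-${HOME:-/root}/Downloads/splunkclouduf.spl}"

# Derive the deployment-server target from the Splunk Cloud URL, i.e.
# https://prd-p-XXXX.cloud.splunk.com -> input-prd-p-XXXX.cloud.splunk.com:8089
# Accepts a bare hostname or an already-prefixed host:port as well.
deploy_poll_target() {
  host=$(printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##')
  case "$host" in
    input-*) ;;                 # already carries the "input-" prefix
    *) host="input-$host" ;;
  esac
  printf '%s:8089\n' "$host"
}

install_forwarder() {
  : "${UF_ADMIN_PW:?set UF_ADMIN_PW to the forwarder admin password}"
  target=$(deploy_poll_target "$1")
  # Seed the admin account before first start instead of answering the prompt;
  # splunkd reads user-seed.conf on its first launch.
  mkdir -p "$SPLUNK_HOME/etc/system/local"
  umask 077
  cat > "$SPLUNK_HOME/etc/system/local/user-seed.conf" <<EOF
[user_info]
USERNAME = admin
PASSWORD = $UF_ADMIN_PW
EOF
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  # Note: -auth on the command line is visible in the process list while the
  # command runs; the post typed the password at the prompt instead.
  "$SPLUNK_HOME/bin/splunk" install app "$UF_APP" -auth "admin:$UF_ADMIN_PW"
  "$SPLUNK_HOME/bin/splunk" set deploy-poll "$target" -auth "admin:$UF_ADMIN_PW"
  "$SPLUNK_HOME/bin/splunk" add monitor /var/log -auth "admin:$UF_ADMIN_PW"
  # One restart at the end picks up all three configuration changes.
  "$SPLUNK_HOME/bin/splunk" restart
  # Confirm the forwarder knows its outputs and inputs before checking the Web UI.
  "$SPLUNK_HOME/bin/splunk" list forward-server -auth "admin:$UF_ADMIN_PW"
  "$SPLUNK_HOME/bin/splunk" list monitor -auth "admin:$UF_ADMIN_PW"
}

if [ "${1:-}" ]; then
  install_forwarder "$1"
fi
```

Run it as root after the dpkg install, e.g. `UF_ADMIN_PW='mypassword' sh uf-setup.sh https://prd-p-XXXX.cloud.splunk.com`; the final two list commands should show the Splunk Cloud indexers and the /var/log monitor.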

At this point I return to the Splunk Cloud Web interface and click the "search" feature. I see Splunk is indexing some data.


I run a search for "host=debian" and find my logs.


Not too bad! Have you tried Splunk Cloud? What do you think? Leave me a comment below.

Update: I installed the Universal Forwarder on FreeBSD 11.1 using the method above (except with a FreeBSD .tgz) and everything seems to be working!