Log Analysis in Linux and Splunk

Log analysis is one of the most widely used skills an analyst has. Logs record what is happening to systems on the network: they can hold the precursors of a compromise, evidence of the compromise itself, and traces of post-exploitation activity. Many tools can analyze logs, from commercial platforms like Splunk to free command-line utilities like grep, awk, and gawk. What matters is being able to read the logs and pull out the information you are looking for, whichever tool you use.

Overview

Splunk is a widely used commercial log aggregation tool. It ingests data from many sources, indexes it, and lets you search it to investigate incidents on the network. Splunk is not the only way to work with log files: grep, gawk, and awk can produce similar results, but they are command-line tools, the work is more manual, and the analyst has to remember many commands and switches.
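The kind of parsing the Overview describes, done with grep and awk alone, looks like the following. This is an added example, not part of the original lab: the auth.log lines are constructed to resemble OpenSSH sshd messages as written by rsyslog, and the function names (make_sample_log, failed_logins_by_ip, flag_brute_force) and the failure threshold are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH logins per source address from
# syslog-style auth.log lines using grep, awk, sort and uniq.
# The log lines are constructed for this example, not taken from a real host.

set -eu

# Write a small constructed auth.log to the path given in $1 so the
# pipeline can run offline. The format mirrors sshd messages under rsyslog.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 08:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 08:12:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 08:12:05 web01 sshd[2214]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar 10 08:13:40 web01 sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar 10 08:14:02 web01 sshd[2225]: Failed password for root from 198.51.100.9 port 40200 ssh2
Mar 10 08:15:11 web01 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Print "<ip> <count>" for every address with failed password attempts,
# busiest address first.
#   grep  keeps only sshd "Failed password" lines (the Accepted and CRON
#         lines drop out here);
#   awk   prints the token that follows the word "from", which works for
#         both the "invalid user X from" and the "root from" message forms;
#   sort | uniq -c aggregates identical addresses; sort -rn ranks them;
#   the final awk reorders uniq's "count ip" output to "ip count".
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Print only the addresses whose failure count reaches the threshold in $2.
# The threshold is an example value; tune it to the host's normal traffic.
flag_brute_force() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Stand-alone run: build the sample log, show the ranking, flag sources
# with three or more failures, and show the newest lines with tail.
sample_log=$(mktemp)
make_sample_log "$sample_log"
echo "Failed logins by source address:"
failed_logins_by_ip "$sample_log"
echo "Sources at or above 3 failures:"
flag_brute_force "$sample_log" 3
echo "Last two log lines:"
tail -n 2 "$sample_log"
rm -f "$sample_log"
```

Each stage of the pipeline is a separate command with its own switches, which is exactly the overhead the Overview is pointing at; the equivalent Splunk search is a single line, but the result is the same ranked table.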

Outcomes

In this lab, you will learn to:

  1. Use Linux commands to search Linux logs.
  2. Use Splunk to analyze network traffic and logs.

Key terms and descriptions

cat
A Linux command that concatenates files and prints their contents to standard output; commonly used to view a file or feed it into a pipeline
Splunk
A commercial tool for ingesting, indexing, and searching large volumes of log data
grep (global regular expression print)
A Linux tool that prints the lines of its input that match a pattern
Leafpad
A GUI text editor program for Linux (similar to Windows Notepad)
tail
The command to show the last lines of a file in Linux (10 by default); tail -f keeps printing new lines as they are appended