Splunk .conf 2014 Slides

** Update Oct 15, 2014 – Poodle SSLv3 Issue**
The talk was given the week before the SSLv3 issue was released. Please remove all references to supportSSLV3Only = true from the configs when you use them. You also can find more from Splunk on the SSLv3 issue and how to mitigate at http://www.splunk.com/view/SP-CAAANKE


.conf 2014 was a great time this year. Duane and I enjoyed giving the talk “Avoid the SSLippery Slope of Default SSL” with great questions from the audience. I was surprised at the solid turn out for a Thursday 9am talk. My talk was “From Tool to Team Member: Controlling Systems with Splunk Alert Scripts”

Here are the PDF copies of the slides for both talks:

Increasingly, production security requires more than using default SSL certificates. This session will cover best practices for implementing your own SSL certificates on all Splunk channels. The right configuration and steps can provide both encryption and authentication needed for today’s due diligence requirements.

We will go in depth into setting up alert scripts that can make web services calls to other devices such as intrusion prevention systems. This gives Splunk the ability to actively control such systems. Code samples will be provided that include being able to save login credentials encrypted within Splunk. Using alert scripts we can change Splunk from just a tool into an IT team member taking actions on your behalf!

Nashville Infosec Presentation – Log Collection on a Shoe String

Here are my slides and the tutorial I made for Rolling your own logging vm. Between the slides and the tutorial you can find all the links I referenced.

The VM tutorial uses Ubuntu Linux, syslog-ng and Splunk.  I go over how to use syslog-ng with fifo queues to handle multiple sources and even rewrite forwarded syslog events coming from Kiwisyslog before indexing in Splunk.  The tutorial zip has both pdf and epub formats in it.

*update* I was asked some questions today during my presentation on MS Log Parser.  I added my post on it below to the link list.  Also for those downloading my actual logging vm from the link I gave those whom attended my talk.  The url does redirect to dropbox so do not be surprised.

*second update* a question came up today on a forensics mailing list to search some evtx event log files.  I suggested using MS Log Parser to replay output to syslog.  The target being spunk say like in my logging vm tutorial.  Then the logs are easily searchable.