
https://github.com/dncrypter/https-log-analysis-with-splunk

In this project, we will upload sample FTP log files to Splunk SIEM and perform various analyses to gain insights into FTP activity within the network.

# Http log analysis
## Apache HTTP Log Analysis using Splunk SIEM

In this project, we will upload sample HTTP log files to Splunk SIEM and perform various analyses to gain insights into web server activity within the network.

[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](https://choosealicense.com/licenses/mit/)
[![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue)](https://www.linkedin.com/in/nikhil--chaudhari/)
[![Medium](https://img.shields.io/badge/Medium-Writeups-black)](https://medium.com/@nikhil-c)

## 🍁Introduction
HTTP (Hypertext Transfer Protocol) log files contain valuable information about web server activity, including requests, responses, user agents, and more. Analyzing HTTP logs using Splunk SIEM enables security professionals to monitor web traffic, detect anomalies, and identify potential security threats.

## 🍁Prerequisites
- Splunk instance is installed and configured.
- HTTP log data sources are configured to forward logs to Splunk.

## 🍁Upload Sample HTTP Log Files to Splunk

### 1. Prepare Sample HTTP Log Files
- Obtain sample [HTTP log files]() in a suitable format (e.g., text files).
- Ensure the log files contain relevant HTTP events, including timestamps, request methods, URLs, response codes, user agents, etc.
- Save the sample log files in a directory accessible by the Splunk instance.

### 2. Upload Log Files to Splunk
- Log in to the Splunk web interface.
- Navigate to **Settings** > **Add Data**.
- Select **Upload** as the data input method.

### 3. Choose File
- Click on **Select File** and choose the sample HTTP log file you prepared earlier.

### 4. Set Source Type
- In the **Set Source Type** section, specify the source type for the uploaded log file.
- Choose the appropriate source type for HTTP logs (e.g., `access_combined` or a custom source type if applicable).

### 5. Review Settings
- Review other settings such as index, host, and sourcetype.
- Ensure the settings are configured correctly to match the sample HTTP log file.

### 6. Click Upload
- Once all settings are configured, click on the **Review** button.
- Review the settings one final time to ensure accuracy.
- Click **Submit** to upload the sample HTTP log file to Splunk.

### 7. Verify Upload
- After uploading, navigate to the search bar in the Splunk interface.
- Run a search query to verify that the uploaded HTTP events are visible.

## 🍁Analyse Log File in Splunk

### 1. Search for HTTP Events
- Open Splunk interface and navigate to the search bar.
- Enter the following search query to retrieve HTTP events:
```
index= sourcetype=
```

### 2. Extract Relevant Fields
- Identify key fields in HTTP logs such as timestamps, request methods, URLs, response codes, user agents, etc.
- Use Splunk's field extraction capabilities or regular expressions to extract these fields for better analysis.
- Example extraction command:
```
| rex field=_raw ""
```

### 3. Analyze Web Traffic Patterns
- Determine the distribution of request methods (GET, POST, etc.) to understand web traffic patterns.
```
index= sourcetype=
| stats count by method
```
- Identify top URLs or endpoints accessed by users.
```
index= sourcetype=
| top limit=10 uri
```
- Analyze response codes to identify errors or successful requests.
```
index= sourcetype=
| stats count by status
```

### 4. Detect Anomalies
- Look for unusual patterns in request volume over time (spikes or drops per hour). `timechart` already buckets events by `_time`, so no `by _time` clause is needed:
```
index= sourcetype=
| timechart span=1h count
```
- Analyze high volumes of error responses:
```
index= sourcetype=
| stats count by status
| where status >= 400
```
- Investigate requests from suspicious client IP addresses. With the `access_combined` source type the client address is extracted as `clientip`:
```
index= sourcetype=
| search clientip="suspicious_ip"
```
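The field extraction in section 2 and the `stats`, `top` and `where status >= 400` searches in sections 3 and 4 can be reproduced offline. The following is an added Python example, not code from the repository: it parses constructed `access_combined`-style lines with the same field names Splunk assigns (`clientip`, `method`, `uri`, `status`, `useragent`) and computes the same aggregates, skipping lines that do not match the format.

```python
import re
from collections import Counter

# Regex for the Apache "combined" format that Splunk's access_combined sourcetype parses.
# Group names mirror Splunk's extracted fields: clientip, method, uri, status, bytes, useragent.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

# Constructed sample events (not taken from the repository); the last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /admin HTTP/1.1" 403 95 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not an access_combined event
"""

def parse_events(raw: str):
    """Equivalent of Splunk's field extraction: one dict per parsable line."""
    events = []
    for line in raw.splitlines():
        m = COMBINED_RE.match(line)
        if m:  # unparsable lines are skipped, as Splunk would leave them without extracted fields
            ev = m.groupdict()
            ev["status"] = int(ev["status"])  # numeric so that status >= 400 comparisons work
            events.append(ev)
    return events

def count_by(events, field):
    """| stats count by <field>"""
    return dict(Counter(ev[field] for ev in events))

def top_uris(events, limit=10):
    """| top limit=<limit> uri"""
    return Counter(ev["uri"] for ev in events).most_common(limit)

def error_clients(events, min_status=400):
    """| where status >= <min_status> | stats count by clientip  (error responses per client)"""
    return dict(Counter(ev["clientip"] for ev in events if ev["status"] >= min_status))

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(count_by(evs, "method"), top_uris(evs, 3), count_by(evs, "status"), error_clients(evs))
```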

### 5. Monitor User Behavior
- Identify clients with multiple failed login attempts or unauthorized access attempts. Web server access logs have no `action` or `status="failed"` field; a failed login shows up as a request to the login endpoint answered with a 401 or 403 status:
```
index= sourcetype=
| search method=POST uri="*login*" status IN (401, 403)
| stats count by clientip
| where count > 5
```
- Analyze per-client session durations and access patterns. The first `stats` keeps only the fields it groups by, so the duration is computed from first and last seen times per `clientip`:
```
index= sourcetype=
| stats min(_time) as first_seen, max(_time) as last_seen, count as requests by clientip
| eval session_duration=last_seen-first_seen
| sort - session_duration
```

## 🍁Conclusion
By analyzing HTTP log files using Splunk SIEM, security researchers can gain insights into web server activity.

This completes the HTTP log analysis in Splunk. Star this repo, and feel free to contribute more content. If you are interested in such content, please check my Medium profile where I upload blogs.