In this lab, I signed up for Splunk Cloud, uploaded sample log data, and used SPL queries to explore and narrow results. I practiced identifying key fields, filtering by host, and locating failed SSH logins for the root account.
As a security analyst at Buttercup Games, I needed to investigate any failed SSH attempts on the mail server’s root account. After ingesting the provided logs into Splunk Cloud, I performed a series of searches and field evaluations to pinpoint suspicious events.
| Task | My Actions & Findings |
|---|---|
| Upload data | I created a free Splunk Cloud trial, navigated to “Add Data,” and uploaded the sample_logs.csv file into the “main” index. The ingest confirmation showed 109,864 events indexed. |
| Basic search | I ran index="main" in the Search & Reporting app and retrieved all events, confirming the data was searchable across all time. |
| Evaluate fields | Under “Selected Fields,” I examined host, source, and sourcetype. I noted five hosts (e.g., mailsv, www1), eight source files, and three sourcetypes such as secure-2. |
| Narrow by host | I clicked on the mailsv host to append host="mailsv" to my search, reducing results to ~9,200 mail server events. |
| Search failed logins | I entered index="main" host="mailsv" fail* root and found 315 events indicating failed SSH root login attempts, spread across multiple timestamps. |
- index="main" confirms data ingest and searchability.
- host="mailsv" narrows the dataset effectively.
- fail* root locates specific SSH failure events.
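To make the three narrowing steps above concrete offline, here is an added Python example (not part of the lab or of Splunk) that evaluates the same tiny SPL subset, field="value" filters plus bare keywords with a trailing wildcard, over a constructed five-row CSV shaped like sample_logs.csv. The tokenizer only approximates Splunk's term breaking, and the sample rows are invented, so the counts show the mechanics, not the lab's real numbers.

```python
import csv, io, re

# Constructed sample in the shape of the lab's sample_logs.csv (not the real data).
SAMPLE_CSV = """\
index,host,sourcetype,_raw
main,mailsv,secure-2,Failed password for root from 10.0.0.5 port 4022 ssh2
main,mailsv,secure-2,Accepted password for root from 10.0.0.9 port 4023 ssh2
main,mailsv,secure-2,Failed password for invalid user admin from 10.0.0.5 port 4024 ssh2
main,www1,secure-2,Failed password for root from 10.0.0.7 port 4025 ssh2
main,mailsv,secure-2,pam_unix(sshd:auth): authentication failure; user=root
"""

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def tokens(raw):
    # Approximates Splunk's term breaking: lower-case, split on punctuation and whitespace.
    return set(re.findall(r"[a-z0-9_]+", raw.lower()))

def term_matches(term, toks):
    # Bare keywords are case-insensitive; a trailing * matches any term with that prefix.
    term = term.lower()
    if term.endswith("*"):
        return any(tok.startswith(term[:-1]) for tok in toks)
    return term in toks

def matches(ev, query):
    # Tiny SPL subset: field="value" filters and bare keywords, implicitly ANDed.
    toks = tokens(ev["_raw"])
    for part in query.split():
        if "=" in part:
            field, value = part.split("=", 1)
            if ev.get(field) != value.strip('"'):
                return False
        elif not term_matches(part, toks):
            return False
    return True

def search(events, query):
    return [ev for ev in events if matches(ev, query)]

def stage_counts(text=SAMPLE_CSV):
    # Event count after each narrowing step, mirroring the lab's three searches.
    events = load_events(text)
    return {q: len(search(events, q)) for q in (
        'index="main"', 'index="main" host="mailsv"', 'index="main" host="mailsv" fail* root')}

if __name__ == "__main__":
    for query, n in stage_counts().items():
        print(f"{n:>3}  {query}")
```

Note that the last row matches fail* root through "failure" and "user=root" without being a password failure, and the "invalid user admin" row drops out only because root is absent, which is why the 315 events from the lab still deserve a look at the raw text before being reported as SSH root failures.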