Splunking the Linux Audit System

For my last blog we discussed a Splunk topic geared towards the Windows side of the shop (Splunking Microsoft Windows Firewalls). So now it’s time to show some love to the Linux admins out there. More specifically, in today’s blog we will explore some tips for gaining insight into Linux audit logs using Splunk.

A little background on the Linux Audit System

The Linux Audit system provides a way to track security-relevant information on your...

Using event types and tags to create an accelerated datamodel search

Accelerated data models make searches over long time ranges and/or large volumes of data extremely fast. This blog walks through an easy, step-by-step procedure for creating a custom search that leverages the CIM data model.

Example Use Case: Monitor all Windows user/computer account creation.

Step 1: Make sure Windows data is coming into Splunk according to best practices. This means the data should be properly indexed, sourcetyped, etc.

Step 2:...

CIO Review Names Function1 to 20 Most Promising Red Hat Solution Providers 2015

Function1, global leader in Operational Intelligence, Web Experience Management, and Data Security solutions, has been selected by CIO Review as one of the 20 Most Promising Red Hat Solution Providers in 2015.
A distinguished panel of CIOs, CEOs, VCs and members of CIO Review’s editorial board is responsible for identifying this annual list of companies, which aims to highlight and promote technology entrepreneurship. The decision highlights Function1's 2 year...

Splunk Alerts in Slack!

Here at Function1 we use Slack to stay in constant contact with our co-workers. If you haven't heard of Slack before, it is a team chat and communication tool. We use it to talk about our projects, company announcements, sports, random water cooler talk, technical questions, etc. Slack has built-in integration with many services. We rely heavily on the GitHub, Asana, and Twitter integrations, but there are many others.
Since we do a lot of Splunk development for our own projects and our clients, we thought, "...

Red Hat Storage Server, an Innovative Hybrid Storage Solution for Big Data

Big Data surrounds us all, in some shape or form. Typically Big Data (billions or trillions of vast and complex records) is so large that it requires new and powerful computational resources to process and store. These gigantic sets of data can be analyzed to uncover patterns, associations, trends, and statistics that help us better understand user experience, human behavior, interactions, engagement, etc.

Big Data analysis, such as the services offered by our Function1 Operational Intelligence team, can be provided for a range of industries including but not limited to: financial...

Anonymizing Data in Splunk

In this blog we'd like to discuss masking or obscuring data in Splunk. We’ve had customers in the past ask us how to mask data at both search and index time. Usually this is to hide personally identifiable information for security, compliance or both. In this post we’ll cover several different approaches for doing this in Splunk and discuss some pros and cons.

For each of the approaches we will use the following sample data from a fictitious HR application:

sourcetype = hr_app
sample event = “This is an event with a sensitive number in it...

Splunking Microsoft Windows Firewalls

Without exception, if you are an experienced security analyst, then you know the importance of firewall logs and the invaluable network traffic related data that they provide. Many of the key strategies of information security revolve around the network traffic of an organization and the rules that govern it. No matter the type of firewall, whether it is a hardware appliance or a software/OS level...

Distributed Management Console: Monitoring your deployment

So you did it. You early adopter you! You love having the latest and greatest Splunk Enterprise has to offer and upgraded to Splunk Enterprise 6.2. The new UI is snazzy, the new regex field extractor wizard is magical, the Search Head Clustering feature is what we've all been waiting for, and how about that savvy new App bar display? And that is not all Splunk Enterprise 6.2 has to offer. Here’s the situation: you are on your Splunk 6.2 instance and you navigate over to the settings drop-down and...

Every Click You Make, Splunk is Watching You…

When I am at client sites I often get asked how they can get a better understanding of what is going on in their Splunk environment. A recent client wanted to understand what dashboards were being used the most in their environment and who were the top users. What a great thought! I knew that Splunk had to have a way to track this. It was just a matter of locating the data and then determining the best way to pull it. After going back and forth between metadata and the internal index, I came across this in Splunk’s internal index.