Log Analysis Using Splunk Hadoop Connect

reportActive / Technical Report | Accession Number: AD1046314 | Open PDF

Abstract:

The purpose of this research it to use Splunk and Hadoop to do timestamp analysis on computer logs. Splunk is a commercial data analytics tool. Hadoop is a system for large-scale distributed storage and processing. This research ingested computer logs from two kinds of forensic data from the Real Data Corpus to establish a baseline and find anomalies. We analyzed timestamps and Event IDs on more than two thousand logs across hundreds of drives. Additionally, we used packet captures from Center for Applied Internet Data Analysis to test Hadoops ability to store and transfer data between Hadoop Distributed File System and Splunk. We used Splunk Hadoop Connect for data transfer between a Splunk server and a Hadoop cluster. Splunk was able to effectively identify and represent statistical anomalies in log files. These anomalies could reveal misconfiguration, security concerns, or unusual but harmless traffic. Splunk could also easily transfer data to relatively inexpensive commodity servers using Splunk Hadoop Connect.

Author(s):
Chainourov, Boulat
Author Organization(s):
Naval Postgraduate School Monterey United States
Descriptive Note:
Technical Report
Pagination:
0087

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release;

RECORD

Collection: TR
Subject Terms
Joint Capability Areas:
JCA_6_Net Centric; JCA_5_Command and Control; JCA_6.4.1_Secure Information Exchange; JCA_5.3_Planning; JCA_4.7.2_Installation Services; JCA_4.7_Base and Installations Support; JCA_6.1.3_Switching and Routing; JCA_6.1.1_Wired Transmission; JCA_6.1_Information Transport; JCA_6.4_Information Assurance; JCA_6.2.3_Core Enterprise Services; JCA_6.2.1_Information Sharing; JCA_6.2.2_Computing Services; JCA_6.2_Enterprise Services; JCA_3.2_Engagement; JCA_3_Force Application; JCA_3.2.2_Non-Kinetic Means; JCA_1.2.5_Lessons Learned; JCA_1.2.7_Experimentation; JCA_7.1.2_Prevent Non-kinetic Attack; JCA_7.1_Prevent
Modernization Areas:
Cyber
Communities of Interest:
Energy and Power Technologies
Descriptor(s):
data processing, COMPUTER SECURITY, FORENSIC ANALYSIS, DATA ANALYSIS
Field(s)/Group(s):
Computer Programming and Software, Computer Systems Management and Standards
Keyword(s):
Splunk, Hadoop, log analysis, timestamp analysis, event viewer, big data, analytics, cyber forensics
Report Date:
2017 Jun 01
Creation Date:
2017 Jun 01