Showing posts from 2018

Analyze web attacks using SPLUNK and OSSEC

1. Get the access.log (combined log format) from your web server.
2. Install Splunk.
3. Download Security Onion and import the logs into Security Onion.
4. Open a terminal and run: cat [path of your web server logs] | /var/ossec/bin/ossec-logtest -a > results.txt
5. Upload results.txt to Splunk and create a source type to parse the logs.
6. Splunk will not detect these logs correctly once uploaded, because there are two time values per alert in results.txt.
7. If BREAK_ONLY_BEFORE is not present in the advanced settings, create the setting and add it.
8. Once the logs are indexed you need to parse them; the most important field is the rule that was triggered.
9. Go to Extract Fields and write a regex to extract the triggered rule.
10. The regex is (?<rule>(Rule)\:\s\d+\s\(\w+\s\d+\)\s\-\>\s\'\w+.+\.\'\s) including the brackets; ?<rule> is the new field name, which you can change accor...
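As an added example (not code from the original post), this Python script does offline what steps 6 to 10 describe: it breaks ossec-logtest -a output into one event per "** Alert" block, which is the job BREAK_ONLY_BEFORE does in Splunk, and applies the post's regex to pull out the rule that fired. The sample alerts are constructed in the alerts.log layout, and Python spells the named group (?P<rule>...) where Splunk's PCRE uses (?<rule>...).

```python
import re
from collections import Counter

# Constructed sample of `ossec-logtest -a` output (alerts.log format), not a real
# capture. Every alert starts with "** Alert", the boundary Splunk's
# BREAK_ONLY_BEFORE setting must break events on.
SAMPLE_RESULTS = """\
** Alert 1514764800.0: - web,accesslog,
2018 Jan 01 00:00:00 webhost->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 203.0.113.10
203.0.113.10 - - [01/Jan/2018:00:00:00 +0000] "GET /missing HTTP/1.1" 404 209
** Alert 1514764801.0: - web,accesslog,
2018 Jan 01 00:00:01 webhost->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 203.0.113.10
203.0.113.10 - - [01/Jan/2018:00:00:01 +0000] "GET /also-missing HTTP/1.1" 404 209
** Alert 1514764802.0: - web,accesslog,
2018 Jan 01 00:00:02 webhost->/var/log/apache2/access.log
Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
Src IP: 203.0.113.10
203.0.113.10 - - [01/Jan/2018:00:00:02 +0000] "GET /still-missing HTTP/1.1" 404 209
"""

# The post's field-extraction regex, using Python's (?P<name>...) group syntax.
RULE_RE = re.compile(r"(?P<rule>(Rule)\:\s\d+\s\(\w+\s\d+\)\s\-\>\s\'\w+.+\.\'\s)")
# A tighter pattern that also yields rule id, level and description as fields.
PARTS_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'", re.M)
# Equivalent of BREAK_ONLY_BEFORE = \*\* Alert : one event per "** Alert" block.
BOUNDARY_RE = re.compile(r"^(?=\*\* Alert )", re.M)


def split_alerts(text):
    # One string per alert; drop the empty piece before the first boundary.
    return [e for e in BOUNDARY_RE.split(text) if e.strip()]

def extract_rule(event):
    # The 'rule' field exactly as the post's regex would extract it, or None.
    m = RULE_RE.search(event)
    return m.group("rule").strip() if m else None

def extract_rule_parts(event):
    # (rule id, level, description) for the rule that fired, or None.
    m = PARTS_RE.search(event)
    return (int(m["id"]), int(m["level"]), m["desc"]) if m else None

def rule_counts(text):
    # How often each rule fired: the first stat to chart once the field exists.
    return Counter(extract_rule(e) for e in split_alerts(text))
```

Running rule_counts on a real results.txt gives the same per-rule tally that a Splunk "stats count by rule" search would produce once the field extraction is saved.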