In 2016, in conjunction with the expiration of the maintenance contract for Chiba University's academic information infrastructure system (the system infrastructure that integrates the core network, mail system, high-speed calculation server for research, and educational terminals for self-study), In September 2009, an introduction proposal was made as part of the log management of the information infrastructure system, and the adoption was decided as a result of the bidding. After completing construction of the new academic information infrastructure system, full-scale operation began in March 2017.

The main sources collected by Splunk are DNS, LDAP, DHCP, wireless LAN controllers, proxies, webmail, multi-factor authentication, mail Box, IPS, Active Directory, etc., mainly for the following four purposes. are making use of it. The first is monitoring user communications. Important detection information such as detection by proxy and IPS (intrusion prevention system), DNS query status, DHCP acquisition information, etc. is sent to the administrator by e-mail with Splunk. The second is to grasp the usage status of the wireless LAN. Collect information such as connection to the wireless LAN controller, authentication, and DHCP acquisition information. The third is to check the login and operation history of Web mail. The dashboard makes it easy to use the dashboard to check the login failures in real time, and to understand the OTP transmission status, such as external webmail logins and multi-factor authentication. The fourth is a cross-search based on basic information such as user numbers and IP addresses. For example, in the case of proxy detection → DHCP lease history hit from the IP address of the originating host → wireless LAN host, the user ID is identified from the authentication at the time of connection.

With the introduction of Splunk, it became possible to search by keyword regardless of the data format, and even if an incident occurred in Web mail, it became possible to easily search across multiple servers by email address. The advantage of being able to search almost in real time is great. “Up until now, when the amount of logs was large, we created a program that redefines the format, and then grep the logs after formatting them. The more you change, the easier it is,” says Mr. Nakamura of the Integrated Information Center. Due to the huge amount of firewall logs, it took 7 to 8 hours to process each day, and the analysis results for the previous day were available in the evening, but after introducing Splunk, it is possible to extract only the necessary firewall logs. As a result, the process is simplified and the result is obtained immediately, so it is possible to send an alert to C-csirt without time lag.

The C-csirt team also sees significant benefits. Mr. Suzuki, a C-csirt dedicated staff member, said, "Because it is difficult to monitor all logs 24/7, we have focused on webmail login monitoring and botnet searches, and sent only critical logs that require special attention by e-mail. We have asked the Integrated Information Center to notify us, which has enabled C-csirt to obtain information in real time."

Mr. Hasegawa, who is also in charge of C-csirt, said, "Chiba University has significantly strengthened security, so no major incidents have occurred, but Splunk's email notification has made the initial response to the investigation faster. We can also expect the effect of clarifying the priority of analysis.”

Chiba University also uses a one-time password (OTP) when using webmail from outside. It is said that traces such as whether or not can be grasped on the Splunk dashboard. Mr. Kiyomiya of the Integrated Information Center says, "I feel that the Splunk dashboard can be used not only for security, but also for normal system operation, troubleshooting, and user services."

In the future, at Chiba University, some mail server logs that are not currently collected, logs of public web servers installed in each faculty and research center using virtual domains, and logs used by faculty and graduate students will be collected. We plan to add remote access VPN logs to Splunk as well. In addition, the company plans to take on the challenge of visualizing network traffic.

Mr. Imaizumi, the C-csirt team leader, said, "The enhanced security provided by Splunk has been further complemented, and an information system environment that is even safer and more secure than before has been realized. Various threats are appearing every day. However, in order to respond to that, we would like to continue to find ways to use Splunk effectively.”