OPSEC for linux

caspertz
Engager

Currently have the OPSEC for linux installed and working. The big problem is that since it was enabled, it is still indexing old data. How can I get it to stop indexing the old data and start with the new data? I have tried the props.conf in multiple locations to no avail. We are running 6.0.1 of Splunk - my opsec forwarder is on my indexer - it's one box - we are testing inputs to get an idea of how much space it will take up.

I have tried the props.conf in $SPLUNK_HOME/etc/system/local and in $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local. I have tried MAX_DAYS_AGO. I have the TIME_PREFIX and TIME_FORMAT from the default props.conf that is included in the add-on.

It was installed on 3/26 and it is still indexing data from 2/17, but instead of indexing it as 2/17, after I put the props.conf in place, now it indexes it as today's date. Do I need to clear out the opsec-entity-health/log-status.conf files and opsec-log-status.conf? Do I need to clear my index?

I want the data starting from today and nothing from before today.

1 Solution

rroussev_splunk
Splunk Employee

You may try performing a log switch on the Check Point side. The OPSEC LEA API does not allow seeking by date/time.

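Added example (not from the post or the add-on): a search that tells the asker whether the events still arriving are historical Check Point events whose `_time` was rewritten after the props.conf change, by comparing `_time` with the timestamp embedded in the raw event. The index name, the sourcetype and the `time=DDMonYYYY HH:MM:SS` field layout are assumptions about the environment.

```spl
index=checkpoint sourcetype=opsec*
| rex field=_raw "\btime=(?<raw_time>\d{1,2}[A-Za-z]{3}\d{4}\s+\d{2}:\d{2}:\d{2})"
| eval raw_epoch = strptime(raw_time, "%d%b%Y %H:%M:%S")
| eval rewritten = if(isnotnull(raw_epoch) AND abs(raw_epoch - _time) > 86400, "yes", "no")
| eval index_lag_hours = round((_indextime - raw_epoch) / 3600, 1)
| stats count,
        min(raw_time) AS oldest_event,
        max(raw_time) AS newest_event,
        max(index_lag_hours) AS max_lag_hours
  BY rewritten
```

After the log switch on the Check Point side, the `rewritten=yes` row should stop growing and `oldest_event` on the `no` row should be at or after the switch date; a still-growing `yes` row means the collector is still draining the old log file.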
