
OPSEC for linux

caspertz
Engager

I currently have OPSEC for linux installed and working. The big problem is that, since it was enabled, it is still indexing old data. How can I get it to stop indexing the old data and start with the new data? I have tried the props.conf in multiple locations to no avail. We are running 6.0.1 of Splunk; my OPSEC forwarder is on my indexer (it's one box). We are testing inputs to get an idea of how much space it will take up.

I have tried the props.conf in $SPLUNK_HOME/etc/system/local and in $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local. I have tried MAX_DAYS_AGO. I have the TIME_PREFIX and TIME_FORMAT from the default props.conf that is included in the add-on.

It was installed on 3/26 and it is still indexing data from 2/17, but instead of indexing it as 2/17, now that I have put the props.conf in place it indexes it as today's date. Do I need to clear out the opsec-entity-health/log-status.conf files and opsec-log-status.conf? Do I need to clear my index?

I want the data starting from today and nothing from before today.
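For reference, this is the shape of the props.conf stanza the question describes. It is an added example, not the asker's actual file or the add-on's shipped configuration: the sourcetype name is assumed, and the TIME_PREFIX and TIME_FORMAT values are placeholders that should be copied from the add-on's default props.conf. The caveat worth knowing is the documented behaviour of MAX_DAYS_AGO: it does not discard events whose extracted timestamp is too old. Such events are still indexed, stamped with the timestamp of the last acceptable event or, if there is none, with the current time. That matches the 2/17 records appearing under today's date, and it is why this setting cannot stop the backlog from being indexed.

```ini
# Added example (not the add-on's real props.conf).
# Path tried in the question: $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/props.conf
# Stanza name is an assumed sourcetype; use the one defined in the add-on's default props.conf.
[opsec]
# Placeholders: copy the real TIME_PREFIX and TIME_FORMAT from the add-on's default props.conf.
TIME_PREFIX = PLACEHOLDER_FROM_DEFAULT_PROPS
TIME_FORMAT = PLACEHOLDER_FROM_DEFAULT_PROPS
# MAX_DAYS_AGO only bounds how old an extracted timestamp may be.
# Records older than this are NOT dropped: they are indexed with the last
# acceptable event's timestamp or, failing that, the current time. That is
# how weeks-old OPSEC records end up stamped with today's date.
MAX_DAYS_AGO = 1
# There is no props.conf setting that skips old LEA records. To avoid
# ingesting the backlog, the collector has to start reading from a fresh
# log file, i.e. a log switch on the Check Point management side.
```

Check the result with a search restricted to the sourcetype, grouping by the earliest and latest `_time`: if old records are still arriving they will show up with today's timestamp rather than their original one, which is worse for later investigation than having them dated correctly.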

1 Solution

rroussev_splunk
Splunk Employee

You may try performing a log switch on the Check Point side. The OPSEC LEA API does not allow seeking by date/time.
