I currently have the OPSEC for Linux installed and working. The big problem is that since it was enabled, it is still indexing old data. How can I get it to stop indexing the old data and start with the new data? I have tried the props.conf in multiple locations to no avail. We are running 6.0.1 of Splunk - my OPSEC forwarder is on my indexer - it's one box - we are testing inputs to get an idea of how much space it will take up.
I have tried the props.conf in $SPLUNK_HOME/etc/system/local and in $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local. I have tried MAX_DAYS_AGO. I have the TIME_PREFIX and TIME_FORMAT from the default props.conf that is included in the add-on.
It was installed on 3/26 and it is still indexing data from 2/17, but instead of indexing it as 2/17, after I put the props.conf in place, it now indexes it as today's date. Do I need to clear out the opsec-entity-health/log-status.conf files and opsec-log-status.conf? Do I need to clear my index?
I want the data starting from today and nothing from before today.
You may try performing a log switch on the checkpoint side. The OPSEC LEA API does not allow to seek by date/time.