All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk for PCI Compliance App not creating notable event

marcoscala
Builder
‎11-22-2013 08:41 AM

Hi!
I'm implementing the Splunk App for PCI Compliance and I have problem with notable events not being created for excessive failed login on a custom sourcetype with a custom "app=sam"

The corresponding search (Access - Excessive Failed Logins - Rule) recognizes correctly the events and the events are also placed in the "access_summary" index ("index=access_summary app=sam count>50" returns my excessive failed logins). But no Notable event has been created in the "index=notable" ("index=notable app=sam" doesn't return any event)

The original events produce the requested fields: host,action,app,src,src_user,dest,user

Any ideas?

Thanks,
Marco Scala

0 Karma
Reply

israelgutierrez
Path Finder
‎04-25-2014 12:31 PM

Hello What we found was that the search was in Real Time and the Limits.conf have a limit number of searches so the new real-time search was out of that Limit, the PCI APP have several real-time searches so it is very easy to reach the limit in limits.conf When we modify that limit everything was fine, at least that solve our problem

0 Karma
Reply

matthieu_araman
Communicator
‎04-23-2014 02:23 AM

Hello,

I don't know for PCI app but if it's like ES, I think you should verify that your logs are tagged following CIM (not just the fields) then wait a bit (like 30 minutes) until the PCI app find them to be able to generate events and retest ?

0 Karma
Reply

marcoscala
Builder
‎04-23-2014 03:31 AM

Thanks Matthieu,
I also implemented ES and was fine. I'm not working on that project any more, and I remember that the logs were tagged following CIM, otherwise the Correlational Rule doesn't recognize them and apply.

Marco

0 Karma
Reply

msmapper
Path Finder
‎04-18-2014 12:24 PM

Has anyone found an answer to this question? I am running into the same issue. The data appears to be there if I look at the events returned in Verbose mode but in the table view or in Smart mode, the results are zero.

0 Karma
Reply

israelgutierrez
Path Finder
‎03-18-2014 09:18 PM

Have you been resolved this?

Sadly I see very few activity on PCI Compliance APP questions

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top