
Splunk for PCI Compliance App not creating notable event

marcoscala
Builder

Hi!
I'm implementing the Splunk App for PCI Compliance and I have a problem with notable events not being created for excessive failed logins on a custom sourcetype with a custom "app=sam".

The corresponding search (Access - Excessive Failed Logins - Rule) correctly recognizes the events, and the events are also placed in the "access_summary" index ("index=access_summary app=sam count>50" returns my excessive failed logins). But no notable event has been created in "index=notable" ("index=notable app=sam" doesn't return any events).

The original events produce the required fields: host, action, app, src, src_user, dest, user.

Any ideas?

Thanks,
Marco Scala

0 Karma

israelgutierrez
Path Finder

Hello. What we found was that the search was running in real time, and limits.conf has a limit on the number of searches, so the new real-time search was over that limit. The PCI app has several real-time searches, so it is very easy to reach the limit in limits.conf. When we modified that limit everything was fine; at least, that solved our problem.

0 Karma
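To check whether the rule is being skipped for the reason described above, this added search (not from the thread or the PCI app) reads the scheduler's own log, which records each skipped scheduled search with a reason; the savedsearch_name is the rule named in the question.

```spl
index=_internal sourcetype=scheduler status=skipped
    savedsearch_name="Access - Excessive Failed Logins - Rule"
| stats count AS skipped_runs, latest(_time) AS last_skipped BY savedsearch_name, app, reason
| convert ctime(last_skipped)
| sort - skipped_runs
```

If the reason column cites the concurrent search limit, the relevant settings are in limits.conf under [search] (max_searches_per_cpu, max_rt_search_multiplier) and [scheduler] (max_searches_perc).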

matthieu_araman
Communicator

Hello,

I don't know about the PCI app, but if it's like ES, I think you should verify that your logs are tagged following CIM (not just the fields), then wait a bit (like 30 minutes) until the PCI app finds them and is able to generate events, and retest?

0 Karma

marcoscala
Builder

Thanks Matthieu,
I also implemented ES and it was fine. I'm not working on that project any more, but I remember that the logs were tagged following CIM; otherwise the correlation rule doesn't recognize them and apply.

Marco

0 Karma

msmapper
Path Finder

Has anyone found an answer to this question? I am running into the same issue. The data appears to be there if I look at the events returned in Verbose mode but in the table view or in Smart mode, the results are zero.

0 Karma

israelgutierrez
Path Finder

Have you resolved this?

Sadly, I see very little activity on PCI Compliance app questions.

0 Karma