
Weird behavior of addon

Path Finder

Hi, I'm seeing a very strange behavior in the search after the installation of the addon.

Without auditd addon or secure-addon

I'm doing a simple search in a strict period ex. 12.7.2019 09:00 to 12.7.2019 10:00
index=linuxsec host=blablabla1
I'm getting from this result 102 events from both /var/log/secure and /var/log/audit/audit.log, which is OK. Sourcetypes are linux:audit and linux_secure. Data is obtained from the official Splunk addon (with sourcetypes there as linux_audit and linux_secure).

After I install the addon, for the exact same period instead of getting 102 events I'm getting much less (around 32) and the linux_secure sourcetype is missing. Tabling the raw data I'm getting 102.
If I remove the addon everything goes back to normal. The behavior happens with any kind of server in any kind of period.

Any ideas? Do I miss something?

Thanks

0 Karma

Re: Weird behavior of addon

Esteemed Legend

I am sure that @doksu can help.

0 Karma

Re: Weird behavior of addon

SplunkTrust

Indeed, thanks @woodcock. @a_naoum that's a curious situation. Could you please let me know the version of Splunk and the apps you're using with any customisations? Also, if you're using ES in that search environment and its version.


Re: Weird behavior of addon

Path Finder

Splunk is 7.0.3 and ES is 5.0.1.

After a couple of hours of troubleshooting (usually there is an enlightenment after I create a question here) I found the issue.
This eval: EVAL-process_name = urldecode(replace(proctitle,"([0-9A-F]{2})","%\1")) because there is the case of null characters (%00). If it finds this one or more times it just.... doesn't want to work and produces the above behavior. Not sure if it is an issue with our environment or OS (I found it for now only in RHEL7).
I managed to "fix" it by doing an extra replace and removing the characters: EVAL-process_name = urldecode(replace(replace(proctitle,"([0-9A-F]{2})","%\1"),"%00",""))
but I'm not sure about the "correct" way.

btw: the rest of the urldecode evals don't have any issue, most probably because the data doesn't contain null characters.

0 Karma
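The following is an added example, not code from the thread or from the Splunk add-on. It reproduces the decoding step of the EVAL quoted above (insert a `%` before every hex pair, then URL-decode) in Python, so that the effect of the NUL bytes can be inspected offline. auditd hex-encodes proctitle only when it contains non-printable characters, and in that form the argv entries are separated by NUL (0x00) bytes; the example therefore treats NUL as an argument separator rather than dropping it. The audit record line and the helper names (`decode_proctitle`, `extract_proctitle`) are constructed for this example.

```python
"""
Decode the auditd `proctitle` field the way the props.conf EVAL in this thread does,
with explicit handling of the NUL bytes (%00) that break the plain urldecode.

Added example; not part of the Splunk add-on. The sample audit record is constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# proctitle is either a quoted printable string or an even-length run of hex pairs
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
PROCTITLE_RE = re.compile(r"proctitle=(\S+)")

# Constructed PROCTITLE record; the hex encodes "/usr/sbin/sshd" NUL "-D"
SAMPLE_AUDIT_LINE = (
    "type=PROCTITLE msg=audit(1562922000.123:4567): "
    "proctitle=2F7573722F7362696E2F73736864002D44"
)


def hex_to_percent(value: str) -> str:
    """Mirror replace(proctitle,"([0-9A-F]{2})","%\\1") from the thread's EVAL.
    auditd emits uppercase hex, but lowercase is accepted here as well."""
    return re.sub(r"([0-9A-Fa-f]{2})", r"%\1", value)


def decode_proctitle(value: str, nul_replacement: str = " ") -> str:
    """Return the decoded command line for a raw proctitle value.

    - Quoted values are already printable: strip the quotes and return them.
    - Hex values are percent-encoded and URL-decoded like the EVAL, then the NUL
      separators between argv entries are replaced with `nul_replacement`.
      Passing "" reproduces the thread's workaround (drop %00), which glues the
      arguments together; the default " " keeps them apart.
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if not HEX_RE.match(value):
        # Not something the EVAL would decode either; pass it through unchanged
        return value
    raw = unquote_to_bytes(hex_to_percent(value))
    # argv entries are NUL-separated; a trailing NUL terminates the last one
    parts = raw.rstrip(b"\x00").split(b"\x00")
    return nul_replacement.join(p.decode("utf-8", errors="replace") for p in parts)


def extract_proctitle(line: str) -> str:
    """Pull the raw proctitle value out of an audit.log line ("" if absent)."""
    match = PROCTITLE_RE.search(line)
    return match.group(1) if match else ""


def process_name_from_line(line: str, nul_replacement: str = " ") -> str:
    """End-to-end: audit.log line -> decoded process_name, as the add-on field."""
    return decode_proctitle(extract_proctitle(line), nul_replacement)


if __name__ == "__main__":
    print("separator kept :", process_name_from_line(SAMPLE_AUDIT_LINE))
    print("NUL dropped    :", process_name_from_line(SAMPLE_AUDIT_LINE, ""))
    print("quoted form    :", decode_proctitle('"bash"'))
```

Running the block prints `/usr/sbin/sshd -D` for the separator-preserving decode and `/usr/sbin/sshd-D` when `%00` is simply removed, which is the difference to keep in mind when searching or alerting on `process_name` values produced by the workaround.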