Deployment Architecture

How to pull out blocked connections from illumio within our Unix/Linux environment?

Explorer

If I log into the Linux system in question, go to the log area /var/log/illumio-pce/agent_traffic.log
and type grep blocked/potentially blocked,
I get information back.

When I go into SPLUNK and make the following search

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic

Information appears, but I do not see anything with the word Blocks or blocked/potentially blocked.

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially blocked

NOTHING comes back?

Need someone to explain to me what is wrong with my search.

1 Solution

Ultra Champion

Do you see events if you just run index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log"

What about if you add *block* to the search?

Splunk will look for exact string matches, so if you are not sure exactly how the events will occur, you can use the *something* approach to see if you get a "really wild" match.
*.* searches are generally very poor performing, so once you have identified how the exact pattern is represented in the Splunk events, you should amend your search to use that format over *.*

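A follow-up search in the same spirit, added here as an example and not taken from the thread: it uses the wildcard to find the events, then pulls out the actual token around "block" so the exact representation can be read off before the wildcard is replaced with a precise term. The capture group name `decision` and the assumption that the token is a single word containing "block" are both my own.

```spl
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" sourcetype=agent_traffic *block*
| rex field=_raw "(?<decision>\w*block\w*)"
| stats count by host, decision
```

Once the `decision` column shows how the events spell it (for example a single literal word), swap `*block*` for that literal term so the search no longer relies on a leading wildcard.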


Explorer

Yes, I do see events.


Ultra Champion

Ok, I was just ruling out a sourcetype problem. What about if you add *block* to the search?


Explorer

I added that and increased the timeout to 24 hours, BOOM, that worked!!!!

YEAH!!!
Thanks.


Ultra Champion

Great.
I have converted my comment to an answer and added a bit more context. If you're happy, please accept my answer, and upvote. Good luck!
