
How can we verify the patch that has been provided for the date time issue before 1/1/2020?

capesb
Engager

We were notified there is an issue with the recognition of 2-digit years in the Splunk code that requires an immediate patch. We need to know how to verify this patch is applied properly and is going to be working properly come 1/1/2020.
Link to issue: https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information

woodcock
Esteemed Legend

You can use this search to find potentially problematic events. DISCLAIMER: This is NOT a guarantee because we have no way to tell with SPL whether Indexers are using datetime.xml or proper Magic 6 settings. It will show you events that, IF the indexers are using datetime.xml, will be broken without the fix.

index="*" AND sourcetype="*" AND timestartpos="*" earliest=-7d latest=now
| dedup punct sourcetype index
| eval timestr=substr(_raw, timestartpos+1, timeendpos-timestartpos)
| regex timestr="(((?:^|\D)\d{1,2}[-\/]\d{1,2}[-\/]19[^\d])|((?:^|\D)19[-\/]\d{1,2}[-\/]\d{1,2}[^\d])|((?:^|\D)\d{1,2}\s[-\/]\s\d{1,2}\s[-\/]\s19[^\d])|((?:^|\D)19\s[-\/]\s\d{1,2}\s[-\/]\s\d{1,2}[^\d])|((?:^|\D)([a-zA-Z]{3}[- \/]+\d{1,2}[- \/]+19[^:\d]))|((?:^|\D)19[- \/][a-zA-Z]{3}[- \/]\d{1,2}[^:\d])|((?:^|\D)\d{1,2}[- \/]+[a-zA-Z]{3}[- \/]+19[^:\d]))"
| table punct sourcetype index timestr time*pos _time _raw time*
| stats list(*) AS * BY index sourcetype

If this search returns nothing, then you have nothing to fix. Do note that this search will return the same results BEFORE and AFTER you deploy the fix. It only shows your potential risk, not your actual.

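The search above, ported to Python as an added example (this is not code from woodcock's answer or from Splunk) so the regex can be exercised offline against constructed events. The `timestr()` helper mirrors `substr(_raw, timestartpos+1, timeendpos-timestartpos)`, `scan()` groups hits by index and sourcetype the way the closing `stats ... BY index sourcetype` does, and every event, index name, sourcetype and `timestartpos`/`timeendpos` offset in `SAMPLE_EVENTS` is made up for the demonstration:

```python
import re
from collections import defaultdict

# Port of the regex from the SPL search (PCRE in Splunk, Python's re here; the
# constructs used behave the same in both). It looks for a two-digit year "19"
# inside the extracted timestamp text in the seven layouts the search covers.
TWO_DIGIT_19_RE = re.compile(
    r"(((?:^|\D)\d{1,2}[-\/]\d{1,2}[-\/]19[^\d])"
    r"|((?:^|\D)19[-\/]\d{1,2}[-\/]\d{1,2}[^\d])"
    r"|((?:^|\D)\d{1,2}\s[-\/]\s\d{1,2}\s[-\/]\s19[^\d])"
    r"|((?:^|\D)19\s[-\/]\s\d{1,2}\s[-\/]\s\d{1,2}[^\d])"
    r"|((?:^|\D)([a-zA-Z]{3}[- \/]+\d{1,2}[- \/]+19[^:\d]))"
    r"|((?:^|\D)19[- \/][a-zA-Z]{3}[- \/]\d{1,2}[^:\d])"
    r"|((?:^|\D)\d{1,2}[- \/]+[a-zA-Z]{3}[- \/]+19[^:\d]))"
)


def timestr(raw, timestartpos, timeendpos):
    """Mirror of substr(_raw, timestartpos+1, timeendpos-timestartpos).

    Splunk's substr is 1-indexed while timestartpos is a 0-based offset, so a
    plain Python slice gives the same characters."""
    return raw[timestartpos:timeendpos]


def at_risk(raw, timestartpos, timeendpos):
    """True when the timestamp region carries a two-digit year of 19."""
    return TWO_DIGIT_19_RE.search(timestr(raw, timestartpos, timeendpos)) is not None


def scan(events):
    """Return {(index, sourcetype): [timestr, ...]} for the flagged events,
    like the search's final `stats list(*) AS * BY index sourcetype`."""
    hits = defaultdict(list)
    for ev in events:
        if at_risk(ev["_raw"], ev["timestartpos"], ev["timeendpos"]):
            key = (ev["index"], ev["sourcetype"])
            hits[key].append(timestr(ev["_raw"], ev["timestartpos"], ev["timeendpos"]))
    return dict(hits)


# Constructed events; offsets are the timestamp region Splunk would have used.
SAMPLE_EVENTS = [
    # m/d/yy with a two-digit year: flagged
    {"index": "os", "sourcetype": "linux_secure",
     "_raw": "12/31/19 23:59:58 sshd[1234]: Accepted publickey for alice",
     "timestartpos": 0, "timeendpos": 17},
    # ISO 8601 with a four-digit year: safe
    {"index": "app", "sourcetype": "payments",
     "_raw": "2019-12-31T23:59:59Z status=ok",
     "timestartpos": 0, "timeendpos": 20},
    # dd-Mon-yy: flagged
    {"index": "net", "sourcetype": "fw",
     "_raw": "31-Dec-19 23:59:59 fw01 deny tcp 10.0.0.5 -> 10.0.0.9",
     "timestartpos": 0, "timeendpos": 18},
    # classic syslog with no year at all (Splunk fills in the current year): safe
    {"index": "os", "sourcetype": "syslog",
     "_raw": "Dec 31 23:59:59 host1 cron[77]: session closed",
     "timestartpos": 0, "timeendpos": 15},
    # four-digit year followed by an hour of 19: must not be a false positive
    {"index": "app", "sourcetype": "batch",
     "_raw": "12/31/2019 19:05:00 job=nightly result=ok",
     "timestartpos": 0, "timeendpos": 19},
    # two-digit year that ends the timestamp region: the regex requires a
    # character after the "19", so this layout is not flagged
    {"index": "os", "sourcetype": "lastlog",
     "_raw": "Last login: 12/31/19",
     "timestartpos": 12, "timeendpos": 20},
]


if __name__ == "__main__":
    for (index, sourcetype), strs in scan(SAMPLE_EVENTS).items():
        print(f"{index}/{sourcetype}: {strs}")
```

The last sample event illustrates a limit of the pattern as posted: every alternative ends in `[^\d]` or `[^:\d]`, so a two-digit year that is the final character pair of the extracted timestamp text is not reported. If your sources have such timestamps, review those sourcetypes by hand.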

capesb
Engager

thanks Rich and David, appreciate the feedback


DavidHourani
Super Champion

@woodcock loop answer, can't go wrong there 😛


woodcock
Esteemed Legend

Just keep clicking.

DavidHourani
Super Champion

lol almost there 😛


woodcock
Esteemed Legend

Keep going!!!


DavidHourani
Super Champion

587 link clicks and still nothing...


jordanking1992
Path Finder

Is there a query that can search the _raw events for sources that are using 2-digit years?


DavidHourani
Super Champion

Hi @capesb,

To confirm that the change has been made, you need to be sure that your datetime.xml file matches the one in https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information
and that you've restarted your Splunk instances after modification, as mentioned here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_an_updat...

OR that you are on one of the bug-free versions specified here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_pl...

On this blog you can find exactly what changed in the datetime.xml:
https://www.bleepingcomputer.com/news/security/splunk-faces-y2k-bug-like-problem-unless-patched/

Let me know if that helps.

Cheers,
David


richgalloway
SplunkTrust

To test the fix, try ingesting a file that contains the two-digit year "20". Use a test index, of course. You'll also need to set MAX_DAYS_HENCE in props.conf to a value that includes the date in the file (at least 30).

---
If this reply helps you, Karma would be appreciated.
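A helper for the test described in richgalloway's reply, added here as an example (it is not his code or Splunk's): it writes a file of constructed events whose timestamps all carry the two-digit year "20" in several layouts, emits the props.conf stanza for the test sourcetype with a MAX_DAYS_HENCE large enough to cover the gap between the ingest day and the test date, and builds the search that should return zero rows once the patched datetime.xml is in place. The index name `y2k_test`, the sourcetype name, the host field and the chosen instant (2020-01-02 03:04:05 UTC) are all assumptions for the demonstration:

```python
from datetime import date, datetime, timezone

# Assumed names for the throwaway index and sourcetype; rename to taste.
TEST_INDEX = "y2k_test"
TEST_SOURCETYPE = "y2k_test"

# Every test line carries the same instant so one expected epoch covers them all.
TEST_INSTANT = datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
EXPECTED_EPOCH = int(TEST_INSTANT.timestamp())  # 1577934245

# strftime layouts that render the year with two digits (%y gives "20" for 2020).
# Assumes the C/POSIX locale so %b yields "Jan".
LAYOUTS = {
    "slash_mdy": "%m/%d/%y %H:%M:%S",
    "slash_ymd": "%y/%m/%d %H:%M:%S",
    "dash_dby": "%d-%b-%y %H:%M:%S",
    "space_bdy": "%b %d %y %H:%M:%S",
}


def build_test_lines():
    """Raw lines for the test file, one per layout, all describing TEST_INSTANT."""
    return [
        f"{TEST_INSTANT.strftime(fmt)} host=y2ktest layout={name} msg=two-digit-year-check"
        for name, fmt in LAYOUTS.items()
    ]


def props_stanza(ingest_day_iso):
    """props.conf stanza for the test sourcetype.

    MAX_DAYS_HENCE (default 2) must cover the number of days the test date lies
    in the future relative to the day the file is ingested; the floor of 30 is
    the value suggested in the thread. TZ is pinned so EXPECTED_EPOCH is exact.
    TIME_FORMAT is deliberately absent: an explicit strptime format would
    bypass datetime.xml, which is the component the patch changes."""
    ingest_day = date.fromisoformat(ingest_day_iso)
    days_hence = (TEST_INSTANT.date() - ingest_day).days
    lines = [
        f"[{TEST_SOURCETYPE}]",
        "TZ = UTC",
        f"MAX_DAYS_HENCE = {max(30, days_hence + 1)}",
        "# No TIME_FORMAT on purpose: it would bypass datetime.xml.",
    ]
    if days_hence < 0 and -days_hence > 2000:
        # Re-running this long after 2020: the date is now in the past and
        # MAX_DAYS_AGO (default 2000) is the limit that applies instead.
        lines.append(f"MAX_DAYS_AGO = {-days_hence + 1}")
    return "\n".join(lines)


def verification_search():
    """SPL that lists every test event whose _time is not the expected instant.
    Zero results after restart means the two-digit year "20" was parsed."""
    return "\n".join([
        f"index={TEST_INDEX} sourcetype={TEST_SOURCETYPE}",
        '| eval parsed=strftime(_time, "%Y-%m-%d %H:%M:%S")',
        f"| where _time != {EXPECTED_EPOCH}",
        "| table _time parsed _raw",
    ])


if __name__ == "__main__":
    with open("y2k_test.log", "w") as fh:
        fh.write("\n".join(build_test_lines()) + "\n")
    print(props_stanza(date.today().isoformat()))
    print()
    print(verification_search())
```

Ingest `y2k_test.log` into the test index with the stanza applied and the instance restarted, run the search over the test index, and confirm it returns nothing; any row it does return shows the timestamp Splunk actually assigned beside the raw line so the failing layout is obvious.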