I'm working to migrate ES to a new search head that has network visibility to indexers in multiple Business Units and more indexers. I am seeing my network traffic counts increase as I am now picking up the new architecture but I can't get my 'new' Threat Activity Dashboard to report anything.
I can see that the Threat Intelligence Downloads are operational and (as far as I've been told) both platforms should be equal, other than the additional feeds available to the new system.
I'm just not sure where to start when the only response is "no results found".
Are the files in /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups populated?
What is the result of the following command in search (from ES): | inputlookup threatintelbycidr
Is it the same ES version? Which one? Same OS?
To answer your questions in order:
1) Yes, /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups is populating on both servers, old and new. Latest updates are from 6/28/15.
2) | inputlookup threatintelbycidr gives a list of ip_intel addresses on both systems.
3) Yes, it's the same ES version, 3.3.0. The "new" server is on RHEL (no feed) the "old" is Win2012 Server (working).
What is the status of the Threat_Intelligence datamodel (in the Data Model audit)?
Is it accelerated? Is it complete? And what is the disk size?
Yes, it is accelerated, 100% complete and about 0.2 MB on disk (same on both systems).
Of course, other dashboards (like the traffic one) are populated, correct?
Yes, Traffic Center IS populating.
There IS a difference here in that both systems are picking up "pan-traffic" from the client's Palo Alto firewalls, and on the new system I am working to get their Cisco ASA traffic tagged appropriately using the Splunk Add-on for Cisco ASA (again, different BUs working with different technology).
I am not yet properly seeing the ASA traffic but I was/am assuming I should still be able to get the matches from the Palo Altos.
Did you try to add to the local threat list an IP that is used in one of your logs? I just want to be sure that some traffic IPs are matching the ones from the threat lists.
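The two conditions being checked in this thread (is the CIDR lookup actually populated, and does any traffic IP fall inside a listed CIDR) can be reproduced offline. The following is an added example written for this page, not Splunk's or ES's own code: the lookup rows, the "ip" column name, the threat_key values and the traffic events are all constructed stand-ins, and the matching is a plain ipaddress-based check rather than the Threat_Intelligence datamodel's logic.

```python
"""Constructed example (not Splunk's own code): check whether a threat-intel
CIDR lookup is populated and whether any traffic IPs match it."""
import csv
import io
import ipaddress

# Constructed stand-in for what "| inputlookup threatintelbycidr" might return.
# Real lookups carry more columns; only an "ip" column is assumed here.
THREAT_LOOKUP_CSV = """ip,threat_key
198.51.100.0/24,constructed_feed_a
203.0.113.7,constructed_feed_b
"""

# Constructed stand-in for a header-only lookup: the failure mode behind
# "no results found" when lists never populated after a migration.
EMPTY_LOOKUP_CSV = "ip,threat_key\n"

# Constructed firewall traffic events (src, dest) as ES would see them.
TRAFFIC_EVENTS = [
    {"src": "10.1.1.5", "dest": "198.51.100.23"},
    {"src": "10.1.1.9", "dest": "93.184.216.34"},
    {"src": "203.0.113.7", "dest": "10.1.1.5"},
]


def load_cidr_lookup(csv_text):
    """Parse lookup rows into network objects; bare IPs become /32 or /128."""
    networks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get("ip") or "").strip()
        if not value:
            continue
        try:
            networks.append((ipaddress.ip_network(value, strict=False), row["threat_key"]))
        except ValueError:
            continue  # skip malformed rows instead of failing the whole lookup
    return networks


def lookup_is_populated(networks):
    """First diagnostic from the thread: does the lookup contain any rows?"""
    return len(networks) > 0


def match_traffic(events, networks):
    """Return (field, ip, threat_key) for each traffic IP inside a listed CIDR."""
    hits = []
    for event in events:
        for field in ("src", "dest"):
            try:
                addr = ipaddress.ip_address(event[field])
            except (KeyError, ValueError):
                continue
            for net, key in networks:
                if addr.version == net.version and addr in net:
                    hits.append((field, str(addr), key))
    return hits


def threat_activity_status(csv_text, events):
    """Summarise the two conditions for Threat Activity to show anything."""
    networks = load_cidr_lookup(csv_text)
    if not lookup_is_populated(networks):
        return "lookup empty: check SA-ThreatIntelligence lookup population"
    hits = match_traffic(events, networks)
    if not hits:
        return "lookup populated but no traffic IPs match"
    return f"{len(hits)} matching traffic IP(s)"


if __name__ == "__main__":
    print(threat_activity_status(THREAT_LOOKUP_CSV, TRAFFIC_EVENTS))
    print(threat_activity_status(EMPTY_LOOKUP_CSV, TRAFFIC_EVENTS))
```

Running it against the populated lookup reports two matching traffic IPs; against the header-only lookup it reports the lookup as empty, which is the case an empty esslookup_lists points at: an empty lookup yields no matches no matter how much traffic is indexed, so the lookup check comes before any search tuning.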
I think I am getting closer to the issue. I followed your advice and as I attempt to find the IP addresses in localthreatlist, I'm seeing that "esslookup_lists" does not populate on the new server.
Essentially, the new deployment isn't reporting ANY lists and lookups. Is there a configuration piece that got missed?
Hummmm... how did you migrate ES to the new server? Did you copy the files or reinstall a fresh copy of ES? And when (just a few hours ago, or several days ago)?
Do you have both ES instances running in parallel?