All Posts

ktaylor · ‎01-18-2024

That makes a lot of sense, thanks for that. And thank you for the link!

jlsiri · ‎01-18-2024

<14> prefix is displayed in splunk logs, what does it mean, why is it displayed? Can anyone answer this question please?

PickleRick · ‎01-18-2024

OK. How are you ingesting your events? key/value or XML? Does the other (working) blacklist entry specify just the event code?

PickleRick · ‎01-18-2024

Again - there are several different approaches you can have about "using ES" but what I'd do to get a rough idea if the solution is indeed being used: 1. Check if it's configured - are there correla...

Again - there are several different approaches you can have about "using ES" but what I'd do to get a rough idea if the solution is indeed being used: 1. Check if it's configured - are there correlation searches defined, are there user/asset mappings defined/synchronised, are sources decently onboarded (CIM-compliant) 2. Does anyone actually open ES app views in webui (you should be able to find it in internal logs). 3. What is the status of your notables and investigations - do you see any traces of anyone working on them? 4. What is the version of your ESCU app? How long ago it's been updated?

Yadukrishnan · ‎01-18-2024

Didnt work. Yes, I have restarted the services after making the changes.

Yadukrishnan · ‎01-18-2024

I am making changes on opt splunk etc apps splunk_ta_win local inputs.conf. The Windows Event IDs are collected using Universal Forwarder. There is one another blacklist in the same configuration f...

I am making changes on opt splunk etc apps splunk_ta_win local inputs.conf. The Windows Event IDs are collected using Universal Forwarder. There is one another blacklist in the same configuration file which is working fine with out any issues.

btluynk · ‎01-18-2024

Hi team, I've completed all the configurations according to the steps provided in the following link for integrating Jamf Protect and Splunk: https://learn.jamf.com/bundle/jamf-protect-documentati...

Hi team, I've completed all the configurations according to the steps provided in the following link for integrating Jamf Protect and Splunk: https://learn.jamf.com/bundle/jamf-protect-documentation/page/Splunk_Integration.html Under the "Testing the Event Collector Token" section, when I execute the command as instructed in "Using the values obtained in step 1," I can see the log I sent from my local machine on the Splunk search head. However, logs from other clients, especially JamfPro logs, are not visible. I can confirm that the logs are being captured by using tcpdump on the heavy forwarder, but they are not appearing in search results. What could be the reason for this? Additionally, where can I check error logs from the CLI to investigate this further? Thanks

cYcJo7 · ‎01-18-2024

Thank you for your quick reply, I would like to know if Enterprise security is used at all in our company. So is it used 1-2 times a year or has it only been used 10 times in the last 3 months?

PickleRick · ‎01-18-2024

#define <utilisation> please

PickleRick · ‎01-18-2024

Well... scrub can work strangely sometimes. For example, scrubbing my firewall logs shows that my firewalls do actions: - allowed - blocked - dropped - mckenzie

kevinmabini · ‎01-18-2024

Hello, We have PROD and DEV instance that are both running Mission Control with the following versions below: PROD - ES v7.1.1, Mission Control v3.0.2 DEV - ES v7.3.0, Mission Control v3.0.2 PROD...

Hello, We have PROD and DEV instance that are both running Mission Control with the following versions below: PROD - ES v7.1.1, Mission Control v3.0.2 DEV - ES v7.3.0, Mission Control v3.0.2 PROD works fine and incidents are tally between ES and MC. Unfortunately for DEV, some of the notables from ES are not flowing into MC. Is this an issue with the latest version of ES? I've looked into the latest release notes of both ES and MC, and it's not listed in the "Known Issues" page. Can't find anything helpful too in the internal logs. Any insights will be highly appreciated. Thank you!

cYcJo7 · ‎01-18-2024

Hello, is it possible to analyse the utilisation of enterprise security, I assume it is currently not used in our company, but I would like to be able to prove this in statistics Thanks Pad

KulvinderSingh · ‎01-18-2024

Thanks @PickleRick let me check will update.

PickleRick · ‎01-18-2024

As you can see, this is a thread from almost 13 years ago. The probability that you'll get a response from people involved in it is very slim. You should rather start a new thread describing your pro...

As you can see, this is a thread from almost 13 years ago. The probability that you'll get a response from people involved in it is very slim. You should rather start a new thread describing your problem, what are your needs, what you tried already and so on. This will give you more visibility and higher chance of getting help.

PickleRick · ‎01-18-2024

There is no such thing as "merging" events. If you're sending to the /event endpoint, you have to make sure you're sending whole events. I'm not 100% how/if linebreaking works with /raw endpoint.

PickleRick · ‎01-18-2024

OK. I'm either overworked or blind. I counted them several times and always came up with the same 8/7 numbers. You're right. They both have 7 fields.

PickleRick · ‎01-18-2024

1. Check the sourcetype props 2. CEF typically comes with a syslog header. You're not showing the header - maybe it's been cut after the time had beed parsed out from it. It all boils down to verif...

1. Check the sourcetype props 2. CEF typically comes with a syslog header. You're not showing the header - maybe it's been cut after the time had beed parsed out from it. It all boils down to verifying: 1) Raw format of the data coming from the source with tcpdump to be sure what's on the wire 2) Settings for the sourcetype - how the timestamp is being parsed/assigned and how the event is modified on ingestion.

ITWhisperer · ‎01-18-2024

@PickleRick Both have 7

PickleRick · ‎01-18-2024

Department,Vendor,Type,url_domain,user,src_ip,Whitelisted BigData,Material,Google Remote Desktop,Alpha.com,Alice,172.16.28.12,TRUE Are you sure you copy-pasted whole lines? First line has 8 fields,...

Department,Vendor,Type,url_domain,user,src_ip,Whitelisted BigData,Material,Google Remote Desktop,Alpha.com,Alice,172.16.28.12,TRUE Are you sure you copy-pasted whole lines? First line has 8 fields, second one has 7.

dberber1 · ‎01-18-2024

@manish_singh_77 - did you ever figure this out? I'm having the same problem.

All Posts

All Posts

Re: Searching for windows logins

What is <14> we see in Splunk logs, each log starts with <14> what does it pertain to ? can anyone answer this please?

Re: Blacklist Windows Event ID 4769

Re: How to generate a report based on utilisation of Enterprise Security

Re: Blacklist Windows Event ID 4769

Re: Blacklist Windows Event ID 4769

Jamf Protect and Splunk Integration Issues

Re: How to generate a report based on utilisation of Enterprise Security

Re: How to generate a report based on utilisation of Enterprise Security

Re: Single Splunk command to generate dummy data that can be run in the search bar

Splunk ES Notables Not Flowing into Mission Control

How to generate a report based on utilisation of Enterprise Security

Re: logs with no timestamp automatically show +15 hrs of time stamp

Re: Monitoring Oracle on a Solaris Cluster

Re: merging as single event from mutlple lines

Re: Issue in excluding some results via Lookup table

Re: logs with no timestamp automatically show +15 hrs of time stamp

Re: Issue in excluding some results via Lookup table

Re: Issue in excluding some results via Lookup table

Re: How to create a drilldown for a single value panel?

All Posts

Are you a member of the Splunk Community?

All Posts