Hi Rick, Instead of props.conf and transforms.conf in the HF (index-time extraction), we have moved the regex settings to the props.conf in all of our search heads (search-time extraction) manually in the /opt/splunk/etc/system/local directory as below:

props.conf
[aws:elb:accesslogs]
EXTRACT-aws_elb_accesslogs = ^(?P<Protocol>\S+)\s+(?P<Timestamp>\S+)\s+(?P<ELB>\S+)\s+(?P<ClientPort>\S+)\s+(?P<TargetPort>\S+)\s+(?P<RequestProcessingTime>\S+)\s+(?P<TargetProcessingTime>\S+)\s+(?P<ResponseProcessingTime>\S+)\s+(?P<ELBStatusCode>\S+)\s+(?P<TargetStatusCode>\S+)\s+(?P<ReceivedBytes>\S+)\s+(?P<SentBytes>\S+)\s+\"(?P<Request>[^\"]+)\"\s+\"(?P<UserAgent>[^\"]+)\"\s+(?P<SSLCipher>\S+)\s+(?P<SSLProtocol>\S+)\s+(?P<TargetGroupArn>\S+)\s+\"(?P<TraceId>[^\"]+)\"\s+\"(?P<DomainName>[^\"]+)\"\s+\"(?P<ChosenCertArn>[^\"]+)\"\s+(?P<MatchedRulePriority>\S+)\s+(?P<RequestCreationTime>\S+)\s+\"(?P<ActionExecuted>[^\"]+)\"\s+\"(?P<RedirectUrl>[^\"]+)\"\s+\"(?P<ErrorReason>[^\"]+)\"\s+(?P<AdditionalInfo1>\S+)\s+(?P<AdditionalInfo2>\S+)\s+(?P<AdditionalInfo3>\S+)\s+(?P<AdditionalInfo4>\S+)\s+(?P<TransactionId>\S+)

This is working as of now, but it is weird that the props and transforms configurations wouldn't work since the regexes are the same.
In addition to the technical consideration @PickleRick points out, you should make a blunt case to your developers that this is logically impossible unless there is only ever one user accessing your entire Web site with credentials, or there is a strict mechanism preventing more than one user from accessing your Web site during any prescribed time interval. This, and only if code authentication failure is the ONLY reason 401 is returned. (HTTP 401 is for unauthorized access, not an indicator of authentication failure.) Present the above two logs to your developers and ask them what logic they can use (without Splunk) to tell you why the second event is related to the same user as the second event. If your logs contain additional identifiable information such as client IP address, there is a better chance for such correlation. But your mock data don't suggest the existence of such data.
Ok. So you have the logs from UFs but did you check splunkd.log on those HFs?
Splunkd requires TLS client usage if the usage is specified. (Been there several times - customer used mutual auth and their CA issued wrong-usage certs for UFs). I also don't think I've seen a fairly modern CA which doesn't push usages by default in their policies. So it's a volenti non fit iniuria case when someone issues such a crappy cert.
Ha. I do think splunkd etc. should require it when acting as a server, especially given that it requires it when acting as a client! You're right about lazy CA policies, though.
The Splunk nodes including heavy forwarders are on Linux RHEL8, the universal forwarders are mainly on Linux.
This is a 10-year-old thread. It's doubtful you'll get much help here. I see you posted another thread. Just add more details to that thread if needed.
Wait a second. That's a bit self-contradicting. You want to configure your CM to be a slave?
Did you verify the permissions? If you created the directory with root ownership and 755 permissions, the non-root user won't be able to use it.
To be fully honest, I wouldn't upvote it. It's working as designed. If the issuer cannot be bothered to specify key usage, why would the client argue with the issuer? You wanna shoot yourself in the foot? Be my guest, here's the gun.
Hi, I'm receiving an error in my CM when I go to input

./splunk edit cluster-config -mode slave -master_uri http://url:8089 -replication_port 8080 -secret xxxxxxx

that says cannot contact master. I've tried everything, reviewed my configurations and it still doesn't work. Help!
Hey! I'm having this issue right now and I'm so stuck! Can you help?
Is there a reason why auth-success is excluded from the system_actions.csv lookup file in the Splunk Add-on for Palo Alto Networks TA version 1.0.0 that was just released? This is breaking auth events, as only failures are being parsed.
Hi! Thanks for your reply. Yeah, I tried with the phantom account as well and still see the error for folder permission for soar-phantom. Not sure what mistake I am making. Is there any detailed video link or documentation to follow? Thanks.
Hi @shai, Looking at https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec/, the interval setting should "just work;" however, the use_single_instance scheme parameter controls its behavior. Is use_single_instance set to false in your modular input's scheme? E.g.:

    <scheme>
        <!-- ... -->
        <use_single_instance>false</use_single_instance>
        <!-- ... -->
    </scheme>
Speaking broadly (and without citing anything--ipse dixit), the consensus is an application (client and server) should require the presence of extended key usages to keep implementers from harming themselves, but it's not required. If you identify a scenario in which Splunk Enterprise/Splunk Universal Forwarder are vulnerable to some attack independent of the implementer's choices, it would be wise to disclose the vulnerability privately to Splunk through https://advisory.splunk.com/report. Otherwise, https://ideas.splunk.com/ is the best place to request new features, i.e. requiring extended key usages. I would upvote such an idea.
From RFC 5280 section 4.2.1.12:

    If the extension is present, then the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated the application need not recognize all purposes indicated, as long as the intended purpose is present. Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application.

"If" and "MAY"--the easy way out. At a glance, OpenSSL's libssl only rejects unsupported certificate purposes if extended key usages are present [https://github.com/openssl/openssl/blob/master/crypto/x509/v3_purp.c] (the implementation may vary by version, of course; I'm making an assumption that earlier versions are similar):

    /* ... */
    /* Reject only when the EKU extension is present AND the usage is missing */
    #define xku_reject(x, usage) \
            (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0)
    /* ... */
    /*
     * Key usage needed for TLS/SSL server: digital signature, encipherment or
     * key agreement. The ssl code can check this more thoroughly for individual
     * key types.
     */
    #define KU_TLS \
            KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT

    static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                        int non_leaf)
    {
        if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC))
            return 0;
        if (non_leaf)
            return check_ssl_ca(x);

        if (ns_reject(x, NS_SSL_SERVER))
            return 0;
        if (ku_reject(x, KU_TLS))
            return 0;

        return 1;
    }
@sainag_splunk not sure what you meant by using a cron job... when interval is defined in default/inputs.conf it is already activating a cron job behind the scenes... only when exposed to the UI through inputs.conf.spec does it stop doing so... local/inputs.conf gets populated alright so idk what you meant by trying it... after the user populates it in the UI it is written into local/inputs.conf and then nothing happens. I use Splunk 9.2.1 on Linux.
You are supposed to install SOAR using a nonprivileged user.
Thank you Pickle, I now understand why it is not mentioned in detail. So it is a customized approach to use external methods.