All Posts
Well, Splunk lets you use an external script to use any authentication scheme that isn't natively supported, but it's up to you to implement it. RADIUS is listed here only as one example of the authentication methods you could want to integrate this way, but it's in no way a manual on how to do so.
I'd have to dig through the standards to confirm it, but this actually makes sense. It's up to the CA to define what the certificate is good for. ExtKeyUsage is an extension of X.509, which means it doesn't have to be present. If it is not present, one can assume that no restrictions have been imposed on key usage. Also remember that this extension, even if present, could be marked as non-critical.
Thank you, Pickle, for your response. I attempted to follow the Splunk documentation below, which does not contain a lot of information; however, I attempted to change the configuration file "authentication.conf" with the stanza containing the RADIUS information [IP secret port], as well as to use the Python script and fill it with the necessary data, but with no success. https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentication I also tested my Linux server's connectivity by installing the RADIUS client and using the radtest function to examine the delivered request, but I received no response from the server. So I'm looking for a trustworthy manual to follow, but I can't locate one, and I'm not sure if that program is available to use and test via.
Sorry, forgot to mention it's version 6.3.0.
Hi @tscroggins, here are the observations from my tests.

1) EKU extension exists with serverAuth – server cert accepted
2) EKU extension exists but without serverAuth, it is set to clientAuth – server cert rejected
3) EKU extension does not exist – server cert accepted

I am referring to the 3rd test here, i.e. EKU does not exist. Could you confirm which test case is the one you referred to in your comment?
Hi! I am stuck in my home lab trying to install Phantom on a VM. All steps for soar-prep completed fine, but then I tried ./soar-install and saw errors like:

Error: Cannot run as the root user
Error: The install directory (/opt/phantom) is not owned by the installation owner (root)
Pre-deploy checks failed with errors

The directory has root access with all folders in it; image attached.

{"component": "installation_log", "time": "2024-11-10T02:02:56.071875", "logger": "install.deployments.deployment", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/install/deployments/deployment.py", "line": 175, "message": "Error: The install directory (/opt/phantom) is not owned by the installation owner (root)", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "phase": "pre-deploy", "operation_status": "failed", "time_elapsed_since_start": 1.524704}
{"component": "installation_log", "time": "2024-11-10T02:02:56.072144", "logger": "install", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/./soar-install", "line": 105, "message": "Pre-deploy checks failed with errors", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "time_elapsed_since_start": 1.525168, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/opt/phantom/splunk-soar/./soar-install\", line 82, in main", " deployment.run()", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 145, in run", " self.run_pre_deploy()", " File \"/opt/phantom/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 178, in run_pre_deploy", " raise DeploymentChecksFailed(", "install.install_common.DeploymentChecksFailed: Pre-deploy checks failed with errors"]}
I just tested forwarder version 9.1.1 on Windows with outputs.conf [tcpout] sslVerifyServerCert = true, and key usage is checked:

11-09-2024 20:57:30.517 -0500 ERROR X509Verify [85708 TcpOutEloop] - Server X509 certificate (CN=splunk.example.com,O=Example,L=Washington,ST=District of Columbia,C=US) failed validation; error=26, reason="unsupported certificate purpose"

Edit: I tested in 9.0.3, and key usage is verified there as well. splunkd, splunkweb, and mongod on Splunk Enterprise 9.3.0 do happily load and use the certificate, though. My last conversation with Splunk on the topic was circa 8.2. I haven't had cause to test this specifically since then. Good to see!
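The three EKU outcomes reported in this thread (serverAuth present, clientAuth only, no EKU at all) can be reproduced outside Splunk with the openssl CLI, because "unsupported certificate purpose" (error 26, X509_V_ERR_INVALID_PURPOSE) is OpenSSL's own purpose check. The script below is an added example, not Splunk's code and not posted by anyone in the thread; it constructs three throwaway self-signed certificates in a temporary directory and runs openssl verify -purpose sslserver against each. It assumes an OpenSSL 1.1.1 or newer CLI (for -addext); the CN splunk.example.com is a placeholder.

```shell
#!/bin/sh
# Added example: reproduce the thread's three EKU test cases with the openssl CLI.
# All certificates are constructed here on the fly; nothing comes from a real host.
# Assumes OpenSSL >= 1.1.1 (needed for `openssl req -addext`).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EKU]
# Writes a self-signed certificate to $WORK/NAME.pem. When EKU is given
# (serverAuth or clientAuth), an extendedKeyUsage extension is added;
# when it is omitted, the certificate carries no EKU extension at all.
make_cert() {
    name=$1
    eku=${2:-}
    if [ -n "$eku" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=splunk.example.com" \
            -addext "extendedKeyUsage=$eku" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=splunk.example.com" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# show_eku NAME
# Prints the decoded EKU line from `openssl x509 -text`, or "(none)" if absent.
show_eku() {
    line=$(openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//')
    case "$line" in
        *Authentication*) echo "$line" ;;
        *) echo "(none)" ;;
    esac
}

# eku_verdict NAME
# Prints "accepted" when OpenSSL's sslserver purpose check passes for the
# certificate, "rejected" otherwise. An absent EKU passes (no restriction);
# an EKU without serverAuth fails with "unsupported certificate purpose".
eku_verdict() {
    if openssl verify -purpose sslserver -CAfile "$WORK/$1.pem" "$WORK/$1.pem" \
        >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Run the three cases from the thread: serverAuth, clientAuth only, no EKU.
for spec in "server:serverAuth" "client:clientAuth" "none:"; do
    name=${spec%%:*}
    eku=${spec#*:}
    make_cert "$name" "$eku"
    printf '%-8s EKU=%-56s -> %s\n' "$name" "$(show_eku "$name")" "$(eku_verdict "$name")"
done
```

Running it prints one line per case; only the clientAuth-only certificate comes back rejected, matching the forwarder's behaviour above. To see the reason text itself, drop the redirection in eku_verdict and openssl prints error 26 "unsupported certificate purpose" for that case.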
Splunk Enterprise Security (ES) is Splunk's SIEM product.  Splunk SIEM is another term for Splunk ES. You may be able to get the software via Splunk's Product & Training Donation program.
Check the whole path from sender to receiver to Splunk.  Verify network connectivity at each step. Verify the syslog server is writing data to disk.  Confirm Splunk is monitoring those files and has read access to them.  Check splunkd.log to see if there are messages about the files. Check the indexer for internal log files from the forwarder.  If they are not present then you have a connectivity problem between the forwarder and indexer (at least). When searching for data, use a wide time window that includes the future (earliest=-2d latest=+2d) in case the events are not onboarded properly.
I got the same parsing issue as you using the KV_MODE parameter, but I found the cause and the solution. Tested on Splunk Enterprise 9.2.1: in props.conf, you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml

NB: you can adapt the source value to match your logs' source value.

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***
Correlating on time alone while possible is always tricky. You never know what delay you're gonna get between these two events. And you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event or at least they both include some unique identifier so that you can unambiguously connect one with the other.
I will add - it is the same index but the 1st event is from one source type and the 2nd event from another source type (just different server logs)  
So I have an index with working alerts thanks to you guys' help. I have a question on 2 separate events at the same time. 1st Event: Invalid password provided for user : xxxxxxxx (this is in the event). 2nd Event: GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event but what project they tried to connect to). How would one write this to get the username of the invalid password and correlate that with the project at the same time underneath? Example: User xxxxxx put in an invalid password for Project 1234. Thinking it is easier to get my team to write it all in 1 event for another release.
So for our graduation project, we've decided to use splunk SIEM as our base app to build on. However, on further inspection, it turns out that splunk enterprise security has a lot of features that we need. Is there any chance that Splunk would give us the chance to use it without pay?
If that is true (I've never tested it this way myself), that would be unexpected, since when you're using cert-based client auth it requires that the client's cert has the client authentication usage.
Hi, When sslVerifyServerCert is true, Splunk verifies the trust chain, disallows self-signed certificates, and checks validity dates.  If you have certificateStatusValidationMethod = crl, Splunk will also verify the certificate against any revocation lists you have configured. Splunk does support OCSP. The most recent common criteria evaluation covers Splunk TLS configuration quite well. See the administrative guide at https://www.niap-ccevs.org/products/11330. As I recall from my last conversation with support/development, key usages are not verified, but you should contact support to confirm.
Hi @capilarity, you can use jQuery UI's datepicker directly from dashboard JavaScript. I've included two options below, one using a text input with datepicker and the other using a time input with various elements hidden. The datepicker uses d-M-yy as the dateFormat value, e.g. 9-Nov-2024. The format string is documented at https://api.jqueryui.com/datepicker/#utility-formatDate. See the same page for options to modify the datepicker's appearance.

<!-- etc/apps/search/local/data/ui/views/date_picker.xml -->
<form version="1.1" theme="light" script="date_picker.js">
  <label>Date Picker</label>
  <init>
    <eval token="form.date_tok">strftime(relative_time(now(), "@d"), "%e-%b-%Y")</eval>
    <eval token="form.time_tok.earliest">relative_time(now(), "@d")</eval>
    <eval token="form.time_tok.latest">relative_time(now(), "+1d@d")</eval>
  </init>
  <fieldset submitButton="false">
    <input id="input_date" type="text" token="date_tok">
      <label>Date 1</label>
    </input>
    <input id="input_time" type="time" token="time_tok">
      <label>Date 2</label>
      <default>
        <earliest>1731128400</earliest>
        <latest>1731214800</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$hidden$">
    <panel>
      <html>
        <style>
          div[data-test-panel-id="presets"],
          div[data-test-panel-id="relative"],
          div[data-test-panel-id="realTime"],
          div[data-test-panel-id="dateTime"],
          div[data-test-panel-id="advanced"] {
            display: none !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h2>Date 1: <b>$date_tok$</b></h2>
        <h2>Date 2 Earliest: <b>$time_tok.earliest$</b></h2>
        <h2>Date 2 Latest: <b>$time_tok.latest$</b></h2>
      </html>
    </panel>
  </row>
</form>

// etc/apps/search/appserver/static/date_picker.js
require([
  "jquery",
  "splunkjs/mvc",
  "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
  // Make the text input read-only so the only way to set it is the datepicker.
  $("#input_date input")
    .prop("readonly", true)
    .datepicker({
      dateFormat: "d-M-yy",
      onSelect: function(dateText, inst) {
        // Write the chosen date into both the default and submitted token models.
        var defaultTokens = mvc.Components.get("default");
        if (defaultTokens) {
          console.log("Setting default token $date_tok$ to " + dateText);
          defaultTokens.set("date_tok", dateText);
        }
        var submittedTokens = mvc.Components.get("submitted");
        if (submittedTokens) {
          console.log("Setting submitted token $date_tok$ to " + dateText);
          submittedTokens.set("date_tok", dateText);
        }
      }
    });
});

(I actually use the above format in my emails. Less ambiguity. In text data, I use ISO 8601. 'merica!)
In fact, product requirements for either ES or ITSI state that they must not be installed together on the same SH(C). Or at least said so about two years ago when I last checked but I wouldn't expect it to change.
Your answers are again a bit confusing. You say that "indexers have been migrated yet". Does it mean they have been already or they haven't been yet? Anyway, your general plan looks pretty decent. It's always the details, like making sure you have proper network connectivity - SH->idx, SH->LM, probably also MC->SH. If you install new machines with new names and new IPs and you have either IP-based access rules or allowed SANs, you might have problems. I've even seen situations where TLS connections wouldn't be allowed because a perimeter IPS was forbidding connections with local CA-issued certs. So prepare to at least do a trial launch for test users to verify that everything's working properly before going prod.
Hi @richgalloway, yes, we have a dedicated syslog-ng server and a UF in place to forward it to the indexer. But we are not receiving logs. How can I troubleshoot this issue, to check whether the issue is on the Splunk end or the requestor end?