Did you verify the permissions? If you created the directory with root ownership and 755 permissions, the non-root user won't be able to use it.
To be fully honest, I wouldn't upvote it. It's working as designed. If the issuer cannot be bothered to specify key usage, why would the client argue with the issuer? You wanna shoot yourself in the foot? Be my guest, here's the gun.
Hi, I'm receiving an error in my CM when I go to input

./splunk edit cluster-config -mode slave -master_uri http://url:8089 -replication_port 8080 -secret xxxxxxx

that says "cannot contact master". I've tried everything, reviewed my configurations, and it still doesn't work. Help!
hey! I'm having this issue right now and I'm so stuck! Can you help 
Is there a reason why auth-success is excluded from the system_actions.csv lookup file in the Splunk Add-on for Palo Alto Networks TA version 1.0.0 that was just released? This is breaking auth events, as only failures are being parsed.
Hi! Thanks for your reply. Yeah, I tried with the phantom account as well and still see the folder permission error for soar-phantom. Not sure what mistake I am making. Is there any detailed video link or documentation to follow? Thanks.
Hi @shai, Looking at https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec/, the interval setting should "just work;" however, the use_single_instance scheme parameter controls its behavior. Is use_single_instance set to false in your modular input's scheme? E.g.:

<scheme>
  <!-- ... -->
  <use_single_instance>false</use_single_instance>
  <!-- ... -->
</scheme>
Speaking broadly (and without citing anything--ipse dixit), the consensus is an application (client and server) should require the presence of extended key usages to keep implementers from harming themselves, but it's not required. If you identify a scenario in which Splunk Enterprise/Splunk Universal Forwarder are vulnerable to some attack independent of the implementer's choices, it would be wise to disclose the vulnerability privately to Splunk through https://advisory.splunk.com/report. Otherwise, https://ideas.splunk.com/ is the best place to request new features, i.e. requiring extended key usages. I would upvote such an idea.
From RFC 5280 section 4.2.1.12:

    If the extension is present, then the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated the application need not recognize all purposes indicated, as long as the intended purpose is present. Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application.

"If" and "MAY"--the easy way out. At a glance, OpenSSL's libssl only rejects unsupported certificate purposes if extended key usages are present [https://github.com/openssl/openssl/blob/master/crypto/x509/v3_purp.c] (the implementation may vary by version, of course; I'm making an assumption that earlier versions are similar):

/* ... */
#define xku_reject(x, usage) \
    (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0)
/* ... */

/*
 * Key usage needed for TLS/SSL server: digital signature, encipherment or
 * key agreement. The ssl code can check this more thoroughly for individual
 * key types.
 */
#define KU_TLS \
    KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT

static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                    int non_leaf)
{
    if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC))
        return 0;
    if (non_leaf)
        return check_ssl_ca(x);
    if (ns_reject(x, NS_SSL_SERVER))
        return 0;
    if (ku_reject(x, KU_TLS))
        return 0;
    return 1;
}
@sainag_splunk not sure what you meant by using a cron job... when interval is defined in default/inputs.conf it is already activating a cron job behind the scenes... only when exposed to the UI through inputs.conf.spec does it stop doing so... local/inputs.conf gets populated alright, so I don't know what you meant by trying it... after the user populates it in the UI it is written into local/inputs.conf and then nothing happens. I use Splunk 9.2.1 on Linux.
You are supposed to install SOAR using a nonprivileged user.
Thank you Pickle, I now understand why it is not mentioned in detail. So it is a customized approach to use external methods.
Well, Splunk lets you use an external script to use any not natively supported authentication scheme, but it's up to you to implement it. RADIUS is listed here only as one example of the authentication methods you could want to integrate this way, but it's in no way a manual on how to do so.
I'd have to dig through standards to confirm it, but this actually makes sense. It's up to the CA to define what the certificate is good for. ExtKeyUsage is an extension of X.509, which means it doesn't have to be present. If it is not present, one can assume that no restrictions have been imposed on key usage. Also remember that this extension, even if present, could be marked as non-critical.
Thank you, Pickle, for your response. I attempted to follow the Splunk documentation below, which does not contain a lot of information; however, I attempted to change the configuration file "authentication.conf" with the stanza containing the RADIUS information [IP secret port], as well as to use the Python script and fill it with the necessary data, but with no success.

https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentication

I also tested my Linux server's connectivity by installing the RADIUS client and using the radtest function to examine the delivered request, but I received no response from the server. So I'm looking for a trustworthy manual to follow, but I can't locate one, and I'm not sure if that program is available to use and test via.
Sorry, forgot to mention it's version 6.3.0.
Hi @tscroggins, Here are observations from my tests.

1) EKU extension exists with serverAuth: server cert accepted
2) EKU extension exists but without serverAuth (it is set to clientAuth): server cert rejected
3) EKU extension does not exist: server cert accepted

I am referring to the 3rd test here, i.e. EKU does not exist. Could you confirm which test case is the one you referred to in your comment?
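The three observations above, together with the xku_reject() rule quoted from OpenSSL's v3_purp.c earlier in this feed, reduce to one decision: an absent EKU extension imposes no restriction, a present one must list the purpose being checked. The script below is an added example, not code from this thread, from Splunk or from OpenSSL. It carries a minimal DER encoder/parser for the ExtKeyUsage extension value (constructed sample extensions, not real certificates), reproduces the three test cases, and adds a hypothetical require_eku "strict" flag that also rejects certificates without any EKU, which is the optional behaviour RFC 5280 section 4.2.1.12 says an application MAY adopt.

```python
# Added example (not code from the thread, Splunk or OpenSSL): the EKU
# acceptance rule discussed above, over a minimal DER parser for the
# ExtKeyUsage extension value.
#   - extension absent                   -> no restriction (xku_reject semantics)
#   - extension present, purpose listed  -> accepted
#   - extension present, purpose missing -> rejected
# require_eku is a hypothetical "strict" mode that additionally rejects
# certificates carrying no EKU at all (RFC 5280 4.2.1.12: applications MAY).
from typing import Iterable, Optional, Set, Tuple

# KeyPurposeId OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # first octet packs the first two arcs
    value = 0
    for b in body[1:]:                    # base-128, high bit set on continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> Set[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    purposes: Set[str] = set()
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        purposes.add(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    if not purposes:
        raise ValueError("EKU SEQUENCE must contain at least one purpose")
    return purposes


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID (used only to construct the sample extensions)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + body


def encode_eku(purposes: Iterable[str]) -> bytes:
    """Build a constructed EKU extension value (short-form lengths suffice here)."""
    body = b"".join(encode_oid(p) for p in purposes)
    assert len(body) < 0x80, "sample builder only emits short-form lengths"
    return b"\x30" + bytes([len(body)]) + body


def purpose_allowed(eku_der: Optional[bytes], purpose: str,
                    require_eku: bool = False) -> bool:
    """Mirror xku_reject(): absent EKU means unrestricted unless require_eku."""
    if eku_der is None:
        return not require_eku
    return purpose in parse_eku(eku_der)


if __name__ == "__main__":
    # The three observations from the thread, reproduced on constructed values.
    cases = {
        "EKU with serverAuth": encode_eku([SERVER_AUTH]),
        "EKU with clientAuth only": encode_eku([CLIENT_AUTH]),
        "no EKU extension": None,
    }
    for name, der in cases.items():
        print(f"{name}: serverAuth allowed = {purpose_allowed(der, SERVER_AUTH)}, "
              f"strict = {purpose_allowed(der, SERVER_AUTH, require_eku=True)}")
```

Run stand-alone it prints True/False pairs for the three cases: the default column matches what the forwarder's X509Verify was observed to do (accept case 1 and 3, reject case 2), and the strict column is what a deployment that chooses to require EKU would see (case 3 also rejected). The parser handles long-form lengths on input so it can be pointed at an EKU value pulled from a real certificate, while the builder deliberately stays short-form because it only exists to construct the samples.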
Hi! I am stuck in my home lab trying to install Phantom on a VM. All steps for soar-prep completed fine, but then I tried ./soar-install and am seeing errors like:

Error: Cannot run as the root user
Error: The install directory (/opt/phantom) is not owned by the installation owner (root)
Pre-deploy checks failed with errors

The directory has root access with all folders in it; image attached.

{"component": "installation_log", "time": "2024-11-10T02:02:56.071875", "logger": "install.deployments.deployment", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/install/deployments/deployment.py", "line": 175, "message": "Error: The install directory (/opt/phantom) is not owned by the installation owner (root)", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "phase": "pre-deploy", "operation_status": "failed", "time_elapsed_since_start": 1.524704}
{"component": "installation_log", "time": "2024-11-10T02:02:56.072144", "logger": "install", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/./soar-install", "line": 105, "message": "Pre-deploy checks failed with errors", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "time_elapsed_since_start": 1.525168, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/opt/phantom/splunk-soar/./soar-install\", line 82, in main", " deployment.run()", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 145, in run", " self.run_pre_deploy()", " File \"/opt/phantom/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 178, in run_pre_deploy", " raise DeploymentChecksFailed(", "install.install_common.DeploymentChecksFailed: Pre-deploy checks failed with errors"]}
I just tested forwarder version 9.1.1 on Windows with outputs.conf [tcpout] sslVerifyServerCert = true, and key usage is checked:

11-09-2024 20:57:30.517 -0500 ERROR X509Verify [85708 TcpOutEloop] - Server X509 certificate (CN=splunk.example.com,O=Example,L=Washington,ST=District of Columbia,C=US) failed validation; error=26, reason="unsupported certificate purpose"

Edit: I tested in 9.0.3, and key usage is verified there as well. splunkd, splunkweb, and mongod on Splunk Enterprise 9.3.0 do happily load and use the certificate, though. My last conversation with Splunk on the topic was circa 8.2. I haven't had cause to test this specifically since then. Good to see!
Splunk Enterprise Security (ES) is Splunk's SIEM product. "Splunk SIEM" is another term for Splunk ES. You may be able to get the software via Splunk's Product & Training Donation program.