Check the whole path from sender to receiver to Splunk.  Verify network connectivity at each step. Verify the syslog server is writing data to disk.  Confirm Splunk is monitoring those files and has read access to them.  Check splunkd.log to see if there are messages about the files. Check the indexer for internal log files from the forwarder.  If they are not present then you have a connectivity problem between the forwarder and indexer (at least). When searching for data, use a wide time window that includes the future (earliest=-2d latest=+2d) in case the events are not onboarded properly.
I got the same parsing issue as you using the KV_MODE parameter, but I found the cause and the solution. Tested on Splunk Enterprise 9.2.1. In props.conf, you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml

NB: you can adapt the source value to match your logs' source value.
***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***
Correlating on time alone while possible is always tricky. You never know what delay you're gonna get between these two events. And you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event or at least they both include some unique identifier so that you can unambiguously connect one with the other.
I will add - it is the same index but the 1st event is from one source type and the 2nd event from another source type (just different server logs)  
So I have an index with working alerts thanks to you guys' help. I have a question on 2 separate events at the same time.
1st Event: Invalid password provided for user : xxxxxxxx (this is in the event)
2nd Event: GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event, but what Project they tried to connect to).
How would one write it to get the username of the invalid password and correlate that with the project at the same time underneath? Example: User xxxxxx put in an invalid password for Project 1234. Thinking it is easier to get my team to write it all in 1 event for another release.
So for our graduation project, we've decided to use Splunk SIEM as our base app to build on. However, on further inspection, it turns out that Splunk Enterprise Security has a lot of features that we need. Is there any chance that Splunk would give us the chance to use it without paying?
If that is true (never tested it this way myself) that would be unexpected, since when you're using cert-based client auth it requires that the client's cert has the client authentication usage.
Hi, When sslVerifyServerCert is true, Splunk verifies the trust chain, disallows self-signed certificates, and checks validity dates.  If you have certificateStatusValidationMethod = crl, Splunk will also verify the certificate against any revocation lists you have configured. Splunk does support OCSP. The most recent common criteria evaluation covers Splunk TLS configuration quite well. See the administrative guide at https://www.niap-ccevs.org/products/11330. As I recall from my last conversation with support/development, key usages are not verified, but you should contact support to confirm.
Hi @capilarity, You can use jQuery UI's datepicker directly from dashboard JavaScript. I've included two options below, one using a text input with datepicker and the other using a time input with various hidden. The datepicker uses d-M-yy as the dateFormat value, e.g. 9-Nov-2024. The format string is documented at https://api.jqueryui.com/datepicker/#utility-formatDate. See the same page for options to modify the datepicker's appearance.

<!-- etc/apps/search/local/data/ui/views/date_picker.xml -->
<form version="1.1" theme="light" script="date_picker.js">
  <label>Date Picker</label>
  <init>
    <eval token="form.date_tok">strftime(relative_time(now(), "@d"), "%e-%b-%Y")</eval>
    <eval token="form.time_tok.earliest">relative_time(now(), "@d")</eval>
    <eval token="form.time_tok.latest">relative_time(now(), "+1d@d")</eval>
  </init>
  <fieldset submitButton="false">
    <input id="input_date" type="text" token="date_tok">
      <label>Date 1</label>
    </input>
    <input id="input_time" type="time" token="time_tok">
      <label>Date 2</label>
      <default>
        <earliest>1731128400</earliest>
        <latest>1731214800</latest>
      </default>
    </input>
  </fieldset>
  <row depends="$hidden$">
    <panel>
      <html>
        <style>
          div[data-test-panel-id="presets"],
          div[data-test-panel-id="relative"],
          div[data-test-panel-id="realTime"],
          div[data-test-panel-id="dateTime"],
          div[data-test-panel-id="advanced"] {
            display: none !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h2>Date 1: <b>$date_tok$</b></h2>
        <h2>Date 2 Earliest: <b>$time_tok.earliest$</b></h2>
        <h2>Date 2 Latest: <b>$time_tok.latest$</b></h2>
      </html>
    </panel>
  </row>
</form>

// etc/apps/search/appserver/static/date_picker.js
require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
    // Make the text input read-only so the date can only come from the picker
    $("#input_date input")
        .prop("readonly", true)
        .datepicker({
            dateFormat: "d-M-yy",
            onSelect: function(dateText, inst) {
                // Push the selected date into both the default and submitted token models
                var defaultTokens = mvc.Components.get("default");
                if (defaultTokens) {
                    console.log("Setting default token $date_tok$ to " + dateText);
                    defaultTokens.set("date_tok", dateText);
                }
                var submittedTokens = mvc.Components.get("submitted");
                if (submittedTokens) {
                    console.log("Setting submitted token $date_tok$ to " + dateText);
                    submittedTokens.set("date_tok", dateText);
                }
            }
        });
});

(I actually use the above format in my emails. Less ambiguity. In text data, I use ISO 8601. 'merica!)
In fact, product requirements for either ES or ITSI state that they must not be installed together on the same SH(C). Or at least said so about two years ago when I last checked but I wouldn't expect it to change.
Your answers are again a bit confusing. You say that "indexers have been migrated yet". Does it mean they have been already or they haven't been yet? Anyway, your general plan looks pretty decent. It's always the details, like making sure you have proper network connectivity - SH->idx, SH->LM, probably also MC->SH. If you install new machines with new names and new IPs and you have either IP-based access rules or allowed SANs, you might have problems. I've even seen situations when TLS connections wouldn't be allowed because a perimeter IPS was forbidding connections with local CA-issued certs. So prepare to at least do a trial launch for test users to verify that everything's working properly before going to prod.
Hi @richgalloway, yes, we have a dedicated syslog-ng server and a UF in place to forward it to the indexer. But we are not receiving logs. How can I troubleshoot this issue, to check whether the issue is from the Splunk end or the requestor end?
Yes, other apps can be installed with ES to help improve your security monitoring abilities.  A common one is Splunk Security Essentials, but there are many others.  Go to apps.splunk.com to see what is available and choose those that support the products you need to monitor. Use caution when installing apps on your ES SH because ES uses a lot of resources.  Apps that don't contribute directly to your ES use cases should be installed on a separate SH. ITSI is not a security product and should be installed on its own SH.
@splunklearner wrote: "I am unable to receive those syslog in forwarder or indexer."
Why not? What errors do you see? Sending syslog directly to a Splunk process is not good practice. Syslog events should be sent to a dedicated syslog server (like rsyslog or syslog-ng) and saved to disk. Then have a Splunk Universal Forwarder monitor those disk files.
@mattymo Do the answers to your questions affect the logic of your previous suggestions? If possible, could you please clarify?
I would probably:
- back up the apps and kvstore if needed
- build the new SH/SHC in the cloud
- restore configs
- cut over DNS or point users in a uniform fashion to the new SH during a maintenance window
- shut down the old SH.
As I said, if you can't configure your input so that it assigns _time automatically, you're limited to using INGEST_EVAL to find the timestamp within your event and then strptime it.
LTM, as far as I know, is not something you can "install on a syslog server". About LTM you have to talk with your F5 specialist. Syslog ingestion can be a relatively complicated thing. While for lab usage or some very small deployment you probably could get away with receiving events directly on TCP or UDP inputs on your UF, it's not recommended for production use. You should use an external syslog receiver which either writes to files from which you pick up the events with monitor inputs, or which sends the events to a HEC input on your HF or indexer. Load balancing syslog traffic is usually not a good idea. It's often better to just install a good syslog receiver as close to the source as possible.
@PickleRick Thanks for your wonderful suggestion in the shared doc link. However, the timestamp specification setting is only available in "Batch type" and not available in "Rising Column type". Is there any other suggestion or idea to apply this with rising column type also, to avoid duplicate ingestion of events?
Hi guys, syslog is sent to the forwarder IP through TCP port 9523. I am unable to receive those syslog in the forwarder or indexer. How to check whether syslog is received in the forwarder? How to receive those syslog in the indexer? Getting those logs from a network device.
Hello ES Splunker, I want to know if any applications can be installed to enhance the security posture alongside Enterprise Security. Is the ITSI app added value for the security posture?