About gjanders

gjanders · ‎09-17-2016

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup. This is how I achieved the CIM compliance for the SQL server audit logs that were read in via the database using the DB Connect application for Splunk. Please see the answer for the solution information, hopefully this will be available in a future version of the application.

gjanders · ‎09-16-2016

props.conf [DB2:audit] EVAL-instance_name = replace(source, "/[^-]+-([^.]+).log$", "\1") EVAL-status = if(category=="SECMAINT",if(eventstatus==0,"success","failure"),null()) FIELDALIAS-DB2:audit_aliases = eventstatus AS result_id grantee AS object granteetype AS object_category host AS dest EXTRACT-db2src = (?ms)applicationid=(?P.*?)(.[^.]+){2}; EVAL-user = coalesce(grantor,userid) EVAL-action = if(category=="VALIDATE",if(eventstatus==0,"success","failure"),null()) eventtypes.conf [db2_audit_change] search = sourcetype=DB2:audit category=SECMAINT [db2_audit_auth] search = sourcetype=DB2:audit category=VALIDATE tags.conf [eventtype=db2_audit_change] change = enabled [eventtype=db2_audit_auth] authentication = enabled You may need to change this depending on your exact requirements but hopefully it helps someone...

gjanders · ‎09-16-2016

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup. This is how I achieved the CIM compliance for the DB2 audit logs that are dumped to the filesystem by the DBA (not read in via the DB Connect application). Please see the answer for the solution information.

gjanders · ‎09-15-2016

This is the props.conf I used to achieve CIM compliance. props.conf [mainframe:audit] FIELDALIAS-mainframe = category AS user whatDESC AS status onWhatDSNAME AS file_name fromWhereCONSOLE AS user EVAL-command = coalesce(whatRACFCMD, whatACTION) EVAL-object = coalesce(onWhatRACFCMD_NAME, whoNAME) EVAL-object_id = coalesce(onWhatRACFCMD_USER, whoUSERID) EVAL-user = coalesce(whoUSERID,fromWhereCONSOLE,category) EXTRACT-result = Alert: (?P<result>.*)$ EXTRACT-audit_code = ^[^[]+ (?P<audit_code>[^ ]+) \[ EVAL-change_type = if(isnull(onWhatDSNAME),"AAA","filesystem") EVAL-dest = coalesce(onWhatRACFCMD-USER,whereSYSTEM) eventtypes.conf [mainframe_audit_acct] search = sourcetype=mainframe:audit object=* NOT onWhatDSNAME=* [mainframe_audit_filesys] search = sourcetype=mainframe:audit onWhatDSNAME=* tags.conf [eventtype=mainframe_audit_acct] change = enabled account = enabled [eventtype=mainframe_audit_filesys] change = enabled endpoint = enabled You may need to change this depending on your exact requirements but hopefully it helps someone...

gjanders · ‎09-15-2016

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup. This is how I achieved the CIM compliance for the z/OS mainframe audit logs sent via syslog (UDP traffic), hopefully someone will find this useful as CIM tagging data can be quite time consuming! Please see the answer for the solution information.

gjanders · ‎09-08-2016

|rest servicesNS/-/-/data/models Works as expected! This is the solution provided by splunk support... I have also sent this information into the author of the firebrigade app so it can be updated as well.

gjanders · ‎09-08-2016

The issue for my site is sorted, the only issue was some code in the application that had identified my server as a search head cluster when it was not clustered... Once I removed the invalid code, the application works as expected.

gjanders · ‎09-01-2016

After reading about %z on these pages and http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configuretimestamprecognition , I found the python 3 documentation https://docs.python.org/3/library/datetime.html has this explanation: " %z UTC offset in the form +HHMM or -HHMM (empty string if the object is naive). (empty), +0000, -0400, +1030 (6) %Z Time zone name (empty string if the object is naive). (empty), UTC, EST, CST " The documentation has been prompt updated to reflect this information correctly! Furthermore, the preview functionality mentioned is now part of the "add data"/data upload option in Splunk...

gjanders · ‎08-21-2016

I'm using max_fd = 1000 You can tune based on your environments requirements...

gjanders · ‎08-19-2016

Please note that using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work...

gjanders · ‎08-18-2016

Network connections also count as file descriptors at the Unix OS level so your ulimit's won't exactly line up with the max_fd within the limits.conf file. During previous support cases Splunk has advised there is no harm in raising the limit, we have the limit set to 1000 on many forwarders without an issue, our OS level limits for the universal forwarder is generally 8192 file descriptors. 8192 is the recommended minimum for an enterprise installation, we apply this setting to universal forwarders. FYI we found turning on SSL drastically increased the OS level file descriptor usage by universal forwarders. http://docs.splunk.com/Documentation/Splunk/6.4.2/Installation/Systemrequirements#Considerations_regarding_file_descriptor_limits_.28FDs.29_on_.2Anix_systems

gjanders · ‎08-14-2016

I had a quick look and the data model Threat Activity is based on the index: index=threat_activity You also mention threat_intelligence in your original post, are you working on the threat acitivty or threat intelligence ? FInally, something inside ES is populating the threat_activity index, so unless you also update that to populate the data for status into the threat_activity index, the data model will not be updated... I haven't found how that works...

gjanders · ‎08-13-2016

Furthermore, keep in mind that accelerated data models by default will store data in the default index location as per: Accelerate Data Models This can be customized but in version 8.0 the splunk_summaries volume does not have a set maximum as per the indexes.conf.spec "maxVolumeDataSizeMB = , * Optional" On my test server on 8.0.0 it was not specified at all. This will not count towards your custom-made volume unless you customise the tstatsHomePath for each index with an accelerated data model...

gjanders · ‎08-13-2016

If you run ulimit -n (or just run ulimit -a) as the user who you run Splunk as (normally the username Splunk) has the number of files hit an acceptable limit? If not then login/logout of the server or confirm your limits.conf has been set correctly for the user running Splunk (some of the mentioned settings appear to be for the root user). For a heavy forwarder, I would consider 8192 or above to be a minimum number of file descriptors on Linux, I have the indexers set much higher.

gjanders · ‎08-11-2016

Currently the query you use is: | rest /services/data/models | search acceleration=1 | fields title, eai:acl.app | eval app_model_name='eai:acl.app' . " / " . title | eval dm_full_name="DM_" . 'eai:acl.app' . "_" . title On my Splunk 6.4.0 instance that gets no results, in fact : | rest /services/data/models Shows me 12 data models, all within the search application (I am running from the fire brigade application FYI). However, if you do: |rest servicesNS/-/-/data/models | search acceleration=1 | fields title, eai:acl.app | eval app_model_name='eai:acl.app' . " / " . title | eval dm_full_name="DM_" . 'eai:acl.app' . "_" . title I get the expected result, a number of data models which are accelerated, including those provided by the nmon application. The query: |rest servicesNS/-/-/data/models Was provided by Splunk support while during investigating why the REST query would not return all the data models as expected. Can you update the application please? Also if you find this useful please vote... Thanks

gjanders · ‎08-10-2016

Have you turned on indexer acknowledgement on the data input for the HTTP event collector? I found the docker driver only works with indexer acknowledgement turned off, otherwise it silently fails...

gjanders · ‎07-31-2016

Here's the solution we obtained from symantec: Add this line on the conf.properties : scm.extlog.deli=, Run the Management Server Configuration Wizard Go to the Manager Folder > Bin > Run sca.bat Note that the wizard was run with no configuraiton changes in there, and after this the null disappeared. Furthermore I've submitted a case to correct an invalid regex in the symantec application that was causing the fields to not be extracted on some files from the symantec server (after having the null removed).

gjanders · ‎07-28-2016

So far I have found issues where debug logging did not work on my instance, and the application appeared to be looking for a search head captain. Since my search head / heavy forwarder was non-clustered this would never work, I have temporarily removed that code and I am past this error and still discussing the issues with Splunk support.

gjanders · ‎07-28-2016

I actually used the exact same solution yesterday and I've just found your post today. I've submitted a case to Splunk to ensure this gets fixed in a future version.

gjanders · ‎07-26-2016

It is an open support ticket with splunk support now. Interestingly, if you use the REST API it does work the way you would expect: curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/nmon/data/models Assuming you query in the context of the app. Does return a completely different list compared to what I see in the GUI by running: | rest /services/data/models Note that the above was run inside the nmon application in the GUI and I did not see the same results. I will update this if I do get a solution.

gjanders · ‎07-21-2016

I assume you solved: 01-27-2015 14:12:44.726 -0500 ERROR ArchiveContext - From archive='/opt/splunkforwarder/etc/apps/TA-nmon/var/nmon_repository/bhcx27_150127_1357.nmon': python: A file or directory in the path name does not exist. But for anyone else who hits the issue, this will happen if python is not installed (as is typical on AIX servers), the props.conf of the nmon application can be overridden to use the perl interpreter: [source::.../*.nmon] unarchive_cmd = $SPLUNK_HOME/etc/apps/TA-nmon/bin/nmon2csv.pl # To manage repositories archives of cold nmon files (add you own for other compressed formats) [source::.../*.nmon.gz] unarchive_cmd = gunzip | $SPLUNK_HOME/etc/apps/nmon/bin/nmon2csv.pl The above normally defaults to python. The official documentation for the nmon app is here: http://nmonsplunk.wikidot.com/ The application itself lives here: https://splunkbase.splunk.com/app/1753

gjanders · ‎07-19-2016

Ticket logged on this one, it might be a bug in 6.4.0

gjanders · ‎07-19-2016

From what I can see their is no possible answer to your question, I would ask why you need to measure sourcetypes inside an index. Is that for billing purposes? And if so why not just separate the required sourcetypes into different indexes? You could approximate the number by counting the number of events by sourcetype inside an index and estimating the % size usage inside an index but I don't think you can obtain exact numbers. You can obtain exact numbers for incoming data and then check the compression ratio and approximate that way...

gjanders · ‎07-15-2016

Did you resolve this ? From what I can see the command only works for data stores that have global permissions on them, if they are application level or private the REST API does not expose them...

gjanders · ‎07-15-2016

I assume it is a cross platform difference of some kind, but the zip file for FireBrigade always includes a PaxHeader directory. Since I have a search head cluster I unzip the file onto the deployer and if I forgot to delete the PaxHeader directories inside the zip file I end up restarting the search head cluster. Any idea why they are in there ? This is a great application by the way. Thanks

Posts	1268
Solutions	134
Karma Given	106
Karma Received	392
Member Since	‎04-14-2018

Online Status	Offline
Date Last Visited	‎11-07-2025 07:47 PM

Splunk Indexers — ext4 vs XFS filesystem performan...

DECRYPT version 2.3.0 not working with python 3

DECRYPT version 2.2 - why is local=true in command...

Lookup editor - Splunk 8 - Uncaught TypeError - st...

Web Tools Add on (TA-webtools): Curl command sends...

Splunk sendemail no longer works without search re...

Lookup editor - application labels with parenthese...

Splunk systemd unit file in versions 7.2.2 and new...

Web Tools Add on (TA-webtools) curl command throws...

Smart PDF exporter for Splunk - emailed export not...

How do I CIM tag SQL server audit logs read by the...

Re: How do I CIM tag DB2 audit logs that are dumpe...

How do I CIM tag DB2 audit logs that are dumped on...

Re: How do I CIM tag mainframe Z/OS audit logs sen...

How do I CIM tag mainframe Z/OS audit logs sent in...

Re: How can I programmatically monitor data model ...

Re: Splunk Add-on for Microsoft Cloud Services: "C...

Re: Time zone in TIME_FORMAT

Re: Getting TailReader - File descriptor cache is ...

Re: Using a Scheduled Saved Search as a base searc...

Re: Getting TailReader - File descriptor cache is ...

Re: Splunk App for Enterprise Security: How to edi...

Re: MIsmatch between df and Splunk size of volume

Re: Getting TailReader - File descriptor cache is ...

Suggestion for data model acceleration page summar...

Re: I have the Docker Splunk driver running, but w...

Re: Has anyone seen the word 'null' in SEP logs ra...

Re: Splunk Add-on for Microsoft Cloud Services: "C...

Re: Splunk Add-on for Microsoft SQL Server: The lo...

Re: How can I programmatically monitor data model ...

Re: Splunk App for Unix and Linux: How to check sp...

Re: How can I programmatically monitor data model ...

Re: How to report Detailed Disk usage in a distrib...

Re: How can I programmatically monitor data model ...

Why does the zip file for FireBrigade include the ...

Join the Conversation