I can not correctly post the sample <ReportItem> <port>www (443/tcp)</port><severity>2</severity> <pluginID>51192</pluginID> <pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName> <data>Synopsis :\n\nThe SSL certificate for this service is signed by an unknown\ncertificate authority.\n\nDescription :\n\nThe X.509 certificate of the remote host is not signed by a known\npublic certificate authority. If the remote host is a public host in\nproduction, this nullifies the use of SSL as anyone could establish a\nman in the middle attack against the remote host.\n\nSolution :\n \nPurchase or generate a proper certificate for this service.\n\nRisk factor :\n\nMedium / CVSS Base Score : 6.4\n(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n\nPlugin output :\n*** ERROR: Unknown root CA in the chain:\nCountry: US\nCommon Name: 192.168.125.253\n\n\n\nCertificate chain:\n|-Country: US\n|-Common Name: 192.168.125.253\n|\n\n\n</data></ReportItem> <ReportItem> <port>www (443/tcp)</port><severity>2</severity> <pluginID>26928</pluginID> <pluginName>SSL Weak Cipher Suites Supported</pluginName> <data>Synopsis :\n\nThe remote service supports the use of weak SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer either weak\nencryption or no encryption at all.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSee also :\n\nhttp://www.openssl.org/docs/apps/ciphers.html\n\nSolution :\n\nReconfigure the affected application if possible to avoid use of weak\nciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin output :\nHere is the list of weak SSL ciphers supported by the remote server :\n\n Low Strength Ciphers (&lt; 56-bit key)\n SSLv3\n EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export \n EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export \n TLSv1\n EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-RC2-CBC-MD5 Kx=RSA(512) Enc=DES(40) Mac=SHA1 export \n EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export \n EXP-RC2-CBC-MD5 Kx=RSA(512) ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n\n\nOther references : CWE:327,CWE:326,CWE:753,CWE:803,CWE:720\n</data></ReportItem> <ReportItem> <port>www (443/tcp)</port><severity>2</severity> <pluginID>42873</pluginID> <pluginName>SSL Medium Strength Cipher Suites Supported</pluginName> <data>Synopsis :\n\nThe remote service supports the use of medium strength SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer medium\nstrength encryption, which we currently regard as those with key \nlengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSolution :\n \nReconfigure the affected application if possible to avoid use of\nmedium strength ciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin output :\nHere is the list of medium strength SSL ciphers supported by the remote server :\n\n Medium Strength Ciphers (&gt;= 56-bit and &lt; 112-bit key)\n SSLv3\n EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 \n DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 \n TLSv1\n EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 \n DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 \n\nThe fields above are :\n\n {OpenSSL ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n\n\n</data></ReportItem> ... View more

The REX test worked but the EXTRACT did not. When I took out the max_match=100 from the rex command I did not find all the matches in the events. I will post a larger sample of the event data. ... View more

Ayn, Do you think I should modify the props.conf in the universal forwarder app "/etc/deployment-apps/appName/Local" or the indexer "etc/system/local" ? ... View more

thanks Ayn, I found this post after I asked the question http://splunk-base.splunk.com/answers/6764/events-chunked-into-256-lines Thanks again ... View more

I'm sorry I was looking for one kind of answer and you gave me the right one. It was not what I expected so I thought it must be wrong. I was looking for a way to alert on the input not the monitoring. I have setup an alert like you have suggested above and this will do what I wanted. Thanks for the help I really appreciate it. ... View more

Thanks Bob, I think I know what this is can you tell me what the difference is in these two lines whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out) _whitelist=(\.log|log$|^messages|^secure|mesg$|cron$|acpid$|\.out) These are on two different systems and I am not getting the same logs from both Should I take out the " ^ " symbol? ... View more

Thanks for answering I really appreciate your participation and trying to help. I can't monitor the log inputs because some of the clients are quit for longer than a minute and I wanted to get a one minute interval to monitor availability. ... View more

Now you're just making me feel stupid Thanks ... View more

I think I'm missing something "the field name" The sanslist.csv is only a list of IP's there is no field name in the one column table. Who do I get the field name in the table or lookup. I am doing a rex piped to a table command to get the IP from a scripted downloaded file and then pipe the table to "outputlookup sanslist.csv" How do I get the field name into this? ... View more

Hi rick, you probably don't remember but I took your class at the splunk.conf user conference, Anyway I don't think we coverd this in class and Im a little lost. When I get some time I will look into the App to see if I can find the problem. Do you know if the Splunk_Monitoring app is supported by Splunk Support? If you get a change can you take a look at my other question about lookup issues Thanks Mike ... View more

Yes I will start with once a day as the operations team meets every morning to disuse direction and progress ... View more

I might have to put the results in a summary and then go back and get the count of days on the list from there or in a lookup table but I have never done that before. ... View more

Matt, Thanks for asking I use something like this to get a tale with host ahd event ID for one day "source="WinEventLog:*" Type="Error" | top host event_id | Table host event_id count" ... View more

OH Ya this is good stuff. I like it but it is not realy what I'm lloking for here. I will be sure to keep this jem for later. Thanks much this is a great peace of code. ... View more

This helps thanks ... View more

Thats a good start thanks I'll let you know if I figure it out. ... View more