Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About gpullis
gpullis
Communicator
Member since:
10-13-2010
01-29-2025
Community Statistics
| Posts | 57 |
| Solutions | 5 |
| Karma Given | 55 |
| Karma Received | 37 |
| Member Since | 10-13-2010 |
Activity Feed
- Posted Re: How do I match Licence Hash to Licence GUID? on All Apps and Add-ons. 01-29-2025 01:23 PM
- Posted Re: How to monitor process scheduler jobs in peoplesoft using splunk? on Getting Data In. 10-17-2024 11:03 AM
- Karma New Release | Splunk Enterprise 9.3 for kwheeler. 09-24-2024 09:08 AM
- Karma Re: Splunk Get Earliest Data by Index and Sourcetype for nickhills. 06-05-2024 08:16 AM
- Got Karma for Re: Timeline - Custom Visualization: Can full date time DD/MM/YY HH:MM tooltip options be added?. 05-08-2023 10:05 PM
- Got Karma for Re: Converting Duration Field value to seconds. 02-28-2023 06:16 AM
- Got Karma for Re: Converting Duration Field value to seconds. 12-14-2021 09:29 AM
- Got Karma for Re: Converting Duration Field value to seconds. 12-08-2021 05:50 AM
- Got Karma for Re: Converting Duration Field value to seconds. 07-13-2021 05:17 PM
- Karma Re: After Updating the Add-on for Windows receive error "Could not load lookup=LOOKUP-app4_for_windows_security" for napomokoetle. 06-05-2020 12:50 AM
- Karma Why the error after updating the Add-on for Windows "Could not load lookup=LOOKUP-app4_for_windows_security"? for wcates. 06-05-2020 12:50 AM
- Karma Re: can I combine values from multiple field extractions into a single table field for woodcock. 06-05-2020 12:50 AM
- Karma Re: Splunk 7.2.0 - Field Aliases incorrect behavior for deangoris. 06-05-2020 12:50 AM
- Karma Splunk 7.2.0 - Field Aliases incorrect behavior for shayhibah. 06-05-2020 12:50 AM
- Karma How do I migrate data from a single install (search head + indexer) to a search head + X indexers? for robertlynch2020. 06-05-2020 12:50 AM
- Got Karma for Re: How do I migrate data from a single install (search head + indexer) to a search head + X indexers?. 06-05-2020 12:50 AM
- Got Karma for Re: How do I migrate data from a single install (search head + indexer) to a search head + X indexers?. 06-05-2020 12:50 AM
- Karma Re: Error 'Could not find all of the specified lookup fields in the lookup table.' for worshamn. 06-05-2020 12:49 AM
- Karma Error 'Could not find all of the specified lookup fields in the lookup table.' for LeandroKopke. 06-05-2020 12:49 AM
- Karma Windows IIS logs not formatting correctly / hostname problem for joesrepsol. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
01-19-2012
02:50 PM
For the one that works, my guess is that you just got lucky as it had a 50/50 chance of picking the one you wanted. It's probably too late for this, but it may have behooved you to have your private and public IPs on separate subnets.
... View more
01-19-2012
02:44 PM
So, your "private" and "public" IP addresses are on the same subnet? In that case, you'll need to add a static route that points to your Splunk server and specifies which interface to use:
Do a
netsh interface ip show interface
to get your interface indexes (Idx column). Then, do a:
netsh interface ip add route 1.2.3.4/32 interface=1 nexthop=142.16.7.1
Where 1.2.3.4 is the IP address of your Splunk deployment server, 1 is the interface index you got from the show interface command, and 142.16.7.1 is the gateway for the 142.16.7.0/24 subnet. Modify appropriately with your real world values.
You'll probably want to set up a static route to point to your indexer too.
You can to a netsh interface ip add route /? to get help for the command.
... View more
08-09-2011
09:45 AM
Looking closer, I noticed that it was really just one of my Windows servers that was still showing Kerberos events, and that server was still running Splunk 4.1. I upgraded the forwarder to a Universal Forwarder (v 4.2.2) and now I'm not seeing the forwarder events.
This was previously answered here: Filter Windows Events On Indexer from a Universal Forwarder
... View more
08-09-2011
09:14 AM
Here's an example event:
08/09/11 12:09:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=XXXX.YYYY.ZZZZ
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=166028364
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: XXXX$
Supplied Realm Name: YYYY.ZZZZ
User ID: S-1-5-21-9999999999-9999999999-9999999999-9999
Service Information:
Service Name: krbtgt
Service ID: S-1-5-21-9999999999-9999999999-9999999999-999
Network Information:
Client Address: ::ffff:999.999.999.999
Client Port: 13340
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
... View more
08-09-2011
09:06 AM
I checked by doing a
source=WinEventLog:Security TaskCategory=Kerberos* | eval raw=_raw | table raw
And fields are definitely delimited by =
... View more
08-06-2011
05:53 PM
1 Karma
Actually, the default behavior appears to be to look for a date in the filename if it can't find a date in the event.
... View more
08-05-2011
09:38 AM
I want to filter out Windows security events whose TaskCategory begins with "Kerberos".
props.conf
[source::WinEventLog:Security]
TRANSFORMS-Drop_TaskCategory = Drop_Kerberos, Drop_FilteringPlatform
transforms.conf
[Drop_FilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\sPlatform
DEST_KEY=queue
FORMAT=nullQueue
[Drop_Kerberos]
REGEX=(?msi)^TaskCategory=Kerberos
DEST_KEY=queue
FORMAT=nullQueue
The Filtering Platform... events are filtered out but the Kerberos... events are not.
Anyone with Windows 2008 servers can get plenty of examples from the Splunk query:
TaskCategory="Filtering Platform*" OR TaskCategory="Kerberos*"
... View more
08-05-2011
09:30 AM
Not surprisingly, this one had been answered before, and I just didn't find it before asking. The answer is here: What Windows Event Codes are generally acceptable to filter out
... View more
08-05-2011
08:19 AM
Like most of us with Windows servers, I'm fighting with keeping my license usage down in the face of Windows Server 2008 Security event logs.
I'm pretty sure the correct answer is, "every environment is different", but I'm wondering if any of you wanted to share your advice on what events you feel are sufficiently silly that they can be shoved into the nullQueue?
... View more
07-26-2011
06:54 AM
Thanks, but what I'd like to do is use the timestamp from the log entry plus the modification date of the file to form the timestamp for the event. Is there a way to do that?
... View more
07-25-2011
01:10 PM
1 Karma
I have a sourcetype where Splunk is correctly getting the time stamp from the events, but the events don't contain a date.
Unfortunately the logs are named like:
rkj050508_d0373452.broomecounty.us.tracesql
Where 050508 is part of a username, and not a date. But, sure enough, Splunk thinks the events are from 2008-05-05.
Is there a way to get the date from index-time, but get the time from the timestamp?
... View more
06-01-2011
07:27 PM
Here's another thing, isn't my sourcetype override happening at index time and my field extractions happening at search time?
... View more
06-01-2011
07:13 PM
I tried putting REPORT-bsf = bsf_scan, bsf_send, bsf_recv in my [source::udp:514] , but unfortunately I still didn't get my field extractions.
... View more
06-01-2011
06:50 PM
My concern would be that my REPORT and KV_MODE keywords would affect all of my syslog stuff.
Maybe this is another example of why one shouldn't pump syslog directly into Splunk? 😕
... View more
06-01-2011
06:37 PM
Your method makes sense, but my implementation has some suck in it. I've posted my failing as a separate question
here.
I like mw's idea of using the EXTRACT keyword, but I'm failing in the same way when I try to implement it.
... View more
06-01-2011
06:15 PM
My sourcetype override is working, but my field extractions are not.
props.conf
[source::udp:514]
TRANSFORMS-changesourcetype = set_sourcetype_barracuda_sf
[barracuda_sf]
KV_MODE=none
REPORT-bsf = bsf_scan, bsf_send, bsf_recv
transforms.conf
[set_sourcetype_barracuda_sf]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(10.1.5.49|10.1.5.50)[\w\.\-]*\]?\s
FORMAT = sourcetype::barracuda_sf
DEST_KEY = MetaData:Sourcetype
[bsf_scan]
REGEX = (?:[^\s\n]*\s){5}([\w/]*)\[(\d*)\]:\s(.*\]|127.0.0.1)\s([\w\d-]*)\s(\d*)\s(\d*)\s(SCAN)\s(.*)
FORMAT = barracuda_process::$2 barracuda_pid::$3 client_ip::$4 message_id::$5 start_time::$6 end_time::$7 service::$8 info::$9
[bsf_send]
REGEX = (?:[^\s\n]*\s){5}([\w/]*)\[(\d*)\]:\s(.*\]|127.0.0.1)\s([\w\d-]*)\s(\d*)\s(\d*)\s(SCAN)\s(.*)
FORMAT = barracuda_process::$2 barracuda_pid::$3 client_ip::$4 message_id::$5 start_time::$6 end_time::$7 service::$8 info::$9
[bsf_recv]
REGEX = (?:[^\s\n]*\s){5}([\w/]*)\[(\d*)\]:\s(.*\]|127.0.0.1)\s([\w\d-]*)\s(\d*)\s(\d*)\s(SEND)\s(.*)
FORMAT = barracuda_process::$2 barracuda_pid::$3 client_ip::$4 message_id::$5 start_time::$6 end_time::$7 service::$8 info::$9
... View more
06-01-2011
03:58 PM
I'm trying to extract fields for a Barracuda Spam Firewall. For those deeply interested, they've politely documented their syslog output here.
I've gotten as far as the following regex:
(?:[^\s\n]*\s){5}(?<barracuda_process>[\w/]*)\[(?<barracuda_pid>\d*)\]:\s(?<client_ip>.*\]|127.0.0.1)\s(?<message_id>[\w\d-]*)\s(?<start_time>\d*)\s(?<end_time>\d*)\s(?<service>RECV|SCAN|SEND)\s(?<info>.*)
The problem is that my info field should really be multiple fields based on the value of the service field.
For example, if service="SCAN", the subsequent fields should be:
Encrypted Sender Recipient Score Action Reason ReasonExtra "SUBJ:"Subject
While, if service="SEND", the subsequent fields should be:
Encrypted Action QueueID Response
What's the best way to get these fields extracted?
Thanks, all 'yall!
... View more
05-31-2011
08:00 AM
Another option would be to have your ESXi hosts send to Splunk directly. See VMware KB article Enabling syslog on ESXi
... View more
05-31-2011
07:56 AM
I'm no rsyslog expert, but I've been doing some reading and it looks like, by default, rsyslog ignores incomming timestamps and substitutes its own. This makes me think that either you have a timezone issue on the server running rsyslog or that maybe you want to set the appropriate "...IgnoreMsgTimestamp" directive in rsyslog to off for the socket being used to accept the incomming ESXi logs.
... View more
05-31-2011
07:13 AM
Could it be that the first timestamp is put in by rsyslogd and the second timestamp (the one after "Vpxa: [" is the real timestamp from ESXi?
In that case, you could use
TIME_PREFIX = Vpxa:
TZ = UTC
In your props.conf. This will tell it to skip anything that comes before the text, "Vpxa:", thus skipping the first timestamp and using the second one.
The second timestamp is cooler anyway, as it has subsecond resolution. 🙂
NOTE: in this case, you wouldn't need the MAX_TIMESTAMP_LOOKAHEAD parameter.
FYI, The docs for timestamp recognition are here.
... View more
05-31-2011
07:00 AM
From props.conf:
TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
* If TZ is set to a valid timezone string, use that.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.
Because your events are saying they're UTC+2 (note the +02:00 on your timestamp), the timestamp in the event is taking precedence over your TZ setting.
Per VMware KB article 1436, ESXi is always in UTC, so my guess is that either rsyslog is adding the timestamp, or maybe you're using the full ESX instead of ESXi. If you're using ESX, the KB article above will show you how to fix your timezone.
Although fixing your timezone in your source is the preferred fix, you could also try adding
MAX_TIMESTAMP_LOOKAHEAD = 19
To your props.conf so timestamp extraction ignores the timestamp in the event. This is a hack though. Fixing the timestamp on the incomming events is a better deal.
... View more
05-27-2011
06:08 AM
Maybe try msg.exe like in this answer?
... View more
05-27-2011
06:00 AM
Here's my guess on why the splunkd service couldn't pop a window... Think of two administrators logged into RDP sessions. When admin A runs your popup script, you wouldn't expect Admin B to see the window because they're in different sessions. Same idea with the splunkd service. It's in a different session. Plus, I think that services are normally "non-interactive". That is, they're specifically disallowed from manipulating the local GUI. That's why things like SQL Server need those little helpers running in your system tray. So something exists that the service can interact with.
... View more
Does test2.bat work when run manually?
Have you considered writing something that instantiates Microsoft's MSG command instead of having Python create a dialog directly? That way, you should be able to get the message to pop-up on a system other than the one generating the alert.
... View more
05-26-2011
11:15 AM
Sorry, it was a typo on my part. The subsearch (the part in the square brackets) needs to start with the search command. I fixed the query above. I'm pretty sure Araitz's approach is more efficient. I was just trying to illustrate a different approach.
Unfortunately, I've been indexing Windows DHCP events since before Araitz wrote his app, so my field names are guesses based on Araitz's comment. Hopefully I got them right. 🙂
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-29-2025
04:52 PM
|
