Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About mfrost8
mfrost8
Builder
Member since:
04-05-2010
06-05-2020
Community Statistics
| Posts | 227 |
| Solutions | 11 |
| Karma Given | 59 |
| Karma Received | 87 |
| Member Since | 04-05-2010 |
Activity Feed
- Got Karma for Re: My Splunk userid doesn't work with Add-On Builder validation site "Login to the App Certification service failed". 04-19-2021 01:46 AM
- Karma Re: What is the basic difference between the lookup, inputlook and outputlookup commands for acharlieh. 06-05-2020 12:48 AM
- Karma Re: Where and how do I add the multisite attribute for a search head? for aholzer. 06-05-2020 12:48 AM
- Karma How can I remove the error "Unable to initialize modular input "jmx" defined inside the app "SPLUNK4JMX"" received on our search heads? for michael_sleep. 06-05-2020 12:48 AM
- Karma Re: How can I remove the error "Unable to initialize modular input "jmx" defined inside the app "SPLUNK4JMX"" received on our search heads? for lycollicott. 06-05-2020 12:48 AM
- Karma Re: Accessing apps in 6.4.x results in "Error connecting: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed" for jbarlow_splunk. 06-05-2020 12:48 AM
- Karma Re: Why am I getting "Invalid key in stanza [lookup:cam_category_lookup] in E:\Splunk\etc\apps\Splunk_SA_CIM\default\managed_configurations.conf, line 34: expose (value: 1)" for rpille_splunk. 06-05-2020 12:48 AM
- Karma What is the basic difference between the lookup, inputlook and outputlookup commands for janiceb. 06-05-2020 12:48 AM
- Got Karma for Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Why am I unable to add hosts with more than one Splunk instance to the Distributed Management Console?. 06-05-2020 12:48 AM
- Got Karma for Struggling with inputs.conf and conflicting rules. 06-05-2020 12:48 AM
- Got Karma for Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the sendemail command fail and display "('system library', 'fopen', 'No such file or directory')" error?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-27-2011
06:54 AM
On the version we're running, 4.2.3, those events have a field at the end that looks like:
Context="source::SOURCE|host::HOST|SOURCETYPE|remoteport::PORT"
I didn't see what version of Splunk you're using, but perhaps this is something that was added to the latest versions of Splunk?
... View more
09-27-2011
01:42 PM
Perhaps things have changed, but last I recall, you could not create those single value widgets using simple XML, but rather had to use Advanced XML for it. I wanted to create the single-value widgets on my early Splunk dashboards and I was disappointed to find that I had to work harder to do it (i.e. learn something about advanced XML to do it).
The module that you'd use in advanced XML is the "SingleValue" module. There's also a nice "UI Examples" on Splunkbase with lots of examples on how to do things. Currently found here. The main page of that app has several single value examples and tells you how to look at the XML code they're based on.
Note that your search command is looking over the past day (i.e. last 24 hours) for results rather than the amount used today. Also, for the single value module, you're going to want to churn out a single value for it so something like
index=_internal source=*license_usage.log earliest=@d | eval MB=b/1024/1024 | stats sum(MB) by pool
should do it. The "@d" will cause the search to "snap" to the nearest day. See documentation on Splunk Time Modifiers here.
... View more
09-15-2011
12:56 PM
I should clarify. It seems to not matter whether or not I have startswith= specified (it can only apparently do harm). I would like to define it as startswith=")Entering" but no valid string works there. The results I get back, while correct, are all marked with closed_txn=0. Typical transactions appear to be combinations of 70-150 events which should, if I'm reading this correctly, be way less than the default memory and transaction limits in limits.conf of 5,000 (maxopentxn) and 100,000 (maxopenevents).
... View more
09-15-2011
12:22 PM
I've created a perfectly inverted transaction where according to Splunk nothing matches, but all evicted transactions look right. Works the same if I say startswith="foo".
Searching by essentially saying "show me all the rejects and that's my answer" here doesn't really seem right. What I have that works inversely is
index=sbr sourcetype=radius_log | transaction startswith="foo" endswith="Exiting" keepevicted=true host LogThreadID
... View more
09-15-2011
12:19 PM
I kind of backed into a semi-solution. I was originally going to go with startswith="Entering" endswith="Exiting" but I discovered that there were 2 forms of "Entering" one I wanted and one I didn't.
I thought I'd made it work with startswith="radAuthHandleRequest*Entering" endswith="Exiting" keepevicted=true. It was almost perfect. Except I discovered that it was perfectly evicting every transaction, but they were all seemingly correct. Problem is you can't regex the startswith so that effectively never matches. But if I have no startswith=, it's always wrong. So somehow (continued)
... View more
08-26-2011
11:44 AM
Thanks. I'd tried that particular endswith once before, but I think I'd paired it with something else for startswith. I've been evaluation the success of a transaction statement by using keepevicted=t and seeing if I get any closed_txn=0 results. (I don't get any closed_txn=0 results when using endswith="Packet containing".) However, what's weird is that when I look at the resulting transactions that Splunk built, some of them actually show that "Packet containing" and some of them don't which doesn't make sense to me.
I didn't show some of the many other formats contained in these events
... View more
08-25-2011
09:23 AM
1 Karma
The answer here ended up being that the info being loaded were what I believe were called "extended ACL data". That information is not recognized by any of the Cisco apps neither for field extractions nor for any dashboards. We wrote our own field extractions for the data and will eventually create some dashboards.
FYI.
... View more
08-25-2011
07:27 AM
Yes, I forgot to mention that I'd tried using various combinations of the "Exiting" and "Entering" lines to break the transaction on (startswith and/or endswith). It seemed to work in many cases, but not all. Ultimately, I'm thinking this data just might not break well into transactions and I was wondering if my strategy here of using 'transaction' might not be the right strategy.
... View more
08-23-2011
03:29 PM
Anything in your splunkd.log file that might indicate the source of a problem?
Does the logging seem to happen for a particular length of time or a certain amount of data before out to lunch (i.e. every 7 days or every 1GB of data)?
... View more
08-23-2011
02:15 PM
2 Karma
I'm trying to work with data from Juniper's Steel-Belted Radius servers and am struggling with it. I'm not sure I'm approaching this properly, but would like to generate reports on successful authentications, failed authentications, types of users attempting these types of authentications, etc. Also to exclude some event "chunks" where the authentication is really something done by a load balancer to check if the node is alive rather than a real person.
The approach I assumed was the right one was to try to use the "transaction" command to build transactions, then pare off each authentication attempt's info and filter from there. Aside from dealing with the slowness of the transaction command (there's lots of events), I'm finding that I cannot get Splunk to correctly identify a transaction.
Here's a sample of what an actual transaction might look like with elements randomized for safety. Note that A lot of the stuff in the middle could vary depending on the authentication type, but I'm trying to focus on this one common case first.
08/23/2011 16:01:58 (74c)-----------------------------------------------------------
08/23/2011 16:01:58 (74c)Authentication Request
08/23/2011 16:01:58 (74c)Received from: ip=1.2.3.4 port=12345
08/23/2011 16:01:58 (74c)
08/23/2011 16:01:58 (74c)Raw Packet :
08/23/2011 16:01:58 (74c)000: 0136004b 1f9da8d9 7ad4b701 8bf22849 |.6.K....z.....(I|
08/23/2011 16:01:58 (74c)010: 6a7d6e13 010d6466 776c627a 2d757365 |j}n...sanlbz-use|
08/23/2011 16:01:58 (74c)020: 720212dc 3af804d2 f1ac1f8f 90bfab2d |r...:..........-|
08/23/2011 16:01:58 (74c)030: f4b9f604 06c02e23 2b201264 66776c62 |.......#+ .sanlb|
08/23/2011 16:01:58 (74c)040: 31612e70 6273672e 707674 |1a.sal.pvt |
08/23/2011 16:01:58 (74c)
08/23/2011 16:01:58 (74c)-----------------------------------------------------------
08/23/2011 16:01:58 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3022 (92c)Entering
08/23/2011 16:01:58 (92c)Looking up shared secret
08/23/2011 16:01:58 (92c)Looking for RAS client 1.2.3.4 in DB
08/23/2011 16:01:58 (92c)Matched 1.2.3.4 to RAS client SANLBZ1C
08/23/2011 16:01:58 (92c)Parsing request
08/23/2011 16:01:58 (92c)Initializing cache entry
08/23/2011 16:01:58 (92c)Doing inventory check on request
08/23/2011 16:01:58 (92c)Getting info on requesting client
08/23/2011 16:01:58 (92c)NAS-IP-Address in request: 2.3.4.5
08/23/2011 16:01:58 (92c)Looking for RAS client 2.3.4.5 in DB
08/23/2011 16:01:58 (92c)NAS-ID in request: "sanlb1a.sal.pvt"
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)Authentication Request
08/23/2011 16:01:58 (92c)Received From: ip=1.2.3.4 port=12345
08/23/2011 16:01:58 (92c)Packet : Code = 0x1 ID = 0x36
08/23/2011 16:01:58 (92c)Client Name = SANLB1A.SAL.PVT Dictionary Name = Radius.dct
08/23/2011 16:01:58 (92c)Vector =
08/23/2011 16:01:58 (92c)000: 1f9da8d9 7ad4b701 8bf22849 6a7d6e13 |....z.....(Ij}n.|
08/23/2011 16:01:58 (92c)Parsed Packet =
08/23/2011 16:01:58 (92c)User-Name : String Value = sanlbz-user
08/23/2011 16:01:58 (92c)User-Password : Value =
08/23/2011 16:01:58 (92c)000: dc3af804 d2f1ac1f 8f90bfab 2df4b9f6 |.:..........-...|
08/23/2011 16:01:58 (92c)NAS-IP-Address : IPAddress = 2.3.4.5
08/23/2011 16:01:58 (92c)NAS-Identifier : String Value = sanlb1a.sal.pvt
08/23/2011 16:01:58 (92c)Funk-Source-IP-Address : IPAddress = 1.2.3.4
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)Determining if request is for a tunnel
08/23/2011 16:01:58 (92c)Determining if this radius should act as a proxy
08/23/2011 16:01:58 (92c)CreateRequestEx: using virtual realm RETRealm for authentication.
08/23/2011 16:01:58 (92c)Determining user class
08/23/2011 16:01:58 (92c)Authenticating user SANLBZ-USER with authentication method Native User
08/23/2011 16:01:58 (92c)Determined that SANLBZ-USER of class Native-User is the user
08/23/2011 16:01:58 (92c)Getting attribute info on requesting user
08/23/2011 16:01:58 (92c)Getting profile info for requesting user
08/23/2011 16:01:58 (92c)Merging saved attributes with user info
08/23/2011 16:01:58 (92c)Merging profile info with user info
08/23/2011 16:01:58 (92c)Comparing checklist items with user/profile items
08/23/2011 16:01:58 (92c)Appending echo values, if any
08/23/2011 16:01:58 (92c)User SANLBZ-USER being passed to attribute editing authentication methods
08/23/2011 16:01:58 (92c)Class subattribute: DistName : String Value = SANLBZ-USER
08/23/2011 16:01:58 (92c)Class subattribute: AuthType : String Value = 0
08/23/2011 16:01:58 (92c)Class subattribute: TransactionId : Value =
08/23/2011 16:01:58 (92c)000: 47c56dd3 cd1344ef 0000701a |G.m...D...p. |
08/23/2011 16:01:58 (92c)Class subattribute: VirtualRealm : String Value = RETRealm
08/23/2011 16:01:58 (92c)Sent accept response for user SANLBZ-USER to client SANLB1A.SAL.PVT
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)Authentication Response
08/23/2011 16:01:58 (92c)Packet : Code = 0x2 ID = 0x36
08/23/2011 16:01:58 (92c)Vector =
08/23/2011 16:01:58 (92c)000: 50f735a0 f2f07130 76f872ae 55c95701 |P.5...q0v.r.U.W.|
08/23/2011 16:01:58 (92c)Class : Value =
08/23/2011 16:01:58 (92c)000: 53425232 434ca3f1 addd9eb4 a6c4f7c0 |SBR2CL..........|
08/23/2011 16:01:58 (92c)010: 11803701 80028198 8002800d 81a291ca |..7.............|
08/23/2011 16:01:58 (92c)020: f4e289b4 adaad4e8 d5900880 0a81a794 |................|
08/23/2011 16:01:58 (92c)030: 89c59395 c2ecb6c0 12800e81 a3f1addd |................|
08/23/2011 16:01:58 (92c)040: 9eb4a6c4 f7c08087 80e8 |.......... |
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)Authentication Response
08/23/2011 16:01:58 (92c)Sent to: ip=1.2.3.4 port=12345
08/23/2011 16:01:58 (92c)
08/23/2011 16:01:58 (92c)Raw Packet :
08/23/2011 16:01:58 (92c)000: 02360060 50f735a0 f2f07130 76f872ae |.6.`P.5...q0v.r.|
08/23/2011 16:01:58 (92c)010: 55c95701 194c5342 5232434c a3f1addd |U.W..LSBR2CL....|
08/23/2011 16:01:58 (92c)020: 9eb4a6c4 f7c01180 37018002 81988002 |........7.......|
08/23/2011 16:01:58 (92c)030: 800d81a2 91caf4e2 89b4adaa d4e8d590 |................|
08/23/2011 16:01:58 (92c)040: 08800a81 a79489c5 9395c2ec b6c01280 |................|
08/23/2011 16:01:58 (92c)050: 0e81a3f1 addd9eb4 a6c4f7c0 808780e8 |................|
08/23/2011 16:01:58 (92c)
08/23/2011 16:01:58 (92c)-----------------------------------------------------------
08/23/2011 16:01:58 (92c)Packet containing 96 bytes successfully sent
08/23/2011 16:01:58 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3777 (92c)Exiting
My most recent attempts have been with
* | transaction maxspan=15s keepevicted=t host endswith="Packet containing"
The 15 seconds are arbitrary (I'm not certain how long an auth attempt might be, but I believe it's usually pretty quick) and I know that an auth attempt usually will not span multiple radius hosts. Identifying the transaction using the lines of dashes isn't really correct as those lines exist within a real transaction. When I run the command above, it identifies the section starting with the "(92c)" lines ending with the "Packet containing" line as a transaction, but then orphans the first 13 lines instead of including it in the transaction. I only see those because of the "keepevicted" parameter. Note that the line line that precedes the first event listed here is also a "Packet containing ..." line.
That number right after the date is called the LogThreadID, but it's not particularly useful here as from what I can see it's reused for multiple transactions (i.e. not unique per transaction) and from the example above, there are 2 different LogThreadIDs in just this one authentication attempt.
While I thought doing a transaction based solely on time might work better, I can't really be certain those parameters ("maxspan=1s"?) would really be correct all the time. Maybe a barrage of requests would come in all at once or maybe an auth session could take 2 seconds.
So is my approach here right given the quite unstructured format of this data? Any suggestions about how I might want to handle this differently?
Thanks
... View more
- Tags:
- transactions
08-22-2011
07:44 PM
I'm not sure if I have what you're looking for, but here's some more info that might be helpful.
First, I don't believe that the crcSalt line is going to help here. My understanding is that that just helps Splunk understand when it might or might not be looking at the same file (or the events in a file) that it's indexed previously. I don't think that has anything to do with adding the file to the list of files to monitor.
So what did "splunk list monitor" report? Did it show that at least /log was being monitored but the blahblah*.log file was not being monitored?
One important thing to note is that the line
[monitor:///log/blahblah_.*\.log]
is probably not doing what you think it is. Remember that in this context, there are some regex shortcuts that are being taken. If your file really is named
blahblah_0.0.0.653_9110.log
then
[monitor:///log/blahblah_.*.log]
(i.e. no escaped '.' since '.' is the literal period character) should work. Remember that this is creating an implicit whitelist. I'm actually not sure what the '.' would do, but I'd guess that it might actually look for a backslash followed by a dot.
I would have thought your whitelist version might have worked assuming you were using a version of newer version of Splunk where "whitelist" replaced the older "_whitelist" keyword.
Lowell and gkanapathy were kind enough to write up some nice details to a question I had a while back about the use of wildcards and regexes in inputs.conf at
http://splunk-base.splunk.com/answers/2775/regexs-and-windows-paths-in-inputsconf-and-propsconf
in case that might also provide some further clues.
... View more
08-08-2011
12:11 PM
1 Karma
In addition to the other comments, I would say it depends on what you mean by performance. Total messages through a given queue up to that point? That's a queue parameter that's reset to 0 at midnight and could picked off as a queue attribute. At least on what IBM calls the "distributed" platforms (nix and I think Windows), some events are logged to the SYSTEM.ADMIN..EVENT queues, but you would need to know the format to extract from there (or locate one of those IBM support pacs that might let you extract that to a log which you could log periodically).
We do pull in the queue manager logs and extract fields for use with Splunk, but that's really only part of the picture and not really about queue throughput. While I think you could get Splunk to get this data for you, you would need to roll your own way to extract it. MQ does not log individual messages as that would really hurt performance. Other tools exist (BMC's Middleware Management Performance and Availability is one example) to go in and look at all the specific MQ components out of the box.
... View more
07-29-2011
07:28 AM
Our search heads are on our indexers (i.e. they're the same thing). We're looking at doing search head pooling in that scenario.
When using NAS I tend to think not so much of "if" the storage will be unavailable but when. I realize that if it's disappears, searches (scheduled and manual) won't happen. What I'm most concerned about is if indexing of data would stop and Splunk would grind to a halt.
It would of course, be very cool if even searches would continue because Splunk switched to a "plan B" where it realized it couldn't write to the shared dir (NAS) but instead wrote to something locally until the NAS became available again.
What does Splunk do when the NAS used for search head pooling goes away and the search heads are also indexers?
Thanks
... View more
06-23-2011
01:24 PM
I guess this depends a bit on what you want to do. We have some Linux cron jobs that run periodically (perl scripts) that run SQL against a database to get the values we care about, then write that out to a CSV file daily. There are some safeguards so as not to overwrite the existing good file with a bad one in case the SQL fails for example.
Splunk is then configured to do lookups using those CSV files.
In our case, it was a perl script, but really anything you can write that creates CSVs would work.
But that's for lookups. From your question, I'm wondering a little bit if you aren't referring to field extractions rather than lookups?
... View more
06-23-2011
12:53 PM
I'm not certain how that works. I would guess that might create configuration within a user's own, local configuration ($SPLUNK_HOME/etc/users/ ) so it's not tweaking the global config.
If you don't even want that, you might want to file an enhancement request asking for field extractions to be a capability you can remove from the "user" role (I don't see it there currently as a capability).
... View more
06-23-2011
12:38 PM
2 Karma
My understanding is that the Splunk for Cisco Firewalls app is intended to be an add on to the Splunk for Cisco Security Suite. According to the README.txt:
The Splunk for Cisco Firewalls add-on
allows you to consume, analyze, and
report on Cisco firewall data for
Cisco ASA, PIX and FWSM firewalls.
This add-on is designed to work with
the Splunk Cisco Security Suite;
install these together to access
reports and dashboards that give you
visual insight into your Cisco
Firewall data.
So you'd want to install the Splunk for Cisco Security Suite app which provides the main screens for Cisco stuff. When the Firewalls app is added, it shows the additional dashboards on the Splunk for Cisco Security Suite app.
The same is true for the other Cisco apps. They mostly are addons to Splunk for Cisco Security Suite.
... View more
06-23-2011
12:28 PM
Unless I'm mistaken, the strings you're searching for are case-insensitive. In fact, I had asked this a while back, but I don't think you can have Splunk do a case-sensitive search. So in your case, you really only need
error OR alert OR fail ...
... View more
06-23-2011
12:24 PM
1 Karma
I don't have a solution for you, but perhaps more of a question. Is it your intent to prevent non-admin users from being able to say, change their password? non-admin users don't get all the of the admin content from manager. In our shop, we leave that all alone as there's nothing sensitive or damaging that non-admin roles get access to.
If it really has to go away completely for non-admins, I would think that that is unusual enough that yes, you'd need to modify the XML.
... View more
06-13-2011
02:16 PM
1 Karma
Our networking team has sent us some of their syslog data from Cisco Nexus 7000 switches and Catalyst 6500 switches. I was expecting that I could point this into Splunk for Cisco Security and/or some of the other Splunk for Cisco apps. I'm finding that these apps don't do anything with these events.
The heart of the matter seems to be that the Splunk for Cisco apps all rely on setting sourcetypes either to do field extractions (like src_ip and dest_ip) or to use in searches/eventtypes. The sourcetype-setting things I see in the apps (most in the Cisco Firewalls app) set those sourcetypes based on the existence of a string in the event. My problem is that none of those strings exist in the events I have. Therefore no sourcetypes get set beyond what I set myself and the Cisco apps do nothing.
'%' strings that occur in the events I'm looking at are:
%AFLSEC-6-OALDP
%SEC-6-IPACCESSLOGP
%ACLLOG-6-ACLLOG_FLOW_INTERVAL
%SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL
for instance. I don't believe any of these uniquely identify the device, but from what I can see, they're definitely security-related messages so I would think they'd be appropriate for the apps.
I'm trying to figure out how/if I can make the Splunk for Cisco apps useful for these events if possible.
Am I doing something wrong?
Thanks
... View more
05-25-2011
08:43 AM
So for search head pooling, what happens if (when) the NAS share between the shared servers goes down? Since this would only be a subset of the full set of configuration files, I'd expect that Splunk could still function. If all of those configuration files are perhaps loaded into memory, then that might be OK. In particular, config files that might have information about how to index incoming data. Thanks.
... View more
05-18-2011
08:15 AM
I'm trying to construct a search containing data across 3 Juniper Steel-Belted Radius files. The first two files, sourcetyped as radius_act_log and radius_auth_log , are straight-forward CSV files with well-defined headers. I have extracted fields like User_Name for instance, allowing me to search with User_Name="Bob" for instance.
The third file, sourcetyped as radius_log , contains interleaved session information and this file is where the "meat" of our searching will hopefully be. Contents of the radius_log sourcetype look like this
...
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Accounting Request
05/18/2011 09:43:02 (17904)Received From: ip=1.2.3.4 port=41234
05/18/2011 09:43:02 (17904)Packet : Code = 0x4 ID = 0x40
05/18/2011 09:43:02 (17904)Client Name = 3.4.5.6 Dictionary Name = Radius.dct
05/18/2011 09:43:02 (17904)Vector =
05/18/2011 09:43:02 (17904)000: dff32d66 b0f78418 a85647c8 043609fb |..-f.....VG..6..|
05/18/2011 09:43:02 (17904)Parsed Packet =
05/18/2011 09:43:02 (17904)NAS-Identifier : String Value = 3.4.5.6
05/18/2011 09:43:02 (17904)**User-Name : String Value = Bob**
05/18/2011 09:43:02 (17904)NAS-IP-Address : IPAddress = 3.4.5.6
05/18/2011 09:43:02 (17904)NAS-Port : Integer Value = 252151
05/18/2011 09:43:02 (17904)Framed-IP-Address : IPAddress = 2.3.4.5
05/18/2011 09:43:02 (17904)3GPP2-Correlation-ID : String Value = 9zrsaI2e
05/18/2011 09:43:02 (17904)Calling-Station-Id : String Value = 310002346738412
05/18/2011 09:43:02 (17904)Acct-Status-Type : Integer Value = 1
05/18/2011 09:43:02 (17904)Acct-Session-Id : String Value = 423ADCBE
05/18/2011 09:43:02 (17904)Funk-Source-IP-Address : IPAddress = 1.2.3.4
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Determining if this radius should act as a proxy
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)Created new session record without old-style Class attribute for user Bob
05/18/2011 09:43:02 (17904)Accounting start contains ip address 2.3.4.5 currently in use
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
...
I can, of course, setup another field extraction to pull User_Name from the radius_log sourcetype as well. The trick here is that the user name appears only occasionally in radius_log . The number in parens, 17904 above, is the LogThreadId (also already extracted as a field) and that's what would link related events together. It's really their idea of a session, except that it's not a value that's logged in any other file. It's just a unique number they generate to help you see events relating to a particular session.
What I would like to be able to do is construct a search that will show me all activity by user Bob in the last 24 hours across all 3 files and similar kinds of searches. It seems to me that I need to identify the user name in radius_log , then look at what the LogThreadId field is for that user name in say the last 24 hours and return those (plus perhaps the results from the other 2 CSV files where it's just a simple User_Name="Bob" search). Or something like that. I'm just not sure how to do that.
I had toyed with the idea of having Splunk treat things from radius_log as a single event -- breaking on the "-------------" lines perhaps, but since each event has a separately logged date and time, that seemed kind of weird. In most cases where I see those, the time is identical but not always.
I'm hoping this is an easy one for someone who has better search skills than I.
Thanks
... View more
- Tags:
- search-help
05-17-2011
06:20 PM
Interesting. I must have missed this as a new feature. Note that these are both indexers. We don't run separate search heads. I'm assuming search head pooling would still work on this case if it's really on indexers rather than just search heads?
I didn't see anything in the docs that indicated how the saved searches run. While they'd be known on both servers, which server would run a given saved search?
... View more
05-13-2011
07:51 AM
We have 2 production auto-load balanced indexers that are currently getting all of our production data. Both running 4.2.1, both are the same hardware configuration (2 quad-core CPUs, 24GB RAM, 1TB RAID10 storage).
Up to this point, we'd been setting up the first server of the pair to be the server that people login to and run searches from. That is, it's where we populate the apps, saved searches for users to run, dashboards, etc. This would also be where the user accounts are created for non-admins.
We'd been designating the second server as the one to run scheduled searches on and in theory, we wouldn't create user accounts there. Partly because we didn't think we wanted users running searches there too, but also because we hadn't planned on copying the apps to both servers to avoid the inevitable question of "why don't I see X when I go to this box?" from users.
The problem of course, is if we let the scheduled searches include links, the URL always refers to the second server because that's where the scheduled search runs (and where the cached search results are stored). So then we end up having to create accounts for users anyway on the second server.
So I'm thinking that this plan isn't going to work. We could just mix everything together -- apps sync'd on both machines, user accounts created on both machines and scheduled searches running from either machine. That doesn't really sound appealing to me. Or we could just run all the scheduled searches that users might receive from the first server where they already have accounts, but then we're under-utilizing the second server.
Unfortunately the users and data here are varied. Not a single type of app or data or user.
Any thoughts of suggestions are appreciated.
Thanks
... View more
05-03-2011
12:39 PM
So then at least with the universal forwarder configuration, why would you even need a package to hold the deploymentclient.conf (assuming it's really going to be the "permanent" DS)? The advantage I thought I had with a package was that I could easily change the DS. But if I don't need to change it at all, I could just let the UF create the deploymentclient.conf in system/local (the windows one does that anyway) and be done with it, right?
... View more
04-29-2011
05:37 PM
Interesting. So bottom line what you seem to be saying is that the deploymentclient.conf that I seed our installer with should be the permanent one and that I should not need to be looking to find a way to swap the temporary app that carries it out with another one. Given the other options I have.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
Karma given to
