Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About aalhabbash1
aalhabbash1
Path Finder
Member since:
04-04-2019
06-05-2020
Community Statistics
| Posts | 40 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 04-04-2019 |
Activity Feed
- Got Karma for What is the difference between rb bucket and db bucket?. 09-02-2020 08:26 AM
- Karma Re: Syslog path (/opt/syslog) is full on rsyslog server? for jkat54. 06-05-2020 12:50 AM
- Karma Re: Exclude events in index time? for gcusello. 06-05-2020 12:50 AM
- Got Karma for What is the difference between rb bucket and db bucket?. 06-05-2020 12:50 AM
- Posted Install splunk forwarder in Linux servers on Getting Data In. 12-04-2019 11:32 AM
- Tagged Install splunk forwarder in Linux servers on Getting Data In. 12-04-2019 11:32 AM
- Posted Integration between Splunk and SolarWinds on All Apps and Add-ons. 11-27-2019 10:01 PM
- Posted Re: Exclude events in index time? on Getting Data In. 11-11-2019 01:22 AM
- Posted Re: Exclude events in index time? on Getting Data In. 11-10-2019 04:34 AM
- Posted Re: Exclude events in index time? on Getting Data In. 11-09-2019 09:35 PM
- Posted Re: Exclude events in index time? on Getting Data In. 11-07-2019 12:35 AM
- Posted Re: Exclude events in index time? on Getting Data In. 11-06-2019 07:54 PM
- Posted Exclude events in index time? on Getting Data In. 11-06-2019 06:15 AM
- Posted Time stamp configuration in props.conf on Getting Data In. 09-11-2019 12:51 PM
- Posted merge search between 2 index on Splunk Search. 09-08-2019 12:43 PM
- Tagged merge search between 2 index on Splunk Search. 09-08-2019 12:43 PM
- Posted Re: search show results not existing in logs. on Splunk Search. 09-07-2019 10:33 PM
- Posted search show results not existing in logs. on Splunk Search. 09-05-2019 02:55 AM
- Tagged search show results not existing in logs. on Splunk Search. 09-05-2019 02:55 AM
- Posted Re: Duplicate logs. on Monitoring Splunk. 09-01-2019 04:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-18-2019
01:45 AM
Hi Spluker;
How I can open case on Admin On Demand Service for they can help me?
Best Regards; Abdullah Al-Habbash
... View more
Labels
- Labels:
-
other
08-18-2019
01:39 AM
Hi Splunker;
I have three search head cluster, and I running search automatically every day for update this the lookup table, and make search for exclude this result in lookup table from search, when I execute the search at the same time in search head cluster, appeared result and the lookup table is work in SH1 and 2, but when execute the search in search head 3 not appeared any results, why this behavior occurred, Please help me in that? and what is the reason?
Best Regards
... View more
08-04-2019
06:10 AM
Hi;
Is there script or bat file to install Splunk forwarder, I have tried script existing in the below link but not work.
Please make the bat script for install Splunk Forwarder then provide us it.
https://docs.splunk.com/Documentation/Forwarder/6.6.3/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline
I need this script for necessity.
Best Regards;
... View more
07-30-2019
08:39 AM
2 Karma
Hi Splunker;
What is the difference between rb_* and db_* under splunk_cold and splunk_hot directory storage? you can see the example below.
rb_1564000917_1563984040_7538_0B51C6C4-28F7-4348-A8F4-51FD8D156178
db_1562576411_1562565181_7654_B0AF5CBE-9B45-46D7-B374-E398083AFE9E
And can I remove the rb bucket or not?
Regards
... View more
07-22-2019
06:36 AM
Dear Richgalloway,
Thank you to response; if you have this script please share the script with me.
Best Regards;
... View more
07-22-2019
03:46 AM
Hi Splunker;
Is there way for Splunk monitor password policy in AD, such as; what is content this policy about how number of characters used and how must be long the characters and so on.
Best Regards;
... View more
05-28-2019
07:52 AM
Hi Splunker;
I need to create alert when anyone make reset password for his account in windows logs exception the user did reset password because the his account expired password?
Best Regards;
Abdullah Al-Habbash
... View more
- Tags:
- splunk-enterprise
05-27-2019
01:54 AM
Hi @DavidHourani,
You mean must put ($InputTCPMaxListeners) for each port configuration before ( $InputTCPServerRun 1514) as the following:
### TCP 1514 (Palo Alto Firewall/Trap Syslog HQ ###
#################################################################
$RuleSet remotetcp1514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQTCP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
. -?SyslogPaloAltoHQTCP1514
$InputTCPServerBindRuleset remotetcp1514
$InputTCPMaxSessions 30
$InputTCPServerRun 1514
$PrivDropToUser splunk
#################################################################
### TCP 1515 (Kaspersky Antivirus Syslog HQ ###
#################################################################
$RuleSet remotetcp1515
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogKasperskyHQTCP1515,"/data/syslog/security/kaspersky/hq/%fromhost-ip%/Kaspersky_syslog.log"
. -?SyslogKasperskyHQTCP1515
$InputTCPServerBindRuleset remotetcp1515
$InputTCPMaxSessions 30
$InputTCPServerRun 1515
$PrivDropToUser splunk
Thank you for your interesting.
Best Regards;
... View more
05-26-2019
05:58 AM
Hi @DavidHourani
No, I didn't changing any original configuration, I took backup from original rsyslog.conf, then I took copy and paste and modified on this file (add new configuration), Now I have 10 configuration port on rsyslog.conf, if I add new port removed one old port existing before?
Best Regards;
Abdullah Al-Habbash.
... View more
05-26-2019
02:35 AM
Hi koshyk;
The rsyslog.conf is normal as any other rsyslog.conf, but my question is there limitation port for rsyslog.conf file or not, and why that is occurred?
Thank you.
... View more
05-26-2019
02:02 AM
Hi koshyk;
Kindly find the information below which contain content the rsyslog.conf file:
# rsyslog configuration file
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced
# things, RainerScript configuration is suggested.
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
#module(load"immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
######################################################
### UDP 1514 (Palo Alto Syslog HQ) ###
######################################################
$RuleSet remoteudp1514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQUDP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/Kaspersky_syslog.log"
*.* -?SyslogPaloAltoHQUDP1514
$InputUDPServerBindRuleset remoteudp1514
$UDPServerRun 1514
$PrivDropToUser splunk
######################################################
### UDP 1515 (Kaspersky Antivirus Syslog HQ) ###
######################################################
#$RuleSet remoteudp1515
#$RulesetCreateMainQueue on # create ruleset-specific queue
#$template SyslogKasperskyHQUDP1515,"/data/syslog/security/kaspersky/hq/%fromhos#t-ip%/Kaspersky_syslog.log"
#*.* -?SyslogKasperskyHQUDP1515
#$InputUDPServerBindRuleset remoteudp1515
#$UDPServerRun 1515
#$PrivDropToUser splunk
######################################################
### UDP 1516 (Websense Proxy Activity Syslog HQ) ###
######################################################
$RuleSet remoteudp1516
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogWebsenseHQUDP1516,"/data/syslog/security/websense/hq/%fromhost-ip%/Websense_syslog.log"
*.* -?SyslogWebsenseHQUDP1516
$InputUDPServerBindRuleset remoteudp1516
$UDPServerRun 1516
$PrivDropToUser splunk
######################################################
### UDP 1517 (F5 Syslog HQ) ###
######################################################
$RuleSet remoteudp1517
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogF5HQUDP1517,"/data/syslog/security/f5/hq/%fromhost-ip%/F5_syslog.log"
*.* -?SyslogF5HQUDP1517
$InputUDPServerBindRuleset remoteudp1517
$UDPServerRun 1517
$PrivDropToUser splunk
######################################################
## UDP 1518 (Infoblox Syslog HQ) ###
######################################################
#
$RuleSet remoteudp1518
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogInfobloxHQUDP1518,"/data/syslog/security/infoblox/hq/%fromhost-ip%/infoblox_syslog.log"
*.* -?SyslogInfobloxHQUDP1518
$InputUDPServerBindRuleset remoteudp1518
$UDPServerRun 1518
$PrivDropToUser splunk
######################################################
## UDP 1519 (Websense Syslog HQ) ###
######################################################
#$RuleSet remoteudp1519
#$RulesetCreateMainQueue on # create ruleset-specific queue
#$template SyslogWebsenseHQUDP1519,"/data/syslog/security/websense/hq/%fromhost-ip%/websense_syslog.log"
#*.* -?SyslogWebsenseHQUDP1519
#$InputUDPServerBindRuleset remoteudp1519
#$UDPServerRun 1519
#$PrivDropToUser splunk
######################################################
## UDP 1520 (Mailgatway Syslog HQ) ###
######################################################
#$RuleSet remoteudp1520
#$RulesetCreateMainQueue on # create ruleset-specific queue
#$template SyslogMailGetwayHQUDP1520,"/data/syslog/security/mailg/hq/%fromhost-ip%/mail_syslog.log"
#*.* -?SyslogMailGetwayHQUDP1520
#$InputUDPServerBindRuleset remoteudp1520
#$UDPServerRun 1520
#$PrivDropToUser splunk
######################################################
## UDP 1521 (WAF F5 Syslog HQ) ###
######################################################
#$RuleSet remoteudp1521
#$RulesetCreateMainQueue on # create ruleset-specific queue
#$template SyslogWAFF5HQUDP1521,"/data/syslog/security/waff5/hq/%fromhost-ip%/waf_f5.log"
#*.* -?SyslogWAFF5HQUDP1521
#$InputUDPServerBindRuleset remoteudp1521
#$UDPServerRun 1521
#$PrivDropToUser splunk
######################################################
## UDP 1522 (ATA Syslog HQ) ###
######################################################
#$RuleSet remoteudp1522
#$RulesetCreateMainQueue on # create ruleset-specific queue
#$template SyslogATAHQUDP1522,"/data/syslog/security/ata/hq/%fromhost-ip%/ata_.log"
#*.* -?SyslogATAHQUDP1522
#$InputUDPServerBindRuleset remoteudp1522
#$UDPServerRun 1522
#$PrivDropToUser splunk
######################################################
## UDP 514 (Network Syslog) ###
######################################################
$RuleSet remoteudp514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogMiscUDP514,"/data/syslog/network/misc/%fromhost-ip%/misc_syslog.log"
*.* -?SyslogMiscUDP514
$InputUDPServerBindRuleset remoteudp514
$UDPServerRun 514
$PrivDropToUser splunk
#################################################################
### TCP 1514 (Palo Alto Firewall/Trap Syslog HQ ###
#################################################################
$RuleSet remotetcp1514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQTCP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
*.* -?SyslogPaloAltoHQTCP1514
$InputTCPServerBindRuleset remotetcp1514
$InputTCPServerRun 1514
$PrivDropToUser splunk
#################################################################
### TCP 1515 (Kaspersky Antivirus Syslog HQ ###
#################################################################
$RuleSet remotetcp1515
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogKasperskyHQTCP1515,"/data/syslog/security/kaspersky/hq/%fromhost-ip%/Kaspersky_syslog.log"
*.* -?SyslogKasperskyHQTCP1515
$InputTCPServerBindRuleset remotetcp1515
$InputTCPServerRun 1515
$PrivDropToUser splunk
#################################################################
### TCP 1516 (Websense Proxy Activity Syslog HQ) ###
#################################################################
$RuleSet remotetcp1516
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogWebsenseHQTCP1516,"/data/syslog/security/websense/hq/%fromhost-ip%/Websense_syslog.log"
*.* -?SyslogWebsenseHQTCP1516
$InputTCPServerBindRuleset remotetcp1516
$InputTCPServerRun 1516
$PrivDropToUser splunk
################################################################
## TCP 1517 (F5 Syslog HQ) ###
################################################################
$RuleSet remotetcp1517
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogF5HQTCP1517,"/data/syslog/security/f5/hq/%fromhost-ip%/F5_syslog.log"
*.* -?SyslogF5HQTCP1517
$InputTCPServerBindRuleset remotetcp1517
$InputTCPServerRun 1517
$PrivDropToUser splunk
######################################################
## TCP 1518 (Infoblox Syslog HQ) ###
######################################################
$RuleSet remotetcp1518
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogInfobloxHQTCP1518,"/data/syslog/security/infoblox/hq/%fromhost-ip%/infoblox_syslog.log"
*.* -?SyslogInfobloxHQTCP1518
$InputTCPServerBindRuleset remotetcp1518
$InputTCPServerRun 1518
$PrivDropToUser splunk
######################################################
## TCP 1519 (Websense Syslog HQ) ###
######################################################
$RuleSet remotetcp1519
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogWebsenseHQTCP1519,"/data/syslog/security/websense/hq/%fromhost-ip%/websense_syslog.log"
*.* -?SyslogWebsenseHQTCP1519
$InputTCPServerBindRuleset remotetcp1519
$InputTCPServerRun 1519
$PrivDropToUser splunk
######################################################
## TCP 1520 (MailGetway Syslog HQ) ###
######################################################
$RuleSet remotetcp1520
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogMailGetwayHQTCP1520,"/data/syslog/security/mailg/hq/%fromhost-ip%/mailg_syslog.log"
*.* -?SyslogMailGetwayHQTCP1520
$InputTCPServerBindRuleset remotetcp1520
$InputTCPServerRun 1520
$PrivDropToUser splunk
######################################################
## TCP 1521 (WAF_F5 Syslog HQ) ###
######################################################
$RuleSet remotetcp1521
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogWAFF5HQTCP1521,"/data/syslog/security/waff5/hq/%fromhost-ip%/waf_f5.log"
*.* -?SyslogWAFF5HQTCP1521
$InputTCPServerBindRuleset remotetcp1521
$InputTCPServerRun 1521
$PrivDropToUser splunk
######################################################
## TCP 1522 (ATA Syslog HQ) ###
######################################################
$RuleSet remotetcp1522
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogATATCP1522,"/data/syslog/security/ata/hq/%fromhost-ip%/ata.log"
*.* -?SyslogATATCP1522
$InputTCPServerBindRuleset remotetcp1522
$InputTCPServerRun 1522
$PrivDropToUser splunk
######################################################
## TCP 1523 (dlp Syslog HQ) ###
######################################################
$RuleSet remotetcp1523
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogdlpTCP1523,"/data/syslog/security/dlp/hq/%fromhost-ip%/dlp.log"
*.* -?SyslogdlpTCP1523
$InputTCPServerBindRuleset remotetcp1523
$InputTCPServerRun 1523
$PrivDropToUser splunk
######################################################
## TCP 1524 (AlienVault Syslog HQ) ###
######################################################
$RuleSet remotetcp1524
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogalienvaultTCP1524,"/data/syslog/security/alienvault/hq/%fromhost-ip%/alienvault.log"
*.* -?SyslogalienvaultTCP1524
$InputTCPServerBindRuleset remotetcp1524
$InputTCPServerRun 1524
$PrivDropToUser splunk
#################################################################
### TCP 1525 (Palo Alto Firewall/Trap Syslog HQ ###
#################################################################
$RuleSet remotetcp1525
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQTCP1525,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
*.* -?SyslogPaloAltoHQTCP1525
$InputTCPServerBindRuleset remotetcp1525
$InputTCPServerRun 1525
$PrivDropToUser splunk
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
... View more
05-26-2019
01:18 AM
Hi Splunker;
The issue is from rsyslog.conf file and when I added new configuration (port) in rsyslog.conf
Then execute (netstat -plnt | grep rsyslog) command, the first port which added before removed, and when remove the new port added then execute (netstat -plnt | grep rsyslog) command the old port return appears, why that is occurred?
Best Regards;
Abdullah Al-Habbash
... View more
- Tags:
- splunk-enterprise
05-26-2019
12:49 AM
Mr.Koshyk
Done; many thank you, this is which I want, appreciate that
Best Regards;
... View more
05-25-2019
11:34 AM
Hi Splunker;
How to detected a index stop receiving logs from any technology last 2 hours, I need for indexes not sourcetype?
Appreciate your support.
Best Regards;
... View more
- Tags:
- splunk-enterprise
05-20-2019
05:02 AM
Hi splunker;
I want to pull feeds from (https://otx.alienvault.com/taxii/discovery) url for Taxii feeds, and I have got the API key from (https://www.alienvault.com/blogs/security-essentials/otx-is-now-a-free-stix-taxii-server), and this kind of feeds splunk can't monitor url by use threat intelligent or rest API app, because the url which i want to monitoring don't work on browser, I think for pull this feeds must connect by connector (API).
Please how can pull these feeds to splunk?
Best Regards;
Abdullah Al-Habbash
... View more
05-18-2019
06:46 AM
Hi splunker;
When I install splunk forwarder version 7.2.6 on redhat server version 7.4 successfully installed, but the home directory like /etc and /root change permission from root to splunk, and this is not normal behavior, can anyone help me why this is occurred?
Best Regards;
... View more
05-09-2019
01:57 AM
We want to integration between splunk enterprise and traps cloud.
Traps will use port (tls 6514) for send logs to splunk and this require wildcard certificate, how can I upload wildcard certificate to syslog server (universal forwarder server), you can see the following url from traps team to integrate.
https://docs.paloaltonetworks.com/cloud-services/apps/log-forwarding/log-forwarding-app-getting-started/get-started-with-log-fowarding-app/forward-logs-from-logging-service-to-syslog-server
https://docs.paloaltonetworks.com/cloud-services/apps/log-forwarding/log-forwarding-app-getting-started/get-started-with-log-fowarding-app/trusted-root-ca-log-forwarding-app.html#
And when I do configuration on rsyslog.conf file I do configuration as the following:
for port udp send to splunk:
$RuleSet remoteudp1514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQUDP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/Kaspersky_syslog.log"
. -?SyslogPaloAltoHQUDP1514
$InputUDPServerBindRuleset remoteudp1514
$UDPServerRun 1514
$PrivDropToUser splunk
and for TCP send to splunk:
$RuleSet remotetcp1514
$RulesetCreateMainQueue on # create ruleset-specific queue
$template SyslogPaloAltoHQTCP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
. -?SyslogPaloAltoHQTCP1514
$InputTCPServerBindRuleset remotetcp1514
$InputTCPServerRun 1514
$PrivDropToUser splunk
If I need receive logs from TLS 6514, how do for this port configuration on rsyslog.conf file?
... View more
05-02-2019
05:15 AM
Hi Splunker;
In initial the connect between deployment server and windows forwarder is good and splunk receiving logs from it.
Then occurred losing connect from it, and I check to splunkforwarder status, the splunkforwarder status is stropped and check ports the ports is open, and I executed (splunk start) command appeared the following error:
(Timed out waiting for splunkd to start).
And some times the splunk agent service suddenly stopped in windows devices and I must execute the splunk start command for run, this case is always repeated, please I need your advise in that.
Regards;
... View more
04-24-2019
11:48 PM
Hi Splunker
Is There way to do restart for splunk agent via the deployment server by use a particular app or configuration?
Please help me in that.
Regards
... View more
04-04-2019
03:10 AM
Hi Splnker;
Is there way for Splunk take action from Kaspersky, means if appeared hash in splunk from Kaspersky how splunk take action for remove or block this hash from Kaspersky?
appreciate your support
Best Regards
... View more
- Tags:
- splunk-enterprise
- « Previous
-
- 1
- 2
- Next »
