About afx

afx · ‎02-20-2020

Currently our Infrastructure is small, so I try to not involve yet another box. The funny thing is, the machine is pretty much idle when this happens. cheers afx

afx · ‎02-20-2020

Still on 7.2.4, but good to know, thx afx

afx · ‎02-20-2020

Thanks, looks like that worked (I also added a disabled=1 as I did not put it into a local file but pushed it via the deployment server). thx afx

afx · ‎02-20-2020

Not very efficeint in my eyes and the fill up the sysmon execution log. The only benefit is the liceence increase for Splunk ;-( Any ideas on how to disable this? thx afx

afx · ‎02-20-2020

Hi, why is my UF on Windows executing various splunk-* tools without them beeing configured in any input? Every few minutes I see them in sysmon: splunk-powershell.exe splunk-regmon.exe splunk-powershell.exe splunk-netmon.exe splunk-admon.exe splunk-MonitorNoHandle.exe splunk-winprintmon.exe I do not see them in any inputs.conf. thx afx

afx · ‎02-13-2020

Hidden files are explicitly forbidden, see https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Splunkbase/Approvalcriteria cheers afx

afx · ‎02-12-2020

Hi, are you sure that this is the exact raw string of the file? It seems to be missing a digit before the AU1 message identifier (that digit gets eaten by splunk when using my definition of the line breaker). I suggest opening an unmodified SAP audit log file in an editor where you can toggle the encoding (like Notepad++ or VIM) and checking it there to see if my defintion will work for it. The beginning of your Unknown4 definitely looks like a SAP message, but it seems to have garbage at the end as only the "B&0&A" are used by AU1. To me it looks like your SAP system is not nulling out buffers, but that should be extremely unlikely... Unfortunately, there is no documentation apart from the referenced SAP Blog post about the format of the file. cheers afx

afx · ‎02-11-2020

Great, silly me never noticed the subdued subscribe button. thx afx

afx · ‎02-10-2020

Our Splunk cluster has no Internet connection by policy. Any idea how to at least semi automate update checks for splunkbase apps? thx afx

afx · ‎02-10-2020

Hi, thanks to the wonderful website_monitoring app, I see some interesting but unexplained tidbits. We have two indexers with HEC configurued. Because of project delays those HEC inputs are idle. I use https://splunk-index1:8088/services/collector/health for the query in website_monitoring. And at least onece a day I do get a 5 second response time on one of the indexers, not the other. Usually this is less than 20ms. Checking _index/_audit for anything happening in parallel, I found nothing so far that would explain this monster increase. It is not linked to specific times. If I only use the port, the peak times are just up t0 60ms worst case. But that gives me an ugly 404 error, so I figured I might as well use a decent endpoint. Any ideas? thx afx

afx · ‎02-10-2020

The filename sounds ok. So I wonder, did they convert this for you for convenince or why is it different. After all, the SAL should be no different on AIX than the Linux ones I get. cheers afx

afx · ‎02-08-2020

Strange, this seems to have a header. Not something I have seen in my logs. As this is already a UTF8 file and the records are not of fixed length, I wonder how it was generated? I assume that this is not an original unmodified SAP audit file.. cheers afx

afx · ‎02-07-2020

From what you have shown me, the line breaker should be the same, but the events might be longer and then it gets confusing. Would you have a test file for me to look at? cheers afx

afx · ‎02-07-2020

Ok, this is different... When our systems where migrated, the audit log format stayed the same. Is this a fresh system with 750 or a migrated one? As I only have a few boxes, I do not have much systems to compare with. Do you still have 200 Character records? Check with NotePad++ or similar. The spare characters for the line break seem to be still there from your example, so if there is just a new lenght, that could be adjusted easily for a longer record length. cheers afx

afx · ‎01-31-2020

Interesting, so no clear reason why BE... cheers afx

afx · ‎01-31-2020

Hi becksboy, glad this was helpful! We do run 750 here and the blog post from the SAP guy references the added SAL events, so that should work fine. I am curious, do you know why you have UTF-16BE in one log? And what did you have to use for LINE_BREAKER and TIME_PREFIX? have a nice weekend afx

afx · ‎01-27-2020

Thank you, works perfectly! afx

afx · ‎01-27-2020

Yup, that was the reason. I was wrongly thinking that the report is based on the definition not the log entries. thx afx

afx · ‎01-27-2020

Silliy me.. Thnaks afx

afx · ‎01-24-2020

Thanks, that worked. This leaves only the rising column tracker files. Copy and paste of the first line from a system where I used the GUI seems to be the way to go. thx afx

afx · ‎01-23-2020

Hmm, looks like the default set there will populate the GUI settings. I was hopig for defaults that woul be automatically used without being explicity written ito the configuration file (I have more than 100 entries in there...) cheers afx

afx · ‎01-23-2020

Started to set up a website via the GUI and advanced options instead of the inputs.conf file of the app. Found a host setting there that said $decideOnStartup. So one explicitly needs to set up the host, it is not taken from the monitored URL. cheers afx

afx · ‎01-23-2020

Hi, the new response logging makes it a bit hard to find out where it comes from: thx afx

afx · ‎01-23-2020

Thanks, it works, also setting the default index which is not in the spec. thx afx

afx · ‎01-23-2020

Well, splunk show default-hostname splunk show servername both report the correct hostname.... And actually, I would think it makes more sense to set the host of the target URL than the querying host here. thx afx

Posts	142
Solutions	7
Karma Given	11
Karma Received	24
Member Since	‎05-02-2019

Online Status	Offline
Date Last Visited	a week ago

Various Errrors in "SANS ISC Adaptive Response Act...

Documentation for Knowledge Object Overview App fo...

JRE/JDK shipped with Splunk Enterprise?

How to access x509 objects in Splunk 8 / Python 3?

_introspection shows wrong memory usage for the de...

Alert Manager: How to suppress follow on alerts

Missing libraries when switching to Python 3

App for REST Lookup and Splunk 8

How can I block dbxquery from listening on the net...

TsidxStats Error after Splunk v8 Upgrade

Re: Analyzing HEC response times on idle

Re: Why is the Universal forwarder executing regmo...

Re: Why is the Universal forwarder executing regmo...

Re: Why is the Universal forwarder executing regmo...

Why is the Universal forwarder executing regmon, p...

Re: How can I upload Splunk app containing hidden ...

Re: How to Splunk the SAP Security Audit Log

Re: How to check for updated apps without an onlin...

How to check for updated apps without an online co...

Analyzing HEC response times on idle

Re: How to Splunk the SAP Security Audit Log

Re: How to Splunk the SAP Security Audit Log

Re: How to Splunk the SAP Security Audit Log

Re: How to Splunk the SAP Security Audit Log

Re: How to Splunk the SAP Security Audit Log

Re: How to Splunk the SAP Security Audit Log

Re: Website monitoring app defaults

Re: Duplicate entries website monitoring

Re: Website Monitoring 2.9 response logging

Re: Managing DB Connect and Heavy Forwarder in a d...

Re: Website monitoring app defaults

Re: Host shows as $decideOnStartup in website mon...

Website Monitoring 2.9 response logging

Re: Website monitoring app defaults

Re: Host shows as $decideOnStartup in website mon...

Are you a member of the Splunk Community?