renaming the TA is exactly what i did. So in my case i have a ta_windows_endpoints and a ta_windows_servers. Create your separate server classes and then reload the deployment server configs using: https://<yourserver>:8089/services/deployment/server/config/_reload Not saying this is the best way, but it certainly works for me. ... View more

Hi @abhijittikekar, I too am struggling with the field extraction regex for Change Auditor events. I can't tell if you made any more progress on this since March 2019, so i just want to add what I have to the knowledge base. I was able to extract some fields, but only if the field value is a single word string with no spaces. I also have a different regex for the Message line because I did not have any luck getting my regex to work using \n . So below are the 4 fields that I managed to get working. The only catch is these regex still fails if the values for Attribute Name, Object Class or Client Computer contains a space.... In addition, the regex I used for Message is only applicable if Client Computer comes directly after it in the next line. This is true for almost all Change Auditor logs except for those rare ones where it's just a Message. Those I don't care for as they're more system level errors that's not applicable to what I'm using Change Auditor logs for. FYI, I thought using \s\s help finding the \n and \t that comes between each fields/lines; figuring that carriage return and tab are technically a "space" character. However, this seem to just work to pull values that does not contain a space. 😞 [source::WinEventLog:InTrust for AD] EXTRACT-signature = Message\=(?<signature>.+)\s+Client Computer : EXTRACT-attribute_name = Attribute Name : (?<attribute_name>[^(\s\s)]+) EXTRACT-object_class = Object Class : (?<object_class>[^(\s\s)]+) EXTRACT-src = Client Computer : (?<src>[^(\s\s)]+) Hope this is helpful to anyone else trying to do custom field extracts for Change Auditor logs. Best, Will ... View more

Thanks Michael. You are correct. We did try with another VMAX(Version 8.4+) and ran into the exact same error. I'll drop an email to support with all the details. ~ Abhi ... View more

Thank you. That helps. ... View more

Thanks Nick. ... View more

You could edit the bookmark file with the time you want to start from then run it. ... View more

Asked the question little too soon. While going through the app came across the section for "Security", which does have few dashboards that make use of the Syslog Data. For all other dashboards related to system performance etc, looks like REST is the only way to go. ~ Abhi ... View more

Hi, From the name, it looks like you are using the old eStreamer app. If on FMC Version 6.X, you might want to check out the newer eNcore app for Splunk. https://splunkbase.splunk.com/app/3662/ ~ Abhi ... View more

Okay. Even we faced with this issue after upgrading splunk to 7.0.1 PFA a similar link where a workaround is provided : https://answers.splunk.com/answers/114064/indexes-from-peer-nodes-not-visible-in-role-creation-on-search-head.html Please note, the issue has reoccurred in Splunk 7.0 and the following bug has been raised for this matter: SPL-145546 - in 7.x in Roles admin Indexes are for local search head only Workaround: Step 1) Create a local directory in the search app on the SH with the correct permissions for splunkd to access i.e. $SPLUNK_HOME/etc/apps/search/local/data/ui/manager Step 2) Copy an old "authentication_roles.xml" file from "$SPLUNK_HOME/etc/apps/search/default/data/ui/manager" in any 6.x version or simply download a new 6.x version of Splunk and extract the file there, then place it into the folder created in step 1. Step 3) Refresh the SH configuration with debug refresh via the web browser: http://:8000/en-US/debug/refresh Step 4) Create a new role on the SH and you should see all your indexes configured on the index cluster. Note: In the workaround provided above, there is a known issue (SPL-146171) where only 1000 indexes is displayed in the UI. If you have more than 1000 indexes, you should modify authorize.conf to add the index(es) to role(s) instead ... View more

If you have a GlassTable in ES, just go to Settings -> Content_Management , select the ones you want to move and Export. Then download the app created in the export to the other instance. Done ... View more

After re-casting of sourcetype, will field extractions match up between the field names as presented by the encore eStreamer AddOn and the old Cisco FireSIGHT , or, is it expected to redo field aliasing between fields from new eStreamer AddOn and old Cisco FireSIGHT ? ... View more

Just curious, are you on AMD hardware? Your FMC or your eStreamer server? ... View more

Issue got resolved after deploying the patch for CSCve44987. Thanks, ~ Abhi ... View more

I found that in windows you go into windows services and restart splunkd. ... View more

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below: eStreamer eNcore https://splunkbase.splunk.com/app/3662/ eNcore Dashboard https://splunkbase.splunk.com/app/3663/ It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9. Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads. ... View more

Is this ITSI? ... View more

Regarding the issues raised: Having consistent uids across your infrastructure is essential to the centralised interpretation of audit events because auditd logs with uids. There are ways to work around this, but they involve things that are essentially hacks and would also necessitate significant changes to the fundamentals of how the app is designed to work. The 4294967295 uid issue has been fixed in the latest release. Please upgrade and let me know how it goes (remembering to also upgrade the TA). ... View more

Very strange, as you can see, in my test it works. tell me how Support will answer! Bye. Giuseppe ... View more

check the props and make sure Field alias is happening only after the Fields extraction cmd: /opt/splunk/bin/splunk cmd btool props list --debug|grep ... View more

I downvoted this post because it doesn't even begin to answer the question. the new version in the comment is also incompatible with es and requires hacks to make it work ... View more

You can go to permissions [ via Manage Apps and selecting the estreamer app] and give read/write permissions to required roles and 'tick' All Apps under 'sharing for config file-only objects. This will make all knowledge objects global and ES and search app will be able to use it. Also, if you want ES to specifically use it, you need to update etc/apps/SplunkEnterpriseSecuritySuite/local inputs.conf's regex to include "eStreamer" ... View more

Thanks smoir. That was the issue here. We were on an older version. ... View more

I'm not having any trouble with this log file. My guess is your test log files are to similar to those already indexed. To handle the header, you probably want to set Should Linemerge to true, and set the timestamp lookahead to exclude the time in the header. ... View more