Hi there, We are receiving logs from a Data Loss Prevention (DLP) system about what users access, etc and we want to analyze it with Enterprise Security. (Semi) Out-of-the-box solutions preferred. I found a DLP Data model, but couldn't find any dashboard, etc. which uses it for any correlations. Also, ES Content Updates App doesn't provide use cases for DLP Data model. So does anybody have an experience on this topic, what should I do with this logs? Regards, István ... View more

Hi there! We are receiving logs from a NetApp file server about what user access, etc. Log format very similar/same as the Windows Events in XML. (So parsing looks good) We also have Enterprise Security license. So far I didn't find what can ES do with these logs, one tip is to try to use Change Adult/Endpoint changes/Filesystem changes Data Model. So does anybody have an experience on this topic, what should I do with this logs? Regards, István ... View more

Hi, I have to monitor exported events from a remote Windows system. These files are XML files in text format, one XML record per line. Splunk also running on Windows. Now the events_last.xml file being written, after the rotate, it gets a new name. Monitoring only this events_last.xml file, can I miss some record because of the logrotate? What do you suggest how to Index these files? Can I monitor events_last.xml, or need to wait for the logrotate? Should we limit the file size because of Splunk? Update: Based on the answers as I understand: It's safe to monitor the directory including the events_last.xml and the rotated files. CRC check will handle it by default. What if I only monitoring the events_last.xml? The log source continuously writes the file, and when the time comes, it immediately rotates it. Can Splunk catch the last lines? Or rotate process can be faster and Splunk can miss some lines? I also checked some docs (eg. http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Monitorfilesanddirectories) but did not found detailed one. For [monitor://*] stanza I didn't find any interval attributes. Update2 Finally, we monitoring only the rotated files. The delta listening didn't works well because of the XML format. The exporter system puts the new logs not absolutely to the end of file (it puts before the last tag), Splunk re-reads the full file, not just the new logs. Thanks for the help. Regards, István ... View more

Hi, I have to index exported .evxt files on a Windows box. I can process these evtx files with Splunk and events looks likes as in Windows Event viewer's "General" tabs shows it. Unfortunately, because of the structure of the event, I need the events in the format as the "Detailed" tab show them. So the question: how can I index evtx files in "Detailed" (XML) format? So far renderXml stanza doesn't help me. Currently I user simple Monitor stanza to monitor the directory of the evtx files. To be more specific: these are NetApp-Security-Audit files, about events accessing shared files. How should I handle this files, does anyone has (good) experience whit them? Regards, István ... View more

Hi, I have a theoretical question about Search Head Cluster(SHC) operation in a multisite environment: - We have multiple sites. - We have a multisite indexer cluster. - We have an SHC cluster with nodes on both sites with Enterprise Security for example. Situation: the two site lost the connection between them. - The primary site can select a new captain. Life goes on on this site:) - A captain cannot be selected dynamically on the secondary site. Just ad-hoc searches can be run. The question: what happens if during the split brain situation we statically assign a captain on the secondary site, too (or VMware boots up all the server on both sides)? There will be 2 captains. Data accelerations, ES correlations will run and fill up indexes, summary tables, etc on the local indexer cluster on both sites. After a recovery, can IXC merge this tables, indexer or it will throw some interesting errors? Will it accelerate, summary events twice and messed up all the notable events? I know, the double captain is not supported, but in some environment, it can happen... Regards, Istvan ... View more

Hi, I am new to Data models and accelerations, too. I am trying to parse log for a data model and ES. The log parsing is moving now, but far from the final solution, I can search by Data model/Pivot. I checked the Enterprise Security dashboard, but it does not show anything that can be linked to this logs. I executed the dashboards searches manually, still shows no event matched. (| tstats...) Then I checked Data model acceleration status: ACCELERATION Rebuild Update Edit Status Building Access Count 0. Last Access: - Size on Disk 0 B Summary Range 31536000 second(s) Buckets 0 Updated 1/1/70 1:00:00.000 AM What couse the problem, how can I debug and fix it? This is the Malware data model, there are events with tag malware and attack. There are events with some action and dest fields to. Regards, István ... View more