What version of Exchange (including Service Pack) and what version of Windows is it running on? How are you running the Universal Forwarder? (Domain User or System Local) Are there are logs in index=_internal sourec=*splunkd.log that pertain to the data input? ... View more

It certainly seems high for an organization your size, but not unprecedented. It really depends on what your organization is doing. With the Exchange app, you can now find out who is using the mail server. You may find a spammer or two with infected workstations. ... View more

Your hub transport logs and CAS logs likely span many days. If this is your first import, then the entire logs - including all historical data - was read. Wait until tomorrow, then look at your ingest rate. You can use the metrics.log file in index=_internal for this purpose. ... View more

Hi Nick - we're sorry you haven't been contacted yet. Let me jump on this today and I will get the relevant person back to you. ... View more

Thanks for your patience. We have recompiled SA-ldapsearch 1.1.12 with Java 1.7. If you re-download the SA-ldapsearch 1.1.12 (the latest at http://apps.splunk.com/app/1151), then you will get the updated version that works on Java 1.7 ... View more

I'll post an answer here with what we do. ... View more

This should not be required. I'll get it fixed. ... View more

I should additionally comment, this affects ONLY the rpm install - there are certain directories, including and under the etc/apps/framework directory that are installed with 555 permissions (i.e. no write access) by default. This does not affect the TGZ bundle, nor does it affect Windows or Mac installs. ... View more

Thanks for the bug report. I've filed it and will get into a future release. ... View more

Also, I suspect that the Message field has a certain format. View the event in the event viewer and then extract just the information you need and display that. I suspect the Device ID, Device Type and username are logged in there. The actual processing doesn't care what size the event is - only the display. ... View more

Agreed - in the prior fix, we picked out several fields that we knew were UTF8 and disregarded the base64encoding() requirement. However, that isn't good enough and we know it. ... View more

Unfortunately, this has become a "we need more information than can be provided in an answer" situation. There is just not enough information nor access to the environment to solve this here. ... View more

If you aren't allowed to use PowerShell, then this functionality is not available to you. ... View more

In order to collect the Windows Security Log, the user that is running the Universal Forwarder needs access to the registry that deals with the Security log. By default LOCAL SYSTEM and NETWORK SERVICE have this permission - everyone else needs to be given it. Note that if you install the Universal Forwarder as LOCAL SYSTEM, then, of course, you get to read the Windows Security Event Log by default. To ensure the proper permissions: Add the user to the Event Log Readers local group Give the user read/write permissions to the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security Both of these things need to be done for a process to read the Security log. Given that other event logs work, I suspect the former is done but not the latter. ... View more

Your best bet for this is to create a lookup with the associated accounts in it. Create a table with the account name and the associated account. You should have a CSV file that looks like this: src_nt_domain,src_user,assoc_user XXX,Sara,Sara1 XXX,Sara,Sara2 XXX,Tom,Tom87 Whatever is appropriate to your environment. You can do this with an ldapsearch: |ldapsearch domain=XXX search="(&(objectClass=user)(!(objectclass=computer)))" attrs="sAMAccountName" | rename sAMAccountName as assoc_user | eval isAssoc=if(match(assoc_user,"\d+$"),1,0) | where isAssoc=1 | rex field=assoc_user "^(?<src_user>.*?)\d+$" | eval src_nt_domain=XXX | table src_nt_domain,src_user,assoc_user | outputlookup associated_users.csv Now, with that lookup, you can do what you want: sourcetype=WinEventLog:Security (EventCode=629 OR EventCode=4725) | lookup associated_users src_nt_domain,src_user OUTPUT assoc_user | ldapfilter domain=$src_nt_domain$ search="(sAMAccountName=$assoc_user$)" attrs="userAccountControl" | where userAccountControl!="*DISABLE*" | stats values(assoc_user) by src_nt_domain,src_user What you will get is a table with the domain and username of the newly-disabled user and the list of associated accounts that have not been disabled yet. (Note: search commands have not been verified independently, since I don't have your environment) ... View more

You can only find out the list of hosts that is being used - not the exact one. This is because of the underlying library we use. We tell it to use the list of hosts and it picks one (based on the speed of connection). ... View more

This is a basic "no data is being collected" problem. Either (a) the audit information is not being collected or (b) the PowerShell scripts are not being run. Go back and check which data sources are not being collected and concentrate on those. Some are Security logs and some are PowerShell output. Unfortunately, you have not provided any information about what CSV files, what data, what your tests have so far been. Thus, I can only provide generalized information. ... View more

The powershell addon lives on the universal forwarders. ... View more