Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About BRFZ
BRFZ
Communicator
Member since:
03-26-2024
06-09-2025
Community Statistics
| Posts | 63 |
| Solutions | 0 |
| Karma Given | 26 |
| Karma Received | 1 |
| Member Since | 03-26-2024 |
Activity Feed
- Posted Log retention with archiving in Splunk for a specific index on Getting Data In. 05-22-2025 01:31 AM
- Posted Re: SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-28-2025 01:46 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for PickleRick. 03-28-2025 01:44 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:44 AM
- Posted Re: SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-24-2025 05:47 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-24-2025 05:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for livehybrid. 03-24-2025 05:45 AM
- Posted SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-24-2025 04:23 AM
- Posted Enterprise security app on Splunk Enterprise Security. 03-21-2025 07:12 AM
- Posted Splunk log retention on Splunk Enterprise. 03-13-2025 03:53 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-21-2025 05:13 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-10-2025 02:49 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-09-2025 07:50 AM
- Posted SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Tagged SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Tagged SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Posted Re: How to secure the Splunk platform with SSL on Deployment Architecture. 01-02-2025 01:15 AM
- Karma Re: How to secure the Splunk platform with SSL for isoutamo. 01-02-2025 01:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-12-2024
05:21 AM
Hello, I have a distributed Splunk architecture with a single search head, two indexers, and management tier : License Master, Monitoring Console, and Deployment Server, in addition to the forwarders. SSL has already been configured for the web interfaces, but I would now like to secure the remaining components and establish SSL-encrypted connections between them as well. The certificates we are using are self-generated. Could you please guide me on how to proceed with securing all internal communications in this setup? Specifically, I would like to know if I should auto-generate a new certificate for each component and each connection or if there’s an efficient way to manage SSL across the entire environment. Thank you in advance for your help!
... View more
- Tags:
- certificate
- ssl
- tls
Labels
10-14-2024
07:27 AM
Hi, I encountered an issue where my indexer disconnected from the search head (SH), and similarly, the SH and indexer1 disconnected from the deployment server and license master. I keep receiving the following error message: Error [00000010] Instance name "A.A.A.A:PORT" Search head's authentication credentials rejected by peer. Try re-adding the peer. Last Connect Time: 2024-10-14T16:23:23.000+02:00; Failed 5 out of 5 times. I've tried re-adding the peer but the issue persists. Does anyone have suggestions on how to resolve this? Thanks in advance!
... View more
10-08-2024
12:08 AM
Hi Splunk Community, I’ve generated self-signed SSL certificates and configured them in web.conf, but they don't seem to be taking effect. Additionally, I am receiving the following warning message when starting Splunk: WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Could someone please help me resolve this issue? I want to ensure that Splunk uses the correct SSL certificates and that the hostname validation works properly.
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
09-18-2024
07:30 AM
Hello, I am responsible for providing self-signed SSL certificates for Splunk servers. Could you guide me, considering that I am working in a distributed architecture consisting of SH, 2 INDEXERS plus a server handling DS, and forwarders? How many certificates will I need to generate, and do the forwarders also require SSL certificates? If possible, I would greatly appreciate it if you could provide any relevant documentation to assist me in this process. Best regards,
... View more
- Tags:
- certificate
- https
- ssl
Labels
09-13-2024
05:08 AM
Hello @gcusello, Is this not achievable via a search, please? Best regards,
... View more
09-13-2024
03:22 AM
Hello, Could you please provide guidance on how to retrieve the daily quantity of logs per host? Specifically, I am looking for a method or query to get the amount of logs generated each day, broken down by host. Best regards,
... View more
Labels
08-29-2024
08:03 AM
Hello, I am currently working on project that involves integrating Splunk with Azure Virtual Desktop (AVD). Could you please provide me with any available documentation or resources that detail the process or best practices for this integration? Any guidance or links to relevant materials would be greatly appreciated. Thank you in advance for your assistance. Best regards,
... View more
08-26-2024
01:45 AM
Hello, I've noticed that the application is marked as archived and unsupported. When I try to download it from your link, I receive the following message: "Archived apps are unsupported. These apps were removed from Splunkbase or archived by the developer. Splunk does not provide support for these apps."
... View more
08-26-2024
01:32 AM
Hello, I need to collect logs from a firewall Stormshield. Do you have any suggestions on how to gather these logs, or is there a specific add-on available for this purpose? Thank you in advance.
... View more
08-19-2024
07:13 AM
For example, in some events, we have the IP address, while in others, we just see a dash ("-") or 0, even for the same event ID. Exemple : <Event xmlns=' http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID> 4624 </EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/><EventRecordID>412598</EventRecordID><Correlation/><Execution ProcessID='192' ThreadID='210980'/><Channel>System</Channel> <Computer>TEST</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S18</Data><Data Name='SubjectUserName'>BOB</Data><Data Name='SubjectDomainName'>GOZ</Data><Data Name='SubjectLogonId'>x0</Data><Data Name='TargetUserSid'>s20</Data><Data Name='TargetUserName'>BOBT</Data><Data Name='TargetDomainName'>TESTTGT</Data><Data Name='TargetLogonId'>x0</Data><Data Name='LogonType'>x</Data><Data Name='LogonProcessName'>usr </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>tst</Data><Data Name='LogonGuid'>{845152}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>mspam</Data><Data Name='ProcessName'>test.ee</Data><Data Name='IpAddress'>x.x.x.x</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>mlmpknnn</Data><Data Name='TargetOutboundUserName'>-</Data><Data </EventData></Event> In this example, it's related to the IP address and port. In some cases, we have a specific IP address, while in others, it's just a dash ("-"). Similarly, for the port, sometimes it shows a dash ("-"), and other times it shows a 0, or sometimes the port is correctly specified.
... View more
08-19-2024
05:36 AM
Hello @gcusello, The missing data includes certain event IDs that don’t appear at all, and there are also instances where information is incomplete. For example, several fields are filled with dashes ("-"), indicating a lack of information.
... View more
08-19-2024
03:00 AM
Hello everyone, I installed and configured the Splunk Forwarder on a machine. While the logs are being forwarded to Splunk, I’ve noticed that some data is missing from the logs that are coming through. Could this issue be related to specific configurations that need to be adjusted on the forwarder, or is it possible that the problem is coming from the machines themselves? If anyone has experienced something similar or has insights on how to address this, I would greatly appreciate your advice. Thank you in advance for your help! Best regards,
... View more
07-29-2024
01:00 AM
Hello @yuanliu, Yes, but often I encounter events like this (just an example) 01/01/2014 11:10:38 AM LogName=Security EventCode=4625 EventType=0 ComputerName=TestY SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=2746 Keywords=Échec de l’audit TaskCategory=Ouverture de session OpCode=Informations Message= Echec d'ouverture de session d'un compte. Sujet : ID de sécurité : S-0 Nom du compte : - Domaine du compte : - ID d’ouverture de session : 0x0 Type d’ouverture de session : 3 Compte pour lequel l’ouverture de session a échoué : ID de sécurité : S-0 Nom du compte : Albert Domaine du compte : - When I try to display the logs in statistics, it shows one event with a user (-) and another event with a user (Albert), even though it is a single event. This happens because it extracts the account name in the "Subject" section and also in the "Logon Type" section. Regarding your question, for the conversion to XML, no, I just modified the configuration by adding 'renderXml=1'
... View more
07-26-2024
12:46 AM
@yuanliuPlease find below an example when logs are generated in French, which causes issues during field extraction. This is why I converted them to XML to see if it could resolve the language problem. Do you have any other solutions to this issue, please? 04/29/2014 02:50:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=sacreblue
TaskCategory=Ouverture de session spéciale
OpCode=Informations
RecordNumber=2746
Keywords=Succès de l'audit
Message=Privilèges spéciaux attribués à la nouvelle ouverture de session.
Sujet :
ID de sécurité : AUTORITE NT\Système
Nom du compte : Système
Domaine du compte : AUTORITE NT
ID d'ouverture de session : 0x3e7
Privilèges : SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
... View more
07-24-2024
02:50 AM
@PickleRickno, the installation architecture is a distributed, non-clustered deployment, and I do not use a HF.
... View more
07-24-2024
01:14 AM
@PickleRickcould you share some documentation on this ? Or is it enough to add this in the sourcetypes configuration in the inputs configuration file, if I'm not mistaken ?
... View more
07-24-2024
12:45 AM
@richgalloway I am trying to extract them using RegEx. I select the event, choose Action, the Extract Fields, and select the method of extraction by regular expression.
... View more
07-24-2024
12:37 AM
@yuanliu Yes, I had to convert them to XML, so that I could extract the fields I needed. The logs are in French, and I was having issues parsing them
... View more
07-23-2024
07:36 AM
Hello @richgalloway Here is an example (not complete), but for instance, when I try to extract the event ID, the user 'bob', and the time, I cannot do it for everything. Moreover, it doesn't extract from all events, so I try to do it manually, and it shows me another error. { <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/><EventRecordID>412598</EventRecordID><Correlation/><Execution ProcessID='192' ThreadID='210980'/><Channel>System</Channel> <Computer>TEST</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S18</Data><Data Name='SubjectUserName'>BOB</Data><Data Name='SubjectDomainName'>GOZ</Data><Data Name='SubjectLogonId'>x0</Data><Data Name='TargetUserSid'>s20</Data><Data Name='TargetUserName'>BOBT</Data><Data Name='TargetDomainName'>TESTTGT</Data><Data Name='TargetLogonId'>x0</Data><Data Name='LogonType'>x</Data><Data }
... View more
07-23-2024
07:00 AM
Hello, While parsing the logs, I'm trying to extract fields, but at some point, I receive the following message "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings." Even when I try to highlight the fields that it fails to extract, I get the same message. Could this issue be related to the configuration file "limits.conf"
... View more
Labels
- Labels:
-
field extraction
-
fields
-
regex
-
rex
07-22-2024
08:07 AM
Hello, I installed the forwarder on a Windows machine, and during the installation, I selected the Windows performance monitor to collect performance data. However, I am not sure where to find this data in Splunk or which on default index it is stored in.
... View more
Labels
07-19-2024
02:11 AM
Hello, Would it be possible to create a dashboard where we can receive alerts directly ?
... View more
Labels
- Labels:
-
Dashboard Studio
07-11-2024
05:57 AM
Hello @gcusello , I don't want to specify a particular index for each sourcetype, but I do want the host to send these logs to a specific index. The sourcetypes I have include WinEventLog:Security, WinEventLog:System, WinEventLog:Application et ActiveDirectory Monitoring.
... View more
07-11-2024
05:26 AM
Hello, I have successfully configured the Splunk Universal Forwarder on a Windows machine to send WinEventLog: System, Security, and Application logs to a specific index. Now, I need to include logs from sourcetype = 'ActiveDirectory'. Could you please guide me through the necessary steps to specify the index for Active Directory logs in the configuration files inputs.conf [WinEventLog://Application]
disabled=0
index = test
... View more
Labels
- Labels:
-
index
-
indexer
-
sourcetype
-
universal forwarder
07-04-2024
02:55 AM
Hello, I want to collect logs from a machine that is set to French. Consequently, the logs are generated in French, making parsing them difficult. Is it possible to collect logs from the machine in English while keeping the machine's language set to French ?
... View more
Labels
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-09-2025
06:51 AM
|
Karma given to
