We're attempting to ingest from ELK servers into Splunk using ELK -> HEC, but are having difficulties getting past ssl. Due to FW constraints, we're only able to send to one heavy forwarder on port 8088, which already has ssl enabled. We don't have certificate validation enabled. The data is going to be coming in from a company that we've purchased, so they're not on our domain, and I'm not certain if their root ca cert is in effect in our domain, nor certain if that matters here. They are sending using the following structure: http_method => "put" format => "json" url => https://nattdip:8088/services/collector headers => {"Authorization" =>"Bearer d****d-9f84-4a3a-a9fd-6*******e"} content_type => "application/json" We've tried both put and post as the method, and they get the same error: [HTTP Output Failure] Could not fetch URL {:url=>"https://nattdip:8088/services/collector", :method=>:post, I see the following in my _internal log: 08-28-2018 15:45:13.287 -0400 WARN HttpListener - Socket error from sourceip while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown We've added their rootca to our pem file that Splunk is using to protect web & hec, but get same error. Any suggestions would be great. Thanks very much. ... View more

I'm trying to ingest historical Windows security event logs from Nitro into Splunk. The event fields are delimited by a double-pipe. I'm green on creating a transforms that will deal with this data, and would love some input. An example event is shown below: 2017 Feb 28 23:57:31,172.30.66.143||Security||4094031727||Microsoft-Windows-Security-Auditing||4656||61||1488344058||4||DCNDCDNSFF01.domain.dev||||File System||16||S-1-5-18||DCNDCDNSFF01$||domain||0x3e7||Security||File||C:\Windows\Boot\PCAT||0x154||{00000000-0000-0000-0000-000000000000}||%25%251538%0D %09%09%09%09%25%251539%0D %09%09%09%09%25%251540%0D %09%09%09%09%25%251542%0D %09%09%09%09||%25%251538:%09%25%251804%0D %09%09%09%09%25%251539:%09%25%251804%0D %09%09%09%09%25%251540:%09%25%251801%09SeTakeOwnershipPrivilege%0D %09%09%09%09%25%251542:%09%25%251801%09SeSecurityPrivilege%0D %09%09%09%09||0x10e0000||SeSecurityPrivilege%0D %09%09%09SeTakeOwnershipPrivilege||0||0x208||C:\Windows\System32\services.exe||A handle to an object was requested.%0D %0D Subject:%0D %09Security ID:%09%09S-1-5-18%0D %09Account Name:%09%09DCNDCDNSFF01$%0D %09Account Domain:%09%09domain%0D %09Logon ID:%09%090x3e7%0D %0D Object:%0D %09Object Server:%09%09Security%0D %09Object Type:%09%09File%0D %09Object Name:%09%09C:\Windows\Boot\PCAT%0D %09Handle ID:%09%090x154%0D %0D Process Information:%0D %09Process ID:%09%090x208%0D %09Process Name:%09%09C:\Windows\System32\services.exe%0D %0D Access Request Information:%0D %09Transaction ID:%09%09{00000000-0000-0000-0000-000000000000}%0D %09Accesses:%09%09READ_CONTROL%0D %09%09%09%09WRITE_DAC%0D %09%09%09%09WRITE_OWNER%0D %09%09%09%09ACCESS_SYS_SEC%0D %09%09%09%09%0D %09Access Reasons:%09%09READ_CONTROL:%09Granted by Ownership%0D %09%09%09%09WRITE_DAC:%09Granted by Ownership%0D %09%09%09%09WRITE_OWNER:%09Granted by%09SeTakeOwnershipPrivilege%0D %09%09%09%09ACCESS_SYS_SEC:%09Granted by%09SeSecurityPrivilege%0D %09%09%09%09%0D %09Access Mask:%09%090x10e0000%0D %09Privileges Used for Access Check:%09SeSecurityPrivilege%0D %09%09%09SeTakeOwnershipPrivilege%0D %09Restricted SID Count:%090 I've created a sourcetype, winevent:sec:archive, and on ingesting the events into my local splunk instance, a single pipe, |, seems to break the fields up, while a double pipe just shows the time field, and no other fields, telling me that splunk doesn't like a double-pipe delimiter. FWIW, here's the props I've got, but I need help setting up the transforms with field names, of which I have most of them. [wineventlog:sec:archive] DATETIME_CONFIG = FIELD_DELIMITER = | HEADER_FIELD_DELIMITER = | INDEXED_EXTRACTIONS = psv KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Structured description = Pipe-separated value format. Set header and other settings in "Delimited Settings" disabled = false pulldown_type = true I hope this question makes sense. I'd appreciate any help you can provide. Thanks. ... View more

Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directory, then divvied up by host name, so /var/log/syslog/PaloAlto/host1/host1-PaloAlto.log, etc. Host 1 is showing the correct date in the event that matches the log 13:49:48,010108000857,TRAFFIC,end,1,2017/08/28 13:49:48,172.30.69.194,172.30.5.69,0.0.0.0,0.0.0.0,DC_Dea_Any,,,tanium,vsys3,DC_DEA_TRUSTED,DC_DEA_UNTRUSTED,ethernet6/4.1028,ethernet6/3.1028,Log_Fwd_PA-7050,2017/08/28 13:49:48,1343232963,1,54123,17472,0,0,0x5e,tcp,allow,3133,893,2240,14,2017/08/28 13:49:29,17,any,0,0,0x0,172.16.0.0-172.31.255.255,172.16.0.0-172.31.255.255,0,9,5,tcp-fin,43,0,0,0,DC-DEA,host1,from-policy 8/28/17 1:49:48.010 PM while host 2 is showing 13:49:49,007801000317,TRAFFIC,end,0,2017/08/28 13:49:28,204.76.30.253,172.217.2.46,0.0.0.0,0.0.0.0,PUBLIC_TO_INTERNET,,,google-analytics,vsys10,IPS_IN,IPS_IN,ethernet1/1,ethernet1/1,Log_Fwd,2017/08/28 13:49:28,120421,1,57690,443,0,0,0x53,tcp,allow,6609,1706,4903,17,2017/08/28 13:46:38,168,computer-and-internet-info,0,31998418668,0x8000000000000000,United States,United States,0,9,8,tcp-fin,892,0,0,0,IPS_TEST,host2,from-policy,,,0,,0,,N/A 8/2/17 1:49:49.007 PM We're uncertain how long this has been going on. I've added the following props for the sourcetype, but it's had no effect: [pan:traffic] DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %Y/%m/%d %H:%M:%S TIME_PREFIX = \S+\,\S+\,\S+\,\S+\,\S+\, category = Custom pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 19 I tried it without the timestamp_lookahead, but no change. Any help here would be appreciated. ... View more

I've got the Splunk_TA_nix app installed on all of my *nix servers, and only want to get top, ps and vmstat from certain servers. I copied the Splunk_TA_nix app to a new app, copied over the inputs that I wanted and deployed to that server. I'm not getting those sourcetypes from a search on that server, and a skim of splunkd on that server shows: 08-08-2017 15:30:52.479 -0400 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix/bin/ps.sh], ignoring alternate expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix_DHIS/bin/ps.sh] in inputs.conf 08-08-2017 15:30:52.479 -0400 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix/bin/top.sh], ignoring alternate expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix_DHIS/bin/top.sh] in inputs.conf 08-08-2017 15:30:52.479 -0400 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix/bin/vmstat.sh], ignoring alternate expansion [script:///opt/splunk/etc/apps/Splunk_TA_nix_DHIS/bin/vmstat.sh] in inputs.conf What am I doing wrong here? Thanks. ... View more

Running a 2 site indexer cluster configuration, with 2 search head clusters. Site 1 shows a search head with the following error: Search peer site1sh08u has the following message: Bundle Replication: Problem replicating config (bundle) to search peer ' 172.30.63.42:8089 ', error while transmitting bundle data. Site 2 is showing the following error: Search peer site2sh01u has the following message: Bundle Replication: Problem replicating config (bundle) to search peer ' 172.31.133.16:8089 ', got http response code 401 HTTP/1.1 401 Unauthorized. Search peer site2sh01u has the following message: Bundle Replication: Problem replicating config (bundle) to search peer ' 172.31.133.17:8089 ', got http response code 401 HTTP/1.1 401 Unauthorized. Search peer site2sh01u has the following message: Bundle Replication: Problem replicating config (bundle) to search peer ' 172.31.133.18:8089 ', got http response code 401 HTTP/1.1 401 Unauthorized. What authentication is the message from site 2 referring to? Where can I find more information about these messages? ... View more