Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jgedeon120
jgedeon120
Contributor
Member since:
09-13-2010
10-01-2024
Community Statistics
| Posts | 88 |
| Solutions | 11 |
| Karma Given | 1 |
| Karma Received | 33 |
| Member Since | 09-13-2010 |
Activity Feed
- Got Karma for Re: Why am I getting the error "You do not have the capability to add data. Please contact your administrator" when I try to add data?. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk Add-on for Unix and Linux: False positives for eventtype Failed_SU and how to correct this. 06-05-2020 12:48 AM
- Got Karma for Splunk Add-on for Unix and Linux: False positives for eventtype Failed_SU and how to correct this. 06-05-2020 12:48 AM
- Karma Re: Send multiple lines to nullQueue from XML file for MarioM. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk 4.3 upgrade question - disable?. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk 4.3 upgrade question - disable?. 06-05-2020 12:46 AM
- Got Karma for Re: Deleting Nessus app reports. 06-05-2020 12:46 AM
- Got Karma for Re: Deleting Nessus app reports. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Original submitting IP for syslog (514/udp) - lost or just hard to find?. 06-05-2020 12:46 AM
- Got Karma for Re: Scripted splunkforwarder deployment: FAILED: Error updating configuration.. 06-05-2020 12:46 AM
- Got Karma for Re: Redact syslog using Splunk?. 06-05-2020 12:46 AM
- Got Karma for Re: How to remove contents between tags in XML with regex?. 06-05-2020 12:46 AM
- Got Karma for Re: AD Authentication and Machine join domain. 06-05-2020 12:46 AM
- Got Karma for Re: Bro Splunk Integration. 06-05-2020 12:46 AM
- Got Karma for Re: splunkd is running but 8000 is disabled. 06-05-2020 12:46 AM
- Got Karma for Re: Will Splunk for Nagios work with Icinga?. 06-05-2020 12:46 AM
- Got Karma for Re: Send multiple lines to nullQueue from XML file. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 3 |
06-23-2016
09:47 AM
1 Karma
I was having this same issue. My issue was resolved by having an index that was not disabled on the host since it was an intermediate forwarder.
... View more
06-17-2016
04:57 AM
You should be fine installing the TA on 6.4 for the field extractions.
... View more
06-15-2016
01:39 PM
Done. Hopefully some of this can get fixed in the app. I'm not sure how it's gone this long without being corrected. 🙂
... View more
06-15-2016
01:38 PM
1 Karma
Updated the eventtype in the app:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
Updated the nix_vendor_actions.csv file with
+,success
-,failure
Created the following transform extraction:
[aix_su]
REGEX = (SU) \d{2}\/\d{2} \d{2}:\d{2} ([\+|\-]) (\S+) (\S+)-(\S+)
FORMAT = app::$1 vendor_action::$2 tty::$3 src_user::$4 user::$5
In the linux_secure sourcetype added:
REPORT-aix_su = aix_su
... View more
06-15-2016
06:51 AM
1 Karma
The current eventtype Failed_SU creates a large number of false positives for logs coming from /var/adm/sulog. The logs will always have a - between the src_user and the user. This is being picked up by the eventtype. To correct this, there needs to be spaces before and after the - between the quotes.
Current:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU "-") OR ("BAD SU ")
Updated:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
Also, the following could be used for the log messages field extractions and then update the nix_vendor_actions lookup table with:
+, success
-, failure
I use the following for the them as a transform extraction
[aix_su]
REGEX = (SU) \d{2}\/\d{2} \d{2}:\d{2} ([\+|\-]) (\S+) (\S+)-(\S+)
FORMAT = app::$1 vendor_action::$2 tty::$3 src_user::$4 user::$5
... View more
06-27-2014
12:27 PM
1 Karma
We use the Splunk universal forwarder to read the log files that we want to have in our Bro index.
... View more
05-23-2014
04:35 AM
1 Karma
Yes you can use AD LDAP authentication on a non domain server. The AD bind account that you set up will be the account that connects to your AD to authenticate users.
... View more
05-23-2014
04:34 AM
This all depends on what your Wireless access point logs. If you can share some a sample of the logs one may be able to tell you what the fields are or mean.
... View more
05-12-2014
09:45 AM
The known issues for 6.0.4 is still showing this issue, SPL-82389, as active and not fixed in 6.0.4.
... View more
04-20-2014
06:30 AM
1 Karma
<body>.+<\/body>|<cont>.+<\/cont>
A site that will help you test regex, http://www.regexr.com/
... View more
04-09-2014
02:50 PM
1 Karma
Yes you can do this. If you are collecting using a heavy forwarder to either read the log files you can do it there or with an intermediate forwarder. It needs to be the first Splunk Enterprise system that cooks the data.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Anonymizedatausingconfigurationfiles
... View more
03-26-2014
03:45 PM
It can be any Splunk Enterprise install but not a Splunk Universal forwarder.
... View more
03-26-2014
03:06 PM
1 Karma
$SPLUNK_HOME/bin/splunk enable webserver then restart splunk, if this is a splunk universal forwarder then there is no web interface.
... View more
08-17-2013
08:07 AM
Sounds like your system is being overloaded when the dashboard is loaded. If the install is on linux you can look to see how many searches are running, ps -ax | grep splunkd, also the top command will show you any load that is going on.
Another search I would also check your metrics.log for any blocked queues. Search for "blocked=true"
... View more
08-17-2013
07:37 AM
On the search head in $SPLUNKHOME/var/run/splunk/dispatch.
... View more
08-17-2013
07:33 AM
appender.A1.fileName=/var/log/splunk/splunkd.log, change to appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
You may want to look at other entries.
... View more
08-17-2013
07:30 AM
If you run $SPLUNK_HOME/bin/splunk monitor-list show the files being monitored? You can also check the logs on the UF to see if there are issues reported with reading the files.
... View more
07-19-2013
07:32 AM
Well then you will need to add another servers to the mix and one would be a Splunk master node. You will then be able to create index replication. You will not be able to use the indexers as a search head.
Looking at what you are trying to accomplish you should be looking at a Splunk 5 cluster.
... View more
07-19-2013
06:12 AM
You're using each indexer as a stand alone indexer search head. What do you want to sync? If it is the apps and users then you can mount those on an NFS mount.
... View more
07-19-2013
05:28 AM
Add the following and then add the field time to your table.
| convert ctime(_time) as time
Then set your search range for past seven days or specify the time range in the time range picker.
... View more
07-19-2013
05:08 AM
Yes it is possible but you will need to have the available license for it as you are indexing the data twice.
Set up you would set your forwarders to send data to both indexers in a non load balancing manner.
[tcpout]
defaultGroup = indexera,indexerb
[tcpout:indexera]
server = indexera:9997
[tcpout:indexerb]
server = indexerb:9997
... View more
07-11-2013
05:56 PM
3 Karma
You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.
We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.
... View more
03-15-2013
05:02 AM
1 Karma
Yrajah,
I reached out to the microsoft team yesterday and they are currently working on the issues. Hopefully it will be sometime soon. They did not give a date yet. You can subscribe to the app/project and be notified of updates.
... View more
03-07-2013
06:51 PM
1 Karma
Dark_Ichigo,
Take a look at the configuration file precedence. It will come in handy when trying to trouble shoot why something works for one user but not another.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles
Local folders are basically read before the defaults. Then what is set in the local files takes priority over the defaults. Think of it as a first in wins.
Example:
local/limits.conf
[thruput]
maxKBps = 512
defualt/limits.conf
[thruput]
maxKBps = 256
Your maxKBps is going to be 512, even though default says 256. It doesn't override it per-say, it ignores it because it is already set. Overriding something, something has to be set before it can be overridden. And with the order the config files are read/loaded, local conf files are before default conf files.
... View more
03-07-2013
06:38 PM
On the indexer set up rsyslog or syslog-ng and configure it to listen on tcp 2000 also configure syslog to write to files for the indexer to read those files. This is actually the preferred method over receiving on a port using Splunk.
It's not that hard to configure and you can also filter easier.
http://www.rsyslog.com/receiving-messages-from-a-remote-system/
You can then have multiple systems set syslog to that server and written to files to be monitored.
A basic example in syslog-ng receiving would be:
source s_net { tcp(port(2000)) };
filter f_filtername { set(filters_here); };
destination d_filterdest { file("/var/log/remote/$HOST/sourcetype/log.log"); };
log {
source(s_net);
filter(f_filtername);
destination(d_filterdest);
};
On the Splunk indexer the monitor example:
.../local/inputs.conf
[monitor:///var/log/*/sourcetype/log.log]
disabled = 0
sourcetype = your_sourcetype
host_segment = 3
index = your_index
... View more
