Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jgedeon120
jgedeon120
Contributor
Member since:
09-13-2010
06-05-2020
Community Statistics
| Posts | 88 |
| Solutions | 11 |
| Karma Given | 1 |
| Karma Received | 33 |
| Member Since | 09-13-2010 |
Activity Feed
- Got Karma for Re: Why am I getting the error "You do not have the capability to add data. Please contact your administrator" when I try to add data?. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk Add-on for Unix and Linux: False positives for eventtype Failed_SU and how to correct this. 06-05-2020 12:48 AM
- Got Karma for Splunk Add-on for Unix and Linux: False positives for eventtype Failed_SU and how to correct this. 06-05-2020 12:48 AM
- Karma Re: Send multiple lines to nullQueue from XML file for MarioM. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk 4.3 upgrade question - disable?. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk 4.3 upgrade question - disable?. 06-05-2020 12:46 AM
- Got Karma for Re: Deleting Nessus app reports. 06-05-2020 12:46 AM
- Got Karma for Re: Deleting Nessus app reports. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Syslog in a Cluster. 06-05-2020 12:46 AM
- Got Karma for Re: Original submitting IP for syslog (514/udp) - lost or just hard to find?. 06-05-2020 12:46 AM
- Got Karma for Re: Scripted splunkforwarder deployment: FAILED: Error updating configuration.. 06-05-2020 12:46 AM
- Got Karma for Re: Redact syslog using Splunk?. 06-05-2020 12:46 AM
- Got Karma for Re: How to remove contents between tags in XML with regex?. 06-05-2020 12:46 AM
- Got Karma for Re: AD Authentication and Machine join domain. 06-05-2020 12:46 AM
- Got Karma for Re: Bro Splunk Integration. 06-05-2020 12:46 AM
- Got Karma for Re: splunkd is running but 8000 is disabled. 06-05-2020 12:46 AM
- Got Karma for Re: Will Splunk for Nagios work with Icinga?. 06-05-2020 12:46 AM
- Got Karma for Re: Send multiple lines to nullQueue from XML file. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 3 |
06-23-2016
09:47 AM
1 Karma
I was having this same issue. My issue was resolved by having an index that was not disabled on the host since it was an intermediate forwarder.
... View more
06-17-2016
04:57 AM
You should be fine installing the TA on 6.4 for the field extractions.
... View more
06-15-2016
01:39 PM
Done. Hopefully some of this can get fixed in the app. I'm not sure how it's gone this long without being corrected. 🙂
... View more
06-15-2016
01:38 PM
1 Karma
Updated the eventtype in the app:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
Updated the nix_vendor_actions.csv file with
+,success
-,failure
Created the following transform extraction:
[aix_su]
REGEX = (SU) \d{2}\/\d{2} \d{2}:\d{2} ([\+|\-]) (\S+) (\S+)-(\S+)
FORMAT = app::$1 vendor_action::$2 tty::$3 src_user::$4 user::$5
In the linux_secure sourcetype added:
REPORT-aix_su = aix_su
... View more
06-15-2016
06:51 AM
1 Karma
The current eventtype Failed_SU creates a large number of false positives for logs coming from /var/adm/sulog. The logs will always have a - between the src_user and the user. This is being picked up by the eventtype. To correct this, there needs to be spaces before and after the - between the quotes.
Current:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU "-") OR ("BAD SU ")
Updated:
[Failed_SU]
search= (NOT sourcetype=stash) ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
Also, the following could be used for the log messages field extractions and then update the nix_vendor_actions lookup table with:
+, success
-, failure
I use the following for the them as a transform extraction
[aix_su]
REGEX = (SU) \d{2}\/\d{2} \d{2}:\d{2} ([\+|\-]) (\S+) (\S+)-(\S+)
FORMAT = app::$1 vendor_action::$2 tty::$3 src_user::$4 user::$5
... View more
06-27-2014
12:27 PM
1 Karma
We use the Splunk universal forwarder to read the log files that we want to have in our Bro index.
... View more
05-23-2014
04:35 AM
1 Karma
Yes you can use AD LDAP authentication on a non domain server. The AD bind account that you set up will be the account that connects to your AD to authenticate users.
... View more
05-23-2014
04:34 AM
This all depends on what your Wireless access point logs. If you can share some a sample of the logs one may be able to tell you what the fields are or mean.
... View more
05-12-2014
09:45 AM
The known issues for 6.0.4 is still showing this issue, SPL-82389, as active and not fixed in 6.0.4.
... View more
04-20-2014
06:30 AM
1 Karma
<body>.+<\/body>|<cont>.+<\/cont>
A site that will help you test regex, http://www.regexr.com/
... View more
04-09-2014
02:50 PM
1 Karma
Yes you can do this. If you are collecting using a heavy forwarder to either read the log files you can do it there or with an intermediate forwarder. It needs to be the first Splunk Enterprise system that cooks the data.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Anonymizedatausingconfigurationfiles
... View more
03-26-2014
03:45 PM
It can be any Splunk Enterprise install but not a Splunk Universal forwarder.
... View more
03-26-2014
03:06 PM
1 Karma
$SPLUNK_HOME/bin/splunk enable webserver then restart splunk, if this is a splunk universal forwarder then there is no web interface.
... View more
08-17-2013
08:07 AM
Sounds like your system is being overloaded when the dashboard is loaded. If the install is on linux you can look to see how many searches are running, ps -ax | grep splunkd, also the top command will show you any load that is going on.
Another search I would also check your metrics.log for any blocked queues. Search for "blocked=true"
... View more
08-17-2013
07:37 AM
On the search head in $SPLUNKHOME/var/run/splunk/dispatch.
... View more
08-17-2013
07:33 AM
appender.A1.fileName=/var/log/splunk/splunkd.log, change to appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
You may want to look at other entries.
... View more
08-17-2013
07:30 AM
If you run $SPLUNK_HOME/bin/splunk monitor-list show the files being monitored? You can also check the logs on the UF to see if there are issues reported with reading the files.
... View more
07-19-2013
07:32 AM
Well then you will need to add another servers to the mix and one would be a Splunk master node. You will then be able to create index replication. You will not be able to use the indexers as a search head.
Looking at what you are trying to accomplish you should be looking at a Splunk 5 cluster.
... View more
07-19-2013
06:12 AM
You're using each indexer as a stand alone indexer search head. What do you want to sync? If it is the apps and users then you can mount those on an NFS mount.
... View more
07-19-2013
05:28 AM
Add the following and then add the field time to your table.
| convert ctime(_time) as time
Then set your search range for past seven days or specify the time range in the time range picker.
... View more
