About atyshke1

atyshke1 · ‎11-30-2018

Maybe, but it's works fine. I had no idea how can we did it another way

atyshke1 · ‎11-30-2018

Yeah, but where I can get the UF in zip format? How can I did it before: I installed one UF, then copy folder from Program Files to Desktop, remove this UF, then install second and Launched it then copy previous folder from desktop to back Program Files and then create a services previous UF. So that I have two installed and configured Splunk UF. But how can I update it now only the second UF?

atyshke1 · ‎11-30-2018

We use to UFs because one UF send the specific logs for outside department and we can not administrate Splunk which use this department. The second UF sends to our Splunk which we can administrate I mean that need to be updated the UF to a newest version.

atyshke1 · ‎11-30-2018

Hi All, I have two UF agents on the servers. One of them installed through Windows Installer, the second I unpackeged and installed by myself. So the question is How can I update the UF only one and which has not been installed by Windows Installer?

atyshke1 · ‎11-30-2018

So the error was because I used script file: runbase.path with the same name for two application. We need use different name for each application. For example for App1 we need use name runbase_App1.path for second App2 name runbase_App2.path and so on..

atyshke1 · ‎11-30-2018

I found... Need open a psm1 script: C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\bin\Common.psm1 Find code: function Get-SQLDatabases { [CmdletBinding()] Param( [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] $Instance ) PROCESS { foreach ($i in $Instance) { $s = New-Object('Microsoft.SqlServer.Management.Smo.Server') $i.ServerInstance $s.Databases | %{ $DB = New-Object PSObject $DB | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name $DB | Add-Member -MemberType NoteProperty -Name ID -Value $_.ID $DB | Add-Member -MemberType NoteProperty -Name DatabaseGuid -Value $_.DatabaseGuid $DB | Add-Member -MemberType NoteProperty -Name DatabaseOwnershipChaining -Value $_.DatabaseOwnershipChaining $DB | Add-Member -MemberType NoteProperty -Name Parent -Value $_.Parent $DB | Add-Member -MemberType NoteProperty -Name CompatibilityLevel -Value $_.CompatibilityLevel $DB | Add-Member -MemberType NoteProperty -Name DboLogin -Value $_.DboLogin $DB | Add-Member -MemberType NoteProperty -Name DefaultSchema -Value $_.DefaultSchema $DB | Add-Member -MemberType NoteProperty -Name EncryptionEnabled -Value $_.EncryptionEnabled $DB | Add-Member -MemberType NoteProperty -Name LastBackupDate -Value $_.LastBackupDate $DB | Add-Member -MemberType NoteProperty -Name LastDifferentialBackupDate -Value $_.LastDifferentialBackupDate $DB | Add-Member -MemberType NoteProperty -Name LastLogBackupDate -Value $_.LastLogBackupDate $DB | Add-Member -MemberType NoteProperty -Name Owner -Value $_.Owner $DB | Add-Member -MemberType NoteProperty -Name PrimaryFilePath -Value $_.PrimaryFilePath $DB | Add-Member -MemberType NoteProperty -Name ReadOnly -Value $_.ReadOnly $DB | Add-Member -MemberType NoteProperty -Name Version -Value $_.Version $DB | Add-Member -MemberType NoteProperty -Name Urn -Value $_.Urn # Work out what mount point the PrimaryFilePath is on $LVM = [IO.Directory]::GetDirectoryRoot($_.PrimaryFilePath).TrimEnd("\") $DB | Add-Member -MemberType NoteProperty -Name LogicalDisk -Value $LVM # Add in relevant information from the instance $DB | Add-Member -MemberType NoteProperty -Name ServerInstance -Value $i.ServerInstance # Add in information about AutoShrink / AutoGrow if ($_.FileGroups -eq $Null -or $_.FileGroups[0] -eq $Null -or $_.FileGroups[0].Files -eq $Null) { $DB | Add-Member -MemberType NoteProperty -Name AutoShrink -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name Warning -Value "SQL Authentication Issues" } else { $DB | Add-Member -MemberType NoteProperty -Name AutoShrink -Value $_.DatabaseOptions.AutoShrink $FileGroup = $_.FileGroups[0].Files[0] if ($FileGroup.Growth -ne $Null -and $FileGroup.Growth -gt 0) { $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value $true [string] $g = "{0} {1}" -f $FileGroup.Growth,$FileGroup.GrowthType $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value $g } else { $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value $false $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value "" } } # Calculate the checksum at this point [string]$Checksum = Get-Checksum -Object $DB # Add in the extra fields for non-checksum items $DB | Add-Member -MemberType NoteProperty -Name Size -Value $_.Size $DB | Add-Member -MemberType NoteProperty -Name Status -Value $_.Status $DB | Add-Member -MemberType NoteProperty -Name State -Value $_.State $DB | Add-Member -MemberType NoteProperty -Name SpaceAvailable -Value $_.SpaceAvailable $DB | Add-Member -MemberType NoteProperty -Name ActiveConnections -Value $_.ActiveConnections #$DB | Add-Member -MemberType NoteProperty -Name DataSpaceUsage -Value $_.DataSpaceUsage #$DB | Add-Member -MemberType NoteProperty -Name IndexSpaceUsage -Value $_.IndexSpaceUsage # Add in the Checksum $DB | Add-Member -MemberType NoteProperty -Name Checksum -Value $Checksum Write-Output $DB } } } } and instead this code to my: function Get-SQLDatabases { [CmdletBinding()] Param( [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] $Instance ) PROCESS { foreach ($i in $Instance) { $s = New-Object('Microsoft.SqlServer.Management.Smo.Server') $i.ServerInstance $s.Databases | %{ $DB = New-Object PSObject $DB | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name $DB | Add-Member -MemberType NoteProperty -Name ID -Value $_.ID $DB | Add-Member -MemberType NoteProperty -Name DatabaseGuid -Value $_.DatabaseGuid $DB | Add-Member -MemberType NoteProperty -Name DatabaseOwnershipChaining -Value $_.DatabaseOwnershipChaining $DB | Add-Member -MemberType NoteProperty -Name Parent -Value $_.Parent $DB | Add-Member -MemberType NoteProperty -Name CompatibilityLevel -Value $_.CompatibilityLevel $DB | Add-Member -MemberType NoteProperty -Name DboLogin -Value $_.DboLogin $DB | Add-Member -MemberType NoteProperty -Name DefaultSchema -Value $_.DefaultSchema $DB | Add-Member -MemberType NoteProperty -Name EncryptionEnabled -Value $_.EncryptionEnabled $DB | Add-Member -MemberType NoteProperty -Name LastBackupDate -Value $_.LastBackupDate $DB | Add-Member -MemberType NoteProperty -Name LastDifferentialBackupDate -Value $_.LastDifferentialBackupDate $DB | Add-Member -MemberType NoteProperty -Name LastLogBackupDate -Value $_.LastLogBackupDate $DB | Add-Member -MemberType NoteProperty -Name Owner -Value $_.Owner $DB | Add-Member -MemberType NoteProperty -Name PrimaryFilePath -Value $_.PrimaryFilePath $DB | Add-Member -MemberType NoteProperty -Name ReadOnly -Value $_.ReadOnly $DB | Add-Member -MemberType NoteProperty -Name Version -Value $_.Version $DB | Add-Member -MemberType NoteProperty -Name Urn -Value $_.Urn If ($DB.Name -ne "tempdb"){ # Work out what mount point the PrimaryFilePath is on $LVM = [IO.Directory]::GetDirectoryRoot($_.PrimaryFilePath).TrimEnd("\") $DB | Add-Member -MemberType NoteProperty -Name LogicalDisk -Value $LVM # Add in relevant information from the instance $DB | Add-Member -MemberType NoteProperty -Name ServerInstance -Value $i.ServerInstance # Add in information about AutoShrink / AutoGrow if ($_.FileGroups -eq $Null -or $_.FileGroups[0] -eq $Null -or $_.FileGroups[0].Files -eq $Null) { $DB | Add-Member -MemberType NoteProperty -Name AutoShrink -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value "!ERROR" $DB | Add-Member -MemberType NoteProperty -Name Warning -Value "SQL Authentication Issues" } else { $DB | Add-Member -MemberType NoteProperty -Name AutoShrink -Value $_.DatabaseOptions.AutoShrink $FileGroup = $_.FileGroups[0].Files[0] if ($FileGroup.Growth -ne $Null -and $FileGroup.Growth -gt 0) { $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value $true [string] $g = "{0} {1}" -f $FileGroup.Growth,$FileGroup.GrowthType $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value $g } else { $DB | Add-Member -MemberType NoteProperty -Name AutoGrow -Value $false $DB | Add-Member -MemberType NoteProperty -Name AutoGrowSetting -Value "" } } # Calculate the checksum at this point [string]$Checksum = Get-Checksum -Object $DB # Add in the extra fields for non-checksum items $DB | Add-Member -MemberType NoteProperty -Name Size -Value $_.Size $DB | Add-Member -MemberType NoteProperty -Name Status -Value $_.Status $DB | Add-Member -MemberType NoteProperty -Name State -Value $_.State $DB | Add-Member -MemberType NoteProperty -Name SpaceAvailable -Value $_.SpaceAvailable $DB | Add-Member -MemberType NoteProperty -Name ActiveConnections -Value $_.ActiveConnections #$DB | Add-Member -MemberType NoteProperty -Name DataSpaceUsage -Value $_.DataSpaceUsage #$DB | Add-Member -MemberType NoteProperty -Name IndexSpaceUsage -Value $_.IndexSpaceUsage # Add in the Checksum $DB | Add-Member -MemberType NoteProperty -Name Checksum -Value $Checksum Write-Output $DB } } } } } So we need add additional expression which help us exclude check tempdb. I use this code 2 months and it's works fine for me.

atyshke1 · ‎10-29-2018

I found a screpts which call blocks in SQL: 1. [powershell://Databases] 2. [powershell://DBInstances] Could you help me to find, what in this powershell block acount System in SQL?

atyshke1 · ‎10-24-2018

Many thanks!

atyshke1 · ‎10-24-2018

I want install UF through command line use bat or VBS script. If I will use .msi I need enter some parameters of installation. But I think If I use zip I can create an ini file for installation.

atyshke1 · ‎10-24-2018

How about a Windows version?

atyshke1 · ‎10-24-2018

Hello! Could you help me to find zip package of UF 7.2.0??? Where Can I download it?

atyshke1 · ‎10-16-2018

Hi After deployed TA-SQLServer I can see many errors in temp.db at all sql servers. Account SYSTEM which I use as per documentation splunk: "Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security ->Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user sysadmin Server Role. Apply the change and restart your Splunk service. Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)" The error is: How I understand when splunk try to check capacity of database, tranaction and etc. he is lock and use in monopoly mode because of this our application can't read or write a date from databases. How can we fix monopoly mode for splunk scripts?

atyshke1 · ‎10-11-2018

Got it. Thank you very much for gave me right way 🙂 I just need use this one: index="wineventlog" | rex "\s+server_principal_name:(?<server_principal_name>.*)" | stats count by server_principal_name | replace "*\\*" with "*\\\\*" in server_principal_name

atyshke1 · ‎10-11-2018

I tried in search this one: index="wineventlog" | rex "\s+server_principal_name:(?<server_principal_name>.*)" | stats count by server_principal_name | replace "\\" with "\\\\" in server_principal_name But it doesn't replace one symbol "\" on two "\"

atyshke1 · ‎10-11-2018

How can I use replace in code? I didn't get you. This search code: index="wineventlog" host=$EventHost$ | rex "\s+server_principal_name:(?<server_principal_name>.*)" | stats count by server_principal_name finding and filling dropdown. When I select from this dropdown menu it automatically inserted in search and looks.

atyshke1 · ‎10-11-2018

Hello Dear Team, I'm having some trouble. I created a dropdown menu and this menu fulling from search: index="wineventlog" host=$EventHost$ | rex "\s+server_principal_name:(?<server_principal_name>.*)" | stats count by server_principal_name The search is ok. When I select from the dropdown menu account with a name that doesn't contain "\" (for example account name: $first0ne), the search works fine. But when I try to select an account with a domain name like FOEU\$ahhfty, the search doesn't work. I understand that the reason why the search doesn't work is because the dropdown was put into search row "server_principal_name:$server_principal_name$" value with one "\" but needed to be inserted in search with two symbols "\": source="WinEventLog:App*" index="wineventlog" host="*" server_principal_name:$server_principal_name$ | bin _time span=1d | rex "\s+server_principal_name:(?<server_principal_name>.*)" | rex "statement:(?<statement>.*)" | rex "target_server_principal_name:(?<target_server_principal_name>.*)" | rex "event_time:(?<Event_time>\S+\s\w+:\w+:\w+)" | rename host as Host statement as Statement, server_principal_name as Account, target_server_principal_name as "Target Account" Event_time as "Event Time" | stats sparkline as "Magnitude Trend" count as Count by Host, Statement, Account, "Target Account", "Event Time" How can I add an additional "\" into the search code that has a value for search like "FOEU\$ahhfty" ?

atyshke1 · ‎10-10-2018

In your search your have replaced the where command with | where mvcount(MemberName)<2 and since the MemberName field is unique the filter does not work. Replace this with the original | where mvcount(EventCode)<2 and it should work fine. Yeah, yeah you are right Thank you very much for excellent help! I use the next code and it seems works fine: source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 OR EventCode=4733 | rex field=_raw "Message=(?\S+.*)" | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?\S+.*)" | rex field=_raw "Member:\s+Security ID:\s+(?\S+.*)" | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?\S+.*)" | transaction host MemberName | where mvcount(EventCode)<2 | fieldformat Date=strftime(Date,"%x %X") | table host, EventCode, Descript, UserName, MemberName, GName, _time | rename host as Host EventCode as "Event Code" MemberName as "Member Name" GName as "Local Group" _time as Date Descript as Description UserName as CDSID

atyshke1 · ‎10-10-2018

Now I use this code: source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 OR EventCode=4733 | rex field=_raw "Message=(?\S+.*)" | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?\S+.*)" | rex field=_raw "Member:\s+Security ID:\s+(?\S+.*)" | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?\S+.*)" | transaction host MemberName startswith=4732 endswith=4733 | where mvcount(MemberName)<2 | fieldformat Date=strftime(Date,"%x %X") | table host, EventCode, Descript, UserName, MemberName, GName, _time | rename host as Host EventCode as "Event Code" MemberName as "Member Name" GName as "Local Group" _time as Date Descript as Description UserName as CDSID And it seems that it's work but it's work incorrect. For example, I know that first event in a pictures has in 4732 and 4733 events, but why search it show me??

atyshke1 · ‎10-09-2018

I don't understand the reason for all the field extraction, eval and renaming I need extract the fields which has contains in only one of two events 4732 or 4733 for accounts I want report if account in 4732 or 4733 that allow me understand that account was added or deleted. If event for account registered in 4732 and 4733 that told is ok. Account was added and deleted. But if account only in one of 4732 or 4733 that is tell us we need to check why the account registered in only one event 4732 or 4733 I tried the search code: source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 OR EventCode=4733 | rex "Security ID:\s+(?.*)" | rex "Account Name:\s+(?.*)" | rex "Group Name:\s+(?.*)" | transaction host MemberName startswith="4732" endswith="4733" | where mvcount(EventCode)<2 | eval Date=strftime(_time, "%d/%y") | table Date MemberName EventCode | rename MemberName as "Member Name" EventCode as "EventCode" but it doesn't show me anything

atyshke1 · ‎10-09-2018

The first code is working. But the is second not. I use next search: (source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 ) OR (source="WinEventLog:Sec*" index="wineventlog" EventCode=4733) | rex field=_raw "Message=(?<Descript>\S+.*)" | eval Description=Descript | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?<UserName>\S+)" | eval CDSID=UserName | rex field=_raw "Member:\s+Security ID:\s+(?<MemberName>\S+)" | eval MCDSID=MemberName | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?<GName>\S+.*)" | eval LocalGroup=GName | rename host as Host EventCode as "Event Code" MCDSID as "Member Name" LocalGroup as "Local Group" _time as Date | fieldformat Date =strftime(Date,"%x %X") | transaction Host "Member Name" startswith="4732" endswith="4733" | where mvcount("Event Code")<2 | table Date, "Member Name", "Event Code"

atyshke1 · ‎10-09-2018

This is example of event code 4732: 09/28/2018 02:42:44 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=ser02056.servers.fo.com TaskCategory=Security Group Management OpCode=Info RecordNumber=17799424 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: FOEU1\$LKRUD Account Name: $LKRUD Account Domain: FOEU1 Logon ID: 0x72857CA Member: Security ID: FOEU1\AAGURI Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - The log for 4733 is the same. Different only with description "Message=A member was added to a security-enabled local group."

atyshke1 · ‎10-09-2018

The first code is work. But the second not. I use next search: (source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 ) OR (source="WinEventLog:Sec*" index="wineventlog" EventCode=4733) | rex field=_raw "Message=(?<Descript>\S+.*)" | eval Description=Descript | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?<UserName>\S+)" | eval CDSID=UserName | rex field=_raw "Member:\s+Security ID:\s+(?<MemberName>\S+)" | eval MCDSID=MemberName | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?<GName>\S+.*)" | eval LocalGroup=GName | rename host as Host EventCode as "Event Code" MCDSID as "Member Name" LocalGroup as "Local Group" _time as Date | fieldformat Date =strftime(Date,"%x %X") | transaction Host "Member Name" startswith="4732" endswith="4733" | where mvcount("Event Code")<2 | table Date, "Member Name", "Event Code"

atyshke1 · ‎10-09-2018

Yes, you are right, I need to find the "orphaned" accounts. I tried both codes and didn't work

atyshke1 · ‎10-09-2018

Hello, I am using two searches for seeking two windows events 4732 and 4733. I want to print into a new table events which registered only one of two events. For example, usually when local admin add in any groups at servers windows, a security event with number 4732 is created. And after deleting this user, Windows creates the new event 4733. I want to try find in events 4732 or 4733, which ones registered only in one of events 4732 or 4733. I used search: (source="WinEventLog:Sec*" index="wineventlog" EventCode=4732 ) OR (source="WinEventLog:Sec*" index="wineventlog" EventCode=4733) | rex field=_raw "Message=(?\S+.*)" | eval Description=Descript | rex field=_raw "Subject:\s+.*\s+Account Name:\s+(?\S+)" | eval CDSID=UserName | rex field=_raw "Member:\s+Security ID:\s+(?\S+)" | eval MCDSID=MemberName | rex field=_raw "Group:\s+.*\s+Group Name:\s+(?\S+.*)" | eval LocalGroup=GName | rename host as Host EventCode as "Event Code" MCDSID as "Member Name" LocalGroup as "Local Group" _time as Date | stats Count by Host, "Event Code", Description, CDSID, "Member Name", "Local Group", Date | fieldformat Date =strftime(Date,"%x %X") | table Host, "Event Code", Description, CDSID, "Member Name", "Local Group", Date, Count How can I compare and print only unique event which not the same account name in both events 4732 and 4733 at the same time?

atyshke1 · ‎09-10-2018

I did it. CHeck please now

Posts	67
Solutions	2
Karma Given	1
Karma Received	2
Member Since	‎06-08-2018

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

How can I update one UF at server where installed ...

I need ZIP packed of splunk universal forward agen...

Splunk Add-on for Microsoft SQL Server blocked SYS...

Can you help me with "\\" in a dropdown?

Can you help me compare two searches and then prin...

Will you help me extract rows which contain Remote...

Universal Forwarder: Why does the following error ...

How can I get a license ID?

How to extract only successful and failed logins u...

Can't launch bat file at UF

Re: How can I update one UF at server where instal...

Re: How can I update one UF at server where instal...

Re: How can I update one UF at server where instal...

How can I update one UF at server where installed ...

Re: Universal Forwarder: Why does the following er...

Re: Splunk Add-on for Microsoft SQL Server blocked...

Re: Splunk Add-on for Microsoft SQL Server blocked...

Re: I need ZIP packed of splunk universal forward ...

Re: I need ZIP packed of splunk universal forward ...

Re: I need ZIP packed of splunk universal forward ...

I need ZIP packed of splunk universal forward agen...

Splunk Add-on for Microsoft SQL Server blocked SYS...

Re: Can you help me with "\\" in a dropdown?

Re: Can you help me with "\\" in a dropdown?

Re: Can you help me with "\\" in a dropdown?

Can you help me with "\\" in a dropdown?

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Re: Can you help me compare two searches and then ...

Can you help me compare two searches and then prin...

Re: Will you help me extract rows which contain Re...