Activity Feed
- Got Karma for Re: Universal Forwarder to remove files. 02-27-2024 05:48 AM
- Posted Re: Universal Forwarder to remove files on Installation. 01-11-2022 04:36 AM
- Posted 7.0.0 or better version of the UF for 32-bit Windows Server 2008 SP2 on Splunk Enterprise. 01-10-2022 10:54 AM
- Got Karma for Re: Anyone bringing NetScout data into Splunk?. 06-05-2020 12:47 AM
- Got Karma for Re: Anyone bringing NetScout data into Splunk?. 06-05-2020 12:47 AM
- Got Karma for Can I run two SEDCMDs together in one. 06-05-2020 12:46 AM
- Got Karma for Re: Getting my priority's straight. 06-05-2020 12:46 AM
- Got Karma for Limit Memory used by forwarder on Domain Controller. 06-05-2020 12:46 AM
- Got Karma for Limit Memory used by forwarder on Domain Controller. 06-05-2020 12:46 AM
- Got Karma for Who is BOSBURN?. 06-05-2020 12:46 AM
- Got Karma for Re: Who is BOSBURN?. 06-05-2020 12:46 AM
- Got Karma for Can I run multiple Universal Forwarders on Windows Server 2008?. 06-05-2020 12:46 AM
- Got Karma for Need Help with Time Prefix and "|" character. 06-05-2020 12:46 AM
- Got Karma for Re: Is it possible to Splunk Microsoft Office 365 Exchange?. 06-05-2020 12:46 AM
- Got Karma for Converting an encoded IP address to dotted decimal. 06-05-2020 12:46 AM
- Got Karma for Re: Converting an encoded IP address to dotted decimal. 06-05-2020 12:46 AM
- Got Karma for Re: Converting an encoded IP address to dotted decimal. 06-05-2020 12:46 AM
- Posted Re: How to collect "Analytic and Debug logs" from Windows Event Log? on Getting Data In. 03-06-2019 05:24 AM
- Posted splunking SuccessFactors on All Apps and Add-ons. 06-20-2018 11:38 AM
- Tagged splunking SuccessFactors on All Apps and Add-ons. 06-20-2018 11:38 AM
01-11-2022
04:36 AM
1 Karma
I've been using the batch mode to clean up behind the UF for a long time. Our DBAs create an XML audit file for our databases and I read them with Splunk, then delete them (as long as the account running Splunk has the proper permission). Example inputs.conf below:
[batch:///var/oracle/*.xml]
disabled = 0
move_policy = sinkhole
sourcetype = mfg:oracle:xml
index = <my-index>
01-10-2022
10:54 AM
We're moving to Splunk Cloud, but we have some legacy hosts for which I need a forwarder upgrade. Is there any compatible UF version 7 or newer that runs on 32-bit Windows Server 2008 SP2 (not R2!)? I've searched the available older versions and I'm coming up empty. I'm grabbing at the last straw here. Thank you in advance...
- Labels:
- upgrade
03-06-2019
05:24 AM
OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:
[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]
I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"
Our admins are not enabling Debug all of the time, because (as you'd expect) it sure generates events!
06-20-2018
11:38 AM
Is anyone successfully splunking SuccessFactors (an SAP company)?
- Tags:
- sap
- splunk-enterprise
11-22-2017
09:44 AM
We do have these events in our logs. 6273 is all related to EAP failures.
4825 is interesting - failed attempts for RDP. Does WMI fall under that?
11-22-2017
09:13 AM
Thanks - I expected that we might have to enable some auditing to get this. Googling didn't turn up much useful information.
We'll check the links and get cracking.
11-21-2017
10:35 AM
We are wondering if there is any Windows Event that captures execution of WMI from a remote host. Since you can remotely execute commands over WMI, we are assuming that Windows will log that if the proper audit setting is created. Anyone have the Event Codes that provide WMI activity logs?
We'd also like to know what events show other activity (like PtH, Golden Ticket, Silver Ticket)?
Are there any Splunk add-ons we can deploy to display this event data?
- Tags:
- splunk-enterprise
- wmi
05-15-2017
08:14 AM
I don't think that the Splunk App for Windows Infrastructure will handle these events. The data coming from the TA for MS Cloud Services is in JSON.
There are a couple of dashboards, which I think are actually for ES.
03-17-2016
09:40 AM
1 Karma
Yep - Using our Netscout collectors to convert the binary, we were then forwarding text data to Splunk.
03-10-2016
06:41 AM
1 Karma
Just this week, we fired up some of our Netflow data, forwarding from a single Netscout collector to a Heavy Forwarder. We knew that the binary data flow was about 30 GB, but when it was expanded to ASCII, it was over 200 GB. It overran our license. We shut it down.
For now, we are planning to gather the new ASR record instead of Netflow. That will sort of integrate our Netflow with the packet data from the Infinistreams into one source.
So before you do this, figure out how much Netflow you have, how much ASCII it will expand into, and how big your license is. Our Splunkers here think that Netflow is something to be very careful about.
04-24-2015
07:28 AM
Any guidelines on how long data should be kept in _introspection? The default size is 500,000. Is six months enough?
04-17-2015
12:45 PM
I tried to get the OneDrive for Business Activity report and I got this error:
Encountered the following error while trying to save: In handler 'o365ToSplunkDataImport': An error occured while validating your crendentials against report: SPOOneDriveForBusinessFileActivity
(spelling errors are as is from the app)
That account can get the other reports that I've tried. And it is a portal admin, if that's the correct terminology.
What could be wrong?
04-17-2015
12:38 PM
It was actually pretty easy to get started once I had the proper account and a Windows HF. There's a trick to understanding how often the app makes its queries.
04-17-2015
12:36 PM
1 Karma
Say - I've got this working and it's pretty slick. However, the Windows Splunk server is not an indexer, so I'm forwarding the data to my real indexers. I'd like to choose a different index besides "default", "main", "summary" or "history". I looked at the XML file for the panel and I wonder if I can make my own drop-down list.
Also, I would like to get activity logs from SharePoint in the cloud. That doesn't look like an available report.
03-24-2015
07:37 AM
We got out of the Domino business in the meantime. Sorry I'm no help.
01-29-2015
11:25 AM
No, I went the route of a Windows VM with a heavy forwarder. Path of least resistance.
01-05-2015
07:32 AM
So I could do this with a Windows VM running a heavy forwarder and then pump the records up to my main Linux indexers. That could work.
01-05-2015
06:17 AM
Linux - does it have to be a Windows Splunk server?
01-05-2015
05:38 AM
Definitely excited about this app. Installed it from the .tgz file on a 6.0.3 test server. I got these messages:
01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - No script to handle scheme "o365ToSplunkDataImport" was found. This modular input will be disabled.
01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - Unable to initialize modular input "o365ToSplunkDataImport" defined inside the app "o365ToSplunkDataImport": Unable to locate suitable script for introspection.
I don't see the Office 365 input in the local list.
10-23-2014
12:35 PM
We have a powershell script executing that dumps records from the O365 messageTrace table into a local SQL DB. From there, we use DBConnect to index the records.
I didn't write the script so I don't know what is really going on there. There is a lot of data coming. We tried adding other data feeds, but are overrunning the capability of part of the infrastructure.
08-28-2014
08:20 AM
Looking at the documentation, I'm a little confused. I'm aiming to get the audit logs from Celerra. I have a heavy forwarder that I use to collect info from other servers. Can I install the CEE tools on that? I hope I don't have to install anything on the EMC datamover appliance.
08-26-2014
07:17 AM
Never got an answer on this. Now I'm waiting for the next event to get a DIAG and open a ticket with support.
Admin is still excited. It makes the DC unresponsive until the forwarder is restarted.
05-02-2014
04:38 AM
I am seeing this now in version 6.0.3.
04-25-2014
11:50 AM
Splunk 6 allows you to grab a diag file remotely. This saved me today as I was writing a diag with debug information that was too large for the remaining space in /opt/splunk/ on the server.
bin/splunk diag -uri https://splunk-server:mgmt-port
brings the diag file to your current server.
03-24-2014
02:05 PM
That backslash is in the regex. It's a hassle to add regex to this discussion because you have to escape the backslash character and I missed that one.