Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About w0lverineNOP
w0lverineNOP
Path Finder
Member since:
01-10-2015
06-05-2020
Community Statistics
| Posts | 26 |
| Solutions | 0 |
| Karma Given | 10 |
| Karma Received | 3 |
| Member Since | 01-10-2015 |
Activity Feed
- Karma Re: Stream App: Configuring the streamfwd.xml for jsie_splunk. 06-05-2020 12:47 AM
- Karma Re: Is it possible to know the amount of data passing through an ASA firewall for nkwong_splunk. 06-05-2020 12:47 AM
- Karma Re: Configuring Snort for renjith_nair. 06-05-2020 12:47 AM
- Karma Re: What is the best way to pass Snort logs into the Splunk for Snort app? for Jeremiah. 06-05-2020 12:47 AM
- Karma Re: How to troubleshoot why my universal forwarder is not phoning home? for aljohnson_splun. 06-05-2020 12:47 AM
- Karma Re: Is this the correct stanza and location to monitor specific files on a *nix server with a universal forwarder? for jbjerke_splunk. 06-05-2020 12:47 AM
- Got Karma for Running Stream against old PCAPS. 06-05-2020 12:47 AM
- Got Karma for How to troubleshoot why my universal forwarder is not phoning home?. 06-05-2020 12:47 AM
- Got Karma for How to troubleshoot why my universal forwarder is not phoning home?. 06-05-2020 12:47 AM
- Karma Re: Splunk forwarder for ChrisG. 06-05-2020 12:46 AM
- Karma Re: Remote access for BobM. 06-05-2020 12:46 AM
- Karma Re: How to get data from Remote Server? for sdaniels. 06-05-2020 12:46 AM
- Karma Re: universal forwarder for Steve_G_. 06-05-2020 12:45 AM
- Posted Re: Splunk for Snort: How to configure a universal forwarder to monitor Snort data for indexing? on All Apps and Add-ons. 01-29-2016 03:58 AM
- Posted Splunk for Snort: How to configure a universal forwarder to monitor Snort data for indexing? on All Apps and Add-ons. 01-28-2016 08:13 PM
- Tagged Splunk for Snort: How to configure a universal forwarder to monitor Snort data for indexing? on All Apps and Add-ons. 01-28-2016 08:13 PM
- Tagged Splunk for Snort: How to configure a universal forwarder to monitor Snort data for indexing? on All Apps and Add-ons. 01-28-2016 08:13 PM
- Tagged Splunk for Snort: How to configure a universal forwarder to monitor Snort data for indexing? on All Apps and Add-ons. 01-28-2016 08:13 PM
- Posted Re: How to troubleshoot why my universal forwarder is not phoning home? on Getting Data In. 01-28-2016 04:42 AM
- Posted Is this the correct stanza and location to monitor specific files on a *nix server with a universal forwarder? on Getting Data In. 01-28-2016 04:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
01-29-2016
03:58 AM
That was a typo. And yes splunk's inputs.conf is the receiver(indexer). Still unsuccessful after restarting both clients. I get data indexed still from the _internal . But it's only from the metrics.log file on the forwarder
host =bss source=/opt/splunkforwarder/var/log/splunk/metrics.log sourcetype = splunkd
My Forwarder Health App also sees the forwarder client but no "data coming into Splunk (Not Internal)". I have restarted my splunk, redownload splunk for snort. But I am getting this _internal error:
index=_internal NOT CASE(TcpOutputProc) source!=*metrics.log NOT (INFO DeployedServerclass) NOT (INFO DC:UpdateServerclassHandler) host=bss _raw="01-29-2016 05:43:48.949 -0600 ERROR TcpOutputFd - Connection to host=10.10.20.103:9997 failed" | cluster showcount=t | search cluster_count=239
My interpretation: It failed to connect to the forwarder but as I use netstat -an | grep 10.10.20.103 (IP address of indexer) I do get an established connection and my nmap shows the port is open on the indexer. I also have no router or firewall between them. Maybe the information I gave you above from the _internal index will help you.
... View more
01-28-2016
08:13 PM
I have successfully installed my universal forwarder and has a connection to Splunk. Though I am getting data (not sure if its my snort logs) in source=_internal with a host = bss (which is my host name for my Splunk forwarder) but Splunk for Snort is not indexing the data. Any help on how to properly configure a universal forwarder to send data to the correct index for Splunk for Snort would help!
I configured my forwarder inputs.conf to the following:
[default] host = bss
[monitor:///var/log/snort/snort.log.*]
disabled = false
sourcetype = snort_alert_full
source = snort
I configured my forwarder outputs.conf to the following:
[tcpout] defaultGroup =
default-auto1b-group
[tcpout:default-auto1b-group] server = 10.10.20.103:997
[tcpout-server://10.10.20.103:997]
Than I have configured my Splunk's inputs.conf to the following:
[default] host = Splunk
[splunktcp://:9997]
connection_host = bss # host_name for my forwarder
sourcetype = snort_alert_full source =
tcp:9997
disabled = 0
Splunk Web GUI:
--I have set snort's index to: snort_alert
--I have set snorts source type to: snort
And my forwarder is monitoring the correct files in snort, based of the cmd: ./splunk list monitor
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/snort/snort.log.*
/var/log/snort/snort.log.1453951439
Not sure what I am doing wrong, let me know if you need anymore information to find out how I can configure my universal forwarder to send to the correct index so my Splunk for Snort app can index it?
... View more
01-28-2016
04:42 AM
Everything is Green. Though I did not configure my inputs.conf. I configured my outs.conf instead which is at the file location /opt/splunkforwarder/etc/system/local/inputs.conf.
default
host = bss
[monitor:///var/log/snort/snort.log.*]
sourcetype=snort
index=snort_alert
disabled=false
Would this be the correct way to set up my inputs.conf?
... View more
01-28-2016
04:22 AM
I am trying to have my universal forwarder monitor a specific file or sets of files on a *nix server:
Would this be the correct stanza to place into my outputs.conf file location?: /opt/spplunkforwarder/etc/system/local
stanza:
[monitor:///var/log/xxxxx/*]
Source: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Configureforwarderswithoutputs.confd
... View more
01-27-2016
06:40 PM
2 Karma
I installed my universal forwarder on an Ubuntu server. I have successfully established a connection to my Splunk Enterprise server (netstat). And as I continue pinging my Splunk server from my universal Forwarder, I still get nothing.
Source: https://www.youtube.com/watch?v=ioGKxQTdp9k
How can I successfully use my universal forwarder?
... View more
01-27-2016
04:51 PM
Universal Forwarders! That was going to be my answer. I had some friends tell me use mount but it didn't make sense. Thanks!
... View more
01-25-2016
07:04 PM
What is the best way to pass Snort logs into the Splunk for Snort App? Should I use a mount or a forwarder? Or any other suggestions?
... View more
01-25-2016
06:59 PM
I am trying to configure splunk to read my alerts files from snort but the documentation is vague in my understanding or I do not understand what they are asking.
From Splunk for snort app:
1.What do you mean by "enable appropriate inputs via inputs.conf"? The file is basically empty in /opt/splunk/etc/system/local/input.conf
Thanks alot!
... View more
- Tags:
- Splunk for Snort
01-19-2016
07:32 PM
I down voted this post because the web.conf file is not in system/local anymore
... View more
03-13-2015
04:40 PM
I have successfully ran the command ./streamfwd against a .cap file but I am not sure where the streamfwd indexed the data too.
I have not changed the default index in stream of the forwarder. So my question is where does streamfwd store the with the data once ./streamfwd runs through the .cap file?
I have looked through all the indexes and their is no data anywhere.
... View more
03-13-2015
04:22 PM
A little late in responding but a app called stream indexes pcaps!!
... View more
03-13-2015
04:14 PM
./streamfwd is the answer ha
... View more
03-13-2015
04:11 PM
./streamfwd That was my problem.
Thank you for trying to help!!!
... View more
03-13-2015
02:05 PM
No change. And I also tried chmod 755 streamfwd
I tried to move my data.cap into the ../bin directory with streamfwd. It disappeared. Also I tried to cat streamfwd doesn't even recognize streamfwd is their (though I see it in the directory)
The file permissions for bin is the following:
-rwxr-xr-x
I am wondering could you run the streamfwd? I have reinstalled the app twice ... I might need to reinstall Splunk??
... View more
03-13-2015
01:11 PM
It is the correct path. Though I tried that and still the same error. If it was a working directory error wouldn't streamfwd command be recognized and I would receive a directory path not found error?
Could it actually be the command itself?
... View more
03-13-2015
12:33 PM
I am trying to run Stream against pcap data. I am having trouble executing the streamfwd command. I am in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_86_64/bin
I run:
>>#streamfwd -r /data.cap
>>streamfwd: command not found
What do you think is causing this error? I have confirmed the following:
I ran the file command on streamfwd and the output is: setuid ELF 64 bit executable
The [streamfwd://streamfwd] stanza contains the correct location (URI) of your splunk_app_stream installation
setuid.sh is running as root
Any troubleshooting suggestions would be greatly appreciated. Another way of solving my problem of trying to index pcaps with stream is to run tcpreplay on a specific interface and have the streamfwd listening on the specific interface, this technique should work as well if all else fails correct?
UPDATE: ./streamfwd
... View more
03-13-2015
08:10 AM
Okay. In the GUI. I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again) it says the following:
Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection
I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?
... View more
03-13-2015
08:02 AM
Well that was well hidden. And I ran the command as directed in the ..../bin folder and I am still getting "streamfwd: command not found" error again.
streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)
... View more
03-13-2015
07:39 AM
Yes perfect! but which path do I need to be in to run streamfwd? It says:
Streamfwd command not found
I was in in my $Splunk_Home when I ran the command
... View more
03-12-2015
03:19 PM
In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?
... View more
03-12-2015
03:16 PM
I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.
... View more
03-12-2015
03:00 PM
Following the Documentation provided by splunk. I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local
*
/opt/splunk/pcaps/data.cap
true
tcp port 80
false
true
1000000
*
I do have "capture" in the xml script (will not let me add it in their)
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture
... View more
- Tags:
- pcap
- Splunk Stream
03-06-2015
07:47 AM
1 Karma
I am trying to run Stream against a few old pcaps. My set up includes the following:
Created a index that is pointing to an uploaded file of old pcaps had the Stream Forwarder pointed to the index
I have my host ip address added to the whitelist and is still being caught and indexed.
Any suggestions?
... View more
- Tags:
- pcap
- Splunk Stream
03-06-2015
05:42 AM
And to stop splunk:
cd /opt/splunk/bin
./splunk stop
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
