Activity Feed
- Posted Re: How to filter windows event logs in forwarder based on event codes. on Getting Data In. 06-16-2023 04:29 AM
- Karma Re: Visualizing output from top in a bar chart for responsys_cm. 03-10-2022 03:26 AM
- Got Karma for Re: Splunk_TA_New_Relic Insight not ingesting data. 09-08-2021 05:33 PM
- Posted Re: How to remove the "View dashboard" link in the emails for scheduled PDF delivery? on Dashboards & Visualizations. 09-08-2021 04:54 AM
- Got Karma for Re: Splunk_TA_New_Relic Insight not ingesting data. 07-19-2021 04:57 AM
- Karma Re: How do I blacklist Logon Type 3 and Account Names in Windows Security logs? for maciep. 02-04-2021 08:19 AM
- Posted Re: How do I blacklist Logon Type 3 and Account Names in Windows Security logs? on Getting Data In. 02-04-2021 08:18 AM
- Posted Re: Splunk_TA_New_Relic Insight not ingesting data on All Apps and Add-ons. 12-03-2020 01:27 PM
- Karma Why is cluster master reporting "Cannot fix search count as the bucket hasn't rolled yet.", preventing me from meeting my Search Factor? for LiquidTension. 06-05-2020 12:47 AM
- Karma Re: Is there a good list of Windows Event IDs pertaining to security out there? for gjanders. 06-05-2020 12:45 AM
- Posted Re: How to create a multistage Sankey diagram with a single search without needing to "append"? on Splunk Search. 05-29-2019 03:33 AM
- Posted Re: Send an e-mail to a variable located in your results on Alerting. 01-30-2019 06:45 AM
- Posted Re: Support Splunk6.6 on All Apps and Add-ons. 05-23-2018 08:10 AM
- Posted Re: Send an e-mail to a variable located in your results on Alerting. 01-13-2017 11:11 AM
- Posted Re: Automatic weekly report e-mails based on dynamic customer list on Reporting. 01-13-2017 11:06 AM
- Posted Re: Can't get Alert Manager to display an alert in Incident Posture? on All Apps and Add-ons. 12-07-2016 12:37 AM
- Posted Re: Dos anyone is indexing EMET logs on Getting Data In. 04-25-2016 06:11 AM
- Posted Re: Qualys App for Splunk Enterprise: Vulnerability data download is not working on All Apps and Add-ons. 03-07-2016 04:38 AM
- Posted Re: Qualys App for Splunk Enterprise: Vulnerability data download is not working on All Apps and Add-ons. 03-02-2016 02:25 AM
- Posted Re: How to configure environment and EMC CEE Framework to audit an Isilon Cluster? on Getting Data In. 01-20-2016 05:35 AM
Topics I've Started
No posts to display.
06-16-2023
04:29 AM
[WinEventLog://ForwardedEvents]
disabled = 0
checkpointInterval = 5
current_only = 0
start_from = oldest
index = wineventlog
# Filtering can be done with regex on the following field names: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User
whitelist = EventCode=%^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$%
blacklist01 = User=%^.*\$$%
blacklist02 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = true
suppress_text = true
suppress_sourcename = true
suppress_keywords = true
suppress_task = true
suppress_opcode = true
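As an added illustration (not part of the post above, and not Splunk's own code), the following Python model replays the whitelist and blacklist rules from that inputs.conf stanza against a few constructed events, so the effect of each rule can be checked before the stanza is pushed to forwarders. It assumes that a whitelist rule keeps an event when every key=regex pair in it matches, that any matching blacklist rule then drops the event, and that each regex is searched within the field value unless the pattern anchors itself; the sample events are constructed, and their field names follow the comment in the stanza.

```python
import re

# Rules transcribed from the inputs.conf stanza in the post above. The
# %...% delimiters of inputs.conf are dropped; each rule is a dict of
# field -> regex. Assumption: the pairs inside one rule are ANDed, some
# whitelist rule must match for the event to be kept, and any matching
# blacklist rule drops it afterwards.
WHITELIST = [
    {"EventCode": r"^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724"
                  r"|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$"},
]
BLACKLIST = [
    ("blacklist01", {"User": r"^.*\$$"}),            # computer accounts end with '$'
    ("blacklist02", {"EventCode": r"4662",            # 4662 unless the object is a GPO
                     "Message": r"Object Type:(?!\s*groupPolicyContainer)"}),
]

# Constructed sample events (not real log data) using field names from the stanza comment.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventCode": "4624", "User": "jdoe",
     "Message": "An account was successfully logged on."},
    {"RecordNumber": 2, "EventCode": "4624", "User": "WS01$",
     "Message": "An account was successfully logged on."},
    {"RecordNumber": 3, "EventCode": "4662", "User": "jdoe",
     "Message": "An operation was performed on an object.\nObject Type:\t\tgroupPolicyContainer"},
    {"RecordNumber": 4, "EventCode": "4662", "User": "jdoe",
     "Message": "An operation was performed on an object.\nObject Type:\t\tuser"},
    {"RecordNumber": 5, "EventCode": "4688", "User": "jdoe",
     "Message": "A new process has been created."},
    {"RecordNumber": 6, "EventCode": "1102", "User": "admin",
     "Message": "The audit log was cleared."},
]


def rule_matches(rule, event):
    """True when every field regex in the rule is found in the event's field value."""
    return all(re.search(rx, str(event.get(field, ""))) for field, rx in rule.items())


def decide(event):
    """Return 'keep', 'not whitelisted', or the name of the blacklist rule that dropped it."""
    if not any(rule_matches(rule, event) for rule in WHITELIST):
        return "not whitelisted"
    for name, rule in BLACKLIST:
        if rule_matches(rule, event):
            return name
    return "keep"


def kept_record_numbers(events):
    """RecordNumbers of the events the stanza would forward."""
    return [e["RecordNumber"] for e in events if decide(e) == "keep"]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["RecordNumber"], ev["EventCode"], ev["User"], "->", decide(ev))
```

One thing the replay makes visible: blacklist01 removes every event whose User ends in `$`, so 4624/4625 logons by computer accounts disappear along with the noise; check that against the detections you run before adopting the rule.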
09-08-2021
04:54 AM
Hey, I have asked support and they have no solution other than to submit the idea 😞 So if you are interested in this, please vote for the idea here: Allow the removal of the "View dashboard" link in the emails | Ideas (splunk.com) Cheers
02-04-2021
08:18 AM
This was the trick for me: it worked when I added % around my regex, as follows: %<Data Name='LogonType'>3<\/Data>%
12-03-2020
01:27 PM
2 Karma
Hi, I have the same issue: I've created an add-on with Splunk Add-on Builder and it was working fine until I upgraded Splunk to version 8.0.6. Now I get the following message every time I run a test:
Traceback (most recent call last):
  File "/data/splunk/etc/apps/TA-nexthink/bin/nxengine_dgsi11test_1607030152_560.py", line 14, in <module>
    import input_module_nxengine_dgsi11test_1607030152_560 as input_module
  File "/splunk/etc/apps/TA-nexthink/bin/input_module_nx11test_1607030152_560.py", line 29, in <module>
    from cloudconnectlib.client import CloudConnectClient
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/client.py", line 8, in <module>
    from .configuration import get_loader_by_version
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/configuration/__init__.py", line 1, in <module>
    from .loader import get_loader_by_version
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/configuration/loader.py", line 15, in <module>
    from ..core.exceptions import ConfigException
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/core/__init__.py", line 1, in <module>
    from .engine import CloudConnectEngine
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/core/engine.py", line 6, in <module>
    from .http import HttpClient
  File "/splunk/etc/apps/TA-nexthink/bin/ta_nexthink/aob_py3/cloudconnectlib/core/http.py", line 26, in <module>
    'http_no_tunnel': socks.PROXY_TYPE_HTTP_NO_TUNNEL,
AttributeError: module 'socks' has no attribute 'PROXY_TYPE_HTTP_NO_TUNNEL'
Context:
Proxy: none
Url: https
Authentication: basic
I guess it is linked to the upgrade, but we should not be the only ones to experience this. Anyone else has this?
05-29-2019
03:33 AM
Hi aljohnson,
Thanks for your answer, it would greatly help to have it integrated in the documentation...
Find below a little amendment that helps size the lines correctly:
sourcetype="access_combined"
| table host categoryId product_name
| appendpipe [stats count by host categoryId | rename host as source, categoryId as target]
| appendpipe [stats count by categoryId product_name | rename categoryId as source, product_name as target]
| search source=*
| fields source target count
01-30-2019
06:45 AM
Hi,
FYI, we did it with the following SPL request:
| inputlookup lookup_FILTER_EMAIL.csv
| map search="search index=xxx
| search filter=$FILTER$
| eval mail=$EMAIL$
| sendemail to=\"$EMAIL$\" subject=\"test $FILTER$\" sendresults=false sendcsv=true " maxsearches=20
05-23-2018
08:10 AM
It does work with 6.6.1 if you use localop
index=xxx encoded=*
|localop
| decrypt f=encoded atob emit('decrypted')
| rex field=decrypted mode=sed "s/.//g"
Guys, did you find a solution?
Cheers
12-07-2016
12:37 AM
Hi,
I had the same difficulties on a Linux search head.
The solution was to modify the inputs.conf as follows:
[script://.\bin\alert_manager_scheduler.path] changed to [script://./bin/alert_manager_scheduler.path]
Also, the index "alerts" was created on the cluster, but it was not enough. It was required to create an empty one on the search head as well, as you would do on heavy forwarders.
Rgds
Dan
03-07-2016
04:38 AM
Yes, it finally worked for me.
Initially the default cron time was never used.
So I changed it for a number of seconds and it does now work properly.
Check this parameter in:
- Data Input
- Scripts
- $SPLUNK_HOME/etc/apps/qualys_splunk_app/bin/qualys_detection_logger.sh
Of course, you also need to have the API feature enabled by Qualys, which comes with a price...
Regards
03-02-2016
02:25 AM
Same here, any news on your side?
01-20-2016
05:35 AM
desiredAccess,desiredAccessDescription
0x1,FILE_READ_DATA
0x2,FILE_WRITE_DATA
0x4,FILE_APPEND_DATA
0x8,FILE_READ_EA
0x10,FILE_WRITE_EA
0x20,FILE_EXECUTE
0x80,FILE_READ_ATTRIBUTES
0x100,FILE_WRITE_ATTRIBUTES
0x10000,DELETE
0x20000,READ_CONTROL
0x40000,WRITE_DAC
0x80000,WRITE_OWNER
0x100000,SYNCHRONIZE
0x1000000,ACCESS_SYSTEM_SECURITY
0x2000000,MAXIMUM_ALLOWED
0x10000000,GENERIC_ALL
0x20000000,GENERIC_EXECUTE
0x40000000,GENERIC_WRITE
0x80000000,GENERIC_READ
cf. https://msdn.microsoft.com/en-us/library/ee442175.aspx
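Added example, not part of the post above and not code from the Isilon app: a desiredAccess value in an audit event is usually a combination of the bits in the table above rather than a single row, so a one-to-one CSV lookup misses most values. The Python below decomposes a mask into the named rights from that table, reports bits the table does not cover instead of guessing at them, and classifies the request as read, write or permission-change. The WRITE_DAC/WRITE_OWNER grouping and the "write-like" set are my own triage choices, and the sample masks are constructed.

```python
# Access-right bit values as listed in the lookup CSV above (from the post).
# GENERIC_* and MAXIMUM_ALLOWED are request-time shorthands that the file
# system expands; they are decoded as their own bits, not expanded here.
DESIRED_ACCESS = {
    0x1: "FILE_READ_DATA",
    0x2: "FILE_WRITE_DATA",
    0x4: "FILE_APPEND_DATA",
    0x8: "FILE_READ_EA",
    0x10: "FILE_WRITE_EA",
    0x20: "FILE_EXECUTE",
    0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYSTEM_SECURITY",
    0x2000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Triage groupings chosen for this example (not from the post).
PERMISSION_CHANGE = {"WRITE_DAC", "WRITE_OWNER"}
WRITE_LIKE = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
              "FILE_WRITE_ATTRIBUTES", "DELETE", "GENERIC_WRITE", "GENERIC_ALL"}


def decode_desired_access(mask):
    """Split a desiredAccess mask into the named rights it contains.

    Accepts an int or the '0x...' string form the audit event carries.
    Bits that the table does not name are reported as UNKNOWN_0x<bit>
    so that nothing is silently dropped.
    """
    if isinstance(mask, str):
        mask = int(mask, 16)
    names = []
    remaining = mask
    for bit in sorted(DESIRED_ACCESS):
        if mask & bit:
            names.append(DESIRED_ACCESS[bit])
            remaining &= ~bit
    bit = 1
    while remaining:
        if remaining & 1:
            names.append(f"UNKNOWN_0x{bit:x}")
        remaining >>= 1
        bit <<= 1
    return names


def classify(mask):
    """Coarse triage label: permission-change > write > maximum-allowed > read."""
    names = set(decode_desired_access(mask))
    if names & PERMISSION_CHANGE:
        return "permission-change"
    if names & WRITE_LIKE:
        return "write"
    if "MAXIMUM_ALLOWED" in names:
        return "maximum-allowed"
    return "read"


if __name__ == "__main__":
    # Constructed sample masks: a typical read open, a DACL change, a lone unknown bit.
    for sample in ("0x120089", 0x60000, 0x40):
        print(hex(sample) if isinstance(sample, int) else sample,
              classify(sample), decode_desired_access(sample))
```

For a lookup-based approach in Splunk itself, the same decomposition can be pre-computed into a CSV keyed by the full mask values you actually observe, but decoding the bits once in a script shows which rows that CSV would need.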
01-19-2016
02:47 AM
I downvoted this post because it is not a reply.
11-24-2015
02:18 AM
In my case the event_code.csv is not correct and I had to modify it as follows:
event,eventDescription
0x1,ReadSec
0x2,ReadFile
0x4,WriteFileRequest
0x8,CreateFile
0x10,RenameFile
0x20,DeleteFile
0x200,NewFileName
0x400,WriteFile
0x10000,CreateDir
0x20000,RenameDir
0x40000,DeleteDir
0x100000,ReadDirSec
But this is only my best interpretation: I'd rather use an official EMC reference.
Anyone aware of where the official table might be hidden?
Rgds
11-09-2015
08:56 AM
Hey,
Your comment seems to mean that this was solved.
Could you please explain how to use the proxy option?
rgds
10-15-2015
02:49 AM
Hi,
Find below how it worked for me:
1> Installation of Splunk and the EMC CEE Framework on Linux, and configuration of the EMC CEE Framework to forward the logs to the app. The file to amend is: /opt/CEEPack/emc_cee_config.xml
<Audit>
<Configuration>
<Enabled>1</Enabled>
<EndPoint>Splunk@http://IP.1.2.3:12229</EndPoint>
</Configuration>
</Audit>
2> Configuration of the Isilon cluster to send logs to the EMC CEE Framework: http://IP.1.2.3:12228/CEE
3> Installation of the app in Splunk
4> Configuration of the app via Splunk: data source > EMC CEPA > Isilon > advanced config
5> Activation of the lookups (ntstatus, flag and event)
Enjoy !-)
08-27-2015
04:42 AM
Hello,
I used the following modification in /etc/profile
PROMPT_COMMAND='logger -i -p local5.info -t bash "$USER $(tty): $(history 1)"'
or
trap 'logger -i -p local5.info -t bash "$USER $(tty): $(fc -ln -1)"' DEBUG
And rsyslog.d/shell.conf to store it in a common file for all users:
local5.* -/var/log/shell.log
My only issue is that I can't get sh or ksh commands with this.
Any suggestions?
Rgds
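Added example, not part of the post above: once the PROMPT_COMMAND or DEBUG trap is writing to /var/log/shell.log, the lines still need parsing before they can be searched or alerted on. The Python below parses constructed sample lines in rsyslog's traditional layout (assumed here to be `Mmm dd HH:MM:SS host bash[pid]: user tty: command`), strips the history number that `history 1` prefixes (the `fc -ln -1` variant emits a leading tab instead), and tags a few command patterns a reviewer would want to see first. The sample lines, the line layout and the pattern list are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/shell.log as written by the rsyslog rule in
# the post. Assumed line layout (rsyslog traditional template):
#   "Mmm dd HH:MM:SS host bash[pid]: $USER $(tty): <command>"
# where <command> is either the numbered "history 1" output or the
# tab-prefixed "fc -ln -1" output.
SAMPLE_LOG = (
    "Aug 27 04:42:10 srv01 bash[2311]: dan /dev/pts/0:   512  ls -la /var/log\n"
    "Aug 27 04:42:31 srv01 bash[2311]: dan /dev/pts/0:   513  sudo -i\n"
    "Aug 27 04:43:02 srv01 bash[2398]: root /dev/pts/0: \tcat /etc/shadow\n"
    "Aug 27 04:43:40 srv01 bash[2398]: root /dev/pts/0: \thistory -c\n"
    "Aug 27 04:44:01 srv01 bash[2311]: dan /dev/pts/1:   514  vim notes.txt\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>\w+)\[(?P<pid>\d+)\]: (?P<user>\S+) (?P<tty>\S+): (?P<cmd>.*)$"
)
# "history 1" prefixes the command with its history number; drop it once.
HISTNUM_RE = re.compile(r"^\s*\d+\s+")

# Patterns a reviewer would look at first (constructed list; extend as needed).
REVIEW_PATTERNS = [
    ("privilege escalation", re.compile(r"^(sudo|su)\b")),
    ("credential file read", re.compile(r"/etc/(shadow|gshadow)\b")),
    ("history tampering", re.compile(r"^(history -c|unset HISTFILE|export HISTSIZE=0)\b")),
]


@dataclass
class ShellEvent:
    ts: str
    host: str
    pid: int
    user: str
    tty: str
    cmd: str


def parse_shell_log(text):
    """Parse shell.log lines into ShellEvents; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = HISTNUM_RE.sub("", m["cmd"], count=1).strip()
        events.append(ShellEvent(m["ts"], m["host"], int(m["pid"]),
                                 m["user"], m["tty"], cmd))
    return events


def review(text):
    """Return (user, tty, cmd, label) for every command that matches a review pattern."""
    hits = []
    for ev in parse_shell_log(text):
        for label, rx in REVIEW_PATTERNS:
            if rx.search(ev.cmd):
                hits.append((ev.user, ev.tty, ev.cmd, label))
                break
    return hits


if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(hit)
```

Because the log line is built from `$USER` and the shell's own history, an interactive user can shape what gets logged; the parser therefore skips malformed lines rather than guessing, so that a gap in the parsed stream is itself visible when the raw and parsed line counts are compared.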