Following are my AMPQ-ModularInput configuration details. For some reason I am not able to get the data from AMPQ-ModularInput to Splunk 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at com.splunk.modinput.amqp.AMQPModularInput$MessageReceiver.run(Unknown Source) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at com.splunk.modinput.amqp.AMQPModularInput$MessageReceiver.connect(Unknown Source) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:612) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:588) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at com.rabbitmq.client.impl.FrameHandlerFactory.create(FrameHandlerFactory.java:32) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.Socket.connect(Socket.java:607) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" at java.net.PlainSocketImpl.socketConnect(Native Method) 12-09-2019 15:10:55.871 +0000 ERROR ExecProcessor - message from "python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py" Stanza amqp://Rabbit_MQ : Error connecting : java.net.ConnectException: Connection timed out (Connection timed out) 12-09-2019 15:01:56.435 +0000 INFO ExecProcessor - New scheduled exec process: python /apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py 12-09-2019 15:01:56.434 +0000 INFO ExecProcessor - Removing status item "/apps/splunk/splunk/etc/apps/amqp_ta/bin/amqp.py (isModInput=yes) [amqp://Rabbit_MQ] ack_messages = 0 activation_key = 1BE1C5DD7DA1CD8BFD93319BB9AA3A6A3974465751 exchange_name = CEE_Events hec_batch_mode = 0 hec_https = 0 host = server01 hostname = 10.10.10.10 index = main index_message_envelope = 1 index_message_propertys = 1 output_type = stdout password = dummy_password port = 5672 queue_name = CEPA sourcetype = _json use_ssl = 0 username = dummy_user ```xml server01 https://127.0.0.1:8089 zN9dv8iBq6K5ly8qdLcl7f_KNdHAJ5IjcNKp8ErVfGyXXmH5lVIFrIOakKkp3^tS2U78oc1c2GeRUPpK9wrZhL7egy6qlioTB5Nna3QtyDOhlx7DFgr1^C /apps/splunk/splunk/var/lib/splunk/modinputs/amqp <stanza name="amqp://Rabbit_MQ" app="launcher"> <param name="ack_messages">0</param> <param name="activation_key">1BE1C5DD7DA1CD8BFD93319BB9AA3A6A3974465751</param> <param name="exchange_name">CEE_Events</param> <param name="hec_batch_mode">0</param> <param name="hec_https">0</param> <param name="host">server01</param> <param name="hostname">10.10.10.10</param> <param name="index">main</param> <param name="index_message_envelope">1</param> <param name="index_message_propertys">1</param> <param name="output_type">stdout</param> <param name="password">dummy_password</param> <param name="port">5672</param> <param name="queue_name">CEPA</param> <param name="sourcetype">json</param> <param name="use_ssl">0</param> <param name="username">dummy_username</param> </stanza> ``` ... View more

Say, when a user connects his VPN, it will do policy checking (event--> policy_checking) and within 5 minutes will be completed (event--> policy_checking_completed) and allows the user to connect through the VPN, till then it becomes complied policy_checking events will be generated. If the policy_checking_completed event is not generated in 5 minutes we need to get an alert. If the VPN goes down because of the poor connection or anything else; then it will go through the policy check again. My search is like this: index=vpn [search index=vpn policy="policy_checking" | eval earliest=_time | eval latest=_time+300 | fields earliest,latest, Name] | eval status = if(policy="policy_checking_completed",1,0) | eventstats sum(status) as statscount by Name | table _time Name policy statscount | search statscount=0 We have used bin span=5m but it checks the values between 09:00 and 09:05 (NOT 09:03 and 09:08). This search works fine for if the system generates has one set of events, if the user has multiple disconnection and re-connection say in 1 hr, the search will go for a toss because of statscount. Is there any other workaround? ... View more

We are using SA-ldapsearch to pull the data from AD. As part one of the security use cases, I need to pull all the users which are part of multiple groups from the same OU. Say I have OU named Admin groups, inside that OU there are 300+ groups (all the group starts with adm-). Each group has 3-5 users. I need to pull the details of all the users from these 300groups. ``` | ldapsearch search="(&(objectClass=Group)(!(objectClass=computer))(sAMAccountName=adm-*))" | table sAMAccountName This will list all the Groups but not any users inside the group. There is another search i can use to pull the user details based on the Group name | ldapsearch search="(memberOf=CN=adm-ABCD,ou=Admin,ou=Groups,dc=xyz,dc=com)" but the issue is that i need to feed each group with an OR clause. Wild card (adm-*) doesn't work. ``` So I have 2 questions: Is there any better way to query to get all the users in the 3000+ groups in one ldapquery. Say, if i ran the first search and get all the 3000+ groups in a table, is there anyway i can pass each value in the table to the second ldapsearch (the value need to be after | ldapsearch search="(memberOf=CN= ... View more

For one of the Security usecase, we need to extract Group Memberships from the Domain. The trickier part is some of the Group Memberships doesnt have domain name in front of it. I am attaching the Regex link which is working fine on Regex101- https://regex101.com/r/X2YAAd/1 but for some strange reasons, when i use the same regex on Splunk its not working. This is to extract Group membership on EventCode=4627 Could anyone help me here.. ... View more

Hello, we have Splunk ES and using Malware datamodel. Requirement is like this and everything need to be in one search. --- If a same malware signature is detected on 50 hosts in 10minutes window of search then we need a notable event Severity Low and the same signature is picked up in 100 hosts in 1 hour time then a new notable events with Severity Medium. If its picked up on 200 or more host in 6 hours then its High. Thanks in advance...!! ... View more

Hello guys, We are using SH Clustering with Eneterprise SEcurity with F5 Load balancer. We have a requirement from our SOC team to display the dashboard on the TV - 24/7 so that they can monitor it continuously. Our users are connected through LDAP. I am aware off the setting - ui_inactivity_timeout in web.conf to zero so that it will never expires. We want to create only for one generic_user (soc_anaylsts) which is in the AD. If we have to create the user locally in the SH, will it work as we have a Load balancer and as far as i know, it will create only on one SH not on all. Pls help ... View more