Yeah, this is from the windows app: DHCP [monitor://$WINDIR\System32\DHCP] disabled = 1 whitelist = DhcpSrvLog* crcSalt = sourcetype = DhcpSrvLog index = windows ... View more

Yeah, that one's a pain. I just use eval to lower() the field that's causing me trouble: ... | eval host=lower(host) As stated, search qualifiers will ignore case, but this will help with the stats grouping. ... View more

I commented on another thread as well: I'm seeing the same issue. I believe it is because if you look at the default config files in both the App and the Windows TA add-ons, the indexes are NOT the same. The Win Infra App looks for windows event logs in an index named "winevents" while the TA-Add-On saves event logs to index "wineventlog". I'm not sure how the Infra App config file could possibly work since it doesn't even look in the same locations". I'm working on trying to fix all of those mis-matches myself. Looking at the default eventtypes in the Infra App and the TA-Add-On, they're not the same either.......ugh. ... View more

At a customer site I'm serving, 9 out of 10 problems with "missing data" is a mismatch between what is stated in the inputs.conf on the UF side and what is configured on the indexer side (i.e. the index you have in inputs.conf stanzas must also be present (and correctly configured) on the indexer side). A quick way to determine if data is entering your indexes, is to check Manager -> Indexes. Locate your index and check the Earliest / Latest Event columns. Depending on how your access controls with regards to accessing your indexes are configures, you might need to specify index= in the search field. ... View more

Generally, dhcpd logs are sent via syslog from the dhcpd server to Splunk. The linux/unix conf file /etc/dhcpd.conf contains configuration settings for, among other items, logging wherein you can specify the facility that dhcpd logs to and then use the system syslog instance to control how those facilities are handled (socket, file, etc) ... View more

You can find instructions for setting up search and alerting here: http://www.splunk.com/base/Documentation/latest/user/SchedulingSavedSearches#Start_by_defining_and_saving_a_search You'd use a custom schedule with a cron job like syntax. I believe the following should work, it wouldn't hurt to double check: 0-8,18-21 * * * ... View more

Forwarders send data to receivers, which are usually indexers. The "enable listen" command is the command that you run on the receiver, not the forwarder. It allows the receiver to listen for data coming from a forwarder. How you set up a deployment server to communicate with deployment clients is a separate issue, which is convered in the earlier steps in that example. For more information on forwarding and receiving, refer to: http://www.splunk.com/base/Documentation/latest/Deploy/Aboutforwardingandreceivingdata ... View more

Cool, so basically i just have to set the servers on Net a to send their stuff to "Box A" and then just set "Box A" as a forwarder and send its stuff to box B? ... View more

I suggest getting in touch with your Splunk sales contact. They will be able to give you a quote as well as more information about the enterprise apps. Basically they include the app as well as professional services to help you integrate the apps into your environment. ... View more

Hey, I started working through this one and so far I have this for one of my searches: ("Login succeeded" OR "Logout from" OR "Session timed out" OR "Max session timeout" OR "Remote address for user") | rex field=_raw "[(? \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})]\s+(? \w+)((? [^)]+))[(? [^]]*)" | rex field=_raw "(session:(? [^)]+))" | transaction user src keepevicted=true startswith="Login succeeded" endswith=("Session timed out" OR "Logout from" OR "Max session timeout" OR "Remote address for user") | search NOT ("Logout from" OR "Session timed out" OR "Max session timeout" OR "Remote address for user") | eval user = lower(user) | table _time user realm src sessionid host | sort user this is starting to give me a printout of the currently logged in users. I have to tweak it a bit cuz i think it's not catching some logout/login conditions but here it is if it helps anyone else ... View more

Does this server by any chance have two processors? I am seeing the exact same behavior only affecting 2008 servers. If they have a single processor the Splunkd service has it locked at 100%, 2 processors 50%, 4 processors 25% etc. I am using Splunk 4.2.1 build 98164 of the splunk forwarder. ... View more

Event types are not suited to group set of related events. For instance, it would be hard (if not impossible) to create the event type "more than 4 failed login attempts". You could however create the event type "failed login attempt", and then a search counting those events per user in the last X minutes. Then you could create a simple dashboard with that and other searches in it, to monitor all the possible weird events in the infrastructure. (or schedule the searches and let them notify you when they find anything strange) ... View more

I created an eventtype called BOTS that will match bots that I know of (i.e. http_user_agent="crawler" OR ...etc..). When I want to filter out events created by BOTS, I add it to my search query: something=something NOT eventtype=BOTS etc This works very well for me. Periodicly, I see a new bot show up & add it to my list. ... View more

Never mind 🙂 I've been able to create these extractions myself. EXTRACT-RT_SCREEN_ICMP (?i)-RT_SCREEN_ICMP: (?P .+?)\s+\w+:\D+(?P \d+.\d+.\d+.\d+)\,\sdestination:\D+(?P \d+.\d+.\d+.\d+)\,\szone\sname:\s(?P \S+)\,\sinterface\sname:\s(?P \S+) EXTRACT-RT_SCREEN_TCP (?i)-RT_SCREEN_TCP: (?P .+?)\s+\w+:\D+(?P \d+.\d+.\d+.\d+):(?P \d+)\,\sdestination:\D+(?P \d+.\d+.\d+.\d+):(?P \d+)\,\szone\sname:\s(?P \S+)\,\sinterface\sname:\s(?P \S+) EXTRACT-RT_SCREEN_IP (?i)-RT_SCREEN_IP: (?P .+?)\s+\w+:\D+(?P \d+.\d+.\d+.\d+)\,\sdestination:\D+(?P \d+.\d+.\d+.\d+)\,\sprotocol-id:\s(?P \d+)\,\szone\sname:\s(?P \S+)\,\sinterface\sname:\s(?P \S+) Hope this helps others. ... View more

Helped me to get rid of "unix-all-logs" eventtypes: 1) move "unix" app from folder etc/apps 2) restart splunk 3) copy "unix" app back to etc/apps folder 4) restart splunk ... View more

Hmm, but say that i monitor all events in a 15 minutes interval, i have some stuff from the firewall that shows up in the "src" field. I also log some stuff from one of the linux server, and i want it to be able to show the source of the ssh stuff (or from the apache server) in the same "src" field as the firewall. ... View more

Your timestamps are probably incorrect, possibly due to TZ issues. Run this search and make sure that avg(lagSeconds) is small and >0: index=* | eval lagSeconds=_index_time - _time | stats avg(lagSeconds) by sourcetype,host,index ... View more

is it possible to check those configs on ng version 3? Those are really different it seems! ... View more

Thanks! Yeah maybe its best to deploy both nagios and ossec and intergrate them with splunk to get the best out of it. ... View more