Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About hayduk
hayduk
Path Finder
Member since:
11-22-2018
10-13-2021
Community Statistics
| Posts | 15 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 11 |
| Member Since | 11-22-2018 |
Activity Feed
- Got Karma for Re: Parsing src_domain from sourcetype=[msad:nt6:dns] to get clean dns record names. 10-08-2021 09:32 AM
- Got Karma for Re: Parsing src_domain from sourcetype=[msad:nt6:dns] to get clean dns record names. 07-16-2020 12:48 AM
- Got Karma for Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk App for Windows - Missing Task Category, Event Code and Type. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk Add-on for Microsoft Exchange: ERROR "Search-AdminAuditLog : Object reference not set to an instance of an object.". 06-05-2020 12:49 AM
- Posted Re: Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-17-2020 01:53 AM
- Posted Re: Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-17-2020 01:35 AM
- Posted Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-16-2020 11:52 PM
- Tagged Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-16-2020 11:52 PM
- Tagged Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-16-2020 11:52 PM
- Tagged Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-16-2020 11:52 PM
- Tagged Add Field to Result based on lookup with CIDRMATCH in Lookup file on Splunk Search. 02-16-2020 11:52 PM
- Posted Re: Parsing src_domain from sourcetype=[msad:nt6:dns] to get clean dns record names on Getting Data In. 05-15-2019 10:54 AM
- Posted Parsing src_domain from sourcetype=[msad:nt6:dns] to get clean dns record names on Getting Data In. 05-15-2019 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 |
02-17-2020
01:53 AM
yes, i saw it! But is there also a way to do the same directly in SPL?
... View more
02-17-2020
01:35 AM
thanks, but your query misses the cidrmatch function. I have to match the ip address to the cidr notation!
... View more
02-16-2020
11:52 PM
Hi,
i try to find the correct way to query a lookup file based on a where clause with CIDRMATCH.
I have the following scenario:
We have a lookup table that contains a mapping between our customers and IP Address ranges that are assigned to them. So, the lookup table looks like the following example:
CusomterName Prefix
Customer A 10.1.1.0/24
Customer B 172.16.42.0/16
Customer C 192.168.1.0/24
Additionally, we have sFlow Data that contains explicit IP Addresses as source and destination information. We would like to add a field to each event that holds the CustomerName based on a cidrmatch query of the source or dest IP Address.
I can query the lookup table with cidrmatch to get the required information with the following query:
| inputlookup tenants.csv
| where (cidrmatch(myprefix,"10.66.148.3"))
| fields customer
| dedup customer
And I can query the sFlow Data to show the Connections information that comes from the sFlow Data, but I didn’t find a way to combine these two queries to get the result I want.
For example, I tried it with eval and inputlookup:
source="stream:sflow" | eval Customer=[| inputlookup tenants.csv | where (cidrmatch(myprefix,dest_ip)) | fields customer ]
Maybe someone can give me a hint how this should or can work!
Thanks in advance
Stefan
... View more
05-15-2019
10:54 AM
2 Karma
Thanks for your answer! Works great! But I would prefer to get it already in props.conf extracted. So, my users do not have to have the query at hand. I took your approach and came up with the following solution in props.conf:
[MSAD:NT6:DNS]
EVAL-src_domain_punct = trim(replace(src_domain, "\(\d+\)", "."),".")
... View more
05-15-2019
12:45 AM
We're ingesting logfiles from Windows DNS Servers. This Log entries contrain the src_domain as
(6)config(4)edge(5)skype(3)com(0)
(6)s-0001(8)s-msedge(3)net(0)
(4)api3(7)central(6)sophos(3)com(0)
(4)tsfe(14)trafficshaping(3)dsp(2)mp(9)microsoft(3)com(0)
(12)settings-win(4)data(9)microsoft(3)com(0)
To further process this kind of information i'm trying to normalize the src_domain field to look like a regular dns record. Eg.
config.edge.skype.com
api3.central.sophos.com
I've already replaced the entire (digit) occurence with . in my props.conf with a calculated field.
EVAL-src_domain_punct = replace(src_domain, "(\d+)", ".")
So I get
.config.edge.skype.com.
.api3.central.sophos.com.
But a would like to omit the first and last . so I get a clean DNS Record.
Is there a way to do this kind of parsing?
Regards
... View more
- Tags:
- dns
- splunk-enterprise
05-02-2019
03:06 AM
1 Karma
First of all it is required to run the Splunk Forwarder Server with a Domain Account and set the correct permissions in Exchange for this account. This was already stated in previous answers.
Additionally:
I think i've found a workaround for the Search-AdminAuditLog issue. The problem is somehow related to the way the exchange PowerShell snap-ins are loaded.
In the Exchange TAs the Snap-Ins are loaded with the -PSConsoleFile "%Exchangepath%\bin\exshell.psc1" Parameter of PowerShell.exe
It seems that if you load the exchange cmdlets this way especially the Search-AdminAuditLog cmdlet is not working as expected.
The only way I’ve found to mitigate this behaivior is to load the exchange snaps-in the correct way. To do this you have to modify the read-audit-logs_2010_2013.ps1 and the read-mailbox-audit-logs_2010_2013.ps1 in the Exchange TAs. You must add the following lines at the beginning of the script:
$CallEMS = ". '$env:ExchangeInstallPath\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto -ClientApplication:ManagementShell "
$null = Invoke-Expression $CallEMS
Additionally, to prevent the start-up output of the Exchange Cmdlets are logged to Splunk you have to modify the following files:
In the Exchange Installation Directory modify the following files:
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\ConnectFunctions.ps1"
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\CommonConnectFunctions.ps1"
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\RemoteExchange.ps1"
Search for lines starting with set-variable VerbosePreference and comment them out!
After that you will receive the correct log information.
I know that’s a little bit brutal, but it will work.
... View more
11-29-2018
07:43 AM
Cool! Thats great!
... View more
11-29-2018
05:58 AM
Hi,
I try to monitor the Registry Hive HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. Unfortunately, it didn’t get any Event from this registry hive.
I have setup the Monitoring the following way:
[WinRegMon://hklm_dnsserver]
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*
proc = .*
type = set|create|delete|rename
index = windows
If already tried a lot of different path defintions like
hive = \\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\DNS\\Parameters\\.*
or
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\.*
or
hive = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\.*
other registry keys, for example, under HKLM\SOFTWARE are working without Problems.
Did anyone managed to get a working registry Monitoring for HKLM\CurrentControlSet?
Kind regards
Stefan
... View more
11-27-2018
04:53 AM
Thank You! It worked as You descibed. The correct query would be:
index="wineventlog" source="WinEventLog:Security" TaskCategory="User Account Management" EventCode=4724 [| ldapsearch search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=262144))"
| fields sAMAccountName
| rename sAMAccountName as Account_Name]
... View more
11-27-2018
02:11 AM
Hi guys,
I would like to Filter Events based on the result of a LDAP search. Especially, I would like to get all Password Reset Events for Smartcard-only Users in my Active Directory Domain.
I have the SPL for the Smartcard-only Users:
| ldapsearch search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=262144))"
So, I got a list of all users that have Smartcard-only Flag set.
I also have the query for a Password Reset successful Events:
index="wineventlog" source="WinEventLog:Security" TaskCategory="User Account Management" EventCode=4724
So, I get all Events with Password Reset attempts.
But how can I merge them together, so I only get the Events from Smartcard-only Users? I have to match the sAMAccountName AD Attribute with the Account_Name Field of the Events.
I don’t get it on my own, so maybe someone can give me a hint how the achieve the requested result?
... View more
11-26-2018
05:40 AM
5 Karma
I finally identified the root cause of the Problem. It seems to me that there is a bug in the Default/props.conf of the splunk_app_windows_infrastructure. As soon as this app is deployed the TaskCategory Field is missing.
In the props.conf File is a Field alias defined which will Override the TaskCategory Field with empty Information from the CategoryString Field which does not exist, so both fields arent displayed in search.
###### Add an Alias for TaskCategory and CategoryString from the Windows Events #####
FIELDALIAS-CategoryString_for_windows = CategoryString as TaskCategory
I think the correct Configuration should be:
FIELDALIAS-CategoryString_for_windows = TaskCategory AS CategoryString
I think the fields CategoryString and TaskCategory got twisted. As soon as I correct the field order, I got TaskCategory and CategoryString as available Fields in Search.
Maybe someone can report this directly to the Splunk support Team, so they can fix it. I'm currently just evaluating the product so I have no support Agreement with them and cannot report Bugs. 🙂
... View more
11-24-2018
01:19 AM
Yes my user is has the winfra-admin role assigned. I think the Problem is more related to the Splunk Add-on for Microsoft Windows than to the Splunk 5.x App for Microsoft Windows. From my Point of view is the field extraction from the Windows Add-on not working properly.
... View more
11-23-2018
03:20 AM
1 Karma
For clarification regarding the fields and search here some Screenshots:
... View more
11-23-2018
03:17 AM
Sure …
[WinEventLog://Application]
disabled = true
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index=wineventlog
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="5136" Message="Class:(?!\s*groupPolicyContainer)"
blacklist4 = 4689,4703,4985,4799,5158
blacklist5 = EventCode="4688" Message="(?:Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:Splunk UniversalForwarder\\bin\\btool.exe)"
blacklist6 = EventCode="4688" Message="(?:Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunkwinprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkpowershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkregmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkadmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkMonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkwinevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkperfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)"
blacklist7 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"
blacklist8 = EventCode="4634" Message="(?:Account Name:).+(?:\$$)|.+(?:SYSTEM)"
blacklist9 = EventCode="4624" Message="(?:Account Name:).+(?:\$$)|.+(?:SYSTEM)"
renderXml=false
index=wineventlog
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = SourceName="Microsoft-Windows-DistributedCOM"
blacklist2 = SourceName="Microsoft-Windows-Security-SPP"
blacklist3 = SourceName="Microsoft-Windows-LSA"
blacklist4 = SourceName="MsiInstaller"
renderXml=false
index=wineventlog
[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Execution]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
index=wineventlog
[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Deployment]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
index=wineventlog
[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
index=wineventlog
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
index=wineventlog
[admon://default]
disabled = true
monitorSubtree = 1
[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows
But I don't think that the Problem is related to the Inputs.conf. If I check the Windows Events, I see a TaskCategory Field, but i cannot search for it.
... View more
11-22-2018
02:05 AM
2 Karma
Hi,
i've tried to implement the Splunk App for Windows and getting Events into the System. But i have a problem espacially with the Windows Event Monitoring Dashboard. There should be the fields Task Category, Event Code and Type populated but they are empty. So the Dashboard is not showing Data.
I've already looked at the lookup table that should populate this fields but the Task Category Field is empty.
I've followed the guide for implementing the app, so i think i've done everything corrept, but i'm totaly new to Splunk so i've maybe missed something.
Does anyone know how the Task Category Field is populated or can give me a hint what i'm missed?
Thanks in Advance
Stefan
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-13-2021
04:16 AM
|
Karma from
