Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Mannyi31
Mannyi31
Explorer
Member since:
07-28-2011
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 4 |
| Member Since | 07-28-2011 |
Activity Feed
- Got Karma for Re: Best method for pulling Microsoft DNS logs with Splunk. 06-05-2020 12:46 AM
- Got Karma for Re: Best method for pulling Microsoft DNS logs with Splunk. 06-05-2020 12:46 AM
- Got Karma for Re: Best method for pulling Microsoft DNS logs with Splunk. 06-05-2020 12:46 AM
- Got Karma for Add a lookup csv colum information to the results of a inputlookup search. 06-05-2020 12:46 AM
- Posted Is there a Splunk App for FISMA reporting? on All Apps and Add-ons. 03-22-2012 07:21 AM
- Tagged Is there a Splunk App for FISMA reporting? on All Apps and Add-ons. 03-22-2012 07:21 AM
- Posted Re: Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-05-2012 07:27 AM
- Posted Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-02-2012 07:42 AM
- Tagged Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-02-2012 07:42 AM
- Tagged Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-02-2012 07:42 AM
- Tagged Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-02-2012 07:42 AM
- Tagged Add a lookup csv colum information to the results of a inputlookup search on Splunk Search. 03-02-2012 07:42 AM
- Posted Re: Windows DNS log file configuration - poor syntax for keeping history (Splunk) on Monitoring Splunk. 01-17-2012 05:38 AM
- Posted Re: Can Splunk cause DNS logs Event 3152? on Getting Data In. 01-17-2012 05:38 AM
- Posted Re: Can Splunk cause DNS logs Event 3152? on Getting Data In. 01-17-2012 05:14 AM
- Posted Can Splunk cause DNS logs Event 3152? on Getting Data In. 01-11-2012 05:09 AM
- Tagged Can Splunk cause DNS logs Event 3152? on Getting Data In. 01-11-2012 05:09 AM
- Tagged Can Splunk cause DNS logs Event 3152? on Getting Data In. 01-11-2012 05:09 AM
- Posted Re: Best method for pulling Microsoft DNS logs with Splunk on Getting Data In. 01-06-2012 06:14 AM
- Posted Re: Microsoft DNS debug logs. Massaging log format. on Splunk Search. 01-05-2012 07:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
03-22-2012
07:21 AM
The Splunk App for FISMA Continuous Monitoring PDF mentions of a FISMA app for Splunk but I cannot locate it. Has this been discontinued?
... View more
- Tags:
- fisma
03-05-2012
07:27 AM
Thanks Ayn, Your answer worked after I made some modifications and below is the end result:
sourcetype=firewall [|inputlookup ipwatchlist.csv | fields ip_address | rename ip_address as dest_ip] | stats count by src_ip dest_ip | sort desc - count | lookup ipwatchlist ip_address as dest_ip OUTPUT category | table src_ip dest_ip category count
... View more
03-02-2012
07:42 AM
1 Karma
Hi,
I have a lookup search that works fine but I would like to add information from the lookup table that the source log does not have. let me explain:
example of lookup table called ipwatchlist.csv:
category ip_address isbad
Fake-AV 109.235.251.49 TRUE
Fake-AV 109.235.251.51 TRUE
This is my search:
sourcetype=firewall [|inputlookup ipwatchlist.csv | fields ip_address | rename ip_address as dest_ip] | stats count by src_ip dest_ip | sort desc - count
This gives me a result of:
src_ip dest_ip count
192.168.1.1 109.235.251.49 50
Now I would like to add the field in the ipwatchlist.csv of category to see what is the IP associated with, I would like to get a result like:
src_ip dest_ip Category count
192.168.1.1 109.235.251.49 Fake-AV 50
Does anyone has an idea how to do this?
... View more
01-17-2012
05:38 AM
Check this link in order to see the possible fix action for this symptom:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html
... View more
01-17-2012
05:38 AM
It seems that Splunk was the cause but M$ is the one to blame. See this link that explanes the situation and its fix action:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html
... View more
01-17-2012
05:14 AM
It seems that Splunk is causing this. I have turned off indexing and DNS debug logging is working fine.
I have search around and found out I am not the only one with this problem. http://splunk-base.splunk.com/answers/27537/windows-dns-log-file-configuration-poor-syntax-for-keeping-history-splunk
Also this MS article is about the same issue: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c48f8bbe-960b-4fbe-a56a-683038d53bb5/
... View more
01-11-2012
05:09 AM
I am running in to multiple DNS server having this event 3152 almost daily and the symptoms are that the DNS server was unable to open the DNS debug log file for write. I am thinking that an application has a lock on the file wile DNS is writing to it and once it reaches its quota of 500MB it removes the file but cannot write a new one. I see this as the DNS log file disapeers but DNS claims it cannot open the file to write a new log.
I have made sure that AV software is not scanning this file and taking a look at current open files on the server I notice that the Splunk the service account is the only one that has this file open. This occurs if on both Win2003 and Win2008R2 with both Universal Forwarder and using regular file monitoring via the indexer. Has anyone experienced this wile using Splunk to monitor the DNS debug file?
... View more
01-06-2012
06:14 AM
I have not done this but looking around I found this article talking about doing exacly what you are trying to do. It is for an older version of Splunk (4.1.3) but it is usefull:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help
Also check on this link for the updated information on SEDCMD, REGEX and SED:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Data/Anonymizedatausingconfigurationfiles
Basically this is used to anonymize confidential data from the logs and can be used to replace values with different ones like what you are trying to do
... View more
01-05-2012
07:13 AM
I have not done this but looking around I found this article talking about doing exacly what you are trying to do. It is for an older version of Splunk (4.1.3) but it is usefull:
http://splunk-base.splunk.com/answers/4546/field-extraction-regex-fu-help
Also check on this link for the updated information on SEDCMD, REGEX and SED:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Data/Anonymizedatausingconfigurationfiles
Basically this is used to anonymize confidential data from the logs and can be used to replace values with different ones like what you are trying to do.
... View more
11-30-2011
05:51 AM
3 Karma
I have implemented different approaches on how to do just this and the best one that has worked without giving me problems is the universal Forwarder method. If you are going to use this method you will need to enable the creation of DNS debug file on the local server (anyware on the server is fine as long as you got enough space) and configure the universal forwarder during installation to monitor the DNS debug file and send the data to the Indexer on the port that you chose.
This method is recommended not just because the forwarder is keeping track of the data as mentioned but this has the ability to monitor other types of event logs and forward them using the same forwarder in case that you want more than just DNS logs.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
