About dillardo_2

edoardo_vicendo · ‎12-22-2022

Exactly, I confirm in our environment the issue was mainly due to thruput constraint, but we put 25 MB/s instead of unlimited. The only strange thing that didn't allowed us to quickly identify the root cause was that, for the windows events locally generated by the WEC server itself, the Splunk Universal Forwarder had no delay collecting them. The only delay was observed on forwarding with the Splunk Universal Forwarder the events stored by the Windows Event Collector (WEC) coming from the other machines through Windows Event Forwarding (WEF). limits.conf [thruput] maxKBps = 25600 To understand the thruput limit in your environment you can use this query (stay quite higher than the maximum you observe) index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) hostname=your_WEC_host | timechart minspan=30s max(eval(tcp_KBps)) as "KB/s", max(tcp_eps) as "Events/s"

pellegrini · ‎11-28-2022

DS init failed: Deployment Server not available on a dedicated forwarder. This is not a real error on an Universal Forwarder. There is no Deployment Server on an Universal Forwarder. There is just a Deployment Client on the UF. I think this event is show everytime the UF starts. This is how it looks in version 7.1.2 and 7.36, both Windows and Linux: INFO DS_DC_Common - Deployment Server not available on a dedicated forwarder.

engrimranzakir · ‎12-30-2021

any other method to collect logs other than wec.

to4kawa · ‎08-09-2020

https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb @jeremyfer this blog is japanese, but there is a lot of trouble shoot method. please check this.

dillardo_2 · ‎01-27-2020

This works for us, but rsyslog stops processing data and has to be restarted.

dillardo_2 · ‎10-09-2019

Thanks @richgalloway, this did the trick!

dillardo_2 · ‎10-05-2019

Hi @gcusello, thanks for your response. Events stopped on 10/4 on only this DNS server. We have a second DNS server that is forwarding events just fine. It appears to be isolated to this one DNS server.

dillardo_2 · ‎10-03-2019

Changed use_threads to use 15 threads. (Made no difference) Enabled: On the rest of the Windows Event Collectors suppress_sourcename suppress_checkpoint suppress_keywords suppress_type suppress_opcode Note: Splunk recommends not changing these settings without speaking with support first. This is the result. While we are pleased with this after months. We will evaluate how it affects Enterprise Security.

lnetto_splunk · ‎03-19-2020

We are no longer publishing eventgen configs with TAs :(. I'm going to try to reach out to you directly.

dillardo_2 · ‎09-09-2019

Thanks for the assist, @harsmarvania57. Turned out to be a temporary issue with our Anomali feed.

dillardo_2 · ‎08-13-2019

Thanks for the assist!

woodcock · ‎08-31-2019

You got a talk slot? GOOD FOR YOU! I will not miss it.

Posts	20
Solutions	1
Karma Given	23
Karma Received	1
Member Since	‎01-09-2019

Online Status	Offline
Date Last Visited	‎10-20-2020 01:48 PM

Rsyslog Log Rotation

Why does metadata command returns only one sourcet...

DNS Server NOT Forwarding Windows Security Events

SA-Eventgen and Splunk SPL Examples - Help Generat...

Health Check: msg="A script exited abnormally with...

Re: Extreme Latency with Windows Events on one Win...

Re: Installing a universal forwarder in low privil...

Re: Forwarding logs from Windows Event Collector

Re: How do you troubleshoot missing windows event ...

Re: Rsyslog Log Rotation

Re: Why does metadata command returns only one sou...

Re: DNS Server NOT Forwarding Windows Security Eve...

Re: What are the implications of enabling suppress...

Re: SA-Eventgen and Splunk SPL Examples - Help Gen...

Re: Health Check: msg="A script exited abnormally ...

Re: Search that shows scheduled time of saved sear...

Re: Need help with Configurations Analytics App fo...