Activity Feed
- Posted App Updates on All Apps and Add-ons. 10-27-2021 08:39 AM
- Posted Re: Upgrade Failing with OSError type 28 on Splunk Enterprise Security. 10-05-2021 05:51 AM
- Posted Why is Upgrade Failing with OSError type 28? on Splunk Enterprise Security. 10-05-2021 05:21 AM
- Posted Re: Per Index Configuration on Getting Data In. 08-05-2021 01:54 PM
- Posted Per Index Configuration on Getting Data In. 08-05-2021 12:45 PM
- Posted Re: Fire Brigade Not Working on All Apps and Add-ons. 08-04-2021 03:15 PM
- Posted Fire Brigade Not Working on All Apps and Add-ons. 08-04-2021 12:30 PM
- Posted TA-MS-defender no incident logs on All Apps and Add-ons. 06-25-2021 09:41 AM
- Posted Re: Monitoring Console shows all SHC members with the same instance name on Monitoring Splunk. 03-15-2021 11:25 AM
- Posted Re: Monitoring Console shows all SHC members with the same instance name on Monitoring Splunk. 03-15-2021 08:16 AM
- Posted Monitoring Console shows all SHC members with the same instance name on Monitoring Splunk. 03-15-2021 06:50 AM
- Posted Windows TA- Why are we not seeing any data in Splunk? on All Apps and Add-ons. 03-09-2021 06:53 AM
- Tagged Windows TA- Why are we not seeing any data in Splunk? on All Apps and Add-ons. 03-09-2021 06:53 AM
- Posted Re: User Mapping on Splunk Enterprise. 02-15-2021 12:17 PM
- Posted User Mapping on Splunk Enterprise. 02-15-2021 09:41 AM
- Tagged User Mapping on Splunk Enterprise. 02-15-2021 09:41 AM
- Got Karma for Migrate ES standalone to Cluster. 01-13-2021 12:55 PM
- Posted Syslog Output missing header on Getting Data In. 12-22-2020 10:49 AM
- Got Karma for Migrate ES standalone to Cluster. 10-01-2020 04:51 PM
- Posted Migrate ES standalone to Cluster on Splunk Enterprise Security. 06-29-2020 07:40 AM
a month ago
And you really think this is a common use case? I use windows at home in a VM with a GPU passthrough but I don't say that it's something used at a typical desktop.
08-28-2023
09:38 AM
We managed to resolve the "type 28 / 500 internal server" Enterprise Security installation error by cleaning out /tmp.
10-27-2021
08:39 AM
Hello All, On my ADHOC search head, I used to be able to go and see all the apps installed and see which apps needed to be updated. I do not see that anymore. I am not sure why I do not see them anymore. Any ideas? Thanks, ed
Labels: configuration, Other, troubleshooting, upgrade
10-05-2021
04:53 AM
I'm getting the same error. Did you ever find a solution? I just set up the incidents input today. It seems like permissions, so that's where I am starting to look.
Prerequisites
An Azure Active Directory application registration
Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello-world
Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents: https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide
08-05-2021
06:12 AM
Have you checked permissions on the app itself? And have you verified the DMC has access to all the indexes you think it should? With something like:
| tstats count where index=* by index
03-15-2021
11:25 AM
But why did it change?
02-16-2021
10:39 AM
Thanks for straightening me out, @scelikok . I ran a quick test and the mapping of user to role(s) is indeed in passwd. Authorize.conf maps the roles to capabilities and other settings. I'll remove my erroneous answer to avoid confusion.
12-22-2020
10:49 AM
Hello All,
I found a similar question but did not see an answer: https://community.splunk.com/t5/Getting-Data-In/No-time-or-host-in-forwarded-syslog-messages/m-p/52627
I am forwarding Checkpoint logs that are coming in via tcp://514 and I am trying to forward the data to an HA syslog-ng environment. There is a NetScaler in front of two different syslog-ng servers with round robin load balancing happening. I disabled the second syslog-ng host so that all logs get sent to sys-01. I see the following coming in:
Msg: 2020-12-22 18:30 host-blah-blah.xxx.xxx.xxx.com time=1608661800|hostname=logger|product=Firewall|layer_name=xx-stl-private Security|layer_uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|match_id=197|parent_rule=0|rule_action=Accept|rule_uid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|action=Accept|conn_direction=Internal|ifdir=inbound|ifname=eth2-01.716|logid=0|loguid={0x00000000,0x00,0x0000000,0xc0000000}|origin=xxx.xxx.xxx.xxx|originsicname=blah_gw-stl-prv|sequencenum=199|time=1608661800|version=5|dst=xxx.xxx.xxx.xxx|log_delay=1608661800|proto=6|s_port=47298|service=7031|src=xxx.xxx.xxx.xxx|
From the previous link that seems to be a bug, but I am going to assume that it is an old bug and should not exist in Splunk version 8.0.6. Is there a way in the outputs.conf to force a header that has the hostname?
Thanks
ed
08-27-2020
08:39 AM
We missed that the Splunk_TA_ontap App is incompatible with Splunk 8 in our upgrade planning. Apparently the configuration dashboards use Advanced XML, so they're not usable anymore. The existing app infrastructure seems unaffected though, so data ingest continues and the accompanying splunk_app_netapp and our own dashboards still work (as long as we don't need to make any changes to the data collection configuration).
05-20-2020
02:56 PM
Hello @edwardrose,
small corrections:
TIME_PREFIX = ^\w+\s\d+\s\d+:\d+:\d+\ssvr\-\w+\-nac-(01|02)\s
it is better to use \w+ instead of .* - the first requires 58 steps instead of 126 steps, compare:
https://regex101.com/r/cOQ2a2/1 - 126 steps
https://regex101.com/r/cOQ2a2/2 - 58 steps
05-18-2020
09:03 AM
Hello,
I am assuming that you are referring to using props and transforms to change the sourcetype. Am I wrong?
So I would use the current sourcetype in props.conf
[stream:netflow]
TRANSFORMS-set_sourcetype = set_netscaler
Then I would setup the transforms.conf
[set_netscaler]
FORMAT = sourcetype::citrix_netscaler_netflow
DEST_KEY = MetaData:Source
But that would change the sourcetype for all data that comes in via the original sourcetype stream:netflow.
Thanks
ed
05-08-2020
10:33 AM
Hello All,
We were using Splunk_TA_ipfix to collect the NetScaler Appflow logs and send them to our index cluster. With the release of Splunk_TA_citrix_netscaler 7.0.1, it states to collect Appflow logs using Splunk Stream. I am not sure what I am doing wrong. Here is my distributed environment:
2 Non-Clustered ADHOC SH
1 Non-Clustered ES SH
13 Node Index cluster
I installed the NetScaler TA on all SHs and all indexers
I installed Stream one of my ADHOC SH that is not busy
I installed Stream TA on a heavy forwarder that was configured to receive data Appflow data when ipfix TA was installed.
Splunk_TA_stream configuration files:
streamforward.conf :
[streamfwd]
netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow
inputs.conf :
[streamfwd://streamfwd]
splunk_stream_app_location = https://adhoc_sh_1:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
I do not see any data being forwarded to the ad hoc SH, nor do I see any data being sent to the indexers for the NetScaler AppFlow sourcetype. The instructions for collecting IPFIX/AppFlow are about as clear as mud on a moonless, cloudy night in the middle of winter. I know I do not have the inputs set up properly and I am not sure what else I have wrong. Any help would be greatly appreciated.
Thanks,
Ed
02-19-2020
06:21 AM
Yes, host matching patterns can be used in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformations you write under this stanza work for logs coming from all the matching hosts.
12-03-2019
12:57 PM
Hello All,
I have internal private certs for our Splunk environment. Currently, after I install a UF on Windows or Linux, I have to edit the etc\system\local\server.conf file to change the sslkeysfilepassword. If I do not change the password it will never check in with the deployment server. Is there a way to set the sslkeysfilepassword at the time of installation?
thanks
ed
12-02-2019
04:00 PM
You need to install the TAs individually, that are relevant to the technologies you are ingesting.
https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallTechnologyAdd-ons#Deploy_add-ons_to_forwarders has links to many common TAs on https://splunkbase.splunk.com, where you can find others as well.
11-20-2019
09:50 AM
Hello All,
I am working on tuning the Network-Unroutable Host Activity -Rule search and we are trying to exclude our VPN networks and DNS hosts that are sending data to 192.0.0.0 from the search. I thought I could run a loop for every IP address of our dns servers. Here is what I added to the fully blown out search but it does not seem to be working like I thought it would.
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count,values(sourcetype) from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src,All_Traffic.dest
| rename "All_Traffic.*" as "*"
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.src,IDS_Attacks.dest
| rename "IDS_Attacks.*" as "*"
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Web.Web by Web.src,Web.dest
| rename "Web.*" as "*"
| stats count,values(sourcetype) as sourcetype by src,dest
| lookup local=true bogonlist_lookup_by_cidr ip AS "src" OUTPUTNEW is_bogon AS "src_is_bogon",is_internal AS "src_is_internal"
| lookup local=true bogonlist_lookup_by_cidr ip AS "dest" OUTPUTNEW is_bogon AS "dest_is_bogon",is_internal AS "dest_is_internal"
| search (NOT dest=169.254.* NOT src=169.254.* ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))
| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))
| eval bogon_ip=if(((dest_is_bogon == "true") AND (dest_is_internal != "true")),dest,bogon_ip), bogon_ip=if(((src_is_bogon == "true") AND (src_is_internal != "true")),src,bogon_ip)
| fields + sourcetype, src, dest, bogon_ip
I added the following line:
| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))
But like I stated it does not seem to be working like I thought it should. Any help would be appreciated.
Thanks
ed
07-25-2019
12:00 PM
well it took care of the server.conf but the web.conf sslPassword is still unencrypted 😞
07-27-2019
12:28 PM
Your log files are not truly empty; they must be receiving some whitespace or unprintable control characters. Let's assume the former and do something like this:
In props.conf:
[source::/your/source/here]
TRANSFORMS-drop_empty_lines = drop_empty_lines
In transforms.conf:
[drop_empty_lines]
REGEX = ^\s+$
DEST_KEY=queue
FORMAT=nullQueue
So instead of parsing these lines and not finding a timestamp, these are thrown away.
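The answer above hedges with "let's assume the former": `^\s+$` only catches whitespace. The following added example (not from the answer or from Splunk; the sample lines and the broader character class are constructed assumptions) mimics the nullQueue routing in Python so you can see which "empty" lines the whitespace-only pattern actually drops, and which lines made of control characters would still reach the index and fail timestamp parsing.

```python
import re

# Pattern from the answer above: a line made only of whitespace is sent to nullQueue.
WHITESPACE_ONLY = re.compile(r"^\s+$")

# Assumed broader pattern (not from the answer): also drop lines consisting only of
# ASCII control characters, which `\s` alone does not cover (e.g. NUL padding).
CONTROL_OR_WHITESPACE_ONLY = re.compile(r"^[\s\x00-\x1f\x7f]+$")

# Constructed sample lines, labelled by what an "empty" line might really contain.
SAMPLE_LINES = [
    "2019-07-27 12:28:01 app started",
    "   ",        # spaces only
    "\t\t",       # tabs only
    "\x00\x00",   # NUL padding, e.g. from a pre-allocated log file
    "\x1b[0m",    # stray ANSI reset sequence: control char plus printable text
    "2019-07-27 12:28:02 app stopped",
]


def route(line, pattern=WHITESPACE_ONLY):
    """Mimic the transform: 'nullQueue' if the regex matches, else 'indexQueue'.

    Python's `re` stands in for the PCRE engine Splunk uses; for the plain ASCII
    inputs above the two agree on what `\\s` and the character class match.
    """
    return "nullQueue" if pattern.match(line) else "indexQueue"


def kept_lines(lines, pattern=WHITESPACE_ONLY):
    """Return the lines that would reach the index, in their original order."""
    return [line for line in lines if route(line, pattern) == "indexQueue"]


if __name__ == "__main__":
    for pattern_name, pattern in (("WHITESPACE_ONLY", WHITESPACE_ONLY),
                                  ("CONTROL_OR_WHITESPACE_ONLY", CONTROL_OR_WHITESPACE_ONLY)):
        print(pattern_name)
        for line in SAMPLE_LINES:
            print(f"  {line!r:40} -> {route(line, pattern)}")
```

The ANSI line is kept by both patterns because it still carries printable characters; if a source emits lines like that, the regex has to target the specific sequence rather than "emptiness", and it is worth confirming with a hex dump what the lines really contain before widening the drop pattern.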
05-15-2019
03:00 PM
Thanks, converted to answer - feel free to accept it 🙂
cheers, MuS
12-05-2019
02:54 AM
Hey,
it looks like a permission issue:
Go to "Manage Apps" and find the "Splunk Add-On for Citrix NetScaler", then click on "Permissions" and below change it from "This app only" to "All apps"
02-06-2019
11:32 PM
@edwardrose,
I don't think it will be a problem. If you are sending data outside Splunk then the configuration will be there in outputs.conf and we are not specifying any SSL use there.
07-31-2019
05:53 AM
Hi edwardrose,
if you're satisfied by this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe
11-19-2018
09:26 AM
1 Karma
Hello All
I originally asked a similar question
https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html
It did seem to work, but now it seems not to be working. So here is what I am doing.
Get a list of all hosts and IPs in our DMZs that are being reported live/active via a Qualys scan of our networks.
I take the results from the Qualys scan and place them into a lookup file called dmzhosts.csv.
I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way because not every device that is reporting into Splunk has a universal forwarder. I use the following search:
```
index=
[ inputlookup dmzhosts.csv
| table IP
| rename IP AS host
| format] OR
[ inputlookup dmzhosts.csv
| table hostname
| rename hostname AS host
| format]
| eval host=upper(host)
| stats count by host
| append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count]
| stats sum(count) AS Total by host
| where Total=0
| outputlookup missingdmzhosts.csv
```
The search is only run over the last 24 hrs and is run every morning at 6am. My issue is that I have actually set up and manually verified several hosts that were reported missing; these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing DMZ hosts.
Any help would be appreciated.
thanks
ed
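The search above is an inventory-versus-observed reconciliation: every scanner-reported host should appear as a `host` value at least once in 24 hours, and rows with `Total=0` are coverage gaps. The following added example (not from the post, and not Splunk code) reimplements that logic in Python over constructed data so the matching rules can be tested in isolation. It goes one step beyond the post by assuming that syslog-only appliances may report under an IP address or a fully qualified name rather than the short hostname in the lookup, and by showing how the result changes depending on whether the domain suffix is stripped before comparison; the inventory, observed hosts and the `example.com` domain are all constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryHost:
    hostname: str
    ip: str


# Constructed stand-in for dmzhosts.csv (the scanner's list of live DMZ hosts).
DMZ_HOSTS = [
    InventoryHost("dmz-web-01", "203.0.113.10"),
    InventoryHost("dmz-fw-01", "203.0.113.1"),
    InventoryHost("dmz-lb-01", "203.0.113.20"),
]

# Constructed stand-in for the distinct host values seen in the index over 24 h.
OBSERVED_HOSTS = [
    "DMZ-WEB-01",             # forwarder host, case differs from the lookup
    "203.0.113.1",            # syslog-only appliance reporting under its IP
    "dmz-lb-01.example.com",  # syslog-only appliance reporting under its FQDN
]


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalise(host, strip_domain=True):
    """Upper-case a host value and, optionally, reduce an FQDN to its short name.

    IP addresses are returned unchanged so their dots are not mistaken for a domain.
    """
    host = host.strip()
    if is_ip(host):
        return host
    host = host.upper()
    return host.split(".", 1)[0] if strip_domain else host


def aliases(entry, strip_domain=True):
    """Every form under which an inventory entry may show up as `host`."""
    return {normalise(entry.hostname, strip_domain), normalise(entry.ip, strip_domain)}


def coverage(inventory, observed, strip_domain=True):
    """Map each inventory hostname to the observed value that matched it, or None."""
    seen = {normalise(h, strip_domain): h for h in observed}
    report = {}
    for entry in inventory:
        hit = aliases(entry, strip_domain) & seen.keys()
        report[entry.hostname] = seen[next(iter(hit))] if hit else None
    return report


def missing_hosts(inventory, observed, strip_domain=True):
    """Hostnames with no matching log source, i.e. the Total=0 rows in the post."""
    return sorted(name for name, hit in coverage(inventory, observed, strip_domain).items()
                  if hit is None)


if __name__ == "__main__":
    print("domain stripped :", missing_hosts(DMZ_HOSTS, OBSERVED_HOSTS))
    print("exact match only:", missing_hosts(DMZ_HOSTS, OBSERVED_HOSTS, strip_domain=False))
```

With exact matching (the behaviour of the SPL above, which only upper-cases), the load balancer reporting as `dmz-lb-01.example.com` is flagged missing even though its logs are present; stripping the domain before comparison clears it. Whether that is the right fix for a given environment depends on how the appliances populate `host`, which is worth checking against a `stats count by host` for one of the "missing" systems before changing the scheduled search.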