Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About _joe
_joe
Communicator
Member since:
04-09-2019
07-20-2023
Community Statistics
| Posts | 84 |
| Solutions | 2 |
| Karma Given | 19 |
| Karma Received | 14 |
| Member Since | 04-09-2019 |
Activity Feed
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 09-11-2023 03:26 PM
- Got Karma for Linux UF boot-start issues and non-impacting errors on 9.0.0. 09-11-2023 03:25 PM
- Posted Re: Why is Splunk Add-on for Microsoft Security for GCC not working? on All Apps and Add-ons. 07-20-2023 09:38 AM
- Posted Re: Why is Splunk Add-on for Microsoft Security for GCC not working? on All Apps and Add-ons. 07-20-2023 09:25 AM
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 07-13-2023 04:28 AM
- Tagged Has anyone been able to use Certificate Transparency Log add-on for Splunk Enterprise version 9? on All Apps and Add-ons. 05-04-2023 08:17 AM
- Posted Has anyone been able to use Certificate Transparency Log add-on for Splunk Enterprise version 9? on All Apps and Add-ons. 05-04-2023 08:16 AM
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 04-18-2023 02:29 AM
- Got Karma for Re: Splunk says bundle directory contains a large lookup file in .delta file but the .delta file does not contain a larg. 03-22-2023 08:22 PM
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 03-01-2023 08:00 PM
- Got Karma for Linux UF boot-start issues and non-impacting errors on 9.0.0. 01-04-2023 03:27 AM
- Got Karma for Re: Linux UF boot-start issues and non-impacting errors on 9.0.0. 01-04-2023 03:27 AM
- Got Karma for Re: Getting duplicate data. 10-20-2022 03:55 PM
- Posted Has anyone set up CIM parsing for Akamai SIEM TA? on All Apps and Add-ons. 09-13-2022 12:36 PM
- Karma Re: Splunk Deployment Server Listening on HTTP 8088 for TheColorBlack. 08-10-2022 12:40 PM
- Posted Re: Executing Web Scanner on Splunk WebUI on Security. 07-29-2022 09:30 AM
- Posted Re: Splunk says bundle directory contains a large lookup file in .delta file but the .delta file does not contain a larg on Splunk Search. 07-18-2022 05:02 AM
- Posted Re: Linux UF boot-start issues and non-impacting errors on 9.0.0 on Installation. 06-28-2022 11:12 AM
- Posted Re: Splunk Add-on for CyberArk EPM Login with SAML on All Apps and Add-ons. 06-28-2022 09:08 AM
- Posted Linux UF boot-start issues and non-impacting errors on 9.0.0 on Installation. 06-21-2022 06:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-20-2023
09:38 AM
Sorry, only GCC (literally the "GCC" selection an the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.
... View more
07-20-2023
09:25 AM
I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue. https://splunkbase.splunk.com/app/6207
... View more
05-04-2023
08:16 AM
Hello,
Has anyone been able to ingest Certificate Transparency logs (via Certificate Transparency Log add-on for Splunk or any other app) on Splunk Enterprise version 9?
... View more
Labels
- Labels:
-
configuration
-
development
09-13-2022
12:36 PM
Has anyone setup CIM parsing for the Akamai SIEM TA? I am assuming these events should be going to the Alerts data model, but there is almost no parsing in the app.
https://splunkbase.splunk.com/app/4310/
... View more
Labels
- Labels:
-
installation
07-29-2022
09:30 AM
I don't have a whole lot of information about this, just wanted to comment that personally I've had an issue with Burp Suite crashing Splunk. We have had to ask them to turn back the Burp Suite threads to half.
... View more
07-18-2022
05:02 AM
1 Karma
Something like this would work best: index = _internal sourcetype = splunkd component=Archiver
Archiving large_file=*
| stats count latest(size_in_bytes) by large_file
... View more
06-28-2022
11:12 AM
5 Karma
This warning got added to "known issues" for 9.0.0 Date filed Issue number Description 2022-06-23 SPL-226019 Warning appears in the universal forwarder whenever any spl command is run: Warning: Attempting to revert the SPLUNK_HOME ownership Warning: Executing "chown -R splunk /opt/splunkforwarder". This warning is expected and will not affect functionality.
... View more
06-28-2022
09:08 AM
No actually. I was trying to use the App to ingest from an onprem server which isn't even supported (Only CyberArk SaaS).
... View more
06-21-2022
06:11 AM
2 Karma
Is anyone else running into boot-start/permissions issues with the 9.0.0 UF running on Linux using init.d scripts for bootstart? Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder" I am also finding that "./splunk disable boot-start" does not correctly remove the /etc/init.d/splunk script and, contrary to documentation, splunk UF 9.0.0 uses systemd as default. https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/ConfigureSplunktostartatboottime Also systemd scripts seem to fail getting the permissions needed even when trying to enable-boot as root. A key error I am seeing is "Failed to create the unit file" when running the install. But it seems to be a total fail. ## When upgrading (from 8.2.5)
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk stop"
tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt
chown -R splunk:splunk /opt/splunkforwarder/
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt"
runuser -l splunk -c "/opt/splunkforwarder/bin/splunk status"
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
(NOTE: Seems to be non-impacting) ### When doing a new install
tar -xzvf /tmp/splunkforwarder-9.0.0-6818ac46f2ec-Linux-x86_64.tgz -C /opt
chown -R splunk:splunk /opt/splunkforwarder
[root]# sudo -H -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
This appears to be your first time running this version of Splunk.
IMPORTANT: Because an admin password was not provided, the admin user
will not be created. You will have to set up an admin username/password
later using user-seed.conf.
Creating unit file...
Current splunk is running as non root, which cannot operate systemd unit files.
Please create it manually by 'sudo splunk enable boot-start' later.
Failed to create the unit file. Please do it manually later.
Splunk> Now with more code!
sudo -H -u splunk /opt/splunkforwarder/bin/splunk status
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
splunkd is running (PID: 3132350).
splunk helpers are running (PIDs: 3132354). # sudo -H -u splunk /opt/splunkforwarder/bin/splunk stop
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
. [ OK ]
Stopping splunk helpers...
[ OK ]
Done.
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
Systemd unit file installed by user at /etc/systemd/system/SplunkForwarder.service.
Configured as systemd managed service.
systemctl start SplunkForwarder.service
Job for SplunkForwarder.service failed because the control process exited with error code.
See "systemctl status SplunkForwarder.service" and "journalctl -xe" for details.
systemctl status SplunkForwarder.service
● SplunkForwarder.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
Loaded: loaded (/etc/systemd/system/SplunkForwarder.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2022-06-21 12:58:55 UTC; 27s ago
Process: 3141480 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCES>
Process: 3141478 ExecStartPost=/bin/bash -c chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/SplunkForwarder.service (code=exited, status=0/SUCCESS)
Process: 3141477 ExecStart=/opt/splunkforwarder/bin/splunk _internal_launch_under_systemd (code=exited, status=203/EXEC)
Process: 3141475 ExecStartPre=/bin/bash -c chown -R splunk:splunk /opt/splunkforwarder (code=exited, status=0/SUCCESS)
Main PID: 3141477 (code=exited, status=203/EXEC)
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'.
Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Service RestartSec=100ms expired, scheduling restart.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Scheduled restart job, restart counter is at 5.
Jun 21 12:58:55 <host> systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Start request repeated too quickly.
Jun 21 12:58:55 <host> systemd[1]: SplunkForwarder.service: Failed with result 'exit-code'.
Jun 21 12:58:55 <host> systemd[1]: Failed to start Systemd service file for Splunk, generated by 'splunk enable boot-start'.
... View more
Labels
- Labels:
-
universal forwarder
-
upgrade
06-08-2022
08:13 AM
You are correct, it is missing when you switch to kvstore. You can add it in the transforms.conf manually and it works - but any further saving to the lookup definition through the Web UI will overwrite/remove the change. A little frustrating. [lookup_definition_name] ... case_sensitive_match = 0
... View more
05-23-2022
09:29 AM
Hello, Nothing has changed from my prior note. It is working pretty well, I no longer have scripted restarts. As a side note, restarting streamer doesn’t work very well and might even cause issues. Our ingest volume is about 5million a day with "workerProcesses": 1. I am not sure what a good “workerProcesses to ingest rate” would be but more workerProcesses did cause us issues. I believe we may have been told by Cisco that we should upgrade to version 5.x as other people have had special characters crash their ingest but we haven’t had that happen. I'm sure you've noticed, but it looks like they pushed 5.10 a few days ago. We are still on 4.8. Unfortunately, it really does seem like Cisco is using their customers as their dev department which is frustrating.
... View more
05-09-2022
05:49 AM
Thanks for your comment. I have looked at that TA, but the props/transforms doesn't seem to have anything that could handle the logs I had mentioned.. It has line breaking (which matches) and very limited parsing for "extract_jira_issue" which just collects <key>:<value> (a pattern I am only seeing in about 25% of the "thread" fields), practically nothing else from a props/transforms standpoint.
... View more
05-09-2022
04:53 AM
Hello all, I need to ingest audit logs from Atlassian Jira, Confluence, and Bitbucket. Most of that is pretty straight forward, but I am finding the Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log) seem very random (sometimes fields are missing, occasionally a field will be long with multiple words and spaces with no fields or brackets). Are there any TAs that can assist with parsing for on-prem Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log)? Or any Splunk guidance I can give the Jira admin to help make logging better. So far they have told me they don't want to update their log4j properties files because it will just get overridden the next time they upgrade.
... View more
- Tags:
- Add-on for Atlassian JIRA Service Desk alert action
- Add-on for JIRA
- atlassian-jira.log
- atlassian-servicedesk.log
- JIRA Cloud Audit Logs Add-On for Splunk
Labels
- Labels:
-
configuration
04-25-2022
06:49 AM
Hello all,
I suspect I am missing something obvious, but where are all the CIM fields for ESXi audit logs?
- I have VMware logs being sent to a syslog port. Have a mix of vmware 7.0 and 6.7 vcenters (Splunk 8.2) # https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts - I am using the latest Splunk Add-on for VMware ESXi Logs (4.2.1) - I have had to modify line breaking rules - I have an index cluster, so I had to update the DATETIME_CONFIG field (from .../apps/... to slave_apps) - I am capturing the hostname via rsyslog and putting into into the directory. I am reading it as my host value
(example: /var/log/vmware/hostname/day_hour/log.log) - I am capturing logs as "vmw-syslog," logs are being renamed to things such as "vmware:esxlog:vpxd" by the TA
The TA as-is captures application and message fields for most events. But I don't see any configurations that would capture a user or action field, CIM fields or tags for login events, etc. Am I missing something?
I am seeing logs that look like this, but no attempt to parse CIM fields:
2022-04-21T17:37:17.686700+00:00 <host> vpxd 3115 - - Event [49110010] [1-1] [2022-04-21T17:37:17.685845Z] [vim.event.UserLogoutSessionEvent] [info] [AD\<user>] [] [49111254] [User AD\<user>@127.0.0.1 logged out (login time: Thursday, 21 April, 2022 05:27:42 PM, number of API invocations: 1, user agent: VMware vim-java 1.0)]
2022-04-21T17:27:42.654618+00:00 <host> vpxd 3115 - - Event [49109228] [1-1] [2022-04-21T17:27:42.654052Z] [vim.event.UserLoginSessionEvent] [info] [AD\<user>] [] [49104519] [User AD\<user>@127.0.0.1 logged in as VMware vim-java 1.0]
... View more
Labels
- Labels:
-
configuration
03-23-2022
06:12 AM
Hello all,
It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended:
"Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation."
I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-20-2023
09:59 PM
|
Karma from
Karma given to
