Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About arsalanj
arsalanj
Path Finder
Member since:
04-05-2019
07-16-2021
Community Statistics
| Posts | 30 |
| Solutions | 2 |
| Karma Given | 13 |
| Karma Received | 0 |
| Member Since | 04-05-2019 |
Activity Feed
- Karma Re: How can I log in to update an expired Splunk license? for dkeck. 06-05-2020 12:50 AM
- Karma Re: Compare one field from the search with a field in the lookup table, and list if there is a difference for niketn. 06-05-2020 12:50 AM
- Karma Re: Compare one field from the search with a field in the lookup table, and list if there is a difference for somesoni2. 06-05-2020 12:50 AM
- Karma Re: Modifying usernames and sending emails to them when there is a match for n0str0m08. 06-05-2020 12:50 AM
- Karma Re: Modifying usernames and sending emails to them when there is a match for woodcock. 06-05-2020 12:50 AM
- Karma Re: Indexer Clustering for ragedsparrow. 06-05-2020 12:50 AM
- Karma Re: Indexer Clustering for Steve_G_. 06-05-2020 12:50 AM
- Karma Re: How to create inputs.conf blacklist with BOOLEAN for richgalloway. 06-05-2020 12:50 AM
- Karma Re: why are my post is currently awaiting moderation for horsefez. 06-05-2020 12:49 AM
- Karma Re: Where are my posts that are awaiting moderation for skoelpin. 06-05-2020 12:49 AM
- Karma Re: how to format date and time in searches for FritzWittwer_ol. 06-05-2020 12:47 AM
- Karma Re: Difference between maxHotIdleSecs and maxHotSpanSecs for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Changing SPLUNK_DB location for chandu245. 06-05-2020 12:46 AM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-10-2020 03:42 PM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-10-2020 03:40 PM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-10-2020 02:09 PM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-10-2020 11:49 AM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-10-2020 11:28 AM
- Posted Re: Writing a join query to extract usernames from sessionID on Splunk Search. 03-09-2020 08:15 PM
- Posted Writing a join query to extract usernames from sessionID on Splunk Search. 03-09-2020 04:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-10-2020
03:42 PM
Thanks again! I decided to do this in a different way by using Linux Audit logs.
I'll either update this page or create a new question if I run into problems.
Thanks,
... View more
03-10-2020
03:40 PM
@woodcock I wanted to thank you again for helping me with this.
I was reviewing the logs and realized that linux_secure logs are not the best option to do this.
I will consider doing this by using Linux Audit logs.
Thanks.
... View more
03-10-2020
02:09 PM
Unfortunately no. The search runs without any errors, but it's not returning anything.
... View more
03-10-2020
11:49 AM
Thank you @woodcock for the above queries.
Query number two, return pid, eventtype_count, name ( which is the user that has been added), and user (which is also has the same value as name or it's null).
I really like query number 1, but for some reason, I can't get it to work.
first, it complained about the latest time, I added the latest time but then it did not return anything.
... View more
03-10-2020
11:28 AM
Thanks Again.
I did a field extraction before, so we don't need this part: | rex "new user: name=(?[^,]+)"
So, with this query now I'm getting the pid and the user that has been added. But I don't get the username of the user who logged in in ssh_open event and ran that command.
This is what I'm getting:
pid adduser flag
2569 test1 2
I want to extract the admin field from ssh_open, then we can now to whom that pid belongs.
... View more
03-09-2020
08:15 PM
Thank you @to4kawa,
But this query will return all the users who also login but did not run the useradd command.
I'm only looking to find users who ran that command.
Some users have logged in to the systems a long time ago, and they are running commands, the only way for me to map them is by using their pid.
... View more
03-09-2020
04:08 PM
Hi there,
I need help writing a query that finds the username of whoever ran a command on A Linux server.
For example, if you look at the log below:
<86>Mar 5 18:41:44 server1 useradd[2569]: new user: name=test1, UID=1100, GID=5020, home=/home/test1, shell=/bin/bash
Someone with the session ID=2569 added a new user "test1".
If I run another query like this: "pid=2569 eventtype=ssh_open", I can see to whom that session belongs.
<86>Jan 24 18:34:03 test1 sshd[2569]: pam_unix(sshd:session): session opened for user admin by (uid=0)
I was trying to write a query like this, but I keep hitting the wall :
|multisearch
[search index="linux_secure"
eventtype=useradd
| stats values(pid) AS pid1]
[search index="linux_secure" eventtype=ssh_open
| stats values(pid) AS pid2]
| where pid1=pid2
The query above is not correct, and it returns errors like subsearch 1 contains a non-streaming command.
I want to write something that checks for the identical pid and extracts the username from search2 and the action from search 1.
Any help would be appreciated.
Thanks,
Arsalan
... View more
10-04-2019
10:43 AM
Yes, I do. I could make it work by creating a blacklist in inputs.conf
The question was, how can I filter such events in transforms.conf.
How can I AND things in the (REGEX = ) field.
Because my regex matches the multiline logs but Splunk is not dropping them.
props.conf
[source::WinEventLog:Security]
TRANSFORMS-null = drop1
transforms.conf
[drop1]
REGEX = (EventCode=4688)(?:.*\n){1,}(New Process Name:\s+.*splunk-.*exe)
DEST_KEY = queue
FORMAT = nullQueue
... View more
10-03-2019
07:12 PM
Appreciate your response @richgalloway
I thought it deals with the raw data.
I see that it only works on Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
TaskCategory, Type, User.
The keyword that I wanted to AND with was "splunk-" and I used the Message field.
I could make it work, thanks so much.
Could you please tell me what format should I use if I want to drop them in transforms.conf?
I tried a few regexes that again worked in regex editors but splunk ignored it.
... View more
10-03-2019
03:41 PM
Hi there,
I want to create a blacklist in the universal forwarder or in my heavy forwarder with the following conditions:
1)EventCode=4688
2)splunk*.exe
so I want the regex to be something like EventCode=4688 AND splunk*.
I tried many different combinations like this one:
(?:.*\n){1,}EventCode=4688(?:.*\n){1,}.*splunk-.*\.exe(?:.*\n){1,}(?:.*\n)
The above regex matches the event but it's not working in the transforms.conf or inputs.conf.
This is how the event looks like:
##########
10/03/2019 03:33:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=Win1-New
TaskCategory=Process Creation
OpCode=Info
RecordNumber=2926293
Keywords=Audit Success
Message=A new process has been created.
Subject:
Security ID: S-1-1-12
Account Name: WIN$1
Account Domain: LOCALGROUP
Logon ID: 0x3e7
Process Information:
New Process ID: 0x143c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x1504
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Any ideas how should I proceed?
Thanks.
... View more
08-08-2019
02:37 PM
@richgalloway
The 6 months was just an example.....
So for 6 months, in this case, do you agree with those values?
one of the guys in slack just told me to just modify frozenTimePeriodInSecs( 180days) and maxHotSpanSecs (7days).
I don't know which one is the most preferred way to do this.
... View more
08-08-2019
01:13 PM
@richgalloway
that's a total of 3 hours in the hot buckets.
also there will be 3 hours in warm according to this: maxWarmDBCount = 3
Because of maxHotSpanSecs=3600, every hour it creates a new bucket.
The timestamps should be correct.
So how should I proceed?
For GDPR, we have to delete application logs after 3 months.
I have to understand how this works in order to implement it on a bigger scale. This is what I was planning to do for 6 months of retention:
maxTotalDataSizeMB = 500000
maxHotBuckets = 3 >>>> 3 days of data
maxHotSpanSecs = 1 day
maxHotIdleSecs = 0
maxWarmDBCount = 177
frozenTimePeriodInSecs = 180 days
... View more
08-08-2019
12:07 PM
Hi everyone,
I'm planning to create some indexes for compliance requirements to remove the old data.
I wanted to start small and created this index, but I'm having a hard time understanding how it works.
[test]
homePath = /splunkdb/test/db
coldPath = /splunkdb/test/colddb
thawedPath =/splunkdb/test/thaweddb
coldToFrozenDir =/splunkdb/test//frozen
maxTotalDataSizeMB = 5000
maxHotBuckets = 3 (3 hours in Hot)
maxHotSpanSecs = 3600 ( 1 hour)
maxHotIdleSecs = 0
maxWarmDBCount = 3 3( Hours in Warm)
frozenTimePeriodInSecs = 7200 ( 2 hours)
from my understanding, I should I have 6 hours of data in Hot/Warm buckets.
what I don't understand is how frozenTimePeriodInSecs works.
it is now 10:40 and It has been almost 18 hours since I created that index. I created that index at 16:14.
I have 7 buckets in my Frozen bucket.
The oldest data is from 23:40. So I have almost 10 hours of searchable events.
I Don't have anything in my Colddb.
These file are in my db folder:
-rw-------. 1 splunk splunk 10 Aug 7 16:14 CreationTime
-rw-------. 1 splunk splunk 0 Aug 7 20:02 db_1565223179_1565219580_0.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 7 20:01 db_1565226054_1565223180_1.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 7 21:02 db_1565229653_1565226054_2.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 7 22:01 db_1565233253_1565229654_3.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 7 23:42 db_1565236853_1565233254_4.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 8 03:21 db_1565240453_1565236854_5.rbsentinel
-rw-------. 1 splunk splunk 0 Aug 8 10:21 db_1565246453_1565240454_6.rbsentinel
drwx--x---. 2 splunk splunk 6 Aug 7 16:14 GlobalMetaData
drwx--x---. 3 splunk splunk 4096 Aug 8 11:24 hot_v1_7
drwx--x---. 3 splunk splunk 4096 Aug 8 11:24 hot_v1_8
drwx--x---. 3 splunk splunk 4096 Aug 8 11:25 hot_v1_9
These files are in my frozen folder:
drwx--x---. 3 splunk splunk 21 Aug 7 20:02 db_1565223179_1565219580_0
drwx--x---. 3 splunk splunk 21 Aug 7 20:01 db_1565226054_1565223180_1
drwx--x---. 3 splunk splunk 21 Aug 7 21:02 db_1565229653_1565226054_2
drwx--x---. 3 splunk splunk 21 Aug 7 22:01 db_1565233253_1565229654_3
drwx--x---. 3 splunk splunk 21 Aug 7 23:42 db_1565236853_1565233254_4
drwx--x---. 3 splunk splunk 21 Aug 8 03:21 db_1565240453_1565236854_5
drwx--x---. 3 splunk splunk 21 Aug 8 10:21 db_1565246453_1565240454_6.
I was thinking that after 6 hours ( 6 buckets), every hour the oldest bucket will get deleted. So after 18 hours, I was expecting to have 3 hours of data deleted. But I think I was wrong and I don't know how it works now.
can anyone please help me understand how these FROZEN bucket rotation/rollover works? with my current settings how much searchable data I should be able to see?
Best,
Arsalan
... View more
07-05-2019
04:01 PM
Let's say I have a cluster with replication factor=2. If I realize that after a while the indexer is running out of disk space, is it possible to add new indexer peers and instruct Splunk to send the new data to the newly added nodes and those nodes only replicate the new data to each other?
So, indexer 1 and indexer 2 have the same data. when they run out of disk space I add indexer 3 and indexer 4. I will stop sending the logs to indexer 1 and indexer 2. I will only send the logs to indexer 3 and indexer 4. Indexer 3 and Indexer 4 have the same data but they don't have the data resides on indexer 1 and indexer 2. Is this something that can be accomplished with Splunk?
Regards, Arsalan
... View more
Labels
- Labels:
-
indexer clustering
-
resource usage
06-20-2019
05:50 PM
Thank you so much guys for a quick answer.
I'm reviewing the documents but like I said I want to use Splunk only for a small segment of the infrastructure and I want to have some sort of redundancy if something happens to the primary. Something like an active/standby mode.
If I'm not mistaking, by using Splunk terms, I want to have a replication factor of 1.
If I bring up two instances, with the same hardware configuration then I'll have 1 search head and one indexer ( primary) and then One indexer and one search head ( let's call it replica).
Now, Can I enable indexer clustering? or when I enable indexer clustering the primary won't do any indexing and will just manage the peers?
If the primary won't index then I have to have two more indexers in order to have a replication factor of 1?
so in total 3 servers?
... View more
06-19-2019
05:48 PM
I have a small all in one Splunk environment.
I want to enable indexer clustering.
Is it possible to make my current indexer as Master and add one other server as a peer just for indexer clustering?
What happens if the all in one instance failed? Let's say hardware failure.
Can I then bring up a new Search Head and connect it to the peer indexer and mark that peer indexer as a master? Or can I install the Search Head on the peer and make that node a single all in one instance?
Thanks,
Arsalan
... View more
04-30-2019
04:50 PM
It worked!
So, for anyone reading this post, I'm not sure that that it will work for you if you just copy the files over to the new destination, as mentioned in the documentation.
... View more
04-30-2019
04:38 PM
I deleted the content of the new index and copying files over using rsync this time.
I will update this case soon.
... View more
04-30-2019
02:11 PM
Hi there,
I used this article "https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Moveanindex" to move my indexes to a new location in a *nix machine.
I followed the instructions and Splunk services started successfully without any errors.
However, I can't see any of my data prior to the index move.
The new DB path is correct in $SPLUNK_HOME/etc/splunk-launch.conf file.
The $SPLUNK_DB variable exists.
Any ideas of what might went wrong?
Thanks.
... View more
04-29-2019
11:37 AM
Thank you, @Woodcock,
I finally managed to make it work and this is how I did it:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com" | iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time |table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user | sendresults
... View more
04-26-2019
11:22 AM
I Just deleted both Splunk_TA_nix and TA-linux_secure.
My source type is syslog and it extracts the host values and I see no difference from when I had those TAs.
My selected fields and interesting fields are the same before and after deleting those TAs with syslog source type.
Now I'm wondering what difference does it make for having those TA's?
... View more
04-26-2019
10:46 AM
Hi @vishaltaneja07011993,
actually, I already have it installed, but it doesn't make any difference.
When the source type is syslog, it can extract the host values.
I already tried the following:
App context=TA-linux_secure with source type linux_secure
App context=Splunk_TA_nix with source type linux_secure
They both can't extract the host value.
But if I choose syslog as source type, it can extract the host value no matter what app context I select.
So what is the right of doing this?
shouldn't we change something in transform.conf or somewhere else?
... View more
04-25-2019
02:32 PM
Hi there,
We are forwarding all of our /var/log/secure logs to a syslog server "syslogserver.local " and from there it's being forwarded to Splunk over a TCP port.
The Splunk is configured as a single instance.
in Data Inputs I created a TCP listener and the source type is linux_secure.
In the search app most of the fields are getting extracted except the hostname "myhost " .
The host field only shows the name of that syslog server instead of the name of the server that alert was generated.
<85>Apr 25 15:22:03 myhost unix_chkpwd[20316]: password check failed for user (jon.doe)
date_hour = 15 date_mday = 25 date_minute = 22 date_month = april date_second = 3 date_wday = thursday date_year = 2019 date_zone = local eventtype = err0r error eventtype = nix_errors error eventtype = nix_security os unix host = syslogserver local index = linux_index linecount = 1 pid = 20316 process = unix_chkpwd source = tcp:40515 sourcetype = linux_secure splunk_server = splunk.local src = syslogserver.local tag = error tag = os tag = unix timeendpos = 20 timestartpos = 4
As you can see, the value of the host and src are the same.
syslogserver.local is the server that aggregates all the syslogs. and there is no field that shows "myhost"
Any ideas of where the problem might be?
... View more
- Tags:
- splunk-enterprise
04-23-2019
06:35 PM
Hi @n0str0m08
The ".company.com" part worked perfectly.
They are hundreds of users, so creating separate alert actions won't efficient.
Thank you for that resource too, I saw it before, but I had the problem of modifying that field.
Now that I can extract the user field thanks to you I can try different tokens to see how it works.
I wish I could just add $Cisco_ASA_User$ as a recipient in the alert section, but I don't think it will be that easy!
I'll keep updating this case.
... View more
04-23-2019
01:09 PM
Hi everyone,
I am fairly new to Splunk, and I’m having problems creating a rule that when a user login, sends an email to that user.
The users are logging in using RSA VPN, so the Cisco_ASA_user field does not have @company.com .
Some Users also have different profiles when they login, for example, jon.doe may have the following user IDs:
1)jon.doe-ad
2)jon.doe-office
3-jon.doe-dev
The email address of jon.doe is [email protected] . The email syntax in general is [email protected] .
I managed to use this to remove the -* part: eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
So, now the Cisco_ASA_user field shows the username without any extensions.
The next step is to add @company.com to the Cisco_ASA_user and this the part that I don’t know how to do and how to send emails when there is a match.
This is how the query looks like so far:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 | eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
Any ideas of how to do this?
... View more
