Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About support0
support0
Path Finder
Member since:
06-15-2012
10-21-2025
Community Statistics
| Posts | 33 |
| Solutions | 2 |
| Karma Given | 39 |
| Karma Received | 4 |
| Member Since | 06-15-2012 |
Activity Feed
- Karma Re: Default Account Usage Correlation Search - All user as default for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Align link type input in simple XML for mayurr98. 06-05-2020 12:49 AM
- Karma Re: Splunk Stream Built-in stream populating Dashboard vs Protocol Events for vshcherbakov_sp. 06-05-2020 12:49 AM
- Got Karma for Why does search head cluster captain configured to run ad hoc searches only still execute savedseaches?. 06-05-2020 12:49 AM
- Karma Re: Splunk App for Stream: Why does set_permissions.sh selectively set the permissions on one file when inputs.conf uses a different file? for gjanders. 06-05-2020 12:48 AM
- Got Karma for Sideview Utils: Why do I receive "Unknown parameter 'applyOuterIntentionsToInternalSearch' is defined for module StaticSelect" error in 6.5.2?. 06-05-2020 12:48 AM
- Got Karma for Marker clustering with string values. 06-05-2020 12:48 AM
- Karma Re: After installing Cisco Security Suite and Splunk Add-on for Cisco ASA, why do I see warnings about eventtype=cisco-esa? for yannK. 06-05-2020 12:47 AM
- Karma Re: SA-ldapsearch error SSL configuration issue: sslVersions=""['tls1.2']"" is an invalid combination for jamesarmitage. 06-05-2020 12:47 AM
- Karma Re: How to configure Chrome as a search engine for Splunk queries? for MuS. 06-05-2020 12:47 AM
- Karma Re: Make a SimpleXML multiselect revert to default value upon emptying box for Jason. 06-05-2020 12:47 AM
- Got Karma for Splunk Enterprise Security: Why are search results based on Data Models different across all search heads in our multisite search head cluster?. 06-05-2020 12:47 AM
- Karma Re: Getting SNMP Data into Splunk for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: forwarder configs for Mahieu. 06-05-2020 12:46 AM
- Karma Re: Apps Applications management for Mahieu. 06-05-2020 12:46 AM
- Karma Re: How can I confirm if missing, but previously indexed data has been rolled out or deleted on my behalf :( ? for Mahieu. 06-05-2020 12:46 AM
- Karma Re: How to extract the domain field from the URL ? for Mahieu. 06-05-2020 12:46 AM
- Karma Re: Monitor Universal forwarder for Mahieu. 06-05-2020 12:46 AM
- Karma Forwarders keep going down for Mahieu. 06-05-2020 12:46 AM
- Karma Re: Forwarders keep going down for Mahieu. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
01-30-2018
03:24 PM
Hello nethead,
Thanks for using the Add-on & the App.
Serial logging mode is implied indeed.
The Add-on is not yet compatible with concurrent mode as it uses another format.
Pros & Cons of both modes are being detailed here in "Concurrent Audit Log" section.
I had tested concurrent logging 2-3 years back but I did not stick with it as the format was different - unfortunately I cannot not retrieve a sample for it - and the whole "multiple files and directories" made it look more complex at the time.
I have seen environment running OK with several ModSecurity servers.
But I am afraid I cannot be of a greater help regarding scaling.
I would suggest to:
try to stick with serial as the Add-on is only compatible with that mode for now;
monitor your ModSec logging
This article seems to mention message events that can indicate a logging latency.
if needed, try concurrent mode and send a sample to our email in the readme, I will check if I can adapt the Add-on.
Best regards,
... View more
01-22-2018
01:44 AM
Works like a charm! Thanks a lot!
... View more
01-21-2018
12:03 PM
Hello there,
Is it somehow possible to align input type links on the same line in simple xml ?
For instance, in this screenshot :
I am trying, on the right panel, to put "Down", "Unchecked", "Checking" & "UP" links on the same line.
I have seen some css around, but cannot make it work for now.
Any idea ?
Thanks in advance,
... View more
01-20-2018
03:58 PM
It does work this way ! Thanks a lot !
... View more
01-20-2018
02:59 AM
Hello there,
I have a panel with two choices :
<panel>
<input type="link">
<choice value="link1">Down</choice>
<choice value="link2">Up</choice>
<default>Down</default>
<change>
<condition value="link1">
<set token="pools_down">true</set>
<unset token="pools_up"></unset>
</condition>
<condition value="link2">
<unset token="pools_down"></unset>
<set token="pools_up">true</set>
</condition>
</change>
</input>
<table depends="$pools_down$">
<search>
<query>foo</query>
</search>
</table>
<table depends="$pools_up$">
<search >
<query>bar</query>
</search>
</table>
</panel>
It works fine:
I am trying to drilldown from a single value panel using pools_down or pools_up tokens.
It also works :
<panel>
<single>
<search>
<query>foo</query>
</search>
<drilldown>
<set token="pools_up">true</set>
<unset token="pools_down"></unset>
</drilldown>
</single>
</panel>
However, the highlighted choice value is not being refreshed in the process:
Not a big deal I agree but I am still trying to figure out how the highlighted choice could be somehow refreshed.
I have tried using an additional token but without success so far.
Any hint ?
Thanks in advance
... View more
12-12-2017
05:12 AM
Alright,
More clearer now.
So I usually build my TAs mapped to Authentication DM like this :
tags.conf
[eventtype=foo]
authentication = enabled
default = enabled
Thanks for making me realize that this was a bad habit!
It should be :
[eventtype=bar]
authentication = enabled
AND/OR :
[eventtype=foo]
authentication = enabled
privileged = enabled
for special authentication events for which you know its a privileged access.
For instance in Windows TA :
[windows_special_privileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)
tags = authentication privileged
Then ES adds a default/privilged tag based on :
administrative_identities.csv
configured identities.csv
Thanks a lot!
... View more
12-11-2017
08:37 AM
Hello there,
On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:
"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."
It seems however that the correlation search does not differentiates between regular users and default accounts.
When looking at the correlation search, it does simply search into tag= auth + default data model.
| tstats summariesonly=true allow_old_summaries=true max(_time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.Default_Authentication.Successful_Default_Authentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"
Event in Splunk Demo platform, all users are listed in the results not just default accounts like admins and the like.
I am deducing that, the CIM Authentication should be understood like this :
regular user -> tag = auth
default account -> tag = auth + default
priviledged user -> tag = auth + priviledged
Thing is :
sub dataset names are hardly explained. What is expected in these sub datasets is hard to know.
if this is the case, then most TAs should be reworked because most of them map the default tag for all authentication events (cf. Win / Nix TAs)
it seems that there was a lookup to filter default account in the previous version of ES (see : https://answers.splunk.com/answers/120628/manage-splunk-app-for-enterprise-security-default-account-recognition.html). Is there an equivalent in 4.7 version ?
Maybe identity lookup should just contain this default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.
If anyone has a clue on this, it would be great!
... View more
12-08-2017
04:16 AM
Thanks for your feedback,
The run statistics is very handy indeed and some failing report_acceleration could surely be optimized or scheduled.
But it's more like :
DMs -> all 100 % OK
Report Accel > all Complete, no pending.
So I have this high skip ratio.
It has been reduced by configuring parallel summarization.
It still is 30 %.
But only on report_acceleration
So I will try to tune "auto_summary_perc" parameter.
But I'm like, if configuring the captain to run ad hoc searches only really is a good practice to reduce load on the captain, then I do not understand the 100 % skip ratio, and I do not undersand even more the reason still being "max # auto summarization".
If it is just a logging issue, then it would save me from having to tune the SHC here and there.
... View more
12-08-2017
03:58 AM
Hello there,
We have a Search Head Cluster in 6.5.3 which configured by default in "member by member".
Our configuration :
shc_role_quota_enforcement="0"
shc_local_quota_check="1"
Splunk Documentation :
To enforce quotas on a member-by-member basis, use this configuration:
shc_role_quota_enforcement=false
shc_local_quota_check=true
Version Default enforcement
6.3-6.4 cluster-wide
6.5+ member-by-member
However, while investigating skip ratio, it appears that logs are saying the opposite :
index=_internal sourcetype=scheduler status=skipped | stats count by concurrency_context
cluster-wide 1636
saved-search_cluster-wide 144
Does anyone knows if this is a logging issue or else ?
Thanks for any hint!
... View more
12-07-2017
01:55 AM
1 Karma
Hello there,
On a Search Head Cluster (6.5.3), when performing an Health Check, I have had a warning for having a high skip ratio - between 60 & 80 %.
It seemed like it only affected the SHC captain.
I found out that, in order to reduce the load on the SHC captain - which is executing savedsearches, ad hoc searches and delegating savedsearches between other peers -, it was recommended to configure the captain to run ad hoc searches only.
It is documented here :
https://docs.splunk.com/Documentation/Splunk/7.0.0/DistSearch/Adhocclustermember#Configure_the_captain_to_run_ad_hoc_searches_only
This way, the captain only launches ad hoc searches & still delegates seavedsearches between cluster members.
I believed this would resolve our issue.
However, the skip ratio is now of 100%, still only on the captain.
It is always 100% which is weird.
To me it is more like an issue in the way internal log are being generated.
Logs are saying : this savedsearch has been skipped on this host which is the captain, reason : the max number of auto summarization has been reached ...
While it should rather be saying : this savedsearch has been skipped on this host which is the captain, reason : captain configured to run ad hoc searches only.
The thing that makes me doubt about this is the reason savedsearches are being skipped on the captain : "the max number of auto summarization has been reached"
So I am wondering if :
it is really a good practice & it's more like a logging issue
or
it is not a good practice
Note that there are no errors on the Data Models savedsearches are flagged as being skipped -> Build 100 %
Would anyone have an idea on this ?
Thanks for any feedback!
... View more
Labels
- Labels:
-
captain
-
search head
-
search head clustering
11-10-2017
01:44 AM
Hello,
I had the same issue.
6.5.3
Actually, when you first go to Indexer Clustering Section and select Data Rebalance, and select index : it shows only the 10 first indexes.
But if you go to Indexes, and switch from displaying 10per page to more, then all indexes are displayed in Data Rebalance > Indexes
May be it has been fixed since then.
... View more
10-10-2017
07:15 AM
Hi Matt,
Thanks for your feedback.
We tried to play with sslVerifyServerCert & require Cert wihtout luck so far.
Quick question, you have mentioned SHC, do you execute ldad searches locally by setting :
[ldapsearch]
local = true
etc
or NOT ?
If not, I guess ldapsearch add-on is deployed on your Indexers as well, right ?
Thanks in advance,
... View more
10-05-2017
11:47 AM
I had completely missed the "Configured Streams" part, thanks!!
... View more
10-05-2017
06:03 AM
Hi there,
I have deployed Splunk Stream on a distributed environment.
SH ES > Stream App + Stream TA
IDX > Stream TA
Win UF > Stream TA + imputs config received from SH ES
It worked with DNS data so I did not pay much attention to it, but then I realized I could only pull data from Streams entitled "Built-in stream populating XXX Dashboard".
The ones named XXX Protocol Events, I am not able to pull data from it.
Anyone knows the difference between Built-in stream populating XXX Dashboard & XXX Protocol Events stream.
What could be the cause for having one kind working and not the other one ?
I have tried to investigate _internal data without luck so far.
Thanks in advance for any advice,
... View more
10-05-2017
05:20 AM
Hi,
Thanks for the help,
Actually I had the same issue than the one described there :
https://answers.splunk.com/answers/475630/splunk-app-for-stream-why-does-set-permissionssh-s.html
So I resolved it the same way.
Thanks
... View more
10-01-2017
08:58 AM
Hi Rafael,
Yes, Duane Waddle .conf are always consistent and were really helpful!
But in our case LDAP auth. is OK on the platform, what is not is ldapsearch and only on a SH part of the SHC.
... View more
09-30-2017
02:21 AM
Hi there,
I have deployed Splunk Stream on a distributed environment to ingest DNS first.
I have followed howtos here and there and everything is fine with collected data.
One thing remains unclear.
I have Splunk Stream + Stream TA on my ES Search Head
Stream TA on another Search Head > just for parsing
Stream TA on Deployement Server > just for parsing
Stream TA on Indexer > for indexing, timestamp etc.
Stream TA + inputs on DNS servers
However I do receive error messages from SH, DS & IDX mentioning permission issues :
Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Introspecting scheme=streamfwd: Unable to run "/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd --scheme": child failed to start: Permission denied
I have already used set_permissions.sh so that might be due to the the fact that Splunk is running as non-root.
However, on these instance, the TA is not there for capturing any stream, so isn't better to just turn off TA's network capturing capability ?
I am wondering what files should I removed from the TA to do this and if this is is a good idea to do so.
Thanks in advance,
... View more
- Tags:
- Splunk Stream
09-13-2017
01:49 PM
Hi Koshyk,
Thanks for your help!
Indeed there is another App, but I meant to say that this App was deployed on both SH & HF. I might have been unclear.
If I run "splunk cmd btool ssl list", there is nothing interesting since ssl.conf is only used by ldapsearch while other apps use server.conf.
With "splunk cmd btool server list sslConfig --debug", there is one unique difference I did not spot earlier.
The SH checks for sslCommonNames while the HF does not:
sslCommonNameToCheck = splunk-searchhead,splunk-forwarder,splunk-indexer...
I did try to configure ldapsearch's ssl.conf with requireClientCert set to false and even with an empty sslCommonNameToCheck.
I did not try to put LDAP DC CommonName yet.
But I already went through sslCommonNameToCheck errors and I believe the generated error is pretty explicit in such case.
Might worth trying.
... View more
09-11-2017
03:58 AM
Hi there,
Does anyone here have succeeded in configuring SA-ldapsearch using TLS on a SHC ?
We have successfully configured it on a Heavy Forwarder part of our architecture but it does not work on a Search Head member of our Search Head Cluster where it does not seem to event load SSL settings.
Here is some details:
SSL Config is the same on both instances :
SH $ splunk cmd btool --app=SA-ldapsearch ssl list
[sslConfig]
caCertFile = /opt/splunk/etc/auth/ca.pem
sslVersions = tls
HF $ splunk cmd btool --app=SA-ldapsearch ssl list
[sslConfig]
caCertFile = /opt/splunk/etc/auth/ca.pem
sslVersions = tls
There is also an sslConfig stanza in another App, also indentical :
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/splunk-cert.pem
requireClientCert = true
sslVerifyServerCert = true
certCreateScript =
sslVersions = tls1.1, tls1.2
sslVersionsForClient = tls1.1, tls1.2
SA-ldapsearch.log on the HF OK :
2017-09-11 18:56:32,218, Level=DEBUG, Pid=16868, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=search_command_internals.py, Line=296, LdapTestConnectionCommand: ldaptestconnection domain="default"
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=ldaptestconnection.py, Line=48, Command = ldaptestconnection domain="default"
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=configuration.py, Line=47, Command = ldaptestconnection domain="default"
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=configuration.py, Line=536, Configuration = ldaptestconnection(server=[Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3), Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3), Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'*', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3)], credentials=CN=Splunk,OU=Admins,DC=domain,DC=local, alternatedomain=domain.local, basedn=dc=domain,dc=local, decode=True, paged_size=1000)
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=ldaptestconnection.py, Line=65, Testing the connection to ldaps://domain.local:636
SA-ldapsearch.log on the SH KO, seems like SSL parameters are not loaded:
2017-09-11 18:54:06,998, Level=DEBUG, Pid=9063, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:54:07,000, Level=DEBUG, Pid=9063, File=search_command_internals.py, Line=296, LdapTestConnectionCommand: ldaptestconnection domain="default"
2017-09-11 18:54:07,000, Level=DEBUG, Pid=9063, File=ldaptestconnection.py, Line=48, Command = ldaptestconnection domain="default"
2017-09-11 18:54:07,001, Level=DEBUG, Pid=9063, File=configuration.py, Line=47, Command = ldaptestconnection domain="default"
2017-09-11 18:54:07,006, Level=ERROR, Pid=9063, File=search_command.py, Line=346, Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/searchcommands/search_command.py", line 320, in process
self.execute(operation, reader, writer)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/searchcommands/generating_command.py", line 79, in _execute
for record in operation():
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py", line 49, in generate
configuration = app.Configuration(self)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 52, in __init_
self.read_configuration()
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 432, in _read_configuration
settings = self._read_default_configuration()
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 457, in _read_default_configuration
response = service.get('properties/ldap/default', namespace.owner, namespace.app, namespace.sharing)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 241, in wrapper
return request_fun(self, *args, **kwargs)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 62, in new_f
val = f(*args, **kwargs)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 586, in get
response = self.http.get(path, self._auth_headers, **query)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1056, in get
return self.request(url, { 'method': "GET", 'headers': headers })
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1108, in request
response = self.handler(url, message, **kwargs)
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1226, in request
connection.request(method, path, body, head)
File "/opt/splunk/lib/python2.7/httplib.py", line 1057, in request
self._send_request(method, url, body, headers)
File "/opt/splunk/lib/python2.7/httplib.py", line 1097, in _send_request
self.endheaders(body)
File "/opt/splunk/lib/python2.7/httplib.py", line 1053, in endheaders
self._send_output(message_body)
File "/opt/splunk/lib/python2.7/httplib.py", line 897, in _send_output
self.send(msg)
File "/opt/splunk/lib/python2.7/httplib.py", line 859, in send
self.connect()
File "/opt/splunk/lib/python2.7/httplib.py", line 1278, in connect
server_hostname=server_hostname)
File "/opt/splunk/lib/python2.7/ssl.py", line 352, in wrap_socket
_context=self)
File "/opt/splunk/lib/python2.7/ssl.py", line 579, in __init_
self.do_handshake()
File "/opt/splunk/lib/python2.7/ssl.py", line 808, in do_handshake
self._sslobj.do_handshake()
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:603)
Thanks in advance for any feedback!
... View more
08-27-2017
03:54 PM
Hello tavitakeda,
Bug is now fixed in 6.6.3. Thanks again!
... View more
08-02-2017
05:40 AM
Hello tavitakeda,
Yes, I am getting the same error in 6.6.2 now, did not notice it before.
I will try to fix it and notify you.
Thanks a lot for letting us know!
... View more
08-02-2017
04:36 AM
According to the link you have posted, even using Anomaly Scoring Detection Mode, ModSecurity events seem to be like "Message: Message [stuff ...]" :
--0a4c3b0e-H--
Message: Pattern match "\bselect\b.{0,40}\buser\b" at ARGS:foo. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.0.9"] [msg "Blind SQL Injection Attack"] [data "select * from user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "\bunion\b.{1,100}?\bselect\b" at ARGS:foo. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "257"] [id "959047"] [rev "2.0.9"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:0. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=10, XSS=): Last Matched Message: SQL Injection Attack"] [data "Last Matched Data: union select"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=10, XSS=): SQL Injection Attack"]
Action: Intercepted (phase 2)
Stopwatch: 1290012416382280 122228 (8369 120370 -)
Producer: ModSecurity for Apache/2.5.13dev2 (http://www.modsecurity.org/); core ruleset/2.0.9.
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
--0a4c3b0e-Z--
Are you sure there is no custom setting in your configuration set on the way alerts are being logged/written?
... View more
08-02-2017
01:41 AM
Hello jairjr,
I somehow did not get notified of your comment so I am sorry for the very late answer, I'll check on supporting it both ways and get back to you !
... View more
06-30-2017
12:59 AM
Yes, search looks like this :
base search | eval markerColor = case(like(connectivity, "false"), "red", like(connectivity, "true"), "green", 1=1, "blue"), icon=case(like(connectivity, "false"), "exclamation", like(connectivity, "true"), "check-circle", 1=1, "circle") | table latitude, longitude, description, markerColor, icon
I think I can do something with priorities but does not really solve my problem. A de-aggregating method ?
... View more
