We are sending logs received by our heavy forwarder to a 3rd-party syslog server. We thought we had it configured so that only WinEventLogs are being forwarded to the 3rd party, but it turns out they're getting everything (sourcetypes they don't need, etc.). What is the best way to filter out all of these other events? Either from the universal forwarders to the HF, or from the HF to the 3rd party.

For background, here's our basic setup. I'll post our config further down.

UFs -> Heavy Forwarder -> 3rd-party syslog-ng server

The UFs themselves have two tcpouts: one to our indexers, and the other is the heavy forwarder. They are otherwise identical. The heavy forwarder has a props, transforms, and outputs that are supposed to only route WinEventLog:* to the syslog destination. It has a separate outputs.conf that tells it to turn off local indexing and disable the forwarder index filter (maybe this is the problem; not sure). We don't seem to have anything specifically telling the HF not to send anything except for WinEventLogs to the syslog destination; not sure how to implement that, if it's needed.

[One side note: we eventually need to send DHCP logs to the 3rd party. Right now, they're getting there, but the "source" is actually showing as the heavy forwarder. They're configured on the UFs to go to a different index from the Windows event logs, but I would need to stop the inserting of the heavy forwarder as the source, and allow for that index to be sent from the HF to the 3rd party. I might save this all for a different discussion post, but just throwing it out there.]

Heavy forwarder props.conf:

    [source::WinEventLog:*]
    SEDCMD-tabreplace = s/(?m-s)[\r\n]+/ /g
    TRANSFORMS-routing = 3rdparty

Heavy forwarder transforms.conf:

    [3rdparty]
    REGEX = .
    SOURCE_KEY = MetaData:Host
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = to3rdparty

Heavy forwarder outputs.conf:

    [syslog]
    defaultGroup = to3rdparty

    [syslog:to3rdparty]
    sendCookedData = false
    server = 22.214.171.124:1111   (3rd-party syslog server)
    type = udp
    disabled = false
    priority = <13>
    maxEventSize = 16384
    timestampformat = %b %d %H:%M:%S

UF outputs.conf:

    [tcpout:our_HF]
    server = <HF info>
    useACK = true
    #sendCookedData = false
    forceTimebasedAutoLB = false

UF inputs.conf:

    [default]
    _TCP_ROUTING = primary_indexers,our_HF
    evt_resolve_ad_obj = 0

Thank you for any help!
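The setting that decides what reaches the syslog group is `defaultGroup` under `[syslog]`: when it is set, every event that carries no `_SYSLOG_ROUTING` override is sent to that group, so the props/transforms pair above only adds WinEventLog events to a flow that already includes everything. The configuration below is an added example, not the poster's or Splunk's own config, showing the weak stanza beside a corrected one in which only events matched by the transform get a routing value; the server address is a placeholder and the transform name is made up.

```ini
# --- Heavy forwarder outputs.conf (added example) ---
# Weak form: defaultGroup sends every event the HF receives to the
# syslog group, regardless of what props/transforms route.
[syslog]
# defaultGroup = to3rdparty        <- remove this line

# The destination group itself stays as it was.
[syslog:to3rdparty]
server = <3rd-party-syslog-host>:1111   ; placeholder, not a real address
type = udp
sendCookedData = false
priority = <13>
maxEventSize = 16384
timestampformat = %b %d %H:%M:%S

# --- Heavy forwarder props.conf (added example) ---
# Attach the routing transform only to Windows event logs. Events from
# other sources never get a _SYSLOG_ROUTING value, so with no
# defaultGroup they are not sent to the syslog output at all.
[source::WinEventLog:*]
SEDCMD-tabreplace = s/(?m-s)[\r\n]+/ /g
TRANSFORMS-routing = route_wineventlog_to3rdparty

# --- Heavy forwarder transforms.conf (added example) ---
# Hypothetical stanza name. REGEX = . matches any event that reaches the
# transform; no SOURCE_KEY is needed when the match is unconditional.
[route_wineventlog_to3rdparty]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = to3rdparty
```

After restarting the HF, `splunk btool outputs list syslog --debug` shows which file still supplies a `defaultGroup`, and a search over the 3rd party's received data (or a packet capture on UDP 1111) confirms that only WinEventLog sourcetypes arrive.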
Hello, I installed Splunk Free a while back on a test laptop and at some point, ran into some licensing violations because of the indexing rate. At some point, I was unable to run searches. I reinstalled Splunk Free recently, switched from Trial to Free, and when checking the Licensing page, saw this message: 1 pool warning reported by 1 indexer (Correct by midnight to avoid warning) The problem is, according to "Volume used today", my indexing rate in the Monitoring Console, and the actual size of my indexes, I'm not anywhere remotely close to hitting 500 MB/day. I was able to obtain a Splunk Dev license, and the issue persists after installing that. Now, I have pool: auto_generated_pool_enterprise, and volume used today (for example): 2 MB / 51,200 MB. I'm seeing the same message on a Linux VM I set up on the same laptop and installed Splunk Free on. Is this going to be something I need to worry about, or since my indexing rate is not anywhere close to 500 MB/day, I should be fine? If I need to address it, what is the best course of action? To me, it's difficult because there's not an index or data source I can narrow down and take action on. Perhaps it's because of the past issue with licensing violations. Thanks!
Yep, thank you for the link. We are already installed and configured. I'm just looking for ways others are using it from a searching and reporting standpoint, especially around website troubleshooting. (i.e. this website won't load for a user, so let's apply a particular search to the scenario, similar to how you might use output from Chrome Developer Tools or getting a .har file). I'm already doing that now, but know that there's probably a lot to be gained by using transactions.
I'm relatively new to Splunk and have been looking for ideas on searches I could use in our environment with regards to the Bluecoat add-on.
One scenario I'd be especially interested in is utilizing the transaction command, based on referring URLs, to potentially pinpoint what's causing a certain website not to load properly in a transparent proxy deployment. Does anyone run into this problem and use Splunk to troubleshoot it? I've been doing this so far without using transaction, but know there's a lot of potential there.
Any ideas on this or other scenarios would be appreciated. I'm just wondering how others are using the add-on for troubleshooting or threat hunting, etc. What are some of the use cases you've explored and searches you run frequently?