Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mikefg
mikefg
Path Finder
Member since:
07-24-2019
01-07-2021
Community Statistics
| Posts | 45 |
| Solutions | 3 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 07-24-2019 |
Activity Feed
- Posted Add CPU cores and changing limits.conf ? on Splunk Enterprise. 01-07-2021 12:10 PM
- Posted Re: Vendor api token, but no add-on on Getting Data In. 12-29-2020 10:59 AM
- Posted Vendor api token, but no add-on on Getting Data In. 12-28-2020 03:09 PM
- Posted Re: Does Splunk ES need the add-on and app or just the add-on? on Splunk Enterprise Security. 12-23-2020 02:05 PM
- Posted Re: Remove Security Essentials on Security. 12-23-2020 02:04 PM
- Posted Remove Security Essentials on Security. 12-23-2020 07:56 AM
- Posted Re: Does Splunk ES need the add-on and app or just the add-on? on Splunk Enterprise Security. 12-23-2020 07:01 AM
- Posted Re: Splunk ES Content Management Enable All on Security & the Enterprise. 12-23-2020 06:58 AM
- Posted Does Splunk ES need the add-on and app or just the add-on? on Splunk Enterprise Security. 12-22-2020 01:46 PM
- Posted Splunk ES Content Management Enable All on Security & the Enterprise. 12-22-2020 01:36 PM
- Posted Re: ES 6.4 Fresh Install on Security & the Enterprise. 12-11-2020 09:23 AM
- Posted ES 6.4 Fresh Install on Security & the Enterprise. 12-11-2020 06:59 AM
- Posted ES 6.4 Fresh Install on Splunk Enterprise Security. 12-08-2020 07:21 AM
- Posted Re: Run Splunk as non-root user on Deployment Architecture. 07-23-2020 08:50 AM
- Posted Re: Run Splunk as non-root user on Deployment Architecture. 07-22-2020 11:49 AM
- Posted Re: Run Splunk as non-root user on Deployment Architecture. 07-22-2020 06:44 AM
- Posted Run Splunk as non-root user on Deployment Architecture. 07-21-2020 03:10 PM
- Tagged Run Splunk as non-root user on Deployment Architecture. 07-21-2020 03:10 PM
- Posted UF Batch Import Unreadable File Type Error on Splunk Enterprise. 06-30-2020 01:53 PM
- Posted Re: Get data from an MS SQL audit file using DB Connect or UF? on Splunk Enterprise. 06-25-2020 08:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-07-2021
12:10 PM
I will be adding CPU cores to my search head (virtual). After I have added the cores, do I need to manually update limits.conf? Currently at 8 cores, going to 12 or 16. limilts.conf is currently using defaults. # The base number of concurrent searches. base_max_searches = 6 # Max real-time searches = max_rt_search_multiplier x max historical searches. max_rt_search_multiplier = 1 # The maximum number of concurrent searches per CPU. max_searches_per_cpu = 1
... View more
Labels
- Labels:
-
configuration
12-29-2020
10:59 AM
It looks like HEC is the wrong way to go since it sends data from an application to Splunk. Is creating my own add-on the right way to go?
... View more
12-28-2020
03:09 PM
I have a vendor that will provide an api token so I can retrieve SIEM event data. There is no add-on available for this vendor that I can find. I will also want to make this data available to Splunk Enterprise Security. The data will be available from the vendor using a path like this. https://siem.vendor.com/authapi/api/siem The event data is intended to be used with a SIEM so it will be in fields like this. event_id=message source=threat ip=127.0.0.1 I'm assuming I will need to create an add-on, but have not done this before. Or is this a use case for the HTTP Event Collector?
... View more
Labels
- Labels:
-
other
12-23-2020
02:05 PM
Gotcha, thanks!
... View more
12-23-2020
07:56 AM
How do I remove the Security Essentials app? Just remove the directory from apps/ on the search head?
... View more
Labels
- Labels:
-
other
12-23-2020
07:01 AM
I understand that the ES app itself is needed, my question is about the rest of the technologies; firewalls, etc. As I understand it I only need to install the add-on for these on the ES search head and not the app, unless I want to use the app on the ES search head, correct? I went through the install and I don't remember a step asking me about choosing add-ons. Fresh install of ES 6.4.
... View more
12-23-2020
06:58 AM
Thank you for the clarification.
... View more
12-22-2020
01:46 PM
Working on a new ES install. Does the ES search head need the app and add-on for each technology or just the add-on? Does it matter if the app and add-on are both installed?
... View more
12-22-2020
01:36 PM
Setting up a new ES install and looking at Content Management. It looks like there are a lot of Disabled items, mostly correlation search. Are there any guidelines for which of these to enable? Is enabling all of them a bad idea?
... View more
12-11-2020
09:23 AM
This helps. One question on the TA For Indexers. Why are these two settings optional when downloading the package? Include index time properties Include index definitions
... View more
12-11-2020
06:59 AM
I am working on a fresh install of ES 6.4. I already have a Splunk Ent environment with an indexer tier, apps, single search head, etc. ES has been installed on a standalone search head, but not configured. I have configured ES before, but it was a few versions and a few years back. What are some good resources to get ES configured besides the install docs? Since I already have a Splunk environment with forwarders, add-ons, etc. it looks like my next step might be 'Create the Splunk_TA_ForIndexers and manage deployment manually'. If I go to this step am I skipping something I shouldn't skip? https://docs.splunk.com/Documentation/ES/6.4.0/Install/InstallTechnologyAdd-ons
... View more
12-08-2020
07:21 AM
I am working on a fresh install of ES 6.4. I already have a Splunk Ent environment with an indexer tier, apps, single search head, etc. ES has been installed on a standalone search head, but not configured. I have configured ES before, but it was a few versions and a few years back. What are some good resources to get ES configured besides the install docs? Since I already have a Splunk environment with forwarders, add-ons, etc. it looks like my next step might be 'Create the Splunk_TA_ForIndexers and manage deployment manually'. If I go to this step am I skipping something I shouldn't skip? https://docs.splunk.com/Documentation/ES/6.4.0/Install/InstallTechnologyAdd-ons
... View more
Labels
- Labels:
-
configuration
07-23-2020
08:50 AM
Using systemd without specifying a user seems to run it as 'root'.
... View more
07-22-2020
11:49 AM
OS is CentOS. I tried systemd and it didn't seem to work, Splunk is still shown as run by user 'splunk'. Tried both of these. /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk /opt/splunk/bin/splunk enable boot-start -systemd-managed 0 -user splunk
... View more
07-22-2020
06:44 AM
Splunk Enterprise 8.0.5 I have a local 'splunk' user account that has all permissions (chown and chgrp) that is running Splunk. The problem is that the vulnerability conditions are satisfied with this configuration. 1. Is met with Splunk being run as non-root user 'splunk' 2. Is met because in order to run splunk, the user has to have permissions to the dirs. 3a. Is met when Splunk is set to run at boot as specified user. 3b. Is met because the splunk user has to be set in splunk-launch.conf. I don't see a way out of this with the recommended mitigation configuration. ### vuln info from https://www.splunk.com/view/SP-CAAAP3M Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192) Description: Specific configurations that have Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder running as non-root that match all the following characteristics: 1. Splunk Enterprise, Splunk Light, or the Universal Forwarder are running as non-root user. 2. $SPLUNK_HOME and $SPLUNK_HOME/etc both are owned by the running splunk user. 3. Satisfied one of the following conditions a. A Splunk init script created via $SPLUNK_HOME/bin/splunk enable boot-start –user <user> on Splunk 6.1.x or later. b. A line with SPLUNK_OS_USER=<user> exists in $SPLUNK_HOME/etc/splunk-launch.conf The above specific configurations of Splunk Enterprise, Splunk Light and Universal Forwarders, are vulnerable to the Splunk Administrator being able to induce code execution as root.
... View more
07-21-2020
03:10 PM
I've been working on remediating this vulnerability https://www.splunk.com/view/SP-CAAAP3M "Potential Local Privilege Escalation through instructions to run Splunk as non-root user" and the 'fixes' don't seem to work. It seems like no matter the tactic - boot-start, init.d, systemd, etc. the requirements for the vulnerability always seem to be met; 1, 2, and 3a and/or 3b . "Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)" Is there a way to configure splunk to startup and run that will mitigate the vulnerability?
... View more
Labels
- Labels:
-
other
06-30-2020
01:53 PM
I have some SQL audit files filename.sqlaudit that I want to import using batch. I have the configuration all done and working for test files like a .txt file, but the .sqlaudit file will not import. Running '.\splunk.exe list inputstatus' give me 'type = unreadable file type'. I have the Splunk Add-on for Microsoft SQL Server installed on the search head, so that should parse the file once it's imported, correct? How do I get the UF to process the file?
... View more
Labels
- Labels:
-
using Splunk Enterprise
06-25-2020
08:24 AM
Using the MS SQL addon I see this reference to audit logs 'uses the sys.fn_get_audit_file function via DB Connect.' https://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/Datatypes
... View more
06-25-2020
07:42 AM
Please see my reply above. The audit files are being created per Splunk instructions, but how do I get them into Splunk?
... View more
