Thanks. We also have some potential options for collecting logs when connected to our VPN. Last I looked I don't recall options for local log storage on a UF (only buffer and queue) to be uploaded when connected to a VPN, is this still the case?  ... View more

It looks like HEC is the wrong way to go since it sends data from an application to Splunk. Is creating my own add-on the right way to go?  ... View more

Using systemd without specifying a user seems to run it as 'root'.  ... View more

OS is CentOS. I tried systemd and it didn't seem to work, Splunk is still shown as run by user 'splunk'.  Tried both of these. /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk /opt/splunk/bin/splunk enable boot-start -systemd-managed 0 -user splunk   ... View more

Splunk Enterprise 8.0.5 I have a local 'splunk' user account that has all permissions (chown and chgrp) that is running Splunk.  The problem is that the vulnerability conditions are satisfied with this configuration. 1. Is met with Splunk being run as non-root user 'splunk' 2. Is met because in order to run splunk, the user has to have permissions to the dirs. 3a. Is met when Splunk is set to run at boot as specified user. 3b. Is met because the splunk user has to be set in splunk-launch.conf. I don't see a way out of this with the recommended mitigation configuration.   ### vuln info from https://www.splunk.com/view/SP-CAAAP3M Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192) Description: Specific configurations that have Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder running as non-root that match all the following characteristics: 1. Splunk Enterprise, Splunk Light, or the Universal Forwarder are running as non-root user. 2. $SPLUNK_HOME and $SPLUNK_HOME/etc both are owned by the running splunk user. 3. Satisfied one of the following conditions a. A Splunk init script created via $SPLUNK_HOME/bin/splunk enable boot-start –user <user> on Splunk 6.1.x or later. b. A line with SPLUNK_OS_USER=<user> exists in $SPLUNK_HOME/etc/splunk-launch.conf The above specific configurations of Splunk Enterprise, Splunk Light and Universal Forwarders, are vulnerable to the Splunk Administrator being able to induce code execution as root. ... View more

Using the MS SQL addon I see this reference to audit logs 'uses the sys.fn_get_audit_file function via DB Connect.' https://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/Datatypes   ... View more

Please see my reply above. The audit files are being created per Splunk instructions, but how do I get them into Splunk? ... View more

Thank you, I have been through this article and either I'm missing something or the article is missing something. Following the steps to 'Create audit objects in Microsoft SQL Server for the Splunk Add-on for Microsoft SQL Server' I now have audit files being written to disk. CREATE SERVER AUDIT MSSQL_Database_Audit TO FILE ( FILEPATH = 'C:\\SQLAudit' ) ;  However, I do not see steps in the article for how to get the file data into Splunk. ... View more