Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About morganfw
morganfw
Path Finder
Member since:
09-09-2011
Community Statistics
| Posts | 18 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 09-09-2011 |
Activity Feed
- Posted Splunk App for Salesforce on Splunk Cloud: "lookup_sfdc_accounts.csv" containing millions of rows- How do we resolve? on All Apps and Add-ons. 09-14-2022 03:11 AM
- Karma Re: Why does migrating universal forwarder to 6.4.3 display "unconfigured/disabled/deleted index='wineventlog'" message and event logs stopped forwarding? for jwelch_splunk. 06-05-2020 12:48 AM
- Posted Re: Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 06-03-2020 05:40 AM
- Posted Re: Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 05-28-2020 07:56 AM
- Posted Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 05-26-2020 09:12 AM
- Tagged Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 05-26-2020 09:12 AM
- Tagged Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 05-26-2020 09:12 AM
- Tagged Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1: How to configure proxy settings? on All Apps and Add-ons. 05-26-2020 09:12 AM
- Posted Re: Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 05-05-2020 03:24 AM
- Posted Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 03-30-2020 02:08 AM
- Tagged Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 03-30-2020 02:08 AM
- Tagged Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 03-30-2020 02:08 AM
- Tagged Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 03-30-2020 02:08 AM
- Tagged Proofpoint - ET Splunk TA - Proxy settings on All Apps and Add-ons. 03-30-2020 02:08 AM
- Posted Re: Shodan App, Proxy and Query Rate Limit on All Apps and Add-ons. 06-12-2019 07:52 AM
- Posted Shodan App, Proxy and Query Rate Limit on All Apps and Add-ons. 06-12-2019 03:33 AM
- Tagged Shodan App, Proxy and Query Rate Limit on All Apps and Add-ons. 06-12-2019 03:33 AM
- Tagged Shodan App, Proxy and Query Rate Limit on All Apps and Add-ons. 06-12-2019 03:33 AM
- Tagged Shodan App, Proxy and Query Rate Limit on All Apps and Add-ons. 06-12-2019 03:33 AM
- Posted "trendmicro" stanza typo in props.conf EVAL-severity expression on All Apps and Add-ons. 01-09-2019 08:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-14-2022
03:11 AM
Hello,
we are using Splunk App for Salesforce in the Splunk Cloud environment.
We noticed that the App through the saved search "Lookup - ACCOUNT_ID TO ACCOUNT_NAME" every week at midnight creates a CSV file called "lookup_sfdc_accounts.csv", which in our case is populated with over 4 million lines and consequently the size of the files are nearly 500MB.
The problem is that due to the size of this lookup, Splunk Cloud cannot replicate the bundle and the following message appears:
The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is [...].
We do not have the ability to filter events and reduce the size of the lookup.
Has anyone been in the same situation?
Is it possible to solve somehow, for example by migrating the lookup to KV Store?
Any suggestions?
The App is not directly supported by Splunk and I cannot find the developer's contacts to submit the case.
... View more
Labels
- Labels:
-
configuration
-
other
-
troubleshooting
-
upgrade
06-03-2020
05:40 AM
Hello,
I've found a WA for now.
On variables.py under $SPLUNK_HOME/etc/apps/Centurion/bin you need to insert proxy config for requests module:
import requests
proxies = {
'http': 'http://<your_proxy>:<your_proxy_port>',
'https': 'http://<your_proxy>:<your_proxy_port>',
}
then you need to configure single py services scripts that use Python requests module adding proxies import and configurations, following example is for abuseip.py, on line 8 modify script from:
from variables import abuseipkey,index_name
to
from variables import abuseipkey,index_name,proxies
then on requests.get on line 59, modify from:
res = requests.get(url, params=params)
to
res = requests.get(url, params=params, proxies=proxies)
and so on for all services that use Python requests module.
For services that not use Python requests module, you need to declare Proxy and add set_tunnel, so for AlienVault.py modify line 33 and 34 from:
conn = httplib.HTTPSConnection("otx.alienvault.com")
conn1 = httplib.HTTPSConnection("otx.alienvault.com")
to
conn = httplib.HTTPSConnection("<your_proxy>", <your_port>)
conn.set_tunnel("otx.alienvault.com")
conn1 = httplib.HTTPSConnection("<your_proxy>", <your_port>)
conn1.set_tunnel("otx.alienvault.com")
and so on for other services that not using Python requests module.
For neutrino.py on line 44 before string:
reqReputation = urllib2.Request(urlReputation, urllib.urlencode(params).encode("utf-8"))
you need to add following lines:
## Proxy Mod START
proxy = urllib2.ProxyHandler({'https': 'http://<your_proxy>:<your_proxy_port>'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
## Proxy Mod END
I strongly suggest in next App version to make the ability to configure Proxy globally on App, not all companies have te ability to exit Internet directly from Splunk.
Regards
... View more
05-28-2020
07:56 AM
Sorry, I don't need proxy to be configured globally, but I need proxy configuration per App.
The proxy configuration mentioned in above url is for splunkd only and doesn't work with Apps.
... View more
05-26-2020
09:12 AM
Hello,
I've installed Centurion - Threat Hunting Feed Aggregator v1.0.1 on Splunk Enterprise version 7.2.9.1 and I need to configure a proxy for exit on the internet.
Any suggestion for where to put proxy settings for quick resolving with a WA?
I suggest making a modification on the next App version to add the option to allow the user to modify proxy settings through the App web interface on Splunk.
Regards
... View more
Labels
- Labels:
-
configuration
05-05-2020
03:24 AM
Hello,
I managed the change of the proxy with following modification in $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py
- Original script -
def make_url(authcode, fname):
url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
authcode, fname)
request = Request(url)
request.set_proxy('http://<your_proxy>:<your_port>','http')
logger.debug("Version is %s", VERSION)
agent = "ET-SPLUNK-TA (" + VERSION + ")"
logger.debug("User-agent is %s", agent)
request.add_header("User-agent", agent)
return request
- Modified script (adding "request.set_proxy" below line 104) -
def make_url(authcode, fname):
url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
authcode, fname)
request = Request(url)
request.set_proxy('http://<your_proxy>:<your_port>','http')
logger.debug("Version is %s", VERSION)
agent = "ET-SPLUNK-TA (" + VERSION + ")"
logger.debug("User-agent is %s", agent)
request.add_header("User-agent", agent)
return request
Thank you.
... View more
03-30-2020
02:08 AM
Hello,
I've installed Proofpoint - ET Splunk TA v1.1.5 on Splunk Enterprise v7.2.9.1 and I need to configure a Proxy for exit on Internet.
- Issue:
I need to use a Proxy for exit on Internet, and when I set Proxy globally on OS, I can contact all sites, but Proofpoint - ET Splunk TA cannot contact Proofpoint API through Proxy, I assume that App contact Proofpoint API directly.
After some debugging, I've seen line 101 on $SPLUNK_HOME/etc/apps/TA-etintel/bin/update_repdata.py file that reports
def make_url(authcode, fname):
url = 'https://rules.emergingthreatspro.com/{0}/reputation/{1}'.format(
authcode, fname)
request = Request(url)
logger.debug("Version is %s", VERSION)
agent = "ET-SPLUNK-TA (" + VERSION + ")"
logger.debug("User-agent is %s", agent)
request.add_header("User-agent", agent)
return request
I want to know how to setup Proxy lines into the script for exit Internet.
I suggest to make a modification on next App version, and add option to allow the user to modify Proxy Settings through App Web Interface on Splunk.
Any suggestion for quick resolve with a WA?
Regards
... View more
06-12-2019
07:52 AM
The WA works like a charm and fixes the second issue.
I also suggest you to add some detailed documentation about App, to better understand all the functionalities.
Thank you for quick WA and for this awesome App.
... View more
06-12-2019
03:33 AM
Hello,
I've installed Hurricane Labs App for Shodan v2.0.1 on Splunk Enterprise v7.2.4 and I've found some issues in App usage and functionality.
- First Issue:
I need to use a Proxy for exit on Internet, and when I set Proxy globally on OS, I can contact all sites, but Shodan App cannot contact Shodan API through Proxy, App contact Shodan API directly (I've done some tcpdumps to hit the problem).
After some debugging, I've found the issue and modified line 173 on $SPLUNK_HOME/etc/apps/Hurricane_Labs_App_for_Shodan/bin/shodan/client.py file that reports
def __init__(self, key, proxies=None):
"""Initializes the API object.
:param key: The Shodan API key.
:type key: str
:param proxies: A proxies array for the requests library, e.g. {'https': 'your proxy'}
:type proxies: dict
"""
now I can contact Shodan API through Proxy.
I suggest to make a modification on next App version, and add option to allow the user to modify Proxy Settings through App Web Interface on Splunk.
- Second Issue:
I need to add several subnets starting from /24 ending to /29, and after adding almost 20 subnets on "Configure Subnets" section, I receive a message that indicate the App cannot sync with Shodan:
No IPs to use. Add an IP above.
So I try to execute manual command to force list refresh:
| getshodan [|inputlookup shodan_my_subnets | stats values(ipAddress) AS ips | eval netlist=mvjoin(ips, ",") | table netlist] | outputlookup shodan_output
and after some seconds it answer with Request rate limit reached:
APIError at "$SPLUNK_HOME/etc/apps/Hurricane_Labs_App_for_Shodan/bin/shodan/client.py", line 255 : Request rate limit reached (1 request/ second). Please wait a second before trying again and slow down your API calls.
that's a problem, because App don't consider Shodan API Request rate limit, and this is a big problem.
Also I suggest to modify next App version with Shodan API Requests rate limit.
Any suggestion for quick resolve with a WA?
Regards
... View more
01-09-2019
08:38 AM
Hi,
I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported following warning message
WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).
I've analyzed and seen there's a typo in TA default/props.conf EVAL-severity expression, Information word was not quoted correctly
EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")
I've created a workaround in local/props.conf and pasted corrected strings for above eval expression
[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown", CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest
Is it possible to fix typo in next TA release?
Regards
... View more
01-08-2019
11:37 AM
Same issue for me on single Splunk v6.6.3 instance (SH and Indexer on single Server) with FireEye App for Splunk Enterprise v3.1.1.
If I try search in FireEye App, fieldalias doesn't work, so dashboards not populated correctly.
When I try search in Splunk default search App, all fieldalias extracting correctly.
I've tried setting global permission on App with no chance.
Any suggestion?
Regards
... View more
11-12-2018
08:18 AM
Thank you for answer.
I'll submit a case to Splunk Support.
... View more
11-12-2018
07:51 AM
Hi walterk82 and thank you for your answer.
I try to explain, I think there's another issue, in TA default/eventtypes.conf 61-62 lines there's configured:
[f5_bigip_apm_username_received]
search = sourcetype="f5:bigip:apm:syslog" ": Username"
above stanza recall authentication dataset action in default/tags.conf 117-123 lines:
[eventtype=f5_bigip_apm_username_received]
network = enabled
communicate = enabled
session = enabled
authentication = enabled
default = enabled
web = enabled
so when I try to searching for tag=authentication the action field was populated in "Access policy result:" rows only, not in "Username" rows with field values "success" or "failure" that are CIM expected values for Authentication datasets for populate Splunk ITSI or Splunk ES Premium Apps.
May know a temporary workaround to put in the TA local/props.conf for extract Username success or failure action as expected?
Thank you in advance for any help.
... View more
11-09-2018
02:05 PM
Hello,
I've installed Splunk Add-on for F5 BIG-IP v2.6.0 and Splunk Common Information Model (CIM) v4.12.0 on Splunk Enterprise 6.6.3 when I try to search authentication logs for apm (F5 VPN)
index="f5" sourcetype="f5:bigip:apm:syslog" tag=authentication
authentication actions field reports allowed or blocked on Access Policy logs only (not in Username logs), instead of success or failure that CIM authentication dataset documentation reports.
Below log example
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490500:5: /Common/ap_web_auth:Common:85157209: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.172 Listener /Common/ap_web_auth_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm1[15435]: 01490506:5: /Common/ap_web_auth:Common:85157209: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490500:5: /Common/Network_Access_02:Common:8c6be305: New session from client IP 1.23.45.67 (ST=WA/CC=US/C=US) at VIP 192.168.131.174 Listener /Common/Network_Access_02_vs (Reputation=Unknown)
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice tmm3[15435]: 01490506:5: /Common/Network_Access_02:Common:8c6be305: Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%208.0%3b%20Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f4.0%3b%20SLCC2%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.5.30729%3b%20.NET%20CLR%203.0.30729%3b%20Media%20Center%20PC%206.0).
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490248:5: /Common/Network_Access_02:Common:8c6be305: Received client info - Hostname: Type: IE Version: 8 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490102:5: /Common/Network_Access_02:Common:8c6be305: Access policy result: Full
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490005:5: /Common/Network_Access_02:Common:8c6be305: Following rule 'fallback' from item 'Resource Assign' to ending 'Allow'
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490128:5: /Common/Network_Access_02:Common:8c6be305: Webtop '/Common/Network_Access_02_webtop' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490008:5: /Common/Network_Access_02:Common:8c6be305: Connectivity resource '/Common/Network_Access_02_na_res' assigned
Nov 9 12:37:05 x.x.x.x Nov 9 12:37:05 ##hostname## notice apmd[11023]: 01490010:5: /Common/Network_Access_02:Common:8c6be305: Username 'uuu'
Anyone experienced same issue?
Thank you in advanced for any help.
... View more
03-17-2017
03:04 AM
Ok I did the trick!
Forwarder Upgrade with no custom options create Splunk_TA_windows that override my "domain_controller" app under UF path "$SPLUNK_HOME\etc\apps", I ran btool command and output following result:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
so I've uninstalled UF and reinstalled with "Customize Options" and uncheck all flags under "Windows Event Logs", after installation I've checked that "Splunk_TA_windows" directory that not exists under "$SPLUNK_HOME\etc\apps" then Start SplunkUniversalForwarder Service, Deployment Server pushed configurations to Deployment Client and now I receive logs.
Thx all for support!!!
... View more
03-17-2017
01:53 AM
No override, local directory is empty.
... View more
03-17-2017
01:52 AM
Ok I'll try to execute above command and paste output.
... View more
03-16-2017
02:16 PM
I know that events going to new index that not exists, but my trouble is another.
I've plain Splunk Enterprise Core, no TA, my issue is particular because before with SUF 5.0.2 to Indexer 6.4.1 Windows Event Log was Forwarded, after "clean" upgrade to SUF 6.4.3 Forwarder stop to send Event Log to Indexer 6.4.1.
Before SUF upgrade Event Logs were going to "main" index with no explicit declaration in inputs.conf, so I've tried to configure explicitly the previous used index in inputs.conf and reload serverclasses with no success, and I don't need to create new index because prior upgrade this worked.
In Preproduction Environment all works fine and SUF forward events log to Indexer.
I hope I explained myself.
... View more
03-16-2017
12:34 PM
Hi all,
I've 3 Splunk 6.4.1 Indexers and a Splunk 6.4.1 Search Head + Distributed Management Console (DMC) on Linux Red Hat 6.6.
I've tested Windows Event Log in Windows 2008 R2 Domain Controller Servers in Preproduction environment with 1 Splunk 6.4.1 Indexer + Search Head + DMC, forwarded Event Logs all ok.
I've migrated Splunk Universal Forwarder (SUF) in Production from 5.0.2 to 6.4.3 with clean Installation (Uninstall SUF 5.0.2, Reboot Server and Reinstall SUF 6.4.3), and before with SUF 5.0.2 Windows Events was forwarded with no problem, after SUF Clean Upgrade to 6.4.3 I receive once following message:
Received event for unconfigured/disabled/deleted index='wineventlog' with source='source::WinEventLog:Security' host='host::my-host' sourcetype='sourcetype::WinEventLog:System' (1 missing total)
and Event Logs stopped to be forwarded.
I haven't changed configuration on my Indexers and Search Head, below my configuration:
$SPLUNK_HOME/etc/system/local/serverclass.conf
List item
[serverclass:domain_controller]
host = my-dc-host
[serverclass:domain_controller:app:domain_controller]
* $SPLUNK_HOME/etc/deployment-apps/domain_controller/default/inputs.conf
[WinEventLog://Security]
disabled = 0
(I've also tried to add "index = main" on bottom of above stanza with no results).
And other configurations to send logs globally from deployment clients to deployment server...
I've tried to uninstall and reinstall SUF 6.4.3, but no issue resolved, I've also read all Splunk Answers on same problem, but before SUF upgrade Windows Event Logs was Forwarded with no problem, and in Preproduction all works fine.
Any suggestion?
Regards.
... View more
