Activity Feed
- Got Karma for Re: Windows Eventlog Blacklist Failing. 04-19-2023 06:03 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 01-06-2023 06:32 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 05-25-2022 11:32 PM
- Posted Re: TA-MS-AAD - Pulling Duplicate azure:aad:signin Logs on All Apps and Add-ons. 01-26-2022 09:38 AM
- Posted Splunk_TA_Windows 8.2.0 - User DN incorrect extraction on Getting Data In. 12-09-2021 11:28 AM
- Tagged Splunk_TA_Windows 8.2.0 - User DN incorrect extraction on Getting Data In. 12-09-2021 11:28 AM
- Posted Downsample Line Chart fails to load after ES Upgrade on Dashboards & Visualizations. 12-07-2021 10:31 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 08-16-2021 10:02 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 08-09-2021 03:47 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 06-30-2021 03:06 AM
- Got Karma for Re: Windows Eventlog Blacklist Failing. 06-29-2021 04:59 PM
- Posted Re: Windows Eventlog Blacklist Failing on Getting Data In. 06-29-2021 11:50 AM
- Posted Re: Windows Eventlog Blacklist Failing on Getting Data In. 06-09-2021 10:17 AM
- Posted Re: Windows Eventlog Blacklist Failing on Getting Data In. 06-09-2021 09:11 AM
- Posted Windows Eventlog Blacklist Failing on Getting Data In. 06-09-2021 08:11 AM
- Posted TA-MS-AAD - Pulling Duplicate azure:aad:signin Logs on All Apps and Add-ons. 02-26-2021 08:17 AM
- Tagged TA-MS-AAD - Pulling Duplicate azure:aad:signin Logs on All Apps and Add-ons. 02-26-2021 08:17 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 10-19-2020 11:32 PM
- Posted Re: One User Cannot Authenticate to Splunk on Splunk Enterprise. 09-10-2020 11:28 AM
- Posted Re: One User Cannot Authenticate to Splunk on Splunk Enterprise. 09-10-2020 10:21 AM
01-26-2022
09:38 AM
From what I've seen it seems like there isn't really a fix to pulling duplicate logs. I've had to compensate by deduping logs by their ID within my search criteria whenever I'm including them.
12-09-2021
11:28 AM
Edit: After working with Splunk support, this issue is fixed in TA version 8.5.0.

I recently upgraded our Windows TA from 8.0.0 to 8.2.0. I've noticed that with the Event IDs relating to users being removed or added to groups (4728, 4729, 4732) the user removed or added is logged by Windows with their full DN. Splunk before the upgrade was pulling the full DN and extracting it into the user field. Now it seems to not be doing the same. Our DNs contain "Lastname, Firstname" with the log having that first comma escaped.

```
12/09/2021 00:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=domaincontroller
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1111111111
Keywords=Audit Success
Message=A member was added to a security-enabled local group.
Subject:
Security ID: CONTOSO\user_admin
Account Name: user_admin
Account Domain: CONTOSO
Logon ID: 0xD5D5D5DA
Member:
Security ID: CONTOSO\FLastname
Account Name: CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com
Group:
Security ID: CONTOSO\Group_RW
Group Name: Group_RW
Group Domain: CONTOSO
```

This is extracted correctly into the Account_Name field, though both the Subject and Member users are placed into Account_Name as an mv field. For some reason, when this same value is extracted into user, it gets extracted only as "Lastname\". I've done a diff on the default\props and transforms and didn't see any changes to the extractions of this field that I can find, and I had no customization here. I'm at a bit of a loss as to why this would even change. We are using the WinEventLog:Security sourcetype as well. Other extractions seem to be working as intended.
- Tags: splunk_ta_windows
- Labels: sourcetype, Windows
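The truncation reported in the post above comes down to how the DN is tokenised: `CN=Lastname\, Firstname,OU=...` carries an RFC 4514 escaped comma, and any extraction that stops at the first comma yields exactly `Lastname\`. The Python below is an added example of my own, not Splunk_TA_Windows code; the message text is a constructed copy of the event quoted above and every function name is mine. It shows the comma-terminated split reproducing the truncated value beside an escape-aware split that recovers the full CN.

```python
import re

# Constructed sample, copied from the 4732 event quoted above (placeholder names).
SAMPLE_MESSAGE = """A member was added to a security-enabled local group.
Subject:
Security ID: CONTOSO\\user_admin
Account Name: user_admin
Account Domain: CONTOSO
Logon ID: 0xD5D5D5DA
Member:
Security ID: CONTOSO\\FLastname
Account Name: CN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com
Group:
Security ID: CONTOSO\\Group_RW
Group Name: Group_RW
Group Domain: CONTOSO
"""

SAMPLE_DN = r"CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com"


def account_names(message):
    """All 'Account Name:' values in order (Subject first, then Member), i.e. the
    multivalue Account_Name the post says is still extracted correctly."""
    return re.findall(r"^Account Name:\s*(.+?)\s*$", message, re.MULTILINE)


def member_account_name(message):
    """Only the Account Name inside the 'Member:' block."""
    m = re.search(r"^Member:\n(?:.*\n)*?Account Name:\s*(.+?)\s*$", message, re.MULTILINE)
    return m.group(1) if m else None


def user_naive(dn):
    """What a comma-terminated extraction returns: the text up to the first comma,
    which for an escaped comma is the truncated 'Lastname\\' seen in the post."""
    return dn.split(",")[0].partition("=")[2]


def split_rdns(dn):
    """RFC 4514-aware RDN split: a backslash escapes the following character, so
    '\\,' stays inside its RDN. Escape sequences are preserved in the output."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def user_escape_aware(dn):
    """The CN value with RFC 4514 escapes removed: 'Lastname, Firstname'."""
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return re.sub(r"\\(.)", r"\1", value)
    return None


if __name__ == "__main__":
    dn = member_account_name(SAMPLE_MESSAGE)
    print("Account_Name (mv):", account_names(SAMPLE_MESSAGE))
    print("naive user:       ", user_naive(dn))
    print("escape-aware user:", user_escape_aware(dn))
```

The same escape rule covers every RFC 4514 special character (`+`, `"`, `<`, `>`, `;`, `#`, `=` and a leading or trailing space), so an extraction written to stop at an unescaped comma will keep working for the other escaped forms as well.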
12-07-2021
10:31 AM
Did an upgrade from Splunk ES 6.1.1 to 6.6.2 and now any dashboard that uses the Downsampled Line Chart viz fails to load with a "Failed to load source for Downsampled Line Chart visualization." In fact, the same happens with any of the visualizations below the "More" header when selecting a chart type (including histogram, box plot, and 3D scatter plot). Has anyone run into such an issue after upgrading?
- Labels: timechart
06-29-2021
11:50 AM
2 Karma
Seems I'm just not careful enough and my stanza name had a typo. The blacklist works as intended once I corrected that.
06-09-2021
10:17 AM
It is, sorry. I am actually doing the same filter for similar events on both event codes 72 and 27, and got my examples mixed up. I'll correct that.
06-09-2021
09:11 AM
Thanks, but the key I am using (Message) is listed. The "Account Name" piece also does show up in the Message field in the final extract results as well. Splunk documentation also lists what I am trying to do as an example on this doc, under Example 5: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=searchtip
06-09-2021
08:11 AM
Having issues with a blacklist of mine. Trying to filter out specific instances of an event code using regex. When I test out the pattern with regexr for example, it matches without issue. But the events are coming in regardless.

My blacklist would be:

```
blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"
```

And an example event would be:

```
06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: ACCOUNTNAME$
...
```
- Labels: inputs.conf, universal forwarder
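To see how a `blacklist<N>` rule in inputs.conf is evaluated against an event like the one above, here is an added Python simulation of my own, not Splunk's implementation. The rule semantics it assumes are the documented ones as I understand them: each `key = "regex"` pair is an unanchored regex search against that field's text, and every pair must match for the event to be dropped. The inputs.conf fragments and the events are constructed; the second fragment deliberately carries a mistyped stanza header, the cause this thread ended with, to show that such a rule simply never applies to the Security log.

```python
import re

# --- constructed inputs.conf fragments (not the poster's real files) ---
CONF_OK = r"""
[WinEventLog://Security]
blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"
"""

# Same rule under a mistyped stanza header: never consulted for Security events.
CONF_TYPO = r"""
[WinEventLog://Securty]
blacklist7 = EventCode = "4672" Message = "Account\sName\:\s+ACCOUNTNAME\$"
"""

# --- constructed events modelled on the one quoted above ---
EVENT_MATCH = r"""06/09/2021 07:55:08 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Special Logon
OpCode=Info
RecordNumber=3400724885
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: ACCOUNTNAME$
"""
EVENT_OTHER_USER = EVENT_MATCH.replace("Account Name: ACCOUNTNAME$", "Account Name: OTHERHOST$")
EVENT_OTHER_CODE = EVENT_MATCH.replace("EventCode=4672", "EventCode=4624")

# key = "regex" pairs; the regex may contain backslash escapes such as \s or \$
PAIR_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_event(raw):
    """Split the rendered event into fields; Message runs to the end of the event."""
    fields, lines = {}, raw.strip().splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Message="):
            fields["Message"] = "\n".join([line[len("Message="):]] + lines[i + 1:])
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_blacklist(rule_value):
    """'EventCode = "4672" Message = "..."' -> [(key, compiled regex), ...]."""
    return [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(rule_value)]


def blacklists_for(conf_text, stanza):
    """Compiled blacklist rules under exactly `stanza`; a mistyped header yields none."""
    rules, current = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and re.match(r"blacklist\d*\s*=", line):
            rules.append(parse_blacklist(line.split("=", 1)[1]))
    return rules


def is_blacklisted(fields, pairs):
    """Assumed semantics: every key/regex pair must match (unanchored search)."""
    return all(key in fields and rx.search(fields[key]) for key, rx in pairs)


def should_drop(raw_event, rules):
    fields = parse_event(raw_event)
    return any(is_blacklisted(fields, pairs) for pairs in rules)


if __name__ == "__main__":
    rules = blacklists_for(CONF_OK, "WinEventLog://Security")
    for name, ev in [("match", EVENT_MATCH), ("other user", EVENT_OTHER_USER), ("other code", EVENT_OTHER_CODE)]:
        print(f"{name:10s} dropped={should_drop(ev, rules)}")
    print("rules under typo stanza:", len(blacklists_for(CONF_TYPO, "WinEventLog://Security")))
```

Running it prints `dropped=True` only for the first event: the other two fail one of the two pairs (account name or event code), and the mistyped stanza contributes no rules at all, which is indistinguishable from a rule that never matches when all you can see is that events keep arriving.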
02-26-2021
08:17 AM
Noticed that the Azure Addon is pulling the same logs repeatedly, roughly about 12 copies per log. We're using version 3.0.1 of the addon. I did see in another thread "2.0.1 fixes the duplicate alert data issue" but we're still getting it. Haven't upgraded to 3.1.0 as I didn't see any mention in the release notes about this particular issue. Anyone else run into this and found a way to fix it?
- Labels: troubleshooting
09-10-2020
11:28 AM
Alright, changed primary group to a different group (Domain Users) and they can log in now. Odd since the primary group for the affected user was the same as an unaffected user.
09-10-2020
10:21 AM
In the first log the backslash is escaping the comma, but in the second it's escaping the literal 5C characters (it looks like). I have tried using the query via Get-Aduser, but it receives no results. I also get no results when I swap out the CN for a user who is able to log into Splunk. I'm using get-aduser -LDAPFilter and just copying/pasting the query from the log.

Edit: I tried creating a test user that I know would fail. The log was the same, except that it didn't have the \5C, instead just the escaped comma as I would expect.

```
09-10-2020 10:32:21.035 -0700 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="splunkauthtest". Search filter="(&(member=CN=splunkauthtest,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))" strategy="Company-LDAP-USERROLE"
```
09-10-2020
09:42 AM
Having issues with one user trying to authenticate into Splunk. We're using LDAP auth. User has the same primary group as another individual that can log in. That primary group is used to grant access to Splunk. User does not have any other group memberships that are mapped in Splunk for authentication, so no conflicts that I can tell. User is in the same OU as users that can authenticate. Only have 1 LDAP strategy, and only this 1 user is affected. Have confirmed that the user used for the LDAP strategy can query and see the affected user via Get-Aduser. One thing I noticed in splunkd.log is the search filter appears a bit odd.

```
09-10-2020 09:30:35.191 -0700 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="flastname" with DN="CN=Last\, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com" in strategy="Company-LDAP-USERROLE"
09-10-2020 09:30:35.194 -0700 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="flastname". Search filter="(&(member=CN=Last\5C, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))" strategy="Company-LDAP-USERROLE"
```

In the filter I see what looks to be an added 5C, which is hex code for \ in ASCII. Is it adding an additional piece that shouldn't be there? Might be a red herring though.
- Tags: authentication, ldap
- Labels: troubleshooting
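On the `\5C` seen in the search filter: RFC 4515 requires a backslash inside a filter assertion value to be hex-escaped as `\5c` (together with `*`, `(`, `)` and NUL), so a DN whose CN contains `\,` is expected to appear as `\5C,` once it is embedded in `(member=...)`, which is what the DEBUG and ERROR lines quoted in this thread show. The Python below is an added example of my own, not Splunk's code; it builds that filter shape from the two DNs in the quoted log lines and shows that the escaped value decodes back to the original DN, which is what the directory server compares against.

```python
import re

# RFC 4515 section 3: inside a filter assertion value these characters must be
# written as a backslash plus two hex digits. Upper-case hex is used here so the
# output matches the splunkd.log line quoted above (the RFC accepts either case).
_FILTER_ESCAPES = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value):
    """Escape a string (e.g. a DN) for embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: decode every \\XX sequence."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def group_filter(member_dn, role_cn_prefixes):
    """Rebuild the (&(member=DN)(|(CN=prefix*)...)) shape seen in splunkd.log.
    The shape comes from the quoted log line; the role names are placeholders."""
    roles = "".join(f"(CN={escape_filter_value(p)}*)" for p in role_cn_prefixes)
    return f"(&(member={escape_filter_value(member_dn)})(|{roles}))"


# Constructed DNs taken from the two log lines quoted in this thread.
DN_WITH_ESCAPED_COMMA = r"CN=Last\, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com"
DN_PLAIN = "CN=splunkauthtest,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com"

if __name__ == "__main__":
    for dn in (DN_WITH_ESCAPED_COMMA, DN_PLAIN):
        print(group_filter(dn, ["USERROLE", "OTHERUSERROLE"]))
        # the server decodes the filter value back to the DN before comparing it
        assert unescape_filter_value(escape_filter_value(dn)) == dn
```

The same rule applies to any client that assembles a filter string by hand, such as a Get-ADUser -LDAPFilter value, so a DN pasted straight out of this log is already in the escaped form a filter needs, while a DN pasted from the DEBUG line (with a bare `\,`) is not.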
08-11-2020
01:19 PM
6 Karma
Sorry for the late reply, I have actually, and completely forgot to post it. Someone referred me to a search that I pasted below. You may need to adjust the es_lookup_mv_limit it looks for according to what you have configured in ES. For us it turned out the cause was from load balancers responding to our vulnerability scanner with the same MAC address, causing merges. I nulled out the MACs from my search that populated the corresponding lookup with the vuln scanner info and haven't had any merge issues since.

```
| inputlookup asset_lookup_by_str
| eval es_lookup_type="asset_lookup_by_str"
| inputlookup append=t asset_lookup_by_cidr
| eval es_lookup_type=coalesce(es_lookup_type, "asset_lookup_by_cidr")
| inputlookup append=t identity_lookup_expanded
| eval es_lookup_type=coalesce(es_lookup_type, "identity_lookup_expanded")
| rename _* AS es_lookup_*
| eval es_lookup_mv_limit=25
| foreach asset ip mac nt_host dns identity [eval count_<<FIELD>>=coalesce(mvcount(<<FIELD>>), 0), es_lookup_is_problem=mvappend(es_lookup_is_problem, if(count_<<FIELD>> >= es_lookup_mv_limit, "yes - field <<FIELD>> has over " . es_lookup_mv_limit . " entries", null()))]
| where isnotnull(es_lookup_is_problem)
| table es_lookup_*, count_*, *
```
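A simplified model of the merge failure the reply above describes, added here as my own example and not ES's merge logic: the key fields ip, mac, nt_host and dns and the union-on-any-shared-key behaviour are my assumptions about how the asset merge behaves. Thirty constructed scanner records share one MAC, as a load balancer answering a scanner on behalf of every host would produce, and collapse into one asset whose ip, nt_host and dns fields reach a 25-entry limit; with the MAC nulled before the lookup is populated, each host stays its own asset.

```python
from collections import defaultdict

# Assumed asset key fields: a record sharing any one of these values with
# another record is merged into the same asset.
KEY_FIELDS = ("ip", "mac", "nt_host", "dns")


def merge_assets(records, key_fields=KEY_FIELDS):
    """Simplified merge model: union-find over records that share a key value.
    Returns one dict per merged asset, field -> sorted distinct values."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for idx, rec in enumerate(records):
        for field in key_fields:
            value = rec.get(field)
            if not value:
                continue  # a nulled key (e.g. a blanked MAC) never causes a merge
            if (field, value) in first_seen:
                parent[find(idx)] = find(first_seen[(field, value)])
            else:
                first_seen[(field, value)] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec)

    merged = []
    for members in groups.values():
        values = defaultdict(set)
        for rec in members:
            for field, value in rec.items():
                if value:
                    values[field].add(value)
        merged.append({field: sorted(vals) for field, vals in values.items()})
    return merged


def fields_over_limit(assets, mv_limit=25):
    """(field, count) for every multivalue field at or above mv_limit, mirroring
    the count_<<FIELD>> >= es_lookup_mv_limit test in the search above."""
    return [(field, len(vals))
            for asset in assets
            for field, vals in asset.items()
            if len(vals) >= mv_limit]


def scanner_records(n, mac):
    """Constructed vulnerability-scanner rows for n hosts behind one load balancer;
    pass mac=None to model nulling the MAC before the lookup is populated."""
    return [{"ip": f"10.0.0.{i}", "mac": mac,
             "nt_host": f"web{i:02d}", "dns": f"web{i:02d}.example.test"}
            for i in range(1, n + 1)]


if __name__ == "__main__":
    merged = merge_assets(scanner_records(30, "00:11:22:33:44:55"))
    print(len(merged), "asset(s); over limit:", fields_over_limit(merged))
    fixed = merge_assets(scanner_records(30, None))
    print(len(fixed), "asset(s); over limit:", fields_over_limit(fixed))
```

Raising the field limit only hides this: the merged asset still maps thirty hosts to one identity, so any correlation keyed on the asset would attribute activity from every web host to the same record.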
06-12-2020
08:05 AM
Been getting messages saying that some identities are exceeding the field limits. I've increased the limit on some of them, but I'm having difficulty finding the exact field that is causing this issue. Is there a way to find the exact instance where this limit is being exceeded?

```
Identity: 25 assets are currently exceeding the field limits set in the Asset and Identity Management page. Data truncation will occur unless the field limits are increased. Sources: [merge].
```
- Labels: configuration, troubleshooting
05-12-2020
07:54 AM
Are you on Splunk version 8.x? I ran into the same issue, confirmed with Duo support that it's because 8.x is unsupported. They didn't have an ETA on when that might be supported either.