It is recommended to deploy the UF, and Splunk TA Windows/AD on each domain controller. Also, with atleast the Windows Security Eventlog input enabled in the Splunk TA Windows. This will ensure you index all the audit events, because some are only collected locally on the authenticating DC. As for the admon ADMonitoring baseline=1 Splunk TA for AD input configuration, you only need to have this on one DC per Domain. Hope this answers your question, let me know if it doesn't. Thanks, Steve ... View more

Hi @vgollapudi, what version of Splunk you were using when you deployed this app and add-on successfully ? ... View more

"You stated you setup syslog-ng on your UF, the .conf is usually in either /etc or /use/local/etc, run a find" Are you referring to inputs.conf and outputs.conf? ... View more

The Splunk Add-on for ServiceNow and the Splunk App for ServiceNow are built and supported by Splunk. The ServiceNow Security Operations app was built by ServiceNow. The Helsinki release of ServiceNow introduced a different class of incidents and events that were more geared toward security rather than general. These integration endpoints for these classes of of incidents and events are different. So, ServiceNow created an app to integrate directly with these. Check out the release notes for Helsinki here where the Splunk integration is mentioned -> https://docs.servicenow.com/bundle/helsinki-release-notes/page/release-notes/security-operations/r_SecurityIncidentResponseRN.html Summary: The Splunk Add-on for ServiceNow is the foundation that collects data from ServiceNow and integrates with their APIs. There is very little user interface involved here and no out-of-the-box intelligence about the data. This add-on is built and supported by Splunk. The Splunk App for ServiceNow depends on the Splunk Add-on for ServiceNow to collect data. The Splunk App for ServiceNow has out-of-the-box intelligence about the ServiceNow data and several dashboards. This app is built and supported by Splunk. The ServiceNow Security Operations app adds security-specific incident and event integration. This app is Splunk Certified, but it is built and supported by ServiceNow. ... View more

I guess I will be testing for you 😉 Any suggestions for how to alter or setup use of a proxy for reaching SF? ... View more

Okay so thanks to your help I was able to discover that the issue was that the outputs.conf on the indexer pointed to an internal DNS entry that the UF located outside our network did not know about. So now the forwarder is connected and the apache logs are searchable in splunk. However, one of my apps is working properly and the other is not (I cannot see the logs on one of them). I can get logs from Apache but not a custom logging location. Are there are any troubleshooting steps you would recommend to see why an app is not able send logs to the splunk indexer. I have everything defined properly on the DS and Indexing server. ... View more

Thank you, that did the trick! ... View more

Thank you David, I'll give this a go in the next 2-3 weeks; disk space is a commodity at the moment; hoping to get this installed before .conf 😉 Your user report is definitely one report I am looking for. ... View more

We are now maintaining this TA to ensure its vetted and continues to parse (https://splunkbase.splunk.com/app/4238/) . We have a few updates happening over the next few days, so, please wait before downloading it .. but.. it is working well and vetted for cloud. ... View more

The Blue Coat ProxySG TA is compatible with the Blue Coat ProxySG App. The other could probably work but it may require changing the sourcetype or other items but I do not really know. ... View more

I can respect that, and THANK YOU for the TA! ... View more

i am also seeing the same in my production env .. server.pem is missing can we generate the same again ? we want to use server.pem for forwarders to indexers secure data trasnsfer ssl using certs please help ... View more

Here is what I am presently doing: My UF is listening inside of the TA, I am no longer receiving thru syslog-NG. The Inputs.conf in my TA reads: [udp://5514] connection_host = ip sourcetype = pan:log index = pan_logs no_appending_timestamp = true If you are running a Linux UF, test above with: $ netstat -a | grep 5514 The above should yield: udp 0 0 0.0.0.0:5514 0.0.0.0:* If you opt to receive thru your syslog-NG server, be sure you have no inputs defined in /opt/splunkforwarder/etc/apps/Splunk_TA_paloalto/local/, or have them commented out. I found no difference, but going back to my PA's to switch dest ports was more work, and I wanted to see my dashboards working. On my Indexers, which are clustered as yours, I have both the TA and the app deployed inside of the master-apps directory: Splunk_TA_paloalto SplunkforPaloAltoNetworks On my deployer for my SHC, I have both the app AND the TA deployed in /opt/splunk/etc/shcluster/apps: Splunk_TA_paloalto SplunkforPaloAltoNetworks The SplunkforPaloAltoNetworks still contains Splunk_TA_paloalto inside of the apps "install" directory, but I never saw the TA properly deployed inside of my SHC, thus requiring me to deploy as a separate app for my Search Head Cluster. Because the TA was not deploying properly, my dashboards were visually impaired. Once I pushed out the TA to my SHC, and after verifying they were present on my SHC members, my dashboards began to render properly. I am guessing this is your problem too. Please note, you may have to perform a rolling restart for your search head members. Let me know how this goes. ... View more

App does not report virus at all ... View more

You can configure it by a scheduled search on the search head cluster if possible. If it's a script then you configure it as an alert action and pack the searches and scripts to an app and deploy. This will make sure that the search executes only on one of the members and you have high availability. Other possibility is that configure your app locally on any of the search head member (/etc/apps/)- you do not have redundancy in this case ie . if that search head is down, then your application will not work. ... View more

Both options should work fine. Here's the reference doc: http://docs.splunk.com/Documentation/Splunk/6.3.1/DMC/WheretohostDMC Two things to note though: DMC instance is required to be a search head of the indexer cluster, which means in either Option A or Option B, you need to convert DMC instance to a search head by clicking "Settings -> indexer cluster", then enable indexer cluster and choose role as search head node, point this instance to the indexer cluster master. DMC instance is required to NOT be a search head cluster member. Actually DMC will be disabled on search head cluster members. So in your case, the DMC instance will be part of the indexer cluster but cannot be part of the search head cluster. ... View more

Yes, two decoders, one to capture non-SSL, the other to receive from a decryption device; both the same concentrator. Will send via PM. Thank you, -mi ... View more

Yes, my PA recently denied an inbound SMTP connection. I am able to see the returned email, but the action never appears on my Splunk dash. ... View more

Assuming that you would like to create a CSV file with IP addresses to be excluded from search results : 1)As the first step a list of ip addresses should be created as a csv file, in this case with only one column, for example ip 10.0.1.1 192.168.0.23 192.168.0.24 It can be uploaded to Splunk using Settings >> Lookups >> Lookup table files >> New 2) it can be registered as a lookup using Settings >> Lookups >> Lookup definitions >> New there the previous csv file should be selected and named, for example as src_ip_blacklist 3) the following can be added to the query, to filter out the ip addresses NOT [|inputlookup src_ip_blacklist | rename ip AS src_ip | fields src_ip] The updated query would be look like: `netflow_search_rule_20067` NOT [|inputlookup src_ip_blacklist | rename ip AS src_ip | fields src_ip] | where NOT ( cidrmatch("10.0.0.0/8",dest_ip) OR cidrmatch("172.16.0.0/12",dest_ip) OR cidrmatch("192.168.0.0/16",dest_ip) OR cidrmatch("169.254.0.0/16",dest_ip) ) | `fix_src_ip_mapping` | `fix_dest_ip_mapping` | lookup protocol_lookup protocol AS protocol | `format_port_column(dest_port_string, dest_port)` | search ( dest_port_string="*(pop*)" OR dest_port_string="*(imap*)" OR dest_port_string="*(smtp)" OR dest_port_string="*(rdp)") | `sampling(bytes_in)` | `sampling(packets_in)` | `sampling(flow_count)` | stats sum(bytes_in) AS TrafficAmount sum(packets_in) AS PacketsAmount sum(flow_count) AS Connections max(_time) as max_time min(_time) as min_time by exp_ip src_ip dest_ip dest_port_string | `pct_of_total(pct, "20067", TrafficAmount)` | `default_preparation_for_comma_formatted_table` | table exp_ip_name src_ip dest_ip dest_port_string "Average Bits/s" "Total Traffic Bytes" pct "Average Packets/s" "Total Packets" "Total Connections" | rename exp_ip_name as "Device" | rename dest_port_string as "Destination Port" | rename pct as "% of Total" ... View more

Accepting the answer since this is def the right answer. BTW: This related post may be of interest: What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for? ... View more

I will try to populate it using Qualys... ... View more

Just stumbled across this as I just implemented your TA. Has there been any updates on making the TA and Splunk for RSA compatible? Thanks, Casey ... View more

I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you. ... View more

Accepted, however I was hoping for more than the obvious, like reports, features, etc. ... View more

Option 1 and I just posted more details that might be effective for your needs How do I collect basic Windows OS Event Log data from my Windows systems? ... View more