Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hfernandez_
hfernandez_
Path Finder
Member since:
10-09-2019
06-12-2020
Community Statistics
| Posts | 16 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 10-09-2019 |
Activity Feed
- Posted Help with Extracting WinEventLog Fields on Getting Data In. 06-12-2020 09:33 AM
- Tagged Help with Extracting WinEventLog Fields on Getting Data In. 06-12-2020 09:33 AM
- Tagged Help with Extracting WinEventLog Fields on Getting Data In. 06-12-2020 09:33 AM
- Karma Splunk community NEEDS an answer for getting SCCM data into Splunk for nick405060. 06-05-2020 12:50 AM
- Got Karma for Re: What is the best way to forward Jamf Pro logs to Splunk?. 06-05-2020 12:50 AM
- Karma Why am I getting error "Data channel is missing" using HTTP Event Collector with Splunk Light? for otryshko. 06-05-2020 12:48 AM
- Karma Re: Why am I getting error "Data channel is missing" using HTTP Event Collector with Splunk Light? for gblock_splunk. 06-05-2020 12:48 AM
- Posted Re: Enterprise Security: Should we use the Cisco StealthWatch Add-On in addition to ES? on Splunk Enterprise Security. 03-19-2020 10:06 AM
- Posted Re: Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-16-2020 02:35 PM
- Posted Re: Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-16-2020 09:40 AM
- Posted Qualys TA/App: Missing some of the vulnerability titles on All Apps and Add-ons. 01-16-2020 08:09 AM
- Tagged Qualys TA/App: Missing some of the vulnerability titles on All Apps and Add-ons. 01-16-2020 08:09 AM
- Tagged Qualys TA/App: Missing some of the vulnerability titles on All Apps and Add-ons. 01-16-2020 08:09 AM
- Tagged Qualys TA/App: Missing some of the vulnerability titles on All Apps and Add-ons. 01-16-2020 08:09 AM
- Posted Re: Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-13-2020 11:41 AM
- Posted Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-10-2020 10:38 AM
- Tagged Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-10-2020 10:38 AM
- Tagged Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-10-2020 10:38 AM
- Tagged Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-10-2020 10:38 AM
- Tagged Regex help - Cisco WSA syslog data on All Apps and Add-ons. 01-10-2020 10:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-12-2020
09:33 AM
Hi Splunkers, Has anyone seen this or something similar? We are collecting Windows Events Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF. Due to the logging system format, Splunk is not parsing the fields automatically. Here is a sample event: Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: WINSVR001-V$
Account Domain: AD
Logon ID: 0x3e4
Logon Type: 8
New Logon:
Security ID: S-1-5-21-503695880-123456789-3595387526-4510
Account Name: jdoe
Account Domain: AD
Logon ID: 0x139c67d30
Logon GUID: {F325D620-6114-0657-01BF-F25C4AD21656}
Process Information:
Process ID: 0x3f8
Process Name: D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
Network Information:
Workstation Name: WINSVR001-V
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
We are using Splunk Add-on for Microsoft Windows 8.0. Is it possible to modify the existing conf files to have the fields parsed? Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute force regex on the whole event. If you're up to the challenge, I'm looking for: -Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format? -Can some help me with the regex to parse all the wineventlog fields and values? I appreciate the help in advance. Thanks, H
... View more
Labels
- Labels:
-
Windows
03-19-2020
10:06 AM
Hi danielbb,
I'm looking at implementing this Add-on in my environment with ES. Were you able to implement it successfully, since the Add-on is from Dec 2017? Were there any gotchas or lessons learned?
Thanks,
H
... View more
01-16-2020
02:35 PM
Ok, I implemented the changes and it worked. I appreciate the help. PavelProstine you're AWESOME!!!
... View more
01-16-2020
09:40 AM
Hi PavelProstine,
This looks promising. Let me give it a try.
Thanks,
... View more
01-16-2020
08:09 AM
Hi Splunkers,
I have installed the following Qualys TA and app into our Splunk Cloud environment:
Qualys Technology Add-on (TA) for Splunk Version 1.6.4
Qualys VM App for Splunk Enterprise Version 1.0.4
Is anyone having this similar problem or have seen this before? The Qualys App dashboard is missing some vulnerability titles. See the following image:
What's interesting is that when I login to Qualys, I see the Title info for that QID from the KnowledgeBase:
Is there a way to reset the knowledge base to rebuild/update the info? Any help is much appreciated.
Thanks,
... View more
01-13-2020
11:41 AM
Hi PavelP,
I appreciate the feedback. We are currently running WSA v11.8.0-440. I have nothing defined in for custom fields on this filter and using the defaults. Let me play around with that regex.
Thanks,
... View more
01-10-2020
10:38 AM
Hi Splunkers,
I am sending Cisco WSA data via syslog to a Heavy Forwarder in squid format. The data is getting there but it is not getting parsed correctly by the add-on. The current add-on, Splunk Add-on for Cisco WSA v3.3.0 (https://splunkbase.splunk.com/app/1747/) supports parsing via the ftp of the file but not the syslog solution. Looks like the regex works up to x_resp_dvs_verdictname then fails.
Has anyone been successful in parsing Cisco WSA data or is up to this Regex challenge?
Here is the REGEX from the add-on:
REGEX = (?<timestamp>[0-9.]+)\s+(?<x_elapsed_time>[0-9]+)\s+(?<src_ip>[a-zA-Z0-9:.]*)\s+(?<txn_result_code>[A-Z_]*)\/(?<status>[0-9]*)\s+(?<bytes_in>[0-9]*)\s+(?<http_method>\w*)\s+(?<url>\S*)\s+["|']?(?<user>[^\s"']+)["|']?\s+(?<server_contact_mode>[^\/]+)\/(?<dest>\S*)\s+(?<http_content_type>\S*)\s+(?<acltag>\S*)\s+(?:<|<)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),["|']?(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)["|']?,["|']?(?<webroot_threat_name>[^,"']+)["|']?,(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),["|']?(?<x_mcafee_filename>[^,]+?)["|']?,(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),["|']?(?<x_mcafee_virus_name>[^,]+?)["|']?,(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),["|']?(?<x_sophos_file_name>[^,]+?)["|']?,["|']?(?<x_sophos_virus_name>[^,]+?)["|']?,(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),["|']?(?<x_webcat_resp_code_abbr>[^,]+?)["|']?,["|']?(?<x_resp_dvs_threat_name>[^,]+?)["|']?,["|']?(?<x_wbrs_threat_type>[^,"']+)["|']?,["|']?(?<x_avc_app>[^,"']+)["|']?,["|']?(?<x_avc_type>[^,"']+)["|']?,["|']?(?<x_avc_behavior>[^,"']+)["|']?,["|']?(?<x_request_rewrite>[^"',]+)["|']?,(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),["|']?(?<x_resp_dvs_verdictname>[^,"']+)["|']?,["|']?(?<x_req_dvs_threat_name>[^,"']+)["|']?(,["|']?(?<x_amp_verdict>[^,"']+)["|']?,["|']?(?<x_amp_malware_name>[^"']+)["|']?,(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),["|']?(?<x_amp_filename>[^,]+?)["|']?,["|']?(?<x_amp_sha>[^"',]+)["|']?)?(,["|']?(?<x_file_verdict>[^"',]+)["|']?)?(,(?<x_archive_scan_verdict>[^,]+),["|']?(?<x_archive_scan_verdict_reason>[^"']+)["|']?)?(?:>|>)\s*(?<vendor_suspect_user_agent>-|["|']?[^"']+["|']?)?\s*(?<bytes_out>[0-9]*)?[^\r\n]*$
Here's some example data from my environment:
Jan 8 07:37:35 server.com Jan 08 07:37:34 server.com wsa_access_logs_splunk: Info: 1578497849.565 51 xxx.xxx.xxx.xxx NONE_SSL/504 0 POST https://device.com:443/SE/app - DIRECT/device.com - OTHER-NONE-eun_internal_group-NONE-NONE-NONE-DefaultGroup-NONE <"IW_edu",5.0,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_edu",-,"-","Education","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> -
Jan 8 07:37:35 server.com Jan 08 07:37:34 server.com wsa_access_logs_splunk: Info: 1578497849.513 101 xxx.xxx.xxx.xxx NONE_SSL/200 0 TCP_CONNECT xxx.xxx.xxx.xxx:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE-NONE <"-",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
Jan 8 07:35:34 server.com Jan 08 07:35:34 server.com wsa_access_logs_splunk: Info: 1578497734.661 0 xxx.xxx.xxx.xxx TCP_DENIED_SSL/403 0 POST https://xxx.xxx.xxx.xxx:443/server/php/index.php - NONE/- - BLOCK_ADMIN_HTTPS_NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE-NONE <"-",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
I appreciate the help with this one.
Thanks,
... View more
01-09-2020
02:44 PM
ah, i figured it out. I'm suppose to custom instead of computer.
Thanks,
... View more
01-09-2020
02:08 PM
Hi Alex,
I just implemented the Jamf add-on, but I'm not getting any data. For config, I used
JSS URL https://ourjamf_website.com:443
API Call Name: computer <default>
Search Name: /JSSResource/computers
Is that what you used to get the data in?
Thanks,
Herman
... View more
12-20-2019
12:52 PM
Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.
The Splunk Cloud HEC URL to use is:
curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'
Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.
... View more
12-02-2019
02:18 PM
Hi All,
I'm currently trying to integrate Palo Alto's Primsa Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-splunk) and I get the following error when I try to test the connection:
Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.
On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088
Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma
On the Prisma Cloud side (based on that link above):
Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token
When I test the connection, I get that error above.
Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone see this before and can point me in the right direction for troubleshooting?
I appreciate any help.
Thanks,
Herman
... View more
- Tags:
- http-event-collector
11-21-2019
11:03 AM
1 Karma
Hi AlexeySh,
Did you find a good Splunk/JAMF integration solution? I'm looking for one too. I just saw that a new add-on was released:
Jamf Pro Add-on for Splunk - https://splunkbase.splunk.com/app/4729/
I wanted to see if you gave this a try.
Thanks,
Herman
... View more
10-11-2019
07:41 AM
Hi Giuseppe,
Yes, I was able to put together all the pieces and got it to work. I appreciate the help in pointing me in the right direction.
... View more
10-10-2019
09:04 AM
Ok, I was able to get it to work. I applied your regex and the the following code to the the TA's props.conf and transforms.conf files. Here is the code:
TA-cisco_ios\props.conf
[source::udp:514]
TRANSFORMS-force_host= force_real_host
and
TA-cisco_ios\transforms.conf
[force_real_host]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)
FORMAT = host::$1
DEST_KEY = MetaData:Host
I appreciate the help. Hope this helps others.
... View more
10-10-2019
08:14 AM
Hi Giuseppe,
I appreciate the reply and guidance. The sample code comes from the etc/system/default/transforms.conf file under the stanza:
# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s(.*)$
FORMAT = $1
DEST_KEY = _raw
Ah, here's more background info. We have Splunk Cloud and the app and TA are installed to both Cloud SHs and INDs. The syslog data is being sent to an on-prem HF via UDP port and I'm configuring the TA there. The challenge is that the App Dashboards show the host and dvc as the syslog server vs the actual network device. I would simply change the field name in the code, but the actual device name is not capture. How do I go about setting the host and/or dvc to the actual device name at index time in the TA? I appreciate it.
... View more
10-09-2019
04:56 PM
Hi Answers,
I'm currently using the following apps:
Cisco Networks App for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1352/)
Cisco Networks Add-on for Splunk Enterprise 2.5.8(https://splunkbase.splunk.com/app/1467/)
I'm collecting the logs from the devices via syslog:
Here is how the raw log looks in Splunk:
Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*
syslog-server.domain.com = syslog server (some device names have "-" in them)
aa-bbbb-ccc = device (some device names have "-" in them)
Splunk extracts the host=syslog-server.domain.com and dvc=syslog-server.domain.com. When I apply the syslog-header-stripper-ts-host to both the props.conf and transforms.conf, but that doesn't change the host and dvc values.
TA-cisco_ios\props.conf
[source::udp:514]
TRANSFORMS-strip-syslog = syslog-header-stripper-ts-host
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 100
TA-cisco_ios\transforms.conf
# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$
FORMAT = $1
DEST_KEY = _raw
The syslog-header-stripper-ts-host data looks like:
aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:09:56.926: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*
In this case the host and dvc still are set to syslog-server.domain.com. How do I change the value of host and dvc to aa-bbbb-ccc ?
I appreciate the help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-12-2020
10:03 AM
|
