Activity Feed
- Posted Re: How to get domain controllers sending event logs to the splunk server? on Getting Data In. 03-04-2020 03:23 PM
- Posted Re: How to get domain controllers sending event logs to the splunk server? on Getting Data In. 03-04-2020 02:58 PM
- Posted Re: How to get domain controllers sending event logs to the splunk server? on Getting Data In. 02-27-2020 01:26 PM
- Posted Re: How to get domain controllers sending event logs to the splunk server? on Getting Data In. 02-27-2020 12:21 PM
- Posted Re: How to get domain controllers sending event logs to the splunk server? on Getting Data In. 02-26-2020 03:19 PM
- Posted How to get domain controllers sending event logs to the splunk server? on Getting Data In. 02-26-2020 08:47 AM
- Tagged How to get domain controllers sending event logs to the splunk server? on Getting Data In. 02-26-2020 08:47 AM
- Posted Re: Getting "unauthorized" errors when trying to pull reports on Reporting. 10-29-2019 02:15 PM
- Posted Getting "unauthorized" errors when trying to pull reports on Reporting. 10-29-2019 10:43 AM
- Tagged Getting "unauthorized" errors when trying to pull reports on Reporting. 10-29-2019 10:43 AM
- Posted Re: How to send search reports to a network share on Reporting. 10-15-2019 02:52 PM
- Posted Re: How to send search reports to a network share on Reporting. 10-15-2019 12:55 PM
- Posted How to send search reports to a network share on Reporting. 10-15-2019 09:14 AM
- Tagged How to send search reports to a network share on Reporting. 10-15-2019 09:14 AM
03-04-2020 03:23 PM
Note to soutamo,
There was a deploymentclient.conf file, and it was pointing to the correct server:port#.
It didn't have a [deployment-client] stanza though, so I added that, per the document you linked to.
03-04-2020 02:58 PM
Still not feeling the love yet 😞
I saw this error at the top of the page this afternoon:
"the lookup table 'audit_host_inventory' does not exist it is referenced by configuration linux:audit"
There are a couple of Windows workstations that are sending event logs to Splunk, but not the Linux workstations.
When I looked in Settings | Lookups | Automatic lookups, none of the automatic lookups have an owner; they all say "no owner". Is that normal?
Every auto lookup IS set to "Global" for Sharing, though.
02-27-2020 01:26 PM
Neither of the ../local folders had an outputs.conf file in it.
02-27-2020 12:21 PM
I found 2 "outputs.conf" - one in "\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default"
and one in "\Program Files\SplunkUniversalForwarder\etc\system\default".
Is that first one the correct one to edit? (The second one had a warning about "don't edit this file directly".)
Neither one had a "server =" parameter set.
I added "server = :8089" to the first one; let's see if it starts generating some events now...
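The outputs.conf edit described in the post above is easy to get wrong, so here is an added example (not from the thread) that reads a forwarder's local outputs.conf, lists the tcpout targets, and flags a target on port 8089, which is splunkd's management port rather than an indexer receiving port (Splunk suggests 9997 for receiving). It assumes a Linux universal forwarder under /opt/splunkforwarder, like the Linux workstations mentioned elsewhere in the thread, and the nc(1) utility; the paths and target names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list the indexer targets in a forwarder's
# *local* outputs.conf and sanity-check each one. Assumes a Linux universal
# forwarder (SPLUNK_HOME, default /opt/splunkforwarder) and nc(1) for the probe.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print each host:port from "server =" lines inside [tcpout...] stanzas of the
# given outputs.conf; comma-separated lists are split, other stanzas ignored.
tcpout_targets() {
    awk '
        /^[ \t]*\[/ { in_tcpout = ($0 ~ /^[ \t]*\[tcpout/); next }
        in_tcpout && /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, t, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") print t[i]
        }' "$1"
}

# Classify one target: ok | no-port | mgmt-port | unreachable (0 only for ok).
# 8089 is splunkd's management port (REST API, deployment server), not a
# receiving port, so a tcpout target on 8089 will never deliver events.
check_target() {
    case "$1" in *:*) ;; *) echo no-port; return 1 ;; esac
    host="${1%%:*}"; port="${1##*:}"
    if [ "$port" = 8089 ]; then echo mgmt-port; return 1; fi
    if [ -n "$host" ] && nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo ok; return 0
    fi
    echo unreachable; return 1
}

# Check one outputs.conf; edits belong in etc/system/local or an app's local/,
# never in a default/ directory, so that is the file to look for.
check_forwarder() {
    conf="$1"; rc=0
    [ -f "$conf" ] || { echo "$conf missing: no local tcpout config" >&2; return 1; }
    for target in $(tcpout_targets "$conf"); do
        result="$(check_target "$target")" || rc=1
        echo "$target: $result"
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_forwarder "$1"   # e.g. "$SPLUNK_HOME/etc/system/local/outputs.conf"
fi
```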
02-26-2020 03:19 PM
One other thing that is probably relevant - the domain controllers that were replaced were also the DNS servers. Possibly the issue is being caused by different IP addresses for DNS, rather than the domain controllers per se?
The events stopped coming in right around the time the DNS/domain changes were made.
02-26-2020 08:47 AM
Our Splunk administrator jumped ship shortly after getting Splunk set up, and nobody officially took over his role, so there are no real Splunk experts here. I'm trying to fill in some gaps. 😞
We recently decommissioned a couple of domain controllers and replaced them with new ones, and then some reports stopped sending events related to accounts getting locked out, password resets, and users that weren't logging out at night. (There's probably more, but these are the three that management is specifically complaining about.)
I went into "Settings | Data Inputs | Active Directory monitoring" and added the names of the two new domain controllers; it was just running with "default" before. That didn't seem to fix the issue.
Where else in Splunk would any pointers to domain controllers be configured that might affect the Splunk server not getting these events?
This is Splunk version 6.6.4, running on Windows.
(Hopefully this question isn't too vague to work with. 😞)
10-29-2019 02:15 PM
Figured it out: the user account that was referenced in the script was missing from Splunk; when I re-added it, the scripts seemed to work fine. It was kind of a "well, duh!" moment when the light bulb went off.
10-29-2019 10:43 AM
I have some daily scripts set up on an NFS file server that are supposed to pull reports from the Splunk server (Splunk 6.6.4 running on Windows 2012).
The NFS server recently changed and moved to a new virtual server. The old NFS server had SELinux disabled and didn't have any attribute settings configured. The new server (CentOS 7) did have SELinux enabled, so I disabled SELinux and manually removed all of the SELinux attributes using setfattr -x, but that didn't seem to help.
The script being used to pull the reports is:
curl -u report:report1234 -k 'https://splunk:8089/services/pdfgen/render?input-dashboard=user_account_unlocked'
("user_account_unlocked" is the name of the report it's trying to pull.)
The full script includes a line appending the output to a file on the local NFS server; I used just the above for the sake of troubleshooting. The script does generate a PDF file, but you get a "file corrupted" error when trying to open it.
When running the line above I'm getting an XML response saying "Unauthorized", which would seem to indicate a permissions issue.
The user that originally created all the scripts isn't here anymore but he is still the owner of all of the scripts. His accounts are still active in Active Directory though.
Any suggestions?
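For the curl line in the post above, here is an added example (not the poster's script) that pulls the same pdfgen render but checks the HTTP status and the PDF magic bytes before saving, so an error body such as the Unauthorized XML is never written under a .pdf name, which is exactly the "file corrupted" symptom. It assumes the Splunk host's credentials live in ~/.netrc instead of -u on the command line, and a CA bundle at a hypothetical SPLUNK_CA path instead of -k.

```shell
#!/bin/sh
# Added example, not from the original post: render a report through the pdfgen
# endpoint and keep the output only if it really is a PDF, so an error body
# (such as the "Unauthorized" XML) never gets saved under a .pdf name.
# Assumptions: SPLUNK_HOST is the management host, its credentials are in
# ~/.netrc (not on the command line), and SPLUNK_CA is the CA bundle to trust.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-splunk}"                       # constructed default
SPLUNK_CA="${SPLUNK_CA:-/etc/pki/tls/certs/splunk-ca.pem}" # hypothetical path

# 0 if the file begins with the PDF magic bytes "%PDF-", 1 otherwise.
is_pdf() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]
}

# Classify a pdfgen response from its HTTP status and the saved body.
# Prints ok | unauthorized | not-pdf | error; exit status is 0 only for ok.
classify_response() {
    status="$1"; body="$2"
    case "$status" in
        401|403) echo unauthorized; return 1 ;;
        2??)     if is_pdf "$body"; then echo ok; return 0; fi
                 echo not-pdf; return 1 ;;
        *)       echo error; return 1 ;;
    esac
}

# Render one report (the input-dashboard name) to $2.pdf; on any failure the
# temporary body is removed so no corrupt "PDF" is left behind.
fetch_report() {
    report="$1"; dest="$2"
    tmp="$(mktemp)"
    status="$(curl --silent --show-error --netrc --cacert "$SPLUNK_CA" \
        --output "$tmp" --write-out '%{http_code}' \
        "https://${SPLUNK_HOST}:8089/services/pdfgen/render?input-dashboard=${report}")" \
        || status=000
    if classify_response "$status" "$tmp" >/dev/null; then
        mv "$tmp" "${dest}.pdf"
    else
        echo "pdfgen ${report}: HTTP ${status}: $(head -c 200 "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    fetch_report "$1" "$2"   # e.g. user_account_unlocked /srv/reports/user_account_unlocked
fi
```

A cron job would run it as `sh fetch_report.sh user_account_unlocked /srv/reports/user_account_unlocked` and can rely on the non-zero exit status to alert instead of silently appending garbage.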
10-15-2019 02:52 PM
Oh, I finally figured it out. The previous admin had configured scripts on the remote share to pull the reports from the Splunk server - the Splunk server wasn't pushing the reports to the NFS share.
Thank you to richgalloway for the response.
10-15-2019 12:55 PM
I don't see any field where you enter an NFS mount. Do you specify a destination where you want the report to go at the end of the query string (as I've seen mentioned in some other related posts)?
Because this Splunk server is running on Windows and doesn't have a native NFS client, does the Splunk application handle the NFS communication?
10-15-2019 09:14 AM
A previous Splunk admin had some daily search reports in PDF format coming from the Splunk server (version 6.6.4 running on Windows 2012) being sent to a remote NFS file share on a Linux file server.
The NFS file share was moved to a different host, which broke sending the daily reports.
Fixing it should be easy: just edit the script that's sending the reports to the NFS share and point it to the new host, but I'm pretty new to Splunk and can't figure out where such a configuration might be.
Where would the normal location be for such a script to reside? Or how would that be configured within the Splunk GUI console?
Thanks in advance