Activity Feed
- Got Karma for Splunk Alert for specific time period. 06-05-2020 12:49 AM
- Karma Re: Does Enterprise Security automatically re-enable data model acceleration? for Lowell. 06-05-2020 12:47 AM
- Got Karma for How to create a report on Cisco ASA VPN Users including Username, VPN connection duration, Source IP, Start Time and End Time?. 06-05-2020 12:47 AM
- Posted Re: Splunk Alert for specific time period on Alerting. 04-25-2018 01:47 AM
- Posted Re: Splunk Alert for specific time period on Alerting. 04-25-2018 01:46 AM
- Posted Splunk Alert for specific time period on Alerting. 04-04-2018 12:47 AM
- Tagged Splunk Alert for specific time period on Alerting. 04-04-2018 12:47 AM
- Posted Solaris Configuration Change logs on All Apps and Add-ons. 03-06-2018 04:45 AM
- Tagged Solaris Configuration Change logs on All Apps and Add-ons. 03-06-2018 04:45 AM
- Posted Getting McAfee ESM logs to Splunk on Getting Data In. 09-19-2016 11:46 PM
- Posted Re: Cisco IPS SDEE - Configuration Changes Events on All Apps and Add-ons. 09-13-2015 12:03 PM
- Posted Re: Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder? on Getting Data In. 08-30-2015 11:51 PM
- Posted Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder? on Getting Data In. 08-30-2015 03:05 AM
- Tagged Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder? on Getting Data In. 08-30-2015 03:05 AM
- Posted Cisco IPS SDEE - Configuration Changes Events on All Apps and Add-ons. 08-13-2015 12:59 AM
Topics I've Started
04-25-2018 01:47 AM
have configured multiple alerts currently and wanted to find if it is possible in a single alert.
04-25-2018 01:46 AM
should run in realtime. And only on weekends and non-working hours.
04-04-2018 12:47 AM
1 Karma
Hi, does anyone know how to create a realtime alert which should trigger the alert only from Thursday 6PM to Sunday 6AM and any other day between 6PM to 6AM?
The search query will be something similar to the below.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 user="Administrator"
```

I need to get an alert if this particular event occurs between Thursday 6PM to Sunday 6AM and any other day between 6PM to 6AM.
Can this be done in a single alert or do we have to create multiple alerts with different cron schedules?
Looking forward to your suggestions.
Regards
Sajin
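As an added example (it is not part of the original post or of any reply in the thread), one way to keep this in a single alert is to filter on each event's own timestamp rather than on the cron schedule. The window "Thursday 6PM to Sunday 6AM, plus 6PM to 6AM on every other day" reduces to: any hour from 18:00 to 05:59 on any day, plus all of Friday and all of Saturday. The search below uses the index, sourcetype and event code from the post; it assumes `strftime` is evaluated in the timezone of the user who owns the alert (`%w` gives the weekday with 0 = Sunday, so 5 = Friday and 6 = Saturday).

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 user="Administrator"
| eval hour=tonumber(strftime(_time, "%H")), dow=tonumber(strftime(_time, "%w"))
| where hour>=18 OR hour<6 OR dow=5 OR dow=6
| table _time, host, user, EventCode
```

Save this as one real-time alert (or as a scheduled alert that runs every few minutes over the last few minutes). Outside the window the `where` clause returns no rows, so the alert simply does not fire; no second cron schedule is needed. The check: run it over the last 7 days with `| stats count by dow, hour` appended and confirm only hours 18-23 and 0-5, plus Friday and Saturday, appear.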
03-06-2018 04:45 AM
Hi, we have Solaris 11.3 and have installed the Splunk forwarder. Would like to know if anybody is aware how to get the audit logs from Solaris, as the Solaris 11 TA does not provide any scripts for the audit logs.
09-19-2016 11:46 PM
Hi All,
Have a requirement with a client that they are looking at integrating their existing McAfee ESM with Splunk ES. The requirement is as below.
The network devices/servers/applications will send the logs to ESM. From ESM, the logs have to be forwarded to Splunk. It can either be cooked or raw data, whichever is feasible. Has anyone had the chance to do a similar integration? Please let me know how to take it forward.
Regards
Sajin
- Tags:
- mcafee
- splunk-cloud
09-13-2015 12:03 PM
Cannot find any events. Would like to know if getting these events is possible.
08-30-2015 11:51 PM
Thanks for the response. I also want to use the timestamp inside the event, and the use of DATETIME_CONFIG=CURRENT was for testing. Below are the details of the syslog event which comes to the Splunk indexer via universal forwarder. In the event, the date and time come exactly after the IP address. The IP address is 172.5.41.12, the date is Aug 30 and the time is 10.18.43. Unfortunately the year is not in the event and Splunk detects the last bit of the IP, which is 12, as the year 2012.

```text
2012-08-30 13:18:44 08/30/2015 13:18:44 local 172.5.41.12 udp:514 linux_secure Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2
```
08-30-2015 03:05 AM
Hi,
We have configured SUSE Linux servers to send the syslogs to a Universal Forwarder. We found a very strange issue while the logs are indexed. Splunk is detecting the wrong year in the timestamp.
For example: if the Linux server IP is 172.20.41.11, Splunk detects the year in the timestamp as 2011. If the IP is x.x.x.12, it detects the year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects it as 2015.
I have tried to forward syslogs to the Splunk indexer directly instead of a universal forwarder and the timestamp is perfect. I tried to set DATETIME_CONFIG=CURRENT in props.conf on the indexer for the Linux source types, but still no luck when the logs are coming through the forwarder. Can someone help to find a solution?
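An added configuration example for the two SUSE timestamp posts above (it is not from the thread and not from the Splunk add-on). The sample event in the follow-up post shows two syslog headers in a row: `Aug 30 13:18:44 172.5.41.12` followed by the original `Aug 30 10:18:43 bccdb ...`. A Splunk UDP input prepends its own timestamp and the sender's address to every datagram unless told not to, and with a two-digit number following the timestamp the default timestamp recogniser can read the last octet as a year, which matches the symptom reported. Port 514 and sourcetype `linux_secure` are taken from the sample event; the stanza names are otherwise assumptions.

```ini
# inputs.conf on the universal forwarder that receives the SUSE syslog stream.
# Turning off the prepended "<timestamp> <host>" header removes the
# "Aug 30 13:18:44 172.5.41.12" prefix, so the event starts with the real
# syslog timestamp and the sender's IP is no longer adjacent to a timestamp.
[udp://514]
sourcetype = linux_secure
no_appending_timestamp = true

# props.conf on the indexer. Timestamp parsing for universal-forwarder data
# happens at the indexer (or a heavy forwarder), not on the universal
# forwarder itself, so this stanza must live where the data is parsed and
# must use the real sourcetype name of these events.
# Pinning the format and the lookahead stops the parser from reading past the
# seconds field, so an IP octet can no longer be taken as a two-digit year.
# With no year in the format, Splunk fills in the current year.
[linux_secure]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
```

After restarting both instances, send a test message and compare `_time` with the timestamp inside `_raw` (`| eval raw_ts=substr(_raw,1,15) | table _time, raw_ts`); the two should agree to the second, with the current year. The props.conf change alone is enough to correct the year, but dropping the duplicate header also keeps the indexed event identical to what the server actually sent, which is what you want when the data feeds security use cases.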
08-13-2015 12:59 AM
Hi,
We have a Cisco IPS for which we use Cisco Security Suite and the Splunk add-on for Cisco IPS to get the events using SDEE. We are getting the intrusion and vulnerability events. Is there a way with which we can get the configuration changes in IPS? We would like to get all the user/account changes and other configuration changes in IPS.
Regards
Sajin
07-14-2015 12:24 AM
Hi,
Has anyone configured Splunk to receive SNMP traps or poll attributes using SNMP?
I am trying to configure it using the SNMP modular input application without any luck. I have an IPS module on a Cisco ASA which supports only SNMP and would like to get the traps into Splunk. If anyone has configured it, please post it here.
Regards
Sajin
07-07-2015 02:28 AM
I did not try editing anything in the props and transforms. I have used the Splunk add-on for Cisco ASA, the Splunk add-on for Cisco ISE and the Cisco Networks Add-on. After that I changed the configuration on the data inputs page in Splunk. I have created UDP inputs with specific IP addresses and syslog ports and manually defined the source type. It has translated the source type for all the events to cisco:asa, cisco:ise:syslog and cisco:ios respectively, and I am able to get the Cisco apps working fine.
Please let me know if there will be any operational impact or technical difficulty in implementing Splunk ES with this kind of data input configuration.
Thanks a lot for the suggestions.
Regards
sajin
06-30-2015 11:11 PM
I was also thinking to do the below.

```ini
# transforms.conf: override the sourcetype based on the sending host.
# Dots in the address are escaped so the regex matches the literal IP.
[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

# props.conf: apply both transforms to everything arriving on the shared UDP input.
[source::udp:1026]
TRANSFORMS-set_sourcetype_sonicwall = set_sourcetype_ciscoasa, set_sourcetype_ciscoise
```

But still how do I move it to a different index?
I will try the first option given by @stephanefotso and if that doesn't help, will look at the latter.
Will update you all today.
Regards
Sajin
06-30-2015 01:40 AM
The above URL shows how to get data into Splunk, which is already done. The data is currently coming in as source=udp1026 and sourcetype=syslog.
What I require is:
1. Sourcetype for Cisco ASA logs to be changed to cisco:asa and moved to an index cisco_asa.
2. Sourcetype for Cisco ISE logs to be changed to cisco:ise:syslog and moved to an index cisco_ise.
Regards
Sajin
06-29-2015 10:44 PM
Hi,
I have Cisco ASA and Cisco ISE syslogs coming to Splunk on UDP port 1026. I would like to differentiate the sourcetype and index for both.
Cisco ASA logs' source type has to be changed to cisco:asa and moved to an index called cisco_asa.
Cisco ISE logs' source type has to be changed to cisco:ise:syslog and moved to an index called cisco_ise.
Please help to build the props and transforms for the above.
Regards
Sajin
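An added example covering both the original routing question and the partial transforms.conf in the follow-up post (it is not code from the thread or from the Cisco add-ons). The sourcetype override in the follow-up is half of the answer; the index is moved the same way, with a second transform per device whose `DEST_KEY` is `_MetaData:Index` and whose `FORMAT` is the bare index name. The host addresses 192.168.1.251 (ASA) and 192.168.1.250 (ISE) and the port are the ones given in the thread; the stanza names are assumptions.

```ini
# transforms.conf on the instance that parses udp:1026 (indexer or heavy
# forwarder; a universal forwarder does not run these). Dots are escaped so
# each regex matches the literal address rather than any character.
[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = cisco_asa
DEST_KEY = _MetaData:Index

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = cisco_ise
DEST_KEY = _MetaData:Index

# props.conf on the same instance: run all four transforms on the shared input.
# Both target indexes must already be defined in indexes.conf.
[source::udp:1026]
TRANSFORMS-route_cisco = set_sourcetype_ciscoasa, set_index_ciscoasa, set_sourcetype_ciscoise, set_index_ciscoise
```

After a restart, check with `index=cisco_asa sourcetype=cisco:asa | head 5` and `index=cisco_ise sourcetype=cisco:ise:syslog | head 5`, and confirm nothing from those two hosts still lands under `sourcetype=syslog`. Two caveats: the regex keys on the `host` field as Splunk sets it, so if the input resolves hosts to DNS names the pattern must match the name instead of the IP; and an index-time sourcetype override does not re-run the new sourcetype's own line-breaking and timestamp settings, only its search-time extractions. Giving each device its own UDP port with sourcetype and index set directly in inputs.conf, as the later post on this page does, avoids both issues and is the simpler design when the devices can be pointed at different ports.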
Hi,
We have a Cisco ASA which is sending syslog messages to Splunk for VPN traffic. I would like to know how to create a report with the following details:
Username, duration of the VPN connection, Source IP (public IP), start time and end time.
Has anyone created this report already? If yes, please share the search.
Regards
Sajin
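An added example search for the VPN report asked for above (not from the thread and not from the Splunk add-on for Cisco ASA). It relies on the ASA session-teardown message `%ASA-4-113019`, which carries the username, the peer address and the session duration in one line, so every field the report needs comes from a single event: the end time is the event time and the start time is the end time minus the duration. The index `cisco_asa` and sourcetype `cisco:asa` are the ones from the routing posts on this page; the field layout of 113019 (`Group = ..., Username = ..., IP = ..., Session disconnected. Session Type: ..., Duration: 0h:05m:03s, ...`) is as documented by Cisco as best I recall it and should be checked against a real event from your ASA version before the report is trusted. The IP in that message is the peer's address as seen by the ASA, which for remote-access VPN is the client's public address.

```spl
index=cisco_asa sourcetype="cisco:asa" "%ASA-4-113019"
| rex field=_raw "Username = (?<vpn_user>[^,]+), IP = (?<src_ip>[^,]+), Session disconnected\. Session Type: (?<session_type>[^,]+), Duration: (?<dur_h>\d+)h:(?<dur_m>\d+)m:(?<dur_s>\d+)s"
| eval duration_sec = tonumber(dur_h)*3600 + tonumber(dur_m)*60 + tonumber(dur_s)
| eval start_epoch = _time - duration_sec, end_epoch = _time
| sort - end_epoch
| eval start_time = strftime(start_epoch, "%Y-%m-%d %H:%M:%S"), end_time = strftime(end_epoch, "%Y-%m-%d %H:%M:%S"), duration = tostring(duration_sec, "duration")
| table vpn_user, src_ip, session_type, start_time, end_time, duration
```

To validate the `rex` before scheduling, take one constructed line such as `%ASA-4-113019: Group = vpn-users, Username = jdoe, IP = 203.0.113.5, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:03s, Bytes xmt: 1234, Bytes rcv: 5678, Reason: User Requested` (sample values, not from the page) and confirm it yields `vpn_user=jdoe`, `src_ip=203.0.113.5` and `duration_sec=303`. Sessions that are still open have no 113019 event yet and therefore do not appear; if those must be shown, a second search on the session-start messages is needed, and `| rename` / `| where` on `vpn_user` can be appended to the search above to focus on specific accounts.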