Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ageld
ageld
Path Finder
Member since:
02-24-2011
06-05-2020
Community Statistics
| Posts | 35 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 12 |
| Member Since | 02-24-2011 |
Activity Feed
- Karma Re: I want to pass credentials for a Splunk search for elliotproebstel. 06-05-2020 12:49 AM
- Got Karma for Re: Splunk Add-on for Symantec Endpoint Protection stopped working when updating to Symantec Endpoint Protection v14. 06-05-2020 12:49 AM
- Got Karma for Re: Splunk Add-on for Symantec Endpoint Protection stopped working when updating to Symantec Endpoint Protection v14. 06-05-2020 12:49 AM
- Got Karma for Microsoft DNS debug logs. Massaging log format.. 06-05-2020 12:46 AM
- Got Karma for Re: Could someone provide some tips and tricks to configure Splunk for BlueCoat application?. 06-05-2020 12:45 AM
- Got Karma for Re: Could someone provide some tips and tricks to configure Splunk for BlueCoat application?. 06-05-2020 12:45 AM
- Got Karma for Could someone provide some tips and tricks to configure Splunk for BlueCoat application?. 06-05-2020 12:45 AM
- Got Karma for Re: Details on how to configure Ironport for E-Mails to log to Splunk. 06-05-2020 12:45 AM
- Got Karma for Re: UTC to Local Time zone conversion on the fly. Splunk for Bluecoat. 06-05-2020 12:45 AM
- Got Karma for UTC to Local Time zone conversion on the fly. Splunk for Bluecoat. 06-05-2020 12:45 AM
- Got Karma for Re: Strange character escaping in eval and rex. 06-05-2020 12:45 AM
- Got Karma for Re: Strange character escaping in eval and rex. 06-05-2020 12:45 AM
- Got Karma for Strange character escaping in eval and rex. 06-05-2020 12:45 AM
- Posted Processing Microsoft multi-factor authentication server logs on Deployment Architecture. 05-13-2019 08:51 AM
- Tagged Processing Microsoft multi-factor authentication server logs on Deployment Architecture. 05-13-2019 08:51 AM
- Posted Re: TA for Symantec Endpoint Protection (syslog): "Bad regex value...two named subpatterns have the same name" on All Apps and Add-ons. 11-28-2018 11:01 AM
- Posted Re: TA for Symantec Endpoint Protection (syslog): "Bad regex value...two named subpatterns have the same name" on All Apps and Add-ons. 11-28-2018 10:56 AM
- Posted Re: I want to pass credentials for a Splunk search on Security. 10-04-2018 02:54 PM
- Posted Re: Splunk Cisco UCS Add-On missing navbar and non-functioning UI since upgrade to Splunk 7.x on All Apps and Add-ons. 03-21-2018 10:20 AM
- Posted Re: Splunk Cisco UCS Add-On missing navbar and non-functioning UI since upgrade to Splunk 7.x on All Apps and Add-ons. 03-19-2018 05:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
05-13-2019
08:51 AM
I am injecting logs from Microsoft multi-factor authentication server. Unfortunately, the log entries are rather inconsistent. Here is the example of logs depicting successful SMS-based authentication in reverse chronological order
May 13 11:12:54 server01 pfsvc: i|pendingSmses|updateSmsResult|#25c50ee6-d8fa-4725-96dd-dc7be580fadf|Updated authentication result. Call status: SUCCESS_SMS_AUTHENTICATED - SMS Authenticated
May 13 11:12:17 server01 pfsvc: Pfauth failed for user 'user1.lastname@mydomain.com' from 184.152.232.200. Call status: SUCCESS_SMS_SENT - "One-way SMS Sent".
As you can see the username and IP address is listed on one line and the result of the authentication is on the other. How can I build correlation between usernames and authentication results? I am not sure if my idea of stitching lines together with different LINE BREAKER in props.conf is a good one, since there are other non-authentication related log entries, which such approach may screw up.
Please, advise. Your suggestions will be greatly appreciated.
... View more
- Tags:
- splunk-enterprise
11-28-2018
11:01 AM
Thanks a lot!
... View more
11-28-2018
10:56 AM
It has been a long while. I am not sure how exactly I fixed the issue. This is the statement I have now:
REGEX = (?:[[sep_file_preifx]])Site:\s(?P[[sep_file_field]]),\s*(?P[[sep_file_field]]),\s*(?P[[sep_file_field]]),\s*(?P[[sep_file_field]]),\s*(?P[[sep_file_field]]),\s*(?P[[sep_file_field]]),\s*(?P[[sep_file_field]])
It does not error out.
... View more
03-21-2018
10:20 AM
I am experiencing the same issue. Does anyone know how it can be fixed?
... View more
03-19-2018
05:14 AM
I have the same issue. How can we reach the developers of the app?
... View more
12-20-2017
11:23 AM
There was a method to pass user credentials to a "splunk search" command. I want to execute it from within bash script. If I recall it properly there was something like
-user
-password
flags. I cannot find mentioning of those parameters in the syntax of "splunk search" command anymore. Is there a method to do that?
Thanks!
... View more
11-07-2017
01:09 PM
2 Karma
Does Splunk Add-on for Symantec Endpoint Protection work on version 7.0?
I am facing the same issue as flynhi66. We have been using "TA for Symantec Endpoint Protection ". After we upgraded to version 14 of SEP, field extraction stopped working for "symantec:ep:risk:syslog" sourcetype. However, it still works for "symantec:ep:agt:system:syslog", symantec:ep:behavior:syslog, and "symantec:ep:scan:syslog" sourcetypes.
Unfortunately, I could not find where the problem can be fixed. Not a single field for that sourcetype is being extracted. I will greatly appreciate any help regarding this matter.
Thank you.
... View more
11-07-2017
12:52 PM
Could you, please, elaborate more on this answer? Could you paste the actual REGEX here?
I could not fix the issue by placing (?J) after REGEX =
Thank you.
... View more
11-02-2017
12:04 PM
Has anyone successfully accomplished the integration between Quest (Dell) ChangeAuditor and Splunk? I would love to be able to send ChangeAuditor logs to Splunk.
Thank you!
... View more
02-07-2012
11:02 AM
I am having the same issue. On the Universal forwarder (Windows host) I have configured the following in $SPLUNK_HOME/etc/system/local/props.conf:
[sourcetype::DNSSrvLog]
SEDCMD-dns_name = s/((\(\d+\))/./g
and logs appeared not changed on the indexer
I tried different REGEXes. The one above. The ones below:
s/(\(\d+\))/./g
s/(\(\d+\))/./g
s/\(\d+\)/./g
s/(\d+)/./g
None of that worked. Any assistance will be appreciated.
... View more
01-04-2012
12:20 PM
1 Karma
I have sending DNS debug log from forwarder on Windows 2003 to Splunk indexer:
The DNS names in the log appear like this:
(3)dns(8)msftncsi(3)com(0)
(3)www(16)google-analytics(3)com(0)
I would like they to appear as:
dns.msftncsi.com
www.google-analytics.com
I want prepending (\d+) to be replaced with nothing and the other ones to be replaced with dots except the trailing one.
I've figured out how to extract DNS names from the logs:
(?i)] \w+\s+(?P (.+))
I found a way to rid of (\d+) stuff with the following statements in search: sourcetype="DNSDebugLog" | eval dns_name=replace(dns_name,"(\d+)",".") | eval dns_name=replace(dns_name,"^.","") | table dns_name
but I do not want those to appear in the log at all. I want to replace those on the forwarder before the logs are sent to the indexer
... View more
- Tags:
- search
01-04-2012
09:15 AM
I can get rid of (\d+) stuff with the following statements in search:
sourcetype="DNSDebugLog" | eval dns_name=replace(dns_name,"(\d+)",".") | eval dns_name=replace(dns_name,"^.","") | table dns_name
but I do not those to appear in the log at all. I want to replace those on the forwarder before the logs are sent to the indexer
... View more
01-04-2012
08:57 AM
Mannyi31, have you figured out how to get rid of (\d+) in dns names of debug file log entries:
(3)dns(8)msftncsi(3)com(0)
(3)www(16)google-analytics(3)com(0)
I would like they to appear as:
dns.msftncsi.com
www.google-analytics.com
I want prepending (\d+) to be replaced with nothing and the other ones to be replaced with dots except the trailing one.
I've figured out how to extract DNS names from the logs:
(?i)] \w+\s+(?P (.+))
but I am puzzled how to do post-processing to get rid of those numbers in parenthesis. My guess it has to be done in transforms.conf file.
... View more
Finally, it is solved.
The following steps are to configure Splunk for Cisco Ironport EMail Security application:
On the Ironport :
-- System Admininstration -> Log Subscriptions
-- Create a subscription with log type: "IronPort Text Mail Logs" with log level "Information". Send log to a syslog server using "SyslogPush". I run separate syslog daemon on Splunk server, which logs into files.
On Splunk server:
-- Create the following inputs.conf file in /etc/apps/Splunk_CiscoIronportEmailSecurity/local directory:
[monitor:///var/log/ ]
disabled = false
followTail = 0
sourcetype = cisco_esa
Some searches I found useful.
Find e-mails encrypted by TLS:
sourcetype="cisco_esa" | transaction maxspan=180s keepevicted=true mid dcid icid | search "TLS success" | eval mailto=lower(mailto) | eval mailfrom=lower(mailfrom) | stats count by mailto mailfrom | accum count AS Total | sort -Total mailto | table mailfrom mailto count Total
Find e-mails not encrypted by TLS:
sourcetype="cisco_esa" | transaction maxspan=180s keepevicted=true mid dcid icid | search "STARTTLS command not supported" | eval mailto=lower(mailto) | eval mailfrom=lower(mailfrom) | stats count by mailto mailfrom | accum count AS Total | sort -Total mailto | table mailfrom mailto count Total
... View more
07-13-2011
07:44 AM
1 Karma
Fantastic answer!!! Thanks a lot, gkanapathy!
... View more
07-07-2011
11:41 AM
1 Karma
I somewhat solved the issue by putting "." character after mydomain and putting "^" character in the beginning of the string. Here is the search:
source="/var/log/iis" myserver.mydomain.com | eval username=lower(username) | eval username=replace(username,"^mydomain.","") | stats count by username | sort -count
Though it does work, it is not elegant solution, since it will remove a user "client1" if it exists in AD. Splunk developers PLEASE address the issue of escaping a backslash in search string. I BEG YOU...
... View more
07-07-2011
11:11 AM
How you defined the data input for this log? Splunk reading a local log Squid log file? If that's the case under: <splunk_directory>/etc/apps/<Splunk_for_squid>/local directory modify file inputs.conf :
[monitor:///var/log/<snortlogfilename>]
disabled = false
followTail = 0
sourcetype = squid
... View more
07-07-2011
10:55 AM
1 Karma
I am breaking my head over this.
Sometimes our users login to our web application using username: "myuser" or "mydomain\myuser". It screws up the results for "stats", because myuser and mydomain\myuser are taken as two different users. I need to remove "mydomain\" string from the username. Here is what I am doing:
Search:
source="/var/log/iis" myserver.mydomain.com | eval username=lower(username) | eval username=replace(username,"mydomain\\\\","") | stats count by username | sort -count
gets broken with error message, because splunk thinks that I am escaping double quotes, instead of \ sign.
When I take "\" out of the statement:
source="/var/log/iis" myserver.mydomain.com | eval username=lower(username) | eval username=replace(username,"mydomain","") | stats count by username | sort -count
it returns:
\\myuser
myuser
How can I get rid of the damn backslash???? I am surprised that splunk matches from the right side instead of from the left. Statement "\\" should escape \ sign and not double quotes.
Same thing happens if I try to extract "myuser" from the username with rex:
rex field=_raw "^client\\\\(?<user>.*)"
It gets broken thinking that I am escaping the parenthesis.
Very strange and very frustrating.
It would be nice if Splunk developers included "chr(ascii-code)" command, when any character in the search string could be replaced with ASCII code at places, where the escaping nonsense happens.
... View more
- Tags:
- search
05-05-2011
09:34 AM
No, I could not find a way to push Transaction logs from Ironport devices to Splunk. When I turn transaction logging on, I can query stuff right on the Ironport box, but I have not find a way to send those logs either as flat file or as syslog messages to Splunk. I will open ticket with Ironport support. I will update this post if I make this whole thing work.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
