If my enterprise AD admins will not allow Splunk Agent on DCs, is DNS Debug logging and Windows Event Forwarding my only option?  Do you have any reference/suggestions regarding this configuration?  Additionally, and read on the article, it seems Stream is the preferred implementation and not DNS Debug. Can you elaborate as to why? Thank you much in advance. ... View more

Thank you very much for the answer ... View more

Thanks a lot! ... View more

Has anyone successfully accomplished the integration between Quest (Dell) ChangeAuditor and Splunk? I would love to be able to send ChangeAuditor logs to Splunk. Thank you! ... View more

Recently read an article covering that very topic. The following answers were found about 1/3 of the way down the following webpage: http://stratumsecurity.com/2012/07/03/splunk-security/ The following rex was suggested to clean up the domain name: index="win_dns" imap | rex mode=sed "s/\(\d+\)/./g" Domain name field extraction was suggested with this regex: (?i) .*? \.(?P[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}) ... View more

Fantastic answer!!! Thanks a lot, gkanapathy! ... View more

I had same issue with dvc_ip and src_ip that need to be switched. But to log the destination IP addresses of web traffic, shouldn't be with the field r-ip instead sc-ip ? ... View more

On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input. (DHCP, windows update, wmi, etc) If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer. If you're using a heavy forwarder, then you do the same thing. Specify the input, and sourcetype. Build a props entry based on the source type, and build a transforms entry based on the TRANSFORMS field. On the indexer, the props/transforms are in etc\system\local You do need to add an entry for every unique sourcetype. ... View more

Where do you tell it to look for the "/var/log/xx" on a Windows deployed Splunk> server? ... View more

The free license simply has no authentication at all. I suspect that those comments in server.conf are wrong, or things got confused at some point. At any rate on the free license there is no "login" to allow or disallow. That said, I don't see why you would want to use the free license on a forwarder. Use the forwarder license and make sure that your forwarder isn't indexing any significant data. Is there a downside? ... View more

That appears incorrect. Those settings are telling Splunk that the time being reported by those sources are in UTC, but you are telling us that the correct TZ for those servers is EST. After Splunk understands the correct TZ of the time being logged, the times are converted automatically to UTC and recorded with each event as _time. The client then pulls _time at search time and converts it to the TZ you set in your profile. If the server reports in EST and you tell Splunk that it is really UTC (+0 offset), then it is recorded without any changes. If your client is set to UTC, then the time is displayed exactly as it was recorded (again +0 offset) .. in EST even though your profile is set to UTC. It only appears to work because you are using two +0 offsets in a row to display time logged in the same TZ as you. Splunk clients set to any other TZ will produce incorrect times, and technically even your UTC client displays incorrectly because it is showing EST instead of UTC. Setting your client to EST will likely show +10 offset somewhere in the Pacific Ocean, because it will offset +5 from your EST time as if it were the UTC time. ... View more