Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dfronck
dfronck
Communicator
Member since:
03-13-2013
02-25-2021
Community Statistics
| Posts | 68 |
| Solutions | 4 |
| Karma Given | 44 |
| Karma Received | 52 |
| Member Since | 03-13-2013 |
Activity Feed
- Got Karma for Re: Mac OS client logs into splunk. 10-07-2020 07:03 AM
- Posted Remote Work Insights Executive Dashboard - Improvements on All Apps and Add-ons. 08-27-2020 04:22 AM
- Karma watchdog - No response received from IMonitoredThread=0x7fc110de6b90 within 8000 ms. for kpkeimig. 06-05-2020 12:50 AM
- Karma Re: How come the comment "macro" is not working? for dflodstrom. 06-05-2020 12:50 AM
- Karma Re: Why am I getting the following Http Event Collector (HEC) errors?: {"text":"Invalid token","code":4} for sylim_splunk. 06-05-2020 12:50 AM
- Karma Re: Poor ldapsearch performance - SA-ldapsearch app for datasearchninja. 06-05-2020 12:49 AM
- Karma Re: Poor ldapsearch performance - SA-ldapsearch app for rkantamaneni_sp. 06-05-2020 12:49 AM
- Karma Re: How to resolve timestamp and line processing issues in pdfgen.log ? for MuS. 06-05-2020 12:49 AM
- Karma Can you update the Splunk manifest so that it will not throw warnings about it being modified? for klopez30. 06-05-2020 12:49 AM
- Karma McAFee DLP logs into splunk. for agcorreia_asml. 06-05-2020 12:49 AM
- Got Karma for Re: Sending McAfee Epo 5.3.2 Logs via Syslog to Splunk...is there an AddOn?. 06-05-2020 12:49 AM
- Got Karma for Re: Poor ldapsearch performance - SA-ldapsearch app. 06-05-2020 12:49 AM
- Got Karma for Re: Can you update the Splunk manifest so that it will not throw warnings about it being modified?. 06-05-2020 12:49 AM
- Got Karma for Re: Can you update the Splunk manifest so that it will not throw warnings about it being modified?. 06-05-2020 12:49 AM
- Got Karma for Re: Can you update the Splunk manifest so that it will not throw warnings about it being modified?. 06-05-2020 12:49 AM
- Karma Re: What is the best way to remove local config in a Search Head Cluster? for jkat54. 06-05-2020 12:48 AM
- Karma Re: After upgrading deployment server to 6.5.1, "busyKeepAliveIdleTimeout...Consider raising timeout value" warning displays. Which configuration file do I edit to raise the timeout value? for jeremycarterdhs. 06-05-2020 12:48 AM
- Karma Re: Slow splunkweb startup caused by splunk_instrumentation for michaell_splunk. 06-05-2020 12:48 AM
- Karma Mac OS X Sierra - How to get all logs from the Unified Log database? for managed_securit. 06-05-2020 12:48 AM
- Got Karma for Re: Mac OS X Sierra - How to get all logs from the Unified Log database?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 0 |
08-27-2020
04:22 AM
In v9.1, Palo Alto Networks updated their log format for GlobalProtect and the data model has also changed so the RWI dashboard no longer see these logs. Also, can you add Region/State to the VPN dash board? I added it to mine and it's really helpful in the US where every state has a Lincoln.
... View more
03-23-2020
07:42 AM
I don't currently have a mac to test with and I'm not a Mac guy but something like this might work.
Add this to /etc/sudoers to permit the splunk user to run log without a password.
splunk ALL = NOPASSWD: /path/to/log
Edit the uf_macintosh/bin/mac_log_monitor.sh and add sudo to the command.
FROM
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE
TO
sudo /path/to/log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE
Let me know how it goes!
... View more
09-16-2019
04:20 AM
1 Karma
Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.
My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html
#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE.
DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh # Setup the date file.
DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt # Setup the date file.
if [ ! -e "$DATE_FILE" ] # Does the date file exist.
then # No. date file does not exist.
if [ ! -e "$DATE_PATH" ]
then
mkdir $DATE_PATH
fi
date -v -1w +"%F %T" > $DATE_FILE # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi
START_DATE=`cat $DATE_FILE` # Set start date for log reading.
date +"%F %T" > $DATE_FILE # Set new start date for next run.
END_DATE=`cat $DATE_FILE` # Set end date for log reading.
# File with keywords to grep from logs.
INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf
# File with keywords to exclude from logs.
EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf
# Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []
# Should really have an if to check for the existance of include/exclude
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE
... View more
07-25-2019
04:18 PM
3 Karma
We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors.
sha256sum in installed on RHEL so we did this.
Get the new checksum.
Change the checksum in the manafest.
Validate.
Restart.
sha256sum /opt/splunk/share/GeoLite2-City.mmdb
c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 /opt/splunk/share/GeoLite2-City.mmdb
vi /opt/splunk/splunk-*-manifest
f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37
splunk validate files
Validating installed files against hashes from '/opt/splunk/splunk-*-manifest'
All installed files intact.
splunk restart
... View more
05-19-2019
05:29 AM
1 Karma
Your answer is just for Intrushield.
What jbrocks is talking about sending ALL logs from ePO using syslog.
KB87927 - How to set up an example syslog server for use with ePolicy Orchestrator
That post has guidance using ELK.
We are just getting started with this but we used RHEL w/TLS rsyslog and it works fine.
We, like jbrocks, just need to read and parse the text file now.
I think this is what we need Splunk to add support for. I know, I know, open an enhancement ticket. See you in a couple of years.
... View more
I ended up kludging a pretty generic scripted input that.
Runs the log show command from start_date to end_date.
Greps what you want using an include file.
Greps out stuff with an exclude file.
tar-zipped TA
... View more
01-07-2019
06:38 PM
Sorry I can't help other than to say that upgrading from 6.6.3 to 6.6.4 fixed it for us. Now we're on 7.1.4 with a whole bunch of new issues!
... View more
09-20-2018
04:31 AM
If you're talking about having the Inputs pull the data again, the checkpoint info is stored here $SPLUNK_HOME/var/lib/splunk/modinputs/sfdc_object.
You can go there and delete the individual directories/files or just the ones you want to reset.
... View more
07-30-2018
01:25 PM
I tested this without the ctypes part and one of our daily asset queries is back to one minute instead of +30 minutes. Thanks Colin!
... View more
07-26-2018
08:59 AM
The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query.
Probably start here and do a bunch of joins to fill in the data.
| dbquery "McAfee_ePO_5" "SELECT * FROM UDLP_Incidents" limit=1000
... View more
11-07-2017
06:44 AM
We didn't seem to have this issue before we upgraded from 6.6.1 to 6.6.3. Maybe it was an issue but not as bad but I'm pretty sure this is new with 6.6.3.
There are no errors in the logs. In debug, I can see that the file rotates and splunk keeps looking at the .log.1 file descriptor and never changing offset.
I did some more testing. Configured splunk to monitor .log*. It still just looks at the old .log.1 file. It doesn't seem to care about the brand new .log file that's getting a ton of new data! It doesn't seem to be monitoring the directory for changes.
Anyway, the current work around that guarantees a consistent loss of data is to use copytruncate. Splunk keeps monitoring the same file so I don't lose a ton of logs anymore, just the 3 seconds that occur when the file gets truncated before splunk has re-read the new logs.
... View more
11-06-2017
10:23 AM
I enabled debug for these 3 process and found what I suspected.
Splunk keeps monitoring the old log file even though there's a new /logs/file.log and the old file has been renamed to /logs/file.log.1.
It keeps using the old file descriptor and offset until you restart splunk.
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd.
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd.
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500
11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991598
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000
11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms
11-06-2017 13:06:41.385 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'.
11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0
11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0
11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread
11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd.
11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500
11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991601
11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000
11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000
11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms
11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'.
11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'.
11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0
11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0
11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread
11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread
11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd.
11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log').
11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500
11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604
11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604
11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000
11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms
11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'.
11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'.
category.TailingProcessor=DEBUG
category.WatchedFile=DEBUG
category.TailReader=DEBUG
... View more
11-06-2017
05:07 AM
We log just about everything to syslog and have Splunk read the syslog files. This has been working forever until we upgraded from 6.6.1 to 6.6.3.
Now, when syslog rolls a file, splunkd doesn't start reading the new file until we restart spunk.
/logs/file.log rolls to /logs/file.log.1
The new file is /logs/file.log
Splunk doesn't read either of those until the restart.
Anyone else seeing this?
... View more
11-06-2017
04:55 AM
1 Karma
This is a known issue in v2 and has been for 2 years. Can't see it ever getting fix.
2015-12-4 TAG-9567 After you upgrade from version 1.x to version 2.x of the add-on, the custom commands (ldapsearch,
ldapfetch, ldapfilter, ldapgroup, ldaptestconnection) are slower.
The only "solution" is to roll back to v1. (Not a good solution.)
... View more
09-19-2017
08:57 AM
I think they just used the Universal Forwarder. The first line of the install instructions says this.
Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens.
... View more
06-21-2017
04:41 AM
I downvoted this post because use tcpsendbufsz so you don't have to edit the registry. tcpsendbufsz was introduced after the initial answer.
... View more
12-23-2015
08:01 AM
1 Karma
Seriously?
The "fix" is to manually install this on all my indexers and then manually configure it?
I assume I can't use the master node to push this out because of the way the app handles passwords.
The doc still says...
Where to install it
The Splunk Supporting Add-on for Active Directory can be installed on a search head or a heavy forwarder.
It does not perform any function when you install it on an indexer or universal forwarder.
This method of installation is valid for both single-instance and distributed environments.
... View more
10-06-2015
12:06 PM
So I think that you shouldn't have to restore the RB but you'll get errors if you don't. (I think that's a bug but I'm not sure and since I restored all my data already, it doesn't matter to me anymore.)
More info at thawing-data-in-an-indexer-clustering-environment
I used it and it worked for me but USE AT YOUR OWN RISK!!!
I have this script on all of my indexers and yes, it does time out if it runs for too long.
restore_buckets.sh
#!/bin/bash
# This script will copy frozen indexes to the thaweddb and restore them.
# The user will be prompted for index, start time and end time.
# The user will be prompted to list files to restore or restore.
echo -n "$(tput setaf 2)$(tput bold)"
echo -n "Enter the index you need to restore :$(tput setaf 7) "
read index
echo -n "$(tput setaf 2)$(tput bold)"
echo -n "Enter the start time in epochtime :$(tput setaf 7) "
read startTime
echo -n "$(tput setaf 2)$(tput bold)"
echo -n "Enter the end time in epochtime :$(tput setaf 7) "
read endTime
echo " $(tput bold)"
echo " $(tput setaf 2)Restoring : $(tput setaf 7)$index"
echo " $(tput setaf 2) From : $(tput setaf 7)`date -d @$startTime +\"%Y-%m-%d %H:%M:%S\"`"
echo " $(tput setaf 2) Through : $(tput setaf 7)`date -d @$endTime +\"%Y-%m-%d %H:%M:%S\"`"
#echo " $(tput setaf 2)File Count : $(tput setaf 7)`ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime \
##
## Added to fix awk problem when underscores are in the index name.
cd $SPLUNK_DB/$index
echo " $(tput setaf 2)File Count : $(tput setaf 7)`ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime \
'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' | wc -l`"
echo " $(tput setaf 2)"
echo -n "List files [y/n]: $(tput setaf 7)"
echo -n " $(tput sgr0)"
read listFiles
if [ "$listFiles" != "n" ]; then
echo "Start $(tput setaf 2)End$(tput setaf 7) File"
# ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} { "date -d @"$2 " +\"%Y-%m-%d %H:%M:%S\"" \
##
## Added to fix awk problem when underscores are in the index name.
ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} { "date -d @"$2 " +\"%Y-%m-%d %H:%M:%S\"" \
| getline ET ; "date -d @"$3 " +\"%Y-%m-%d %H:%M:%S\"" | getline ST } $2 <= et && $2 >= st \
{printf("%s\t\033[32m%s\033[0m\t%s_\033[32m%s\033[0m_%s_%s_%s\n",ST,ET,$1,$2,$3,$4,$5)}' | sort -k3
fi
echo "$(tput bold)"
echo "$(tput setaf 2)This will copy file from $(tput setaf 1)$index/frozendb $(tput setaf 2)to $(tput setaf 1)$index/thaweddb."
echo
echo -n "$(tput setaf 2)Enter $(tput setaf 3)\"c\" $(tput setaf 2)to begin copying files. Any other input will skip this step. : $(tput setaf 3)"
read startCopy
if [ "$startCopy" == "c" ]; then
echo "$(tput setaf 3)Copying files."
# ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' \
##
## Added to fix awk problem when underscores are in the index name.
ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' \
| xargs -I BUCKET /bin/cp -r BUCKET thaweddb
echo "$(tput setaf 7)Done."
fi
echo
echo -n "$(tput setaf 2)Enter $(tput setaf 3)\"r\" $(tput setaf 2)to begin the restore. Any other input will skip this step. : $(tput setaf 3)"
read doRestore
# The splunk restore command always generates the USAGE message and 2 other line. Send this to dev null.
# The problem with that is you won't see the results of the restore.
if [ "$doRestore" == "r" ]; then
echo "$(tput setaf 3)Starting restore."
# ls -dA $SPLUNK_DB/$index/thaweddb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $1"_"$2"_"$3"_"$4"_"$5}' \
##
## Added to fix awk problem when underscores are in the index name.
ls -dA thaweddb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $1"_"$2"_"$3"_"$4"_"$5}' \
| xargs -I BUCKET --max-procs=10 $SPLUNK_HOME/bin/splunk rebuild BUCKET 2>/dev/null
echo "$(tput setaf 7)Restore complete. Splunk needs to be restarted."
echo
fi
echo "$(tput setaf 7)$(tput sgr0)"
... View more
10-06-2015
11:39 AM
I down-voted this because it really didn't have much to do with my question.
While it might a good idea, it doesn't consider a lot of issues that would come up. Off the top of my head, here's a couple of stopper issues for me. I'd have to copy terabytes of data from 7 indexers to a spare, multi-terabyte server that I really don't have.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-25-2021
07:52 AM
|
Karma given to
