@RDAVISS That search doesn't work if you have the Splunk_SA_CIM installed because "action" will never equal "login attempt" [audittrail] EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action) EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app) Try it without action= index=_audit "login attempt" "info=succeeded"   ... View more

We get these too but only when the add-on first starts. Then it seems like everything line breaks correctly. The suggested props config did not fix this for us.  ... View more

I don't currently have a mac to test with and I'm not a Mac guy but something like this might work. Add this to /etc/sudoers to permit the splunk user to run log without a password. splunk ALL = NOPASSWD: /path/to/log Edit the uf_macintosh/bin/mac_log_monitor.sh and add sudo to the command. FROM log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE TO sudo /path/to/log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE Let me know how it goes! ... View more

Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin. My answer here has a tar file that contains the script. https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html #!/bin/bash # Usage: ./mac_log_monitor.sh # Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE. DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh # Setup the date file. DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt # Setup the date file. if [ ! -e "$DATE_FILE" ] # Does the date file exist. then # No. date file does not exist. if [ ! -e "$DATE_PATH" ] then mkdir $DATE_PATH fi date -v -1w +"%F %T" > $DATE_FILE # Set start date to -1 week to get old logs. Redeploying overwrites this. fi START_DATE=`cat $DATE_FILE` # Set start date for log reading. date +"%F %T" > $DATE_FILE # Set new start date for next run. END_DATE=`cat $DATE_FILE` # Set end date for log reading. # File with keywords to grep from logs. INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf # File with keywords to exclude from logs. EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf # Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything. #log show --predicate [] --style syslog --start [] --end [] --info --last [] # Should really have an if to check for the existance of include/exclude log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE ... View more

We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors. sha256sum in installed on RHEL so we did this. Get the new checksum. Change the checksum in the manafest. Validate. Restart. sha256sum /opt/splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 /opt/splunk/share/GeoLite2-City.mmdb vi /opt/splunk/splunk-*-manifest f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 splunk validate files Validating installed files against hashes from '/opt/splunk/splunk-*-manifest' All installed files intact. splunk restart ... View more

Your answer is just for Intrushield. What jbrocks is talking about sending ALL logs from ePO using syslog. KB87927 - How to set up an example syslog server for use with ePolicy Orchestrator That post has guidance using ELK. We are just getting started with this but we used RHEL w/TLS rsyslog and it works fine. We, like jbrocks, just need to read and parse the text file now. I think this is what we need Splunk to add support for. I know, I know, open an enhancement ticket. See you in a couple of years. ... View more

I ended up kludging a pretty generic scripted input that. Runs the log show command from start_date to end_date. Greps what you want using an include file. Greps out stuff with an exclude file. tar-zipped TA ... View more

Sorry I can't help other than to say that upgrading from 6.6.3 to 6.6.4 fixed it for us. Now we're on 7.1.4 with a whole bunch of new issues! ... View more

If you're talking about having the Inputs pull the data again, the checkpoint info is stored here $SPLUNK_HOME/var/lib/splunk/modinputs/sfdc_object. You can go there and delete the individual directories/files or just the ones you want to reset. ... View more

The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query. Probably start here and do a bunch of joins to fill in the data. | dbquery "McAfee_ePO_5" "SELECT * FROM UDLP_Incidents" limit=1000 ... View more

We didn't seem to have this issue before we upgraded from 6.6.1 to 6.6.3. Maybe it was an issue but not as bad but I'm pretty sure this is new with 6.6.3. There are no errors in the logs. In debug, I can see that the file rotates and splunk keeps looking at the .log.1 file descriptor and never changing offset. I did some more testing. Configured splunk to monitor .log*. It still just looks at the old .log.1 file. It doesn't seem to care about the brand new .log file that's getting a ton of new data! It doesn't seem to be monitoring the directory for changes. Anyway, the current work around that guarantees a consistent loss of data is to use copytruncate. Splunk keeps monitoring the same file so I don't lose a ton of logs anymore, just the 3 seconds that occur when the file gets truncated before splunk has re-read the new logs. ... View more

I enabled debug for these 3 process and found what I suspected. Splunk keeps monitoring the old log file even though there's a new /logs/file.log and the old file has been renamed to /logs/file.log.1. It keeps using the old file descriptor and offset until you restart splunk. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991598 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:41.385 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991601 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. category.TailingProcessor=DEBUG category.WatchedFile=DEBUG category.TailReader=DEBUG ... View more

I think they just used the Universal Forwarder. The first line of the install instructions says this. Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens. ... View more

You should mark this as answered. ... View more