Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About banaie
banaie
Path Finder
Member since:
02-26-2017
05-23-2021
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 02-26-2017 |
Activity Feed
- Posted Re: Archiver - Reporting reporting messages regarding ops.json on Getting Data In. 05-23-2021 06:54 AM
- Posted Re: Splunk Stream Start Error on Ubuntu 18.04 on All Apps and Add-ons. 09-29-2020 05:42 AM
- Posted Re: Splunk Stream Start Error on Ubuntu 18.04 on All Apps and Add-ons. 09-15-2020 06:58 AM
- Posted Splunk Stream Start Error on Ubuntu 18.04 on All Apps and Add-ons. 07-10-2020 10:07 AM
- Tagged Splunk Stream Start Error on Ubuntu 18.04 on All Apps and Add-ons. 07-10-2020 10:07 AM
- Tagged Splunk Stream Start Error on Ubuntu 18.04 on All Apps and Add-ons. 07-10-2020 10:07 AM
- Posted Re: Use OSSEC archives.log to collect logs of different systems on Getting Data In. 06-26-2020 08:15 AM
- Posted Re: Use OSSEC archives.log to collect logs of different systems on Getting Data In. 06-26-2020 07:29 AM
- Posted Use OSSEC archives.log to collect logs of different systems on Getting Data In. 06-26-2020 04:29 AM
- Posted Re: Ossec sent windows and linux logs are not correctly indexed on Splunk Enterprise Security. 06-17-2020 01:08 PM
- Tagged Re: Ossec sent windows and linux logs are not correctly indexed on Splunk Enterprise Security. 06-17-2020 01:08 PM
- Karma Re: Ossec sent windows and linux logs are not correctly indexed for richgalloway. 06-17-2020 12:59 PM
- Karma Re: Ossec sent windows and linux logs are not correctly indexed for woodcock. 06-17-2020 12:59 PM
- Karma Hunk Trial version? for Harishma. 06-05-2020 12:48 AM
- Posted Ossec sent windows and linux logs are not correctly indexed on Splunk Enterprise Security. 04-11-2020 11:08 AM
- Tagged Ossec sent windows and linux logs are not correctly indexed on Splunk Enterprise Security. 04-11-2020 11:08 AM
- Tagged Ossec sent windows and linux logs are not correctly indexed on Splunk Enterprise Security. 04-11-2020 11:08 AM
- Posted Re: 7.1 Streamfwd fails to configure service on ubuntu on All Apps and Add-ons. 12-31-2019 02:42 AM
- Posted Re: How can I receive ipfix from YAF (Yet Another Flowmeter)? on All Apps and Add-ons. 02-27-2017 04:10 AM
- Posted How can I receive ipfix from YAF (Yet Another Flowmeter)? on All Apps and Add-ons. 02-26-2017 11:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-23-2021
06:54 AM
I have same problem! Is there any solution? TNX
... View more
09-29-2020
05:42 AM
TNX for all suggestions! I finally succeeded upgrading to new coming stream 7.3! The problem does not exist in that version! Thanks again
... View more
09-15-2020
06:58 AM
@jraso TNX. But, it didn't work! Is there anything different about configTemplateName (splunk) from default?
... View more
07-10-2020
10:07 AM
Hi all I face a special problem on starting stream forwarder as a service on Ubuntu 18.04 (as dedicated mode) and it can not start unless I use this command: /opt/streamfwd/bin/streamfwd -D Using other start methods, I receive this error on streamfwd.log: 2020-07-10 20:02:11 INFO [140564408074944] (CaptureServer.cpp:452) stream.CaptureServer - Launch child process for dedicated capture mode 2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:490) stream.CaptureServer - Launch child process for restoring interfaces 2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:816) stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data 2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:822) stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui 2020-07-10 20:02:11 ERROR [139766768343360] (SnifferReactor/DpdkNetworkCapture.cpp:1308) stream.NetworkCapture - Error: basic_string::_S_construct null not valid 2020-07-10 20:02:11 FATAL [139766768343360] (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize 2020-07-10 20:02:11 INFO [140041836300608] (CaptureServer.cpp:622) stream.CaptureServer - kernel interfaces restored Have you any idea for resolving this problem? TNX
... View more
Labels
- Labels:
-
configuration
-
installation
-
troubleshooting
06-26-2020
08:15 AM
@richgalloway Unfortunately, as far as I know, there is no option for ossec to differentiate the log files. However, I thought Splunk should have some solution for this problem. Because, these events are events that are embedded into another event and I thought I can extract the event and provide a sourcetype and ask the default Splunk process to do the rest! Don't you have any proposition even for extracting a limited set of logs from this type of log?
... View more
06-26-2020
07:29 AM
@richgalloway Thanks for your reply. I wanna use OSSEC because it already is installed on the premise and I don't want to add another UF or HF on those systems! Moreover, It gives almost all the needed features and I just need to index it correctly! Thanks for the offer! I already has tested all of them and they only focus on alerts.log and do not have any solution for logs that are generated as raw on archives.log of the OSSEC. Isn't there any solution for applying those props for the new sourcetype configuration?
... View more
06-26-2020
04:29 AM
Hi all, I am trying to use OSSEC archives.log to collect logs of different systems. It can collect whatever you need from windows and Linux systems and gather them inside the archives.log file as a raw log for all. Then, I need to parse the file and assign correct sourcetypes and source and host variables to them. I tried using props.conf and transforms.conf to do this using available transformations. I have succeeded getting for example windows events a WinEventLog sourcetype using that method and it works correctly on assigning the sourcetype and trimming the event body from the original log file. However, the fields are not correctly extracted from that Windows Log. Sample archives.log of two windows and linux events are as follows: 2020 Jun 16 00:01:04 (E-Fl) 192.168.3.2->WinEvtLog 2020 Jun 16 00:01:00 WinEvtLog: Security: AUDIT_SUCCESS(4672): Microsoft-Windows-Security-Auditing: (no user): no domain: eFl: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-3960285484-3209917605-2958509563-1006 Account Name: t_apx Account Domain: EFL Logon ID: 0x133a050c7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
2020 Jun 16 00:01:06 (SE-Cloud) 192.168.9.194->/var/log/messages Jun 16 00:01:05 ccrtl13c snmpd[1204]: Connection from UDP: [192.168.9.202]:50515->[192.168.9.194]:161
2020 Jun 16 00:01:08 (FTP) 192.168.9.230->WinEvtLog 2020 Jun 16 00:01:05 WinEvtLog: System: WARNING(51): Disk: (no user): no domain: FTPPublic.serv.local: An error was detected on device \Device\Harddisk5\DR5 during a paging operation. my props.conf [ossec_archives]
TRANSFORMS-assignSourcetype = extractEvent, assignWinEvtLog
#,assignSyslog my transforms.conf ###### OSSEC_Archives ######
[extractEvent]
SOURCE_KEY = _raw
REGEX = WinEvtLog\s(.*)$
FORMAT = $1
DEST_KEY = _raw
#CLONE_SOURCETYPE = WinEventLog
[assignWinEvtLog]
#CLONE_SOURCETYPE = WinEventLog
REGEX = WinEvtLog:
DEST_KEY =MetaData:Sourcetype
FORMAT =sourcetype::WinEventLog
#[assignSyslog]
#REGEX = \s[WinEvtLog:].*$
#DEST_KEY =MetaData:Sourcetype
#FORMAT =sourcetype::syslog Can you please help me get the data in correctly and make default windows and linux add-ons extract the related fileds? Thanks
... View more
Labels
06-17-2020
01:08 PM
I found out that the problem was because of the Alienvault system I am using. It changes the log format to some customized format. I solved it using a new transforms.conf file that I managed to modify. A sample log was as follows: AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} NT SERVICE SQL Server Distributed Replay Client S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) Unavailable Unavailable [END]"; I put all the message into "Event" field into a separate field. However, it is a standard relevant windows event log. Is there anyway that I can use that field to create a new log in windows sourcetype to use the Splunk_TA_windows for extracting the fields? Thanks
... View more
04-11-2020
11:08 AM
Hi all,
I use splunk forwarder to read ossec alert logs and index them on splunk. I'm using all the latest versions. But, it only saves ossec logs as raw events and no field is extracted! As the ossec add-on is old, is there any way to make that work with new ossec versions to correctly index windows and Linux logs that are sent using the forwarder?
TNX
... View more
12-31-2019
02:42 AM
Unfortunately, it didn't work on streamfwd version 7.2 and ubuntu 18.04!
Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: Started Splunk Stream Dedicated Service.
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.317 INFO stream.CaptureServer - Launch child process for restoring interfaces
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.334 INFO stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.334 INFO stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.337 ERROR stream.NetworkCapture - Error: basic_string::_S_construct null not valid
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.339 FATAL stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to init
ialize
Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: streamfwd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: terminate called after throwing an instance of 'std::bad_alloc'
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: what(): std::bad_alloc
Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: streamfwd.service: Failed with result 'exit-code'.
... View more
02-27-2017
04:10 AM
I managed to solve the problem by inputting the server ip instead of localhost on the yaf config. However, I can't receive application labels and other deep packet information on the index.
Is there any approach for receiving all the information that yaf can provide?
... View more
02-26-2017
11:08 PM
Hi all,
I was trying to receive ipfix from YAF (Yet Another Flowmeter). I changed the yaf config to udp and I thought I would receive events perfectly. But, YAF says in the log file that the connection is refused! However, I have defined the datainput to receive IPFIX on the default 4739 port and it is listening perfectly.
Please help me on this.
Thanks a lot
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-23-2021
01:04 PM
|
