Hi you should just enable that input on your linux box inputs.conf. BUT there is issue if you are using other than local accounts on /etc/passwd (like AD or ldap authentication). This passwd.sh reads only events on /etc/passwd file nothing else. It's quite common that most of users are on LDAP or AD and they are authenticated and authorise against those directories. Then there is no information of those users on local server. Probably most linux shops (more than couple of servers) do it that way. Unfortunately Splunk_TA_nix didn't support currently anything else than local accounts. Basically you could try to create a new check like passwd_getent.sh which is copy from passwd.sh with next modification. CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE' ====> CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; getent passwd' This should work in most recent linux versions, but unfortunately I haven't suitable environment test it now. Of course you need to fix check also on inputs.conf too. r. Ismo ... View more

Based on your description, the only information the second search needs from the first search is host, the time the host got compromised, and 120 seconds after that time.  So, if the first search is already run, the most straight-forward solution would be a subsearch using the first CSV file.  Like index=wineventlog source="wineventlog:security" "logname=security" (EventCode=4624 LogonType=2) [| inputlookup passwordcompromise_initial.csv | fields host newtime oldtime | rename newtime as latest, oldtime as earliest] | eval AccountName = mvfilter(NOT match(AccountName, "-") AND NOT match(AccountName, "DWM*") AND NOT match(AccountName,"\$$$$")) | eval logontime=time | dedup host, AccountName, logontime | where AccountName!="" | rename AccountName as "AuthenticatedUser" | table time host "AuthenticatedUser" logontime | outputcsv password_successfullogon.csv Of course, if the first one hasn't run, and you want to take one execution to obtain two CSVs, you can just combine the two. index=wineventlog source="wineventlog:security" "logname=security" (EventCode=4624 LogonType=2) [search index=wineventlog source="wineventlog:security" "logname=security" (EventCode=4625 Logon_Type=2) | eval newtime=_time+120 | eval oldtime=_time | eval Account_Name = mvfilter(Account_Name!="-" AND NOT match(Account_Name,"\$$")) | eval number=len(Account_Name) | eval status=case(number>13,"Potential Password Compromise", number<=9,"OK") | where status="Potential Password Compromise" | rename Account_Name as "Potential Password?" | sort -_time | table _time host "Potential Password?" oldtime newtime status | outputcsv passwordcompromise_initial.csv | fields host newtime oldtime | rename newtime as latest, oldtime as earliest] | eval AccountName = mvfilter(NOT match(AccountName, "-") AND NOT match(AccountName, "DWM*") AND NOT match(AccountName,"\$$$$")) | eval logontime=time | dedup host, AccountName, logontime | where AccountName!="" | rename AccountName as "AuthenticatedUser" | table time host "AuthenticatedUser" logontime | outputcsv password_successfullogon.csv Hope this helps. ... View more

Two items to check - 1. Within the deploymentclient.conf file within the etc\system\local folder, there is a ClientName field that could be added. 2. The following SPL will identify duplicate entries coming in from different machines index=* host=* | dedup ComputerName | rex field=ComputerName "(?<host_name>[^.]+)\." | stats count(host_name), values(host_name) by host | sort -count(host_name) | where count > 1 | rename host as "Computer Name" "count(host_name)" as "Record Count" values(host_name) as "Affected Machines" ... View more

Good Morning - Just tried the download link and seems everything is working. Maybe gremlins this morning on the network but you should be able to download it. Try logging in to see if that works for you or use a different browser. https://www.splunk.com/en_us/download/splunk-enterprise.html ... View more

You are expecting all of your data to be going to an index named default based on the inputs.conf on the local system, should this be like wineventlog or something else? ... View more

Based on the tagging of SYSLOG based on the front tag, I would assume that this is being ingested into a syslog server and then sent to an Indexer or Heavy Forwarder. If this is the case, the Splunk Add-on is not going to help you in this situation if this is the case. I usually ingest the data from SYSLOG and then use regex to extract the field names when I am conducting searches. If this is being monitored on the server that is using a Universal Forwarder, then ensure that you are monitoring the /var/log locations with the splunkbase app on the forwarder and on the indexer. ... View more

Worked. Thanks  ... View more

Hi @toddehb , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hello! Validate that the Splunk service is started "/opt/splunk/bin/splunk status" for Linux or check the Splunk service is started for for windows. Also make sure the URL include port 8000 at the end http://localhost:8000 ... View more

PickleRick is spot on - Here is an example of capturing print logs.... Keep in mind that some logs are disabled from operational status, such as the Print Monitor and need to be enabled to start generating logs. [WinEventLog://Microsoft-Windows-PrintService/Operational] disabled=0 index=wineventlog current_only = 0 renderXml = false checkpointInterval = 5   #REGFIX - HKLM\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-PrintService/Operational] - DWORD Enabled=00000001 #REGFIX - HKLM\SOFTWARE\Microsoft\Windows\CurrentControlSet\WINEVT\Channels\Microsoft-Windows-PrintService/Operational] - DWORD Enabled=00000001   ... View more

@Simple_Search - You could start here: index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2)) | eval Account = mvindex(Account_Name, 1) | transaction src maxspan=2m startswith="EventCode=4625" endswith="EventCode=4624" | where isnotnull(Account) AND mvcount(Account) > 0 AND len(mvindex(Account, 1)) > 13   transaction might not be the best command to use, but this is your starting point.   I hope this helps!! Consider upvoting!! ... View more

You do not require your own certificates for the Splunk Universal Forwarder, Splunk ships with default ones and can be installed without your own. As you can see in the message that if you dont provide one the default ones will be used. There must be something else that is going on with the installer or system configuration that is prompting this. Trying installing via the command line with the /quiet tag to see if that circumvents this issue. ... View more

Appreciate the quick response to this! It did return some results but with a multi-machine environment (which I did not disclose) did not return what I was anticipating. I made some modifications and here is what I would like to see.... For each 4719 Event from 100's of machines Hostname Time of Event for 4719 Message from 4719 Time of Event for 4624 Message from 4624 ... View more