Activity Feed
- Posted Re: Best way to get Windows DHCP logs to Splunk on Getting Data In. 10-10-2021 11:30 PM
- Karma Re: Best way to get Windows DHCP logs to Splunk for isoutamo. 09-22-2021 11:04 PM
- Posted Re: Best way to get Windows DHCP logs to Splunk on Getting Data In. 09-22-2021 10:29 PM
- Posted Best way to get Windows DHCP logs to Splunk on Getting Data In. 09-22-2021 06:09 AM
- Posted Re: Help with App to get approved over Splunk Cloud on Splunk Dev. 03-25-2021 06:06 AM
- Karma Re: Help with App to get approved over Splunk Cloud for richgalloway. 03-25-2021 06:01 AM
- Posted Re: Help with App to get approved over Splunk Cloud on Splunk Dev. 03-24-2021 11:41 PM
- Posted Re: Splunk Cloud - uploading an app on All Apps and Add-ons. 03-24-2021 09:08 AM
- Posted Re: Help with App to get approved over Splunk Cloud on Splunk Dev. 03-23-2021 01:44 AM
- Posted Re: Help with App to get approved over Splunk Cloud on Splunk Dev. 03-22-2021 06:20 AM
- Posted Re: Help with App to get approved over Splunk Cloud on Splunk Dev. 03-22-2021 12:02 AM
- Posted Help with App to get approved over Splunk Cloud on Splunk Dev. 03-19-2021 02:14 AM
- Posted Re: Defender ATP App issue on Splunk Cloud Platform. 01-28-2021 01:02 AM
- Posted Defender ATP App issue on Splunk Cloud Platform. 01-27-2021 06:39 AM
- Posted Re: Event4662: To blacklist $user name in Subject User name on Getting Data In. 10-01-2020 04:48 AM
- Posted Re: Event4662: To blacklist $user name in Subject User name on Getting Data In. 10-01-2020 03:42 AM
- Posted Event4662: To blacklist $user name in Subject User name on Getting Data In. 09-27-2020 11:44 PM
10-10-2021
11:30 PM
The only problem with this way is the DHCP log file size on the DC. I am also trying the Splunk Stream app, but it is complicated to fulfil the use case (MAC - IP - Hostname details from the logs). With Stream we get all the data from the DORA process, and I believe DHCPREQUEST and DHCPACK are where I should get the details. But I am not able to figure out the fields; mostly I should receive the desired values in these fields, but this is not always true: chaddr, yiaddr, client_fqdn. Has anyone successfully configured Stream for DHCP logs and got the logs required for asset inventory (MAC-IP-Hostname)?
09-22-2021
10:29 PM
Which means I am on the right track. Thanks Roy. But I would also like to understand whether there is any other way to pull the DHCP logs into Splunk.
09-22-2021
06:09 AM
Hello, I am trying to get Windows DHCP logs into Splunk and am using the way below to do so, but I wanted to check if there is any better way to ingest the DHCP logs into Splunk. Using the Deployment Server to get the logs with an inputs.conf file:

```
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
index = dhcplogs
whitelist = Dhcp.+\.log
```

And then installing the app below on the search heads to parse the logs: https://splunkbase.splunk.com/app/4359/#/details

I haven't completed the setup; prior to that I was getting some advice on whether this is the best way to go ahead or whether there is any other way to ingest it better. If this is the best way, is there anything I need to be aware of prior to the setup? Thanks in advance. Regards, Pratik Pashte
Labels: inputs.conf, universal forwarder, Windows
03-25-2021
06:06 AM
Hi @richgalloway Thank you for all your help. I had actually changed the file permissions for the ones that were reported to 644 and it worked. Rather than changing the directory permissions recursively, I changed only the required file permissions. I do not need to use that tool, but I guess in future `splunk package app` would make sense to use rather than changing each file permission to get this working. Last question: now, as I added a custom sourcetype to the props.conf file replacing syslog, and I would be taking that data from a syslog server, should I add that sourcetype on the syslog server side, and the same I will get as I am going to install that app on Splunk Cloud, right? If possible, could you provide some information about the workflow from the app custom sourcetype to Splunk Cloud? That would be a great help.
03-24-2021
11:41 PM
I did that, taking the package to Linux, extracting it, making the changes and repackaging. But I am still getting the same error, although the permissions are as per the requirement. I will now be trying to utilize the Splunk app package utility; to do so, I would just need validation of the steps to follow. Place the app (.tgz file or extracted package?) under $SPLUNK_HOME/etc/apps, then go under $SPLUNK_HOME/bin/ and run the command below, right? `splunk package app <APP_NAME>` and the app will be output to $SPLUNK_HOME/etc/system/static/app-packages. Thank you in advance.
03-24-2021
09:08 AM
@eavent_splunk I might be too late to reply to this post, but where should we run the command? Under the bin folder or under Splunk home? Because I am getting the error: Could not look up Home Variable Auth Token cannot be cached. I am doing it from the Deployment Server, executing the command under Config Explorer.
03-23-2021
01:44 AM
I guess this worked. The only thing I now need to figure out is below. I cannot do this, `$SPLUNK_HOME/bin/splunk package app <APP_NAME>`, as I am on Splunk Cloud and don't have access to the box; not sure whether it can be done on the Deployment Server. Also, as Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory, that is already in place, but I am not sure whether Windows is still messing with the permissions...

```
[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_for_bin_files
  This file has execute permissions for owners, groups, or others. File: test
  This file has execute permissions for owners, groups, or others. File: license-eula.txt
  This file has execute permissions for owners, groups, or others. File: README.md
  This file has execute permissions for owners, groups, or others. File: default/inputs.conf.example
  This file has execute permissions for owners, groups, or others. File: default/app.conf
```
03-22-2021
06:20 AM
Hi Rich, I can remove the time prefix, but then I would not get the "when occurred" date field, which would be needed. When you say custom sourcetype, you mean a separate stanza in props.conf and the associated regex in the transforms.conf file, right? Like props would look like this:

```
[cp_centrify_syslog]
TRANSFORMS-cp_centrify_cisp_syslog_transforms = cp_centrify_cisp_syslog_regex

[syslog]
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex
```

And transforms would look like this:

```
[cp_centrify_cisp_syslog_regex]
REGEX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
FORMAT = sourcetype::centrify_cisp_syslog

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype
```

Does this need to be done? Thank you for your help.
03-22-2021
12:02 AM
Hi Rich, Please find the lines below:

```
[syslog]
TIME_PREFIX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex
```

And the transforms.conf file below:

```
[centrify_cisp_headers]
REGEX = .*\d{1,2}\:\d{1,2}\:\d{1,2}\.*?\s(?<system>[^\s]*)\s+.*INFO\s+(?<product>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<category>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<eventname>(?:[^|\\]|(?:\\{2})|\\\|)+)

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype
```
03-19-2021
02:14 AM
I have a vendor whose application is not yet supported on Splunk Cloud but can be installed on an HF. I thought to check what error I am getting after uploading the app, so that if possible I can tweak it and get it approved. After uploading I got the failure summary below. I need help to understand the error and, if possible, to get it resolved. I had followed the dev guide below as well, but was not able to get a proper understanding that could help resolve the error.

```
[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_pretrained_sourcetypes_have_only_allowed_transforms
  Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes. File: default/props.conf Line Number: 3
```

Dev Guide: https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/
Labels: Splunk Web Framework
01-28-2021
01:02 AM
I have Splunk Cloud Version 8.1.2011.1, which was recently upgraded, but it was not working on 7.2.9, meaning, as stated above, the application was stuck until I disabled and re-enabled the same. I too did not find any error logs under the folder; I have used the query below to check. Also, with this setup on Splunk 8.1 it did work for me, at least pulling logs into Splunk, but the main issue remains the same: it gets stuck in between. Query:

```
index=_internal (source=/opt/splunk/var/log/splunk/ta_defender_atp_hunting_defender_hunting_query.log* OR source=/opt/splunk/var/log/splunk/ta_ms_defender_microsoft_defender_atp_alerts.log*)
| rex "^.*\,\d{3}\s(?<log_level>\w+)"
| cluster showcount=true labelonly=t
| stats earliest(_time) AS EARLIEST latest(_time) AS LATEST max(cluster_count) AS COUNT values(log_level) AS LEVEL first(_raw) AS MESSAGE BY cluster_label
| convert ctime(EARLIEST) ctime(LATEST)
| table COUNT EARLIEST LATEST LEVEL MESSAGE
| sort - COUNT
```
01-27-2021
06:39 AM
I am using the app below to pull the alerts from ATP into Splunk, which actually gives the functionality to pull the data directly from ATP: alerts with evidence or with the associated user, or any of the data that is supported by an Advanced Hunting query. https://splunkbase.splunk.com/app/4623/#/details But this is not consistent; it actually stops in between, and then I need to disable and re-enable the inputs to get this working again. The setup is pretty simple: set the ID and then set the Advanced Hunting query from ATP. This app is really nice and can fulfil a lot of use cases for pulling data from ATP other than only alerts, so I really want to get this working consistently, as I do not want to skip the alerts from ATP to Splunk, on which our entire Ops team relies to take further action on the alert. I have also raised a case with Splunk support, but this add-on is not supported by support, so I am raising the concern over here in case anyone has the same issue and has solved it. @jorritf If possible, can you please help here, as I can see you have developed the application. Thank you in advance.
Labels: troubleshooting
10-01-2020
04:48 AM
Yes, I have escaped the special character in the regex. Do you suggest anything more I need to tweak in the regex below?

```
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
```
10-01-2020
03:42 AM
Hi Giuseppe, The above inputs.conf is not working as expected. Actually, I do not want any other user name, mostly those with $, in the event, which is actually consuming Splunk space. So I have created that regex to blacklist the Subject Username with $, but it is not working; I could still get those users on Splunk for that particular event code.

```
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
```

This is my inputs.conf file:

```
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events
```
09-27-2020
11:44 PM
Hello Team, I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers, is forwarding a huge amount of data. Upon further investigation I found that Subject User Names having $ (Local Account) can be blacklisted from being sent to Splunk Cloud. To do so I added the regex below in the Splunk application on the Deployment Server:

```
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml=true
index = DC_Events
```

The regex below works completely fine on sample data:

```
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
```

This would help me not to send the user names having $ in Subject User Name, which could save a lot of space on Splunk, as more than 100s of servers are sending data to Splunk, and this would increase eventually. Thanks & Regards, Pratik Pashte
Labels: universal forwarder
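As an added illustration (not part of the thread or of any Splunk add-on), the Python check below runs the `blacklist1` Message regex from the 4662 posts above against three constructed single-line renderXml-style events, alongside a variant that anchors the `$` to the end of the SubjectUserName value. It assumes Python's `re` is a fair stand-in for Splunk's regex matching for these patterns, and that a renderXml event message is one line of XML; the event text is constructed, not captured.

```python
import re

# blacklist1 Message= pattern from the inputs.conf stanza in the thread.
ORIGINAL = r"(?:<Data Name='SubjectUserName'>).+(?:\$)"
# Variant that only matches when the '$' ends the SubjectUserName value itself.
ANCHORED = r"<Data Name='SubjectUserName'>[^<]*\$</Data>"

# Constructed single-line renderXml-style 4662 events (not real log data).
# Only the Data elements needed for the comparison are included.
EVENTS = {
    "machine_account": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>DC01$</Data>"
        "<Data Name='ObjectName'>CN=Users,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
    "human_plain": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectName'>CN=Users,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
    # A human subject, but a later field happens to contain a '$'.
    "human_dollar_later": (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>jdoe</Data>"
        "<Data Name='ObjectName'>CN=SQLSVC$,OU=Service,DC=example,DC=local</Data>"
        "</EventData></Event>"
    ),
}


def is_blacklisted(pattern: str, message: str) -> bool:
    """Unanchored search, the way a Message= blacklist regex is applied."""
    return re.search(pattern, message) is not None


def compare(events: dict) -> dict:
    """Return {event_name: (original_matches, anchored_matches)}."""
    return {
        name: (is_blacklisted(ORIGINAL, msg), is_blacklisted(ANCHORED, msg))
        for name, msg in events.items()
    }


if __name__ == "__main__":
    for name, (orig, anch) in compare(EVENTS).items():
        print(f"{name:20s} original={orig!s:5s} anchored={anch}")
```

The third event is the one to watch: the greedy `.+` in the original pattern accepts a `$` anywhere later in the message, so that pattern would also drop events whose subject is a human account, while the anchored variant drops only the machine-account event.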