Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About leonaheidern2
leonaheidern2
Loves-to-Learn Everything
Member since:
12-03-2020
05-27-2022
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-03-2020 |
Activity Feed
- Posted Re: set maintenance mode for indexer cluster with hashed password on Security. 05-27-2022 04:13 AM
- Posted Re: set maintenance mode for indexer cluster with hashed password on Security. 05-27-2022 03:27 AM
- Posted How to set maintenance mode for indexer cluster with hashed password? on Security. 05-27-2022 02:37 AM
- Tagged How to set maintenance mode for indexer cluster with hashed password? on Security. 05-27-2022 02:37 AM
- Tagged How to set maintenance mode for indexer cluster with hashed password? on Security. 05-27-2022 02:37 AM
- Tagged How to set maintenance mode for indexer cluster with hashed password? on Security. 05-27-2022 02:37 AM
- Tagged How to set maintenance mode for indexer cluster with hashed password? on Security. 05-27-2022 02:37 AM
- Posted Re: Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-27-2022 05:22 PM
- Posted Re: Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-21-2022 05:49 PM
- Posted Re: Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-21-2022 06:52 AM
- Posted Re: Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-20-2022 06:04 AM
- Posted Re: Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-19-2022 03:27 PM
- Posted Why is splunk udp 514 syslog going straight to indexer and bypassing a second set of heavy forwarders? on Getting Data In. 04-19-2022 08:39 AM
- Posted Re: splunk db connect on heavy forwarder not forwarding to indexers on All Apps and Add-ons. 09-09-2021 11:08 PM
- Tagged splunk db connect on heavy forwarder not forwarding to indexers on All Apps and Add-ons. 08-27-2021 02:48 AM
- Tagged splunk db connect on heavy forwarder not forwarding to indexers on All Apps and Add-ons. 08-27-2021 02:47 AM
- Posted splunk db connect on heavy forwarder not forwarding to indexers on All Apps and Add-ons. 08-27-2021 01:11 AM
- Tagged splunk db connect on heavy forwarder not forwarding to indexers on All Apps and Add-ons. 08-27-2021 01:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-27-2022
04:13 AM
I actually do. It's usually because of kernel patches that's why I have to reboot. Hence was thinking of an automated way to deal with the indexer cluster and master node. Currently I am doing this manually monthly.
... View more
05-27-2022
03:27 AM
I am actually trying to do this as a shell script for yum update. Probably schedule maintenance mode on the master node first then set hourly intervals per indexer to offline and yum update and reboot I have enable boot start for the Splunk so technically the splunk service starts up automatically on reboot
... View more
05-27-2022
02:37 AM
Hi all
I am having issues trying to script enabling and disabling maintenance mode with a hashed password.
The command is /opt/splunk/bin/splunk enable maintenance -mode - auth admin: somepassword
Is there a way I can hash the password. I have tried the hash-passwd and user-seed.conf but it does not seem to hash my clear text password upon restarting splunk
... View more
Labels
- Labels:
-
audit
-
authentication
-
encryption
-
login
-
other
04-27-2022
05:22 PM
I got syslog-ng service to listen to those two ports after semanage For some reason the syslog-ng service itself was the one holding onto those ports causing to to fail and say I was restarting the syslog-ng service too quickly I have some issues with the configuration though. As I am a syslog-ng novice, does each port protocol need to go to a different file even though I set it to blanket listen at the catch all level? But somehow it can only listen to udp 514, tcp 514 type logs with the keyword isn't that present in the log file. In the network device itself there is no ability to specify the port protocol from the GUI. My config for syslog-source ports is like below source s_networkdevice { udp(port(514)); tcp(port(514)); udp(port(10514)); tcp(port(9514)); udp(port(9514)); }; filter f_networkdevice{ match ipaddress }; destination d_networkdevice { file(“/home/syslog/logs/network/$HOST/$YEAR-$MONTH-$DAY.log” create_dirs(yes)); }; log { source(s_networkdevice); filter(f_networkdevice); destination(d_networkdevice); };
... View more
04-21-2022
05:49 PM
Considering the zone it's on ,that test vm should not have anything listening on port 9514. Tried a netstat -ano | grep 9514 and didn't find that port also. I have allowed the port in firewall-cmd I have not heard of audit2why and audit2allow. Maybe I could try those.
... View more
04-21-2022
06:52 AM
Does anyone know how to get syslog-ng to start on tcp 9514 and udp 9514 One of the equipments sends on those two ports but I tried on a VM that is selinux enforcing and it couldn't start on those ports Strangely it can start on a udp and TCP 10514 I tried installing policycore-utils and adding the port in semanage port -m -t syslogd_port_t -p tcp 9514 semanage port -m -t syslogd_port_t -p udp 9514
... View more
04-20-2022
06:04 AM
Hi Patrick . The transform and props were part of a legacy configuration when my splunk servers were still on windows When we migrated the splunk heavy forwarder over to redhat we zipped and unzipped leaving the configuration intact Since everything was working we didn't feel the need to change the configuration till the new requirement came up. However since it was done by a vendor and another colleague from another department . All i was left with was a single transforms and conf and multiple ip address with transforms and props to multiple indexes so i sort of. Inherited the infrastructure without the documentation and am trying to reverse engineer it without breaking things
... View more
04-19-2022
03:27 PM
The equipment are network devices or app driven ones that clients are unable to install the universal forwarder for. One of the heavy forwarders is a windows server . Ports wise everything uses port 514 from the devices side hence the transforms and props ended up in the main index first then being transformed to other indexes Now I have a requirement to forward the logs before it gets to my indexer. Can this be done without syslog-ng or rsyslog I have another set of heavy forwarder that is listening to udp 514 in data inputs but also using syslog-ng rules that somehow is unable to send the logs to this other set of heavy forwarders midway to my indexer. Do I need to remove the data inputs in Splunk web to get it to send as well?
... View more
04-19-2022
08:39 AM
hi all
I am running on a windows heavy forwarder on Splunk Enterprise 8.1.7.2 and I listen to ports tcp 9514 and udp 514.
The data comes in to the main index and I perform a transforms/ props to a other index and the logs go into my indexers and search heads (both search head and indexers are redhat 7.9 splunk enteprise 8.2.0)
However in my heavy forwarders i send a copy off to another set of splunk redhat 7.9 heavy forwarders but it seems anything besides the default splunk logs on tcp 9997 does not reach them
My config is follows
Inputs.conf
[tcp:9514] disabled = false connection_host=ip index =main
##inputs.conf
[udp:9514] disabled = false connection_host=ip index =main
[udp:514] disabled = false connection_host=ip index =main
[tcp:514] disabled = false connection_host=ip index =main
##transforms.conf
[index_redirect_to_pci] REGEX = . DEST_KEY = _MetaData:Index FORMAT = pci
### props.conf [host::x.x.x.x] TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci
How do I get the logs for the 514 and 9514 to be forwarded to the second set of heavy forwarders
I have one redhat heavy forwarder that I installed syslog-ng on and change splunk to monitor that folder and remove the listen to port 514 and that's the only splunk heavy forwarder that can send syslog data over to the second set of splunk that is not receiving the logs from the transformed index
... View more
Labels
09-09-2021
11:08 PM
Not quite sure why it started to work again after a monthly restart of the entire infra
... View more
08-27-2021
01:11 AM
hi I have this issue where the db connect installed on a heavy forwarder is not able to forward logs to the indexers in a particular sourcetype configured in the indexer The heavy forwarder obtains the logs from the mssql database using http event collector From splunkd log and metric logs i can see the non db connect logs being forwarded on the standard 9997 port We are able to run the sql query in db connect and able to see results Not quite sure where i should troubleshoot and hoping for some leads The db connect version is 3.1.4 and the splunk enterprise version is 7.2.6 I do not see error 400 on the db connect server or command and audit logs tho
... View more
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-27-2022
07:33 AM
|
