I am trying to set up syslog forwarding from an Isilon cluster to a Splunk server. I have done the following steps as per instructions online:

1. Edit the syslog.conf file in the cluster.
2. Create a read-only user in Splunk.
3. Deploy the DELL EMC app and TA on the deployment server.

Currently I can see that all of the cluster nodes are talking to my server, but all TCP states for the nodes are in TIME_WAIT. I am also unable to detect any connection with the cluster from the Splunk UI. I tried setting up the TA with the read-only user I had created, but that is also throwing an "authentication" error. I am new to Splunk and am no expert. I am unable to understand what I have missed. Requesting help from the Splunk community.
Hello, I am trying to set up a report which will list all user activities in the F: drive. PFB my inputs.conf:

    [WinEventLog://Security]
    disabled = 0
    index = fgfdstore
    start_from = newest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 15
    whitelist1 = 4663,4656
    renderXml = false

I have also prepared the below search query:

    index=<indexname> Object_Name="F:*" NOT *.*tmp
    | eval folder = mvindex(split(lower(Object_Name),"\\"),3)
    | table _time, Account_Name, folder, Object_Name, Accesses
    | rename Object_Name as "File Path", Account_Name as UserName
    | dedup UserName, "File Path", Accesses
    | sort -_time

With this setup I am able to track activities like delete, modify, READ_CONTROL and create. However, I am still not getting records when my colleague opened a file in the F: drive as a test run. Also, I am not able to understand how I can tell if a file is being copied from the F: drive without opening it. My questions are:

1. How can I track if a file is read but not modified?
2. How can I tell if a file is copied without ever opening it?

I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.
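As an added example (not part of either post above), here is the detection logic behind the first question, run offline over constructed 4663 events in the key=value shape Splunk extracts: an access is counted as a read when every right in the Accesses field is read-only, and a (user, file) pair is reported when that user only ever read the file. The sample lines, the READ_ONLY set and the function names are assumptions made for this example; the filter mirrors the search in the post (F:* paths, no .tmp files, 4663 only).

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical data, not a real capture) in the
# key=value form Splunk extracts from Windows Security event 4663.
SAMPLE_EVENTS = [
    'EventCode=4663 Account_Name=alice Object_Name="F:\\Finance\\budget.xlsx" Accesses="ReadData (or ListDirectory)"',
    'EventCode=4663 Account_Name=bob Object_Name="F:\\Finance\\budget.xlsx" Accesses="WriteData (or AddFile)"',
    'EventCode=4663 Account_Name=carol Object_Name="F:\\HR\\salaries.docx" Accesses="DELETE"',
    'EventCode=4663 Account_Name=alice Object_Name="F:\\Finance\\forecast.xlsx" Accesses="ReadData (or ListDirectory)"',
    'EventCode=4656 Account_Name=dave Object_Name="F:\\HR\\salaries.docx" Accesses="READ_CONTROL"',
    'EventCode=4663 Account_Name=alice Object_Name="C:\\Temp\\scratch.tmp" Accesses="ReadData (or ListDirectory)"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

# Access rights reported in 4663 that do not change file content or metadata.
READ_ONLY = {"ReadData (or ListDirectory)", "ReadAttributes", "ReadEA",
             "READ_CONTROL", "SYNCHRONIZE"}

def classify(accesses):
    """'read' when every listed access right is read-only, otherwise 'modify'."""
    rights = {r.strip() for r in accesses.split(",") if r.strip()}
    return "read" if rights and rights <= READ_ONLY else "modify"

def activity_by_user_file(lines, drive="F:"):
    """Map (user, path) -> set of activity kinds seen in 4663 events on `drive`."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        path = ev.get("Object_Name", "")
        if ev.get("EventCode") != "4663":
            continue  # 4656 is only the handle request, not the access itself
        if not path.upper().startswith(drive.upper()) or path.lower().endswith(".tmp"):
            continue  # same filter as the search: Object_Name="F:*" NOT *.tmp
        seen[(ev.get("Account_Name", ""), path)].add(classify(ev.get("Accesses", "")))
    return dict(seen)

def read_only_files(lines, drive="F:"):
    """(user, path) pairs where the user only read the file and never changed it."""
    return sorted(key for key, kinds in activity_by_user_file(lines, drive).items()
                  if kinds == {"read"})

if __name__ == "__main__":
    for user, path in read_only_files(SAMPLE_EVENTS):
        print(f"{user} read but did not modify {path}")
```

Copying a file opens the source with ReadData just like opening it does, so Windows file auditing produces no separate "copy" event; this same read check is the closest signal for the second question.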