Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About corti77
corti77
Contributor
Member since:
05-11-2021
07-07-2025
Community Statistics
| Posts | 106 |
| Solutions | 4 |
| Karma Given | 22 |
| Karma Received | 10 |
| Member Since | 05-11-2021 |
Activity Feed
- Posted Re: CITRIX onboard via SC4S - no events in splunk on Getting Data In. 07-07-2025 07:43 AM
- Posted Re: CITRIX onboard via SC4S - no events in splunk on Getting Data In. 07-07-2025 07:25 AM
- Posted Re: Slack Channel on Knowledge Management. 05-12-2025 03:26 AM
- Posted Re: Slack Channel on Knowledge Management. 05-12-2025 03:04 AM
- Posted Re: CITRIX onboard via SC4S - no events in splunk on Getting Data In. 05-12-2025 02:12 AM
- Posted Re: CITRIX onboard via SC4S - no events in splunk on Getting Data In. 05-08-2025 06:21 AM
- Posted CITRIX onboard via SC4S - no events in splunk on Getting Data In. 05-08-2025 04:15 AM
- Got Karma for Re: Sysmon events not getting indexed. 05-02-2025 04:59 AM
- Got Karma for Re: SC4S - PaloAlto logs not processed correctly. 02-12-2025 10:35 AM
- Posted Re: NetApp onboarding - audit folder/files deletion on All Apps and Add-ons. 11-27-2024 07:59 AM
- Posted NetApp onboarding - audit folder/files deletion on All Apps and Add-ons. 11-27-2024 05:36 AM
- Tagged NetApp onboarding - audit folder/files deletion on All Apps and Add-ons. 11-27-2024 05:36 AM
- Tagged NetApp onboarding - audit folder/files deletion on All Apps and Add-ons. 11-27-2024 05:36 AM
- Posted Re: Splunk Security Essentials - macro 'summariesonly_config' cannot be found on Splunk Enterprise Security. 09-02-2024 08:58 AM
- Got Karma for Sysmon events not getting indexed. 09-02-2024 04:30 AM
- Posted Re: Splunk Security Essentials - macro 'summariesonly_config' cannot be found on Splunk Enterprise Security. 09-02-2024 02:34 AM
- Posted Splunk Security Essentials - macro 'summariesonly_config' cannot be found on Splunk Enterprise Security. 08-30-2024 03:40 AM
- Got Karma for Re: License consumed, how to calculate the daily ingest per index?. 07-11-2024 07:12 AM
- Posted Body always empty - Sysmon events are always in XML format on Security. 06-25-2024 08:44 AM
- Posted Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode on Getting Data In. 06-17-2024 01:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
07-07-2025
07:43 AM
I just found the events in Splunk, they ended up in a different index (osnix). Any idea why the SC4S parser was not triggered? the tags indicate that SC4S correctly identify CITRIX as the logs source. thanks
... View more
07-07-2025
07:25 AM
Hi, litle update. Splunk upgrafed to 9.3.3 , SC4S upgraded to version 3.37 and Splunk Citrix add-on upgraded to 8.2.3. the issue remains, I see the CITRIX syslog packet reaching SC4S but nothing is forwarded to Splunk.
... View more
05-12-2025
03:26 AM
Thanks a lot @ITWhisperer , but it seems like my account was deactivated. could you help me out to restore it? thanks
... View more
05-12-2025
03:04 AM
Hi @isoutamo is the slack channel still alive? the link you provided is not working anymore thanks!
... View more
05-12-2025
02:12 AM
for your reference, below the syslog event received in SC4S that does not seem to trigger the parser /etc/syslog-ng/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf tcpdump -n -vvv -i eth0 host 10.143.6.21 -s 0
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:40.745046 IP (tos 0x0, ttl 255, id 21289, offset 0, flags [none], proto UDP (17), length 289)
10.X.Y.Z.23350 > 192.X.Y.Z.syslog: [udp sum ok] SYSLOG, length: 261
Facility local0 (16), Severity info (6)
Msg: 12/05/2025:11:06:40 host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 : Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - Start Time 12/05/2025:11:06:40 - End Time 12/05/2025:11:06:40 - Total_bytes_send 0 - Total_bytes_recv 1 \0x0a
any idea about how to see why it does not match? should I create some specific parser to force this trigger? thanks
... View more
05-08-2025
06:21 AM
I found some fixes added in version 3.35.1 related to Citrix. https://github.com/splunk/splunk-connect-for-syslog/releases?page=1 So I decided to update to the latest version 3.36.0. Unfortunately, the issue remains. 😕
... View more
05-08-2025
04:15 AM
Hi, I am running splunk standalone 8.4.1 with Citrix add-on installed 8.2.3. Also, I have SC4S running version 3.31.0. I configured Citrix to send syslog events to SC4S, and running a tcpdump in SC4S, I see those events arriving. According to the documentation, nothing else must be done at SC4S level. https://splunk.github.io/splunk-connect-for-syslog/3.31.0/sources/vendor/Citrix/netscaler/ Unfortunately, I don't see any Citrix event in splunk. I searched in index "netfw" and also filtered by sorcetype (sourcetype="citrix*" and index=*), in both cases, no events are in there. Other events, from our firewall, are reaching splunk without any issue via the same SC4S server. So I discarded network issues. Any idea about what could be happening? any SC4S logs that I could check? thanks a lot.
... View more
- Tags:
- SC4S
11-27-2024
07:59 AM
Thanks for your reply @gcusello , my question was more on how to build the solution. I found some information about configuring netapp https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ So maybe it is a matter of configuring it like that and sending those logs via syslog to splunk?
... View more
11-27-2024
05:36 AM
Hi, I wonder the easiest way to monitor the deletion of files/folders in a CIFS netapp using splunk. I saw an Add-on available, could someone share any experience with this use case? I have a SC4S in place so I thought to configure syslog in NetApp to be sent to SC4S and start digging into the logs. Is there any App I could leverage to ease the pain? many thanks
... View more
Labels
- Labels:
-
configuration
09-02-2024
08:58 AM
hi again @richgalloway , the model is accelerated and contains data. and I use the latest version of the Microsoft add-on 8.9.0 which is CIM compliant. any other idea? many thanks
... View more
09-02-2024
02:34 AM
Hi @richgalloway , you were right. The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty. I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data. any idea of what might be happening here? Also, I created the macro "summaryonly_config" as you suggested but new errors appeared related to the other two missing macros "oldsummaries_config" and "fillnull_config". I also created these macros with a true value in both cases. that seems to solve the issue with the search, no more errors are shown. thanks
... View more
08-30-2024
03:40 AM
Hi, I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents: Unknown Process Using The Kerberos Protocol Windows Steal or Forge Kerberos Tickets Klist ServicePrincipalNames Discovery with SetSPN Rubeus Command Line Parameters Mimikatz PassTheTicket CommandLine Parameters In all cases above, I get two errors: "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as Splunk Add-on for Microsoft Windows 8.9.0 Palo Alto Networks Add-on for Splunk 8.1.1 Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found. I searched that missing macro and indeed it does not exist. Should I create it manually? With which value? Do you have any idea how to fix those two errors? Many thanks
... View more
Labels
06-25-2024
08:44 AM
Hi, I am runnig Splunk 9.0.9 with Splunk Add-on for Sysmon 4.0.1 and Sysmon Security Monitoring App for Splunk 4.0.13. I configured the alerts to be sent by email and I am receiving many of them (false positives thanks god). At this point I have two issues: - The field "Body" is always empty. Reviewing the macros included in the app, they seem to be created for the non-XML sysmon events. I changed the inputs.conf from the TA-Windows-Sysmon addon without success. The events continue flowing in in XML format. [WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 0
source = WinEventLog:Microsoft-Windows-Sysmon/Operational Did anyone face the same issue? how did you solve it? - I also would like to add an exception list of processes to reduce the amount of alerts, whitelisting some well known windows executables or tools. have anyone done that? could you tell me the approach you took? thanks a lot. I am checking other alternatives like Cyences https://splunkbase.splunk.com/app/5351. any opinion?
... View more
06-17-2024
01:31 AM
You were so right @deepakc ! Thanks a lot. I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon I just removed Defender Add-on which is not officially supported. I need to find some other with support that I guess will not generate this type of conflict. Do you have any suggestion for this ? 😉
... View more
06-12-2024
05:46 AM
Hi, Following the official instructions https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon , Splunk Add-on for Sysmon 4.0.0 I just deployed the addon for sysmon in my indexer, search head and deployment servers so I started to collect sysmon logs. I am running Sysmon 15.14 on the endpoints. The logs started to flow into splunk but when I do searches on the index I constantly receive the following error: [indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode I read the information in the https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldnt find the root cause. The csv are in the path indicated in the documentation. 😕 Any suggestion? many thanks
... View more
- Tags:
- sysmon
Labels
- Labels:
-
universal forwarder
05-14-2024
05:54 AM
Thanks for your reply. At the end, the solution was about to just disable the splunk light forwarder via CLI. ./splunk disable app SplunkLightForwarder after this change I restarted splunk service and it worked fine back again.
... View more
05-06-2024
08:01 AM
Hi, recently we had an issue with the LUN drive where data is stored and after fixing it, a new problem came up. splunk services starts normally but the web access does not work anymore. the output of the splunk start command is the following \bin>splunk.exe start
Splunk> Map. Reduce. Recycle.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as LocalSystem)
Validated: _configtracker _introspection _metrics _metrics_rollup _thefishbucket anomaly_detection autek azure cim_modactions cisco citrix email eusc_apps firedalerts ftp hyper-v infraops itsi_grouped_alerts itsi_im_meta itsi_im_metrics itsi_import_objects itsi_notable_archive itsi_notable_audit itsi_summary itsi_summary_metrics itsi_tracked_alerts kubernetes metrics_sc4s msad msexchange netauth netfw netops netproxy os osnix pan_logs perfmon rancher_k8sca rancher_k8scc rancher_k8scs rancherprod sample snmptrapd sns symantec sysmon test thor windefender windows wineventlog winevents
Done
Bypassing local license checks since this instance is configured with a remote license master.
Checking filesystem compatibility... Done
Checking conf files for problems...
Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-9.0.8-4fb5067d40d2-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Splunkd: Starting (pid 38432)
Done extract of btool.log 05-06-2024 11:07:35.039 WARN ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1014
05-06-2024 11:17:25.445 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 11:17:25.445 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 13:00:58.310 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 13:00:58.310 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 13:00:58.373 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.
05-06-2024 13:19:36.176 WARN ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1234
05-06-2024 14:44:42.912 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 14:44:42.912 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 14:44:42.975 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.
05-06-2024 14:44:51.022 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 14:44:51.022 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 14:44:51.084 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.
05-06-2024 16:36:21.051 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 16:36:21.051 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 16:36:21.114 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.
05-06-2024 16:36:29.661 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 16:36:29.661 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf
05-06-2024 16:36:29.723 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. I already checked the /etc/system/local/web.conf and everything seems fine. [settings]
enableSplunkWebSSL = 1
httpport = 443 system/default/web.conf [default]
[settings]
# enable/disable the appserver
startwebserver = 1
# First party apps:
splunk_dashboard_app_name = splunk-dashboard-studio
# enable/disable splunk dashboard app feature
enable_splunk_dashboard_app_feature = true
# port number tag is missing or 0 the server will NOT start an http listener
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000
# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = false
# location of splunkd; don't include http[s]:// in this anymore.
mgmtHostPort = 127.0.0.1:8089
# list of ports to start python application servers on (although usually
# one port is enough)
#
# In the past a special value of "0" could be passed here to disable
# the modern UI appserver infrastructure, but that is no longer supported.
appServerPorts = 8065 any suggestion? many thanks. jose
... View more
Labels
- Labels:
-
splunkd
04-30-2024
04:33 PM
Hi, I run splunk 9.0.8 and after an issue with our storage (LUN full). I had to full scan the disk and successfully repaired the filesystem. splunk starts now but there is a persistent error with the KV store. the status is the following: show kvstore-status This member: backupRestoreStatus : Ready disabled : 0 guid : E59FAAA8-D66A-498E-8DDF-0F5C29866F95 port : 8191 standalone : 1 status : failed storageEngine : wiredTiger Any suggestion on how could get an operational status? many thanks. Jose
... View more
Labels
- Labels:
-
kvstore
04-04-2024
06:54 AM
Thanks a lot @gcusello ! I just created a search to create that CSV used in your query. | ldapsearch domain=default search="(objectClass=computer)"
| table name
| rename name as host
| outputlookup append=false monitored_hosts.csv and I run your query using the monitored_hosts.csv. It works flawless! thanks once again.
... View more
04-04-2024
05:53 AM
Hi, By chance, I discovered that a power user with admin rights disabled sysmon agent and splunk forwarder on his computer to gain some extra CPU for his daily tasks. To react quicker to this type of "issue" in the future, I would like to have some alerts in splunk informing me whenever any host, initially domain joined workstations and servers, might have stopped reporting events. Did someone implement something like this already? any good article to follow? I plan to create a lookup table using ldapsearch and then, an alert detecting which hosts from that table are not present in a basic listing host search on sysmon index for example. Any other better or simpler approach? many thanks
... View more
Labels
- Labels:
-
alert action
12-18-2023
01:40 AM
1 Karma
Hi, Running Splunk 9.0.7 and addon Splunk_TA_MS_Security version 2.1.1. I followed the instructions from the addon https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configure and reviewed from Microsoft article https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide Basically I created an App Registration in our Azure tenant, add the following permissions and created a secret with all this, I followed the Microsot article and run the powershell scripts to test the connection and the token I obtain only gets a single permission. could someone tell me what I am doing wrong? I expected to get all the permissions assigned to the application and I think that is why I get the 403 error in the splunkd.log. 12-17-2023 13:14:32.037 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_defender_endpoint_atp_alerts.py"" 403 Client Error: Forbidden for url: https://api-eu.securitycenter.microsoft.com/api/alerts?$expand=evidence&$filter=lastUpdateTime+gt+2023-11-17T12:14:31Z 12-17-2023 13:17:38.251 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_365_defender_endpoint_incidents.py"" 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2023-11-17T12:17:31Z thanks
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
11-20-2023
04:16 AM
hi, I have splunk 9.0.6 and sysmon add-on 3.1.0. The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list. But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode". Searching for this "eventcode" lookup, it belongs to the app Defender. Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup". Do you have any idea what might be happening?
... View more
Labels
- Labels:
-
configuration
-
installation
11-01-2023
04:13 AM
hi @PickleRick , yes, I am a bit confused about the philosophy behind all these files. We have only one single server, so I guess it has to be configured there. You mentioned that has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local ? cheers
... View more
10-31-2023
07:52 AM
Hi, I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion. At the moment, I receive events from our two different firewall (PaloAlto and Stormshield). My problem arises with the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant. More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead. My question is how it would be the best way to implement this transformation. I tried creating the following files in the path C:\Program Files\Splunk\etc\apps\splunk_httpinput\local props.conf
[StormShield:StormShield]
TRANSFORMS = rewriteaction
transform.conf
[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked" , 1=1, "UNKNOWN") I restarted Splunk, but nothing really happened. Any idea of what I am doing wrong? Many thanks.
... View more
Labels
