Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About corti77
corti77
Communicator
Member since:
05-11-2021
Monday
Community Statistics
| Posts | 84 |
| Solutions | 3 |
| Karma Given | 16 |
| Karma Received | 4 |
| Member Since | 05-11-2021 |
Activity Feed
- Karma Re: EVAL-expression incomplete in TA-microsoft-windefender for bmorgenthaler. Monday
- Karma Re: Add a new field in indexing time from data received via HEC for PickleRick. 3 weeks ago
- Posted Sysmon Add-on - lookup eventcode not processed correctly on All Apps and Add-ons. 3 weeks ago
- Posted Re: Add a new field in indexing time from data received via HEC on Getting Data In. 11-01-2023 04:13 AM
- Posted Add a new field in indexing time from data received via HEC on Getting Data In. 10-31-2023 07:52 AM
- Posted Re: PaloAlto logs ingested and Paloalto app does not "see" them on All Apps and Add-ons. 10-06-2023 01:28 AM
- Posted Re: PaloAlto logs ingested and Paloalto app does not "see" them on All Apps and Add-ons. 10-06-2023 01:18 AM
- Posted PaloAlto logs ingested and Paloalto app does not "see" them on All Apps and Add-ons. 10-04-2023 09:17 AM
- Posted HEC stopped working on Getting Data In. 09-25-2023 07:07 AM
- Posted Re: Sysmon events not getting indexed on Getting Data In. 09-22-2023 01:05 AM
- Posted Re: Sysmon events not getting indexed on Getting Data In. 09-22-2023 01:04 AM
- Tagged Re: Sysmon events not getting indexed on Getting Data In. 09-22-2023 01:04 AM
- Posted Stormshield firewall logs identified as Unix OS - SC4S on Getting Data In. 09-12-2023 07:48 AM
- Posted Re: the best way to collect Windows Defender logs? on Getting Data In. 09-02-2023 02:50 AM
- Posted the best way to collect Windows Defender logs? on Getting Data In. 09-01-2023 06:53 AM
- Tagged the best way to collect Windows Defender logs? on Getting Data In. 09-01-2023 06:53 AM
- Posted Re: Sysmon events not getting indexed on Getting Data In. 08-25-2023 08:26 AM
- Posted Re: Sysmon events not getting indexed on Getting Data In. 08-25-2023 07:42 AM
- Posted Sysmon events not getting indexed on Getting Data In. 08-25-2023 02:26 AM
- Got Karma for Re: Splunk Connect For Syslog - no data indexed. 08-01-2023 01:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
hi, I have splunk 9.0.6 and sysmon add-on 3.1.0. The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list. But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode". Searching for this "eventcode" lookup, it belongs to the app Defender. Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup". Do you have any idea what might be happening?
... View more
Labels
- Labels:
-
configuration
-
installation
11-01-2023
04:13 AM
hi @PickleRick , yes, I am a bit confused about the philosophy behind all these files. We have only one single server, so I guess it has to be configured there. You mentioned that has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local ? cheers
... View more
10-31-2023
07:52 AM
Hi, I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion. At the moment, I receive events from our two different firewall (PaloAlto and Stormshield). My problem arises with the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant. More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead. My question is how it would be the best way to implement this transformation. I tried creating the following files in the path C:\Program Files\Splunk\etc\apps\splunk_httpinput\local props.conf
[StormShield:StormShield]
TRANSFORMS = rewriteaction
transform.conf
[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked" , 1=1, "UNKNOWN") I restarted Splunk, but nothing really happened. Any idea of what I am doing wrong? Many thanks.
... View more
Labels
10-06-2023
01:28 AM
UPDATE: I just edited the datamodel and included the related indexes. Waiting for the index now to be recalculated. I will let you know if that solves the issue.
... View more
10-06-2023
01:18 AM
thanks @_JP . I checked that link and what I saw is that if I search for eventtype=pan I get 0 results but if I include index=* eventtype=pan, then I get thousands of events. So I can imagine that the Palolato app does not include the indexes in its searches. Do you know if I should include the indexes to use some where in the local folder? or maybe there is a setting in splunk to user index=* by default in any search that does not include the index clause? cheers
... View more
10-04-2023
09:17 AM
Hi, quick summary of our deployment: - Splunk standalone 9.0.6 - PaloAlto Add-on and App freshly installed 8.1.0 - SC4S v3.4.4 sending logs to splunk - PA logs ingested in indexes and sourcetypes according SC4S official doc https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/PaloaltoNetworks/panos/ - I see events in all indexes and with all sourcetypes. Indexes: netfw, netproxy, netauth, netops Sourcetypes: pan:traffic , pan:threat , pan:userid, pan:system, pan:globalprotect, pan:config What else do I need to do to make the official PaloAlto App to work? I checked the documentation https://pan.dev/splunk/docs/installation/ and I enable the data acceleration, and still no data is shown in any dashboard. I don't know what else is missing, any suggestion? thanks a lot
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
09-25-2023
07:07 AM
Hi, I have an issue with our HEC service in our Splunk standalone installation (9.0.6). It simply does not complete the TCP connection for some unknown reason. Local FW is OFF. Ping works but TCP does not complete the connection. everything else works normally. I can connect to Splunk and search data, and universal forwarders report commonly (no deployment errors)... only HEC does not work as it should. HEC global settings from wireshark, the TCP retransmition can be seen but I can't find the root cause for it. any idea of what could be happening? many thanks.
... View more
Labels
- Labels:
-
HTTP Event Collector
09-22-2023
01:05 AM
try to configure it with the user SYSTEM. if the issue persists, check the local logs of the universal forwarder located in c:\program files\splunk\var\log\splunkd.log
... View more
09-22-2023
01:04 AM
in my case the issue was the user running the splunk universal forwarder service. open the services manager and check that, it should be SYSTEM or any user with local admin rights
... View more
- Tags:
- i
09-12-2023
07:48 AM
Hi, I just deployed the latest version 2 of SC4S and I sent syslog events from our firewall Stormshield. I checked and I didn't see a specific source for this firewall brand The box is capable of sending logs in the format RFC5424, UDP/514. I did not configure a custom filter for it and the logs are automatically recognized as UNIX OS syslog events which is wrong, they are indexed in the osnix instead of netfw. I would like to create a filter based on the source host but I don't find any examples in the official github documentation. for version 1 there is some but I am not sure if it applies to version 2. https://splunk.github.io/splunk-connect-for-syslog/1.110.1/configuration/#override-index-or-metadata-based-on-host-ip-or-subnet-compliance-overrides any suggestion? many thanks
... View more
Labels
- Labels:
-
syslog
09-02-2023
02:50 AM
Hi @gcusello , are you sure that app includes the basic Microsoft Defender included in any Microsoft OS? checking the app documentation mentions Microsoft 365 Defender and Defender for Endpoint products. Those are the EDR and SOAR solutions from Microsoft , no mention of the basic AV logs. https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory thanks
... View more
09-01-2023
06:53 AM
Hi, I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one. I read some people recommending "TA for Microsoft Windows Defender" but I see that it didn't get update since 2017. Any other option more recent? thanks.
... View more
Labels
- Labels:
-
inputs.conf
-
universal forwarder
08-25-2023
08:26 AM
I finally found the reason. it was due to the user configured to run the Splunk forwarder windows service. It was a local user account without necessary rights. I changed it to local system account and the events started to flow in.
... View more
08-25-2023
07:42 AM
I found the reason but not the solution. at the host level , the splunk forwarder does not have access to the sysmon event logs for some unknown reason. any idea? 08-25-2023 16:34:02.254 +0200 ERROR ExecProcessor [1340 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::subscribeToEvtChannel: Could not subscribe to Windows Event Log channel 'Microsoft-Windows-Sysmon/Operational'
08-25-2023 16:34:02.254 +0200 ERROR ExecProcessor [1340 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-Sysmon/Operational': errorCode=5
... View more
08-25-2023
02:26 AM
Hi, I am deploying sysmon all acrros our company but for some reason the sysmon events are not getting indexed Our deployment is the following: Splunk 9.0.5 running on Windows server sysmon index created manually in Splunk. inbound firewall rules created allowing traffic TCP in port 9997 Sysmon TA installed in the server in C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_sysmon default/input.cont enabled (by default) [WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
local/input.conf containing [WinEventLog://Microsoft-Windows-Sysmon/Operational]
index=sysmon Splunk Universal forwarder 9.1.0 deployed in all hosts All UF are reporting correctly to Splunk confirmed that sysmon TA is present in all hosts , deployed via forwarder management using a server class /etc/system/default/ouputs.conf is pointing to the right splunk server [tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = xxxxxx:9997
[tcpout-server://xxxxxx:9997] Sysmon 15 deployed in all hosts confirmed that the events are being created locally in the hosts in Microsoft-->Windows-->Sysmon tree But no single event appears in the sysmon index 😞 Does anyone have any idea or suggestion of what might be missing? many thanks
... View more
Labels
- Labels:
-
universal forwarder
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Monday
|
Karma given to
