Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MoienABO
MoienABO
Loves-to-Learn Lots
Member since:
06-01-2022
07-30-2023
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-01-2022 |
Activity Feed
- Posted Re: Kaspersky Syslog Data Field Extraction on Getting Data In. 07-29-2023 02:02 AM
- Posted Kaspersky Syslog Data Field Extraction on Getting Data In. 07-28-2023 10:45 AM
- Posted Re: Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-07-2022 05:56 AM
- Posted Re: Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-07-2022 12:25 AM
- Posted Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-05-2022 11:45 PM
- Tagged Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-05-2022 11:45 PM
- Tagged Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-05-2022 11:45 PM
- Tagged Defining new user in a new role with access to a specific index, does not show results on Splunk Enterprise. 12-05-2022 11:45 PM
- Posted Why do I have a disk space warning for /opt/splunk/var/lib/splunk/audit/db but i have over 300 GB free on disk on Deployment Architecture. 06-01-2022 02:01 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-29-2023
02:02 AM
hi @gcusello Thanks for your answer. I use second transformation because second part of log contains useful fields such as Application, user and .... I need to extract them I also know about defining knowledge Objects related to this add on and will define them later. but now, field extraction is my concern and it not worked event with your configurations too. maybe you' re right and i should use Add-On Builder App.
... View more
07-28-2023
10:45 AM
Recently, I changed Kaspersky Security Center log format to syslog (because of limitation of CEF) and We're receiving these logs in SPLUNK. but I found there is no suitable TA for such logs. so I decided to create transforms.conf and props.conf files to parse this log format. Here is my sample log: Jul 26 16:44:56 172.31.0.254 1 2023-07-25T03:43:00.000Z comuter1 KES|11.0.0.0 - 000000g1 [event@23448 et="000000g1" tdn="Protection" etdn="Protection components are disabled" hdn="COMPUTER1" hip="172.24.7.139" gn="GPA" kscfqdn="something.root.holdings"] Event type: Protection components are disabled\r\nName: test.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.0.0\r\nProcess ID: 18446744073709551615\r\nUser: COMPUTER1\Administrator (Active user)\r\nComponent: Protection and here is my props.conf and transforms.conf props.conf: [kasperskylab:securitycenter:syslog]
SHOULD_LINEMERGE = false
KV_MODE = none
REPORT-outer_fields = get_outer_fields, get_inner_fields transforms.conf: [get_outer_fields]
REGEX = ^(?<timestamp>[a-zA-Z]{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+(?<device>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\S+\s+\d+-\d+-\d+\w+:\d+:\d+\.\d+\w+\s+(?<src>\S+)\s+(?<app>[^\s]*)\s+-\s+\S+\s+.*?hip="(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s+gn="(?<gn>[^"]+)"\s+kscfqdn="(?<fqdn>[^"]+)"]\s+(?<key_value_list>.*)
[get_inner_fields]
SOURCE_KEY = key_value_list
DELIMS = "\\r\\n", ":" but it seems only my first part (get_outer_fields) only works and nothing happens in second part (get_innter_fields). i also change my configs to replace "\r\n" with ";". here is my changes: props.conf: [kasperskylab:securitycenter:syslog]
SHOULD_LINEMERGE = false
KV_MODE = none
SEDCMD-event_cleaner = s/\\r\\n/;/g
REPORT-outer_fields = get_outer_fields, get_inner_fields transforms.conf: [get_outer_fields]
REGEX = ^(?<timestamp>[a-zA-Z]{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+(?<device>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\S+\s+\d+-\d+-\d+\w+:\d+:\d+\.\d+\w+\s+(?<src>\S+)\s+(?<app>[^\s]*)\s+-\s+\S+\s+.*?hip="(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s+gn="(?<gn>[^"]+)"\s+kscfqdn="(?<fqdn>[^"]+)"]\s+(?<key_value_list>.*)
[get_inner_fields]
SOURCE_KEY = key_value_list
DELIMS = ";", ":" but the result not changed. any idea?? Any help is greatly appreciated.
... View more
Labels
- Labels:
-
props.conf
-
transforms.conf
12-07-2022
05:56 AM
All of indexes listed above
... View more
12-07-2022
12:25 AM
Thanks for your answer all capabilities for that role are checked and in "indexes" section, cisco-asa, cisco-devices, cisco-ise, dhcp, fortigate and waf are checked. Here is a picture of authorize.conf:
... View more
12-05-2022
11:45 PM
Hi splunkers, I've defined a new role and check all capabilities for that but just access to a specific index. when i search in that index, it doesn't show any results for me. With another user and another role i can search in that index. Something wired is when i change the user role to for example "user", the search results shown. is there a limit in number of roles can be defined in splunk? How can i troubleshoot these kindes of permissions in splunk logs?
... View more
- Tags:
- permission
- roles
- users
Labels
- Labels:
-
administration
06-01-2022
02:01 AM
I have 2 partitions on my centos. The first one is 20 GB and mounted on / and the second one is 300 GB and mounted on /opt. Splunk service is in /opt/splunk directory and i have 300 free on this partition. but i got disk space warning on / partition.
please help!
... View more
Labels
- Labels:
-
capacity planning
-
Linux
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-30-2023
04:24 PM
|
