Activity Feed
- Karma Roles from LDAP (nested groups) for terago. 06-05-2020 12:45 AM
- Karma Re: Alert if no events seen in X hours for Ledion_Bitincka. 06-05-2020 12:45 AM
- Karma Re: Simple(?) realtime chart example for Ron_Naken. 06-05-2020 12:45 AM
- Karma Re: Simple(?) realtime chart example for Ron_Naken. 06-05-2020 12:45 AM
- Got Karma for Events in dashboard panels not wrapping. 06-05-2020 12:45 AM
- Got Karma for Alert if no events seen in X hours. 06-05-2020 12:45 AM
- Posted Forwarders on Win 2008 SP1 stop forwarding events on Getting Data In. 08-22-2011 05:42 AM
- Tagged Forwarders on Win 2008 SP1 stop forwarding events on Getting Data In. 08-22-2011 05:42 AM
- Tagged Forwarders on Win 2008 SP1 stop forwarding events on Getting Data In. 08-22-2011 05:42 AM
- Tagged Forwarders on Win 2008 SP1 stop forwarding events on Getting Data In. 08-22-2011 05:42 AM
- Posted Re: No python.exe included with universal forwarder? on Getting Data In. 06-27-2011 07:51 AM
- Posted Re: No python.exe included with universal forwarder? on Getting Data In. 06-24-2011 10:51 AM
- Posted Re: No python.exe included with universal forwarder? on Getting Data In. 06-24-2011 10:48 AM
- Posted Re: No python.exe included with universal forwarder? on Getting Data In. 06-24-2011 08:26 AM
- Posted No python.exe included with universal forwarder? on Getting Data In. 06-24-2011 07:45 AM
- Tagged No python.exe included with universal forwarder? on Getting Data In. 06-24-2011 07:45 AM
- Posted Re: Simple(?) realtime chart example on Dashboards & Visualizations. 05-16-2011 08:49 AM
- Posted Simple(?) realtime chart example on Dashboards & Visualizations. 05-13-2011 10:16 AM
- Tagged Simple(?) realtime chart example on Dashboards & Visualizations. 05-13-2011 10:16 AM
- Tagged Simple(?) realtime chart example on Dashboards & Visualizations. 05-13-2011 10:16 AM
08-22-2011 05:42 AM
We're noticing that all of our Windows 2008 SP1 machines stop forwarding events from the security event log over the weekend. This appears to coincide with our EventArchiver process rotating/clearing the logs locally on the systems. This problem does not occur with XP, 2008 R2, or Windows 7 environments. Searching around I found something that appears to be similar at:
http://splunk-base.splunk.com/answers/3456/windows-event-logs-stop-forwarding-why
but it was from over a year ago. Does anyone know if that particular thread still applies to current (4.2.2) forwarders? Events do not get sent on until the universal forwarder service gets stopped/started manually.
06-27-2011 07:51 AM
It appears that the error looking for Python.exe only shows up when you run splunk.exe without any arguments. "splunk help" or "splunk list monitor" for example return expected results.
06-24-2011 10:51 AM
Do you have a python.exe anywhere in C:\Program Files\SplunkUniversalForwarder? I'm getting the impression that everyone assumes that there is Python installed elsewhere on the Windows clients, which is not the case in my environment.
06-24-2011 10:48 AM
Loading the files from the main Splunk instance seemed to accept the file but then nothing happened, or at least no events from that file were able to be seen later. That was the first attempt. After that I read here that one would have to process the .evt files from a Windows machine because of .dlls that are required to see the data.
I think at this point I just need to install Python on one of my Windows forwarders. I assumed that Python came with the forwarders so I was surprised when splunk.exe would not run.
06-24-2011 08:26 AM
Correct. Agents were installed on several Linux and Windows clients months ago and configured to send audit data / security event logs back to the central indexer. That works and has worked pretty much flawlessly from day one. Now I have a requirement to be able to load Windows security events from before the Splunk installation, which we have in .evt and .evtx files.
06-24-2011 07:45 AM
I have a need to import older Windows .evt files into my Splunk environment. Since the Splunk server is on Linux I got the impression that I would only be able to import the .evt files from one of my Windows clients that I have the universal forwarder installed on. However, when I go to run the splunk.exe CLI to add monitors I get an error stating that Python.EXE cannot be located, and it is indeed not anywhere in the SplunkUniversalForwarder tree. Is there another way to add this data that I'm not thinking of?
- Tags:
- universal-forwarder
05-16-2011 08:49 AM
Thanks, that definitely put me in the right direction. The only issue I seem to have now is that zero values don't factor into the charting. The search I'm playing with is:
host=*|chart count by _time,sourcetype
Which in my case shows me counts for linux_audit and WinEventLog::Security, however for periods where no data is coming in the chart doesn't update, and leaves the previous non-zero count until a new non-zero number shows up. Is there a way to avoid this behavior?
05-13-2011 10:16 AM
I'm trying to figure out how real-time charts are built and so far I've had zero success. Even doing something like creating a line chart with 'host=* | stats count' to show event counts over time isn't working. Is this something that can be done with simple XML or do I have to switch to advanced XML?
04-29-2011 11:24 AM
1 Karma
Using the following search:
|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime
I am able to get a list of all hosts and when the last time Splunk saw an event from that host. What I would like to do is create a saved search based off of this sort of search that I can use as an alert if lastTime is greater than some number of hours for any particular host. I was imagining something along the lines of
|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime |where NOW - lastTime > 12h
Or something along those lines. Is there a function that would give me NOW (current date/time) and if so, is this the right approach to get what I'm after?
- Tags:
- alerts
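One way to write the "host went quiet" search the post above is asking for, as an added example that is not part of the original post or of Splunk's documentation. It uses the `metadata` command's `lastTime` field (epoch seconds) together with the `eval` function `now()`, which does exist in SPL; the `index=*` scope and the 12-hour threshold are assumptions chosen to match the post, and the arithmetic is done on the epoch value before `convert` turns it into a readable time, since `convert ctime` replaces the field with a string that cannot be compared numerically.

```spl
| metadata type=hosts index=*
| eval hours_since_last = round((now() - lastTime) / 3600, 1)
| where hours_since_last > 12
| convert ctime(lastTime) AS last_seen
| table host, last_seen, hours_since_last
| sort - hours_since_last
```

Saved as a scheduled search (for example run hourly) with the trigger condition "number of results > 0", it fires only when at least one host has been silent longer than the threshold; the result rows list which hosts, so the alert is actionable for a log-source-health check rather than a single yes/no.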
04-21-2011 08:15 AM
Thanks for the reply. If my first read of the transaction documentation is correct it needs to key off of a common field in each of the events. What I look at when doing a manual review is a section that looks like:
audit([epoch_time].[milliseconds]:[audit_event])
where [audit_event] is the important part between the 3 lines of correlated audit data. Splunk currently doesn't see that as a field so I'll have to tell Splunk that is important first, correct?
04-21-2011 07:05 AM
In my test environment I have several Windows and Linux systems using the Splunk forwarder to send audit logs to the main Splunk server. We have a requirement to detect and investigate failed accesses to security-relevant objects (SROs), which is basically a list of files or directories that we specify. Detecting failed access to SROs with Windows audit events is relatively easy since that is a single event with a well-known event ID. However in Linux the raw audit data looks like 3 separate audit events with a common event id. I've started down the path of creating a custom search script and am able to read in the event data from splunk.Intersplunk.getOrganizedResults but I'm stuck at the point of generating an event to put into splunk.Intersplunk.outputResults. Is there a method to generate a new event (transient?) to return from my saved search?
04-08-2011 02:23 PM
1 Karma
I've created a dashboard with several panels, each running different searches. The panels that use saved searches (searchName) wrap the events but will not use the paginators. The panels that use ad hoc searches (searchString) will paginate but will not wrap the events, forcing scrollbars on the panel. I need the results to be wrapped AND paginated; what is the best approach?
- Tags:
- dashboard