Activity Feed
- Karma Re: Search results - How to prevent DNS resolution for PaulPanther. 02-21-2023 06:35 AM
- Posted Re: Search results - How to prevent DNS resolution on Splunk Search. 02-21-2023 06:34 AM
- Posted How to prevent DNS resolution? on Splunk Search. 02-21-2023 02:55 AM
- Posted What are some Syslog storage recommendations? on Getting Data In. 07-14-2022 12:20 PM
- Posted Re: Searching - No results found. Try expanding the time range. on Splunk Search. 07-14-2022 09:33 AM
- Posted Firewall logs going into separate index: Why the error "Searching - No results found. Try expanding the time range"? on Splunk Search. 07-14-2022 09:31 AM
- Posted Re: Best practice when it comes to managing multiple firewall logs on Getting Data In. 06-15-2022 06:16 AM
- Posted Re: Best practice when it comes to managing multiple firewall logs on Getting Data In. 06-15-2022 05:25 AM
- Posted Re: Best practice when it comes to managing multiple firewall logs on Getting Data In. 06-15-2022 05:24 AM
- Posted Best practice when it comes to managing multiple firewall logs on Getting Data In. 06-14-2022 08:43 AM
02-21-2023 06:34 AM
Yea, what we're using for Syslog collection is doing the name resolution. Not Splunk. I swear I deleted this as soon as I realised my mistake! Thanks for the input nonetheless.
02-21-2023 02:55 AM
Hey all,
Our raw syslogs are showing IP addresses of sourced events, but the results in Splunk are changing the IP addresses to their respective hostnames/FQDNs.
If I want to see the results without the name resolution how can I do this? I just need to see the IP addresses, as per the actual raw syslog.
Thanks,
Will
Labels: lookup
07-14-2022 12:20 PM
Hey all,
I need some advice regarding our syslog storage facility. We're using rsyslog and at the moment we've got all firewall logs going into a single log file, which is getting pretty large at this point. I'm then using the universal forwarder to send this over to Splunk. The log file at the moment is around 150 GB and growing. We've got plenty of space but I was wondering, is there a better way I should be approaching this? For example, should I break the logs up so that each firewall has its own directory and new sub-directories per day?
Any insight would be appreciated.
Thanks,
Will
Labels: Linux, syslog, universal forwarder
07-14-2022 09:33 AM
Just wanted to add that I'm in the directory of the index itself; inside the latest hot directory I can see it's populating with data.
07-14-2022 09:31 AM
Hey everyone,
I've got all our firewall logs going into a separate index.
When I perform a search just using the index as a value, for example index="sec-firewalls" the results vary quite a bit.
I get nothing for real-time unless I select all time (real-time). Under relative results I get nothing for today. Nothing for last 15 minutes, last 4 hours etc. Again, the only option that works is All time.
When I'm looking at real-time results, it's about 2hr30m behind.
I am using the Splunk Add-on for Cisco ASA for this index.
Anyone able to assist me with what's happening here?
Thanks,
Will
Tags: splunk-search
Labels: lookup
06-15-2022 06:16 AM
I have noticed that it's flagging logs from the ASAs with a sourcetype of %ASA-too_small.
06-15-2022 05:25 AM
Everything is currently going into main, but when I give it the value of main it won't take it. Not sure if I'm being very stupid here or what.
06-15-2022 05:24 AM
Hey Pickle,
So I've got a universal forwarder that monitors a directory; inside this directory each host that's sending syslogs has its own directory. For example:
- Parent Directory
-- ASA1
-- ASA2
-- ASA3
All of this is going to the main index in Splunk. This particular addon I'm using is asking to specify the index. It has a prefilled example of index="cisco_asa". When I input "main", it doesn't like it. What am I missing here?
Thanks,
Will
06-14-2022 08:43 AM
Hey all,
I'm looking for some advice. We currently have multiple ASAs which are sending logs to rsyslog. The logs are stored in folders based on the hostname. I currently have the universal forwarder monitoring the parent folder. When it comes to using Splunk addons such as "Firegen Log Analyzer for Cisco ASA", it's asking to specify an index. Do I need to compile all the logs from the ASAs into a single directory and then create an index for it? Both rsyslog and Splunk are on Linux (Ubuntu) hosts. Any help would be appreciated.
Thanks,
Will
Labels: universal forwarder