cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rh71rdu
Explorer
Member since: ‎07-18-2022
‎08-15-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎07-18-2022
View All

How to adjust the parser in Splunk to look for thi...

by in Splunk Enterprise
‎07-26-2022 07:10 PM
‎07-26-2022 07:10 PM
Hi! I have a stream of (Syslog) data coming from my Router via UDP into my workstation that is received and parsed by Splunk into fields, to identify (mostly) attempts to breach my router’s firewall by outside servers. Unfortunately the syslog stream consistently omits a space or Tab between the MAC address ‘item‘ and the source ip ‘item‘ like this: …OUT= MAC=00:00:00:00:00:00:8484:26:2b:9b:ea:bd:src=31.220.1.83… which causes all SRC IP address field to remain unparsed. If I could instruct Splunk to look instead for “:src=xx.xxx.xxx.xxx” or cleanse the data stream by converting all “:src=“ into “: src=“ (note the space) I think my Splunk Search will begin interpreting these ‘rogue’ Source IP fields and reveal some interesting attempts to access my network. Does anyone know how to adjust the parser in Splunk to look for things without a space or to cleanse the datastream before it is parsed? Thanks, Rob ... View more

Re: Why are Netfilter IPTables not showing results...

by in All Apps and Add-ons
‎07-25-2022 01:34 PM
‎07-25-2022 01:34 PM
Hi Rich, thank you for the thoughtful suggestion. I think the magnifying glass is on the right track. my query was: `iptables_datasource` (`traffic_denied`) `filter_badclients` | timechart `iptables_span` count as Denied_Connections by iptables_host. That resulted in no results.  currently Datasource is set to "index=* eventtype="linux_netfilter"" When I changed  "( clientip!="0.0.0.0" OR clientip!="255.255.255.255")"  to "()" it opened the floodgate on my dashboard. Now I'm getting a lot of events in "volumes of connections", "network services" and "destination ports", but still translation of IP to Client location or stats on Trend by Country. I then changed the index=* to each of the 13 splunk indexes and only "main" returns anything. So it feels like maybe I still need to either create a new bespoke index or configure CIM correctly and 'fix' that cim_modactions index. I'm still a little confused but grateful for your help and happy I'm moving forward 🙂 in any case thank you for getting me in the right direction. Rob ... View more

Why are Netfilter IPTables not showing results?

by in All Apps and Add-ons
‎07-25-2022 10:21 AM
1 Karma
‎07-25-2022 10:21 AM
1 Karma
Hi Splunk Community, I’m trying to get syslogs from my router to show up in Splunk "NetFilter IPtables”. Would be great to get this view showing "results" where it says “no results found"   I have configured the router to send syslog to my mac’s IP address, port 514 and set up a data input in Splunk Enterprise on port 514 to listen for Syslog (as opposed to “ linux_messages_syslog”) That seems to transmit because if I run "sudo tcpdump -lns 0 -w - udp and port 514 | strings” from my CLI, I get a result like this every few seconds:   x?bu? B?̫,? ?,?? ~??<132> 2022-07-25T12:13:03.696064-04:00 L4 FIREWALL[9488]: nflog_log_fw(), action=DROP reason=POLICY-INPUT-GEN-DISCARD hook=INPUT mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:8484:26:2b:9b:ea:bd:src=167.94.138.139 DST=xx.yy.zzz.www LEN=44 TOS=0x00 PREC=0x00 TTL=40 ID=2539 PROTO=TCP SPT=19169 DPT=8901 SEQ=3022021036 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (MSS=1460 )    And  this seems to work to some extent in splunk because I’m also picking up the messages now in “Splunk Search and Reporting” and in CIM.   This app seems to depend on:  TA_Netfilter (I unpacked and copied the TA_Netfilter into: “/Applications/Splunk/etc/apps/TA_netfilter/“. Seems to be installed... Splunk Enterprise 6.2+ (I’m running 9.0.0.1) Splunk Common Information Model 4.3+ (I have installed 5.0.1 on Splunk Enterprise, I did not change configuration in http://localhost:8000/en-US/app/search/cim_setup) I suspect I’m missing something simple. Could you pls suggest some reasons that this Netfilter IP Tables might not be working properly to help me troubleshoot?   Thanks, Rob ... View more
Labels

Re: How to send Logs with SYSLOG?

by in Installation
‎07-18-2022 02:09 PM
‎07-18-2022 02:09 PM
Hi, I'm trying to connect my router's syslog to Splunk enterprise on my Mac as a "hello world," to see Splunk in action.  I have installed Splunk>enterprise and started that successfully. I opened 127.0.0.1:8000 and added a UDP data input with port 514 and a source type "syslog". It is enabled. On my router I have logged in and configured the syslog to be sent to my mac's internal ip address 192.168.1.244:514 (the one on ethernet, all other network cards on this mac are down) with log level L0--Emergency.  I know UDP isn't perfect and drops packets but my Mac is up continuously and I expected this to send all logs to my Mac port 514 to be captured by Splunk enterprise that is running. However in Splunk I am only getting a 2 events (found by searching for the number "0"). 14 devices are on my network (including iPhones, iPads, Macs, windows, watch, HomePods, as well as some iot devices like a Blink! camera hub with 4 cameras.) so I would expect a lot of traffic on the syslog Do you have any suggestions as to how to see more (or generate more) in the log... I was hoping to check email on my iPhone or do a google search and see some connections to the server. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-15-2022 03:30 PM
Karma from
View All
Karma given to
View All