×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sgabriel1962
Explorer
Member since: ‎01-26-2023
‎12-26-2024
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎01-26-2023
Activity Feed
View All

Exchange 2019 - How to configure Edge Transport se...

by in All Apps and Add-ons
‎12-26-2024 05:36 PM
1 Karma
‎12-26-2024 05:36 PM
1 Karma
Being completely new to this:  Our SMTP servers gathered data completely before using the SMTP Add-on. My Doman admin Now wants me to start ingesting D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\.   So I have deployed TA-Exchange-Mailbox from the TA-Exchange App download from Splunkbase.  I also deployed TA-exchange-SMTP.   The TA-exchange-smtp  local/inputs.conf file looks like this - only made a couple changes in the path: [monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\...\*] index = smtp sourcetype = exchange:smtp added this one after install: [monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*] index = smtp sourcetype = MSExch2019:Tracking So I am not 100% sure this is correct. For the TA-Exchange-Mailbox - I have 3 stanzas based upon the info from this forum previous messages: [monitor://D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking] whitelist=\.log$|\.LOG$ time_before_close = 0 sourcetype=MSExchange:2019:MessageTracking queue=parsingQueue index=smtp disabled=0 [monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpReceive] whitelist=\.log$|\.LOG$ time_before_close = 0 sourcetype=MSExchange:2019:SmtpReceive queue=parsingQueue index=smtp disabled=false [monitor://D:\Exchange Server\TransportRoles\Logs\*\ProtocolLog\SmtpSend] whitelist=\.log$|\.LOG$ time_before_close = 0 sourcetype=MSExchange:2019:SmtpSend queue=parsingQueue index=smtp disabled=false Again - I know nothing in regards to this level of data gathering so Im hoping one of you all who have will be able to guide me in the right direction so that I can begin ingesting. ... View more

Config validation failure reported in peer.

by in Splunk Enterprise
‎06-27-2024 12:01 PM
‎06-27-2024 12:01 PM
Config validation failure reported in peer=usxzvrspidx1.usaccess.gsa.gov guid=62899FCC-C4E8-4A86-903D-C72234AE7F38. In index '_audit': Failed to create directory '/opt/splunk/var/lib/splunk/cold/audit/colddb' (File exists); . I made a change to my my indexes: [wineventlog] homePath = volume:hotwarm/wineventlog/db coldPath = volume:cold/wineventlog/colddb thawedPath = $SPLUNK_DB/wineventlog/thaweddb maxDataSize = auto_high_volume coldPath.maxDataSizeMB = 0 maxWarmDBCount = 300 frozenTimePeriodInSecs = 33696000 repFactor = auto [syslog] homePath = volume:hotwarm/syslog/db coldPath = volume:cold/syslog/colddb thawedPath = $SPLUNK_DB/syslog/thaweddb repFactor = auto maxDataSize = auto_high_volume coldPath.maxDataSizeMB = 11059200 maxWarmDBCount = 4294967295 frozenTimePeriodInSecs = 33696000 Since this change  the indexers quit receiving data from their forwarders.   So I want to put the values back and Im getting this error when I want to apply the bundle change  Need help on how to fix this   ... View more
Labels

Re: Information Disclosure Vulnerability - Splunk ...

by in Splunk Enterprise
‎01-19-2024 11:56 AM
‎01-19-2024 11:56 AM
I have a similar situation in my environment - making the changes to the restmap.conf prevents the App Launcher from loading  this is true  -  and I have version 9.1.2  where the fix must should have been fixed   ... View more

Re: Incomplete UserID

by in Splunk Search
‎11-21-2023 09:48 AM
‎11-21-2023 09:48 AM
I can work from this - this is great thanks = but how can I now only record login attempts > 4 and ignore all others ... View more

Re: Incomplete UserID

by in Splunk Search
‎11-21-2023 09:11 AM
‎11-21-2023 09:11 AM
We are configuring for Brute Force login attempts, failures obviously.  Here is the search string we have put together as we are working from TAs coming from Splunkbase.    index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort – count The list is coming back with all sorts of combinations as listed already, Im attempting to exclude IDs such as USERNAME or host/* as they dont make any sense.   I cant post much publicly but you get the idea   ... View more

Re: Incomplete UserID

by in Splunk Search
‎11-21-2023 07:33 AM
‎11-21-2023 07:33 AM
where do I find this as Im using defaults coming out of the Windows TA ... View more

Incomplete UserID

by in Splunk Search
‎11-21-2023 06:43 AM
‎11-21-2023 06:43 AM
How to I eliminate partial user id characters coming out of a search query?   Here are examples of incomplete userIDs - whereupon they shouldnt appear at all:   The middle GSA line is the correct example userID- the rest is garbage and I want to eliminate that 01022703 021216 07602381 "1206931120@GSA.GOV" 177 177670 1969412 232789 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-26-2024 09:58 PM
Karma from
View All
Karma given to
View All