Activity Feed
- Posted SAML/SSO setting with Azure ID multi tenants on Security. 06-19-2024 09:19 AM
- Posted Using Microsoft AMA agent to send logs to splunk on Splunk Enterprise. 01-15-2024 08:42 AM
- Posted Re: Why are Licensing pages failing to render and shows error "Mako failed to render"? on Splunk Enterprise. 01-02-2024 08:42 AM
- Posted Search Head Cluster email setting between different SMTP servers on Splunk Enterprise. 11-02-2023 11:22 AM
- Got Karma for Re: Splunk Add on not working after being pushed by deployment server. 10-12-2023 05:22 AM
- Posted Re: Splunk Add on not working after being pushed by deployment server on Splunk Enterprise. 10-12-2023 03:27 AM
- Posted Splunk Add on not working after being pushed by deployment server on Splunk Enterprise. 10-11-2023 09:17 AM
- Posted Splunk infrastructure recommendations on Deployment Architecture. 08-23-2023 06:31 AM
06-19-2024 09:19 AM
Hello all, I need to configure SAML/SSO with Splunk but I'm having the following issues:
- I have 3 search heads in a cluster (without a load balancer 😕) => I can create a dedicated SAML config for each search head and disable the replication of the authentication.conf
- We have many tenants and we have users connecting from the different tenants to Splunk (currently we have multiple LDAP configurations) => I understood that Splunk only accepts one IdProvider with SAML, so users from other tenants will not be able to access Splunk with SSO.
- Ideally, we must have some users connecting with LDAP, but Splunk doesn't allow enabling both LDAP and SAML simultaneously 😕 or it is possible but requires a custom script for that.
Questions:
1- Has anyone worked on a script to enable LDAP and SAML?
2- Any idea about the best config from Azure ID regarding the multi-tenants and the B2B collaboration?
3- Any advice in general on how to better approach this issue? 🙏
Best
Labels: authentication, LDAP, SAML

01-15-2024 08:42 AM
Hello, I am looking for any guidance or info about the possibility of using Microsoft AMA agents to forward logs to Splunk instead of using Splunk universal forwarders. I know you will say "but why?!" Let's say I have some requirements and constraints that oblige me to use AMA agents 🙃 I need to know the feasibility of this integration and if there are any known issues or limitations. Thank you for your help. (Excuse me if my question is vague, I am kinda lost here 😕)

Labels: using Splunk Enterprise

01-02-2024 08:42 AM
Hello, I am having the same issue, and I understood that it could be due to a license violation. I just found out that even when a license peer can't connect to the license manager for 72 hours it will cause warnings (I'm not sure yet if a single error message = a warning or not!!). Check your internal logs (if you still have them) for this: index=_internal component=LMTracker ("failed to send rows" OR "unable to connect"). Then I understood that the warning/violation will be reset after 30 days (this period could be different too!), so I am assuming that after 30 days of the violation, the issue will disappear! The other possibility is to change the file /opt/splunk/share/splunk/search_mrsparkle/templates/licensing/overview.html and comment out the section where it checks for the pool quota violation (I haven't tried that yet).

11-02-2023 11:22 AM
Hello everyone, here is the story: we have a search head cluster with three members, let's call them sh1, sh2, sh3. These 3 search heads are not in the same domain/vlan, so each one used to have its own config of the SMTP server. Now we are having issues sending reports from Splunk, and I noticed that all 3 search heads are using just one SMTP server, so the emails will not be delivered. I tried to put the correct config for each search head in .../system/local/alert_actions.conf but it is still not working. For now I will try to allow the search heads to communicate with all SMTP servers, but I am not sure it is the best solution. Is there a config I am missing about the email setting in a search head cluster? Thank you.

Labels: configuration

10-12-2023 03:27 AM (1 Karma)
Thank you for your message. I checked all occurrences of the original app name in all files and I found that in many .py files the original name was used, so I replaced those with the new name. Now the inputs.conf seems to work and I can see logs; the issue I have now is that the UI of the app shows a new error: "Configuration page failed to load, the server reported internal errors which may indicate you do not have access to this page." I am checking again what other replacements I need to do.

10-11-2023 09:17 AM
Hello all, I installed a Splunk add-on on my heavy forwarder just to test it first, and it worked fine. After that I copied it (the entire directory) to the deployment server and I pushed it to the heavy forwarder because, you know, I want to manage everything from the deployment server (trying to be organized 😅). The issue is, from the heavy forwarder GUI, when I click on the app icon it doesn't load: it gives me "500 Internal Server Error" (with the picture of the confused horse 😂) and I have these error messages in the internal logs:
"ERROR ExecProcessor [2341192 ExecProcessorSchedulerThread] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/myapp_hf/bin/app.py" HTTP 404 Not Found -- Action forbidden."
I forgot to mention that I changed the name of the original app in app.conf 😅 I can't figure out why it is not working 😕 Thanks for your help, Kaboom1

Labels: configuration, development

08-23-2023 06:31 AM
Hello all, I need some suggestions/recommendations about enlarging our Splunk infra. What are the considerations of putting a heavy forwarder in a different network/vlan than the deployment server and the indexers? What are the considerations of putting indexers on different networks/vlans than the other indexers and the cluster master? Will there be any synchronization issues? The context here is that we will onboard new logs from a different network/domain/vlan and we were thinking of putting the heavy forwarder in the "new domain" to reduce the overhead with the firewall rules and to centralize data that will later be sent to the indexers. We were also wondering why not put a heavy forwarder and an indexer in the "new domain" and open the required flows towards/from the deployment server/cluster master/other indexers/search heads. Any comments or suggestions? Thank you so much.

Tags: distributed_infra, HF

06-05-2023 01:39 AM (1 Karma)
Thank you @richgalloway, indeed by simply selecting the option Restart Splunkd from the deployment server GUI (in Settings > Forwarder management > select your app, then click Edit and select: After installation: Restart Splunkd) logs start coming in 🙂

06-01-2023 07:58 AM
Hello @isoutamo, so the downloaded files have this structure: /opt/ciscologs/dnslogs/date/date-hour-text-csv.gz, for example: /opt/ciscologs/dnslogs/2023-06-01/2023-06-01-12-20-732d.csv.gz. I didn't run the script as root, I only use the splunk user, so the files are owned by the splunk user.

Tags: HF, local_data, umbrella

06-01-2023 07:50 AM
I didn't restart the HF because I am managing the conf files from a deployment server.

06-01-2023 07:25 AM
Hello, here is the deal: I am following this link to ingest Cisco Umbrella logs into Splunk: https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket (I know, you will say: why not use one of the existing apps in SplunkBase? I will say: I really don't know which one to use, they seem to do the same thing, plus I just want the raw logs, so getting the logs directly from the bucket is good enough 🙂). I downloaded the logs and stored them in the HF under /opt/ciscologs/ and I configured a simple inputs.conf file to read those files, with the idea that these logs will be sent to the indexers (because I already have the output file with the config to send data from the HF to the indexers).
But I don't see any logs being indexed, I don't see any events on the search head 😞
Here is the inputs.conf in the HF:

[monitor:///opt/ciscologs/dnslogs/*]
index = index_name
sourcetype = csv
#whitelist = 2023-*/*
disabled = 0
crcSalt = <SOURCE>
#_TCP_ROUTING = default-autolb-group

(The commented lines are settings that I have tried but still no luck.)
Any suggestions here? I am out of ideas.
Thanks.

Tags: HF, local_data, umbrella
Labels: data, heavy forwarder, indexer, inputs.conf