Hi Splunkerz, we get this request quite often. Some hosting companies or service provider are running a multi-tenant Microsoft Active Directory. They are using the same DC's for multiple companies with in the same Active Directory. For example they have two DC's that are used by Company A and Company B in one global domain called serviceprovider.local . There are two subdomains like companyb.serviceprovider.local and so on. But all the administration and operation is done by a service provider. Now the service provider will offer those two companies some reports with Splunk. Maybe they should be able to their own search head instance to do this by themselves. Is there a way to separate the WinEventLog:Security information in an special index per customer? I am totally aware about the routing and filtering function in Splunk. If I have a clear filter criteria like the subdomain this will be possible. But this is not the case. What about WMI? I know this is not best practice but can I separate the logs there? Does anybody solved this problem already? ... View more

Hi Splunkers, We have a customer that is collecting Check Point fw, ips, and vpn logs via Opsec. Check Point version is R77. At the moment, Splunk is indexing about 30 gigabyte per day. If we look at the log directory at Check Point smartcenter, we only see something about 3 gigabytes (rotating every 2GB) for the specific day, but Splunk has indexed 30 gigabytes. I found out that Check Point logs are written in binary, but are they also saved in a compressed way? Does anybody know how the OPSEC script from Splunk is pulling the logs? Is it just reading the files or is there an APIcall directly to the smart center? How can we check why we have this gab between the logs files on the system and the indexed log volume? Thanks in advance ... View more

Hi all, I am struggling with the field extractions in TA-squid. I have tried the TA-squid with Splunk 6.0 (which is required as you can see at splunk base) and 6.2 on a fresh and clean splunk installation. The setup: Squid is running on ubuntu with a splunkforwarder on it. Splunkforwarder is reading the access_splunk.log and sends it to the indexer. I can't see any issue, because I can see the events with sourcetype=squid on my indexer. But I only see the field "tag" which points out proxy and web. I can't see the fields described in props and transforms. There is no issue with permission. TA-squid is defined as global. I am not deep into regex, but can it be that the regex is just wrong? Running squid version is 3.3.8 on Ubuntu. I have done the customization of squid log events in squid.conf: # The format definitions squid, common, combined, referrer, useragent are built in. logformat squid %ts.%03tu %6tr 127.1.%{%H}tl.%{%M}tl %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt logformat splunkES %ts.%03tu %09tr %09>a %09>st %09Ss %09>Hs %09<st %09rm %09ru %09un %09Sh %09<A "%09mt" "%09{User-Agent}>h" "%09{Referer}>h" "%09{Cookie}>h" access_log /var/log/squid3/access_splunk.log splunkES access_log /var/log/squid3/access.log squid access_log none magellan log_ip_on_direct on The events look like this in splunk: 1433251217.917 000000086 1.1.1.114 000000259 TCP_MISS 000000200 000001396 CONNECT r2---sn-oxujvavbox-jbol.googlevideo.com:443 - HIER_DIRECT r2---sn-oxujvavbox-jbol.googlevideo.com " -" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" "-" "-" Time stamp is looking good. I can't see the fields described in props.conf and transforms.conf: props.conf: [root@magsplunk1 default]# cat props.conf [squid] TIME_FORMAT = %s.%3N MAX_TIMESTAMP_LOOKAHEAD = 15 KV_MODE = none SHOULD_LINEMERGE = false REPORT-squid = squid_fields LOOKUP-vendor_info_for_squid_proxy = squid_vendor_info_lookup sourcetype OUTPUT vendor,product transforms.conf [root@magsplunk1 default]# cat transforms.conf [squid] [squid_fields] REGEX = ^\d+\.\d{3}\s+(\d*)\s+([0-9{1,3}\.]*)\s+([0-9]*)\s+([^0-9]*)\s(\d{3})\s(\d*)\s+(\w*)\s+((http|ftp|https)://[^\s]+)\s+([^\s]*)\s+(\w*)\s+([0-9{1,3}\.]*)\s+([^/]+/[^ ]+)\s\"([^"]+)\"\s+\"([^\"]+)\"\s+\"([^\"]+)\" FORMAT = duration::$1 src::$2 bytes_in::$3 action::$4 status::$5 bytes_out::$6 http_method::$7 url::$8 protocol::$9 user::$10 hierarchy_code:$11 destination::$12 http_content_type::$13 user_agent::$14 http_referrer::$15 http_cookie::$16 [squid_vendor_info_lookup] filename = proxy_vendor_info.csv This are the default config files, but this fields are beeing not extracted. I have set the sorucetype = squid in my inputs.conf [monitor:///var/log/squid3/access_splunk.log] disabled = 0 host = mag-squid index = proxy sourcetype = squid ... View more