Activity Feed
- Posted Re: Forwarding syslog to third-party software on Splunk Enterprise. 09-18-2024 07:52 AM
- Posted Re: Forwarding syslog to third-party software on Splunk Enterprise. 09-16-2024 03:25 AM
- Posted Forwarding syslog to third-party software on Splunk Enterprise. 09-12-2024 08:55 AM
- Posted Re: How to get Resource Usage information of Heavy Forwarders in Monitoring Console on Deployment Architecture. 02-26-2024 09:17 AM
- Posted How to get Resource Usage information of Heavy Forwarders in Monitoring Console on Deployment Architecture. 02-20-2024 02:45 AM
- Tagged How to get Resource Usage information of Heavy Forwarders in Monitoring Console on Deployment Architecture. 02-20-2024 02:45 AM
- Karma Re: Splunk Nodes Restart for isoutamo. 12-05-2023 01:12 AM
- Posted Re: Splunk Nodes Restart on Splunk Enterprise. 12-01-2023 12:28 PM
- Karma Re: Email Alerts for richgalloway. 12-01-2023 12:20 PM
- Posted Re: Email Alerts on Alerting. 12-01-2023 07:52 AM
- Posted Splunk Nodes Restart on Splunk Enterprise. 12-01-2023 06:44 AM
- Tagged Email Alerts on Alerting. 12-01-2023 06:25 AM
- Posted Email Alerts on Alerting. 12-01-2023 05:55 AM
09-18-2024 07:52 AM

Hello, we configured rsyslog and it is now receiving logs from appliances, saving them locally to disk and sending copies to the remote destinations on the client side. But we now have problems with indexing, as data is not being received anymore from the HFs. I think the UFs are undersized to perform all of these activities. Is there a way to check if we have a performance problem now? Thank you, Andrea
09-16-2024 03:25 AM

Thank you @PickleRick, we'll try to use rsyslog instead of Splunk to forward the logs and let you know if we solved the issue. Can you please tell me what you think about the duplicate events in the index? What should I investigate? Thank you, Andrea
09-12-2024 08:55 AM

Good evening everyone, we have a problem in a Splunk cluster, composed of 3 indexers, 1 CM, 1 SH, 1 Deployer, 3 HF, 3 UF. The UFs receive logs from different Fortinet sources via syslog, and write them to a specific path via rsyslog. Splunk_TA_fortinet_fortigate is installed on the forwarders. These logs must be saved to a specific index in Splunk, and a copy must be sent to two distinct destinations (third-party devices), in two different formats (customer needs). Since the formats are different (one of the two contains TIMESTAMP and HOSTNAME, the other does not), via rsyslog they are saved to two distinct paths applying two different templates. So far so good.

The issues we have encountered are:
- Some events are indexed twice in Splunk
- Events sent to the customer do not always have a format that complies with the required ones

For example, in one of the two cases the required format is the following:

```
<PRI> date=2024-09-12 time=14:15:34 devname="device_name" ...
```

But looking at the sent packets via tcpdump, some are correct, others are in the format

```
<PRI> <IP_address> date=2024-09-12 time=14:15:34 devname="device_name" ...
```

and more in the format

```
<PRI> <timestamp> <IP_address> date=2024-09-12 time=14:15:34 devname="device_name" ...
```

The outputs.conf file is as follows:

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://indexer_1:9997]
[tcpout-server://indexer_2:9997]
[tcpout-server://indexer_3:9997]

[tcpout:default-autolb-group]
server = indexer_1:9997,indexer_2:9997,indexer_3:9997
disabled = false

[syslog]

[syslog:syslogGroup1]
disabled = false
server = destination_IP_1:514
type = udp
syslogSourceType = fortigate

[syslog:syslogGroup2]
disabled = false
server = destination_IP_2:514
type = udp
syslogSourceType = fortigate
priority = NO_PRI
```

This is the props.conf:

```
[fgt_log]
TRANSFORMS-routing = syslogRouting

[fortigate_traffic]
TRANSFORMS-routing = syslogRouting

[fortigate_event]
TRANSFORMS-routing = syslogRouting
```

and this is the transforms.conf:

```
[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup1,syslogGroup2
```

Any ideas? Thank you, Andrea

Labels: administration, troubleshooting
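As an added check (example code, not from the thread or from Splunk), the three packet shapes quoted above can be classified from a text dump of the captured UDP payloads, so that non-compliant packets and repeated Fortinet event bodies are counted before the customer sees them. The sample lines are constructed; the regexes assume an RFC 3164 or ISO 8601 timestamp and an IPv4 host in the prefix.

```python
import re
from collections import Counter

# Building blocks for the three shapes seen in the tcpdump capture.
PRI = r"<(?P<pri>\d{1,3})>"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# "Sep 12 14:15:34" (RFC 3164) or an ISO 8601 timestamp (RFC 5424)
TS = r"(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T[\d:.+\-Z]+)"
# The FortiGate key=value body that the customer format must start with.
FORTI = r"(?P<body>date=\d{4}-\d{2}-\d{2} time=\d{2}:\d{2}:\d{2} .*)"

SHAPES = [
    ("required", re.compile(rf"^{PRI} ?{FORTI}$")),              # <PRI> date=...
    ("pri+ip", re.compile(rf"^{PRI} ?{IPV4} {FORTI}$")),         # <PRI> <IP> date=...
    ("pri+timestamp+ip", re.compile(rf"^{PRI} ?{TS} {IPV4} {FORTI}$")),
]

def classify(line):
    """Return (shape name, Fortinet body) for one captured payload."""
    for name, rx in SHAPES:
        m = rx.match(line.strip())
        if m:
            return name, m.group("body")
    return "unknown", None

def audit(lines):
    """Count payloads per shape and list event bodies that were sent more than once."""
    counts, bodies = Counter(), Counter()
    for line in lines:
        shape, body = classify(line)
        counts[shape] += 1
        if body:
            bodies[body] += 1
    dups = [b for b, n in bodies.items() if n > 1]
    return counts, dups

# Constructed sample payloads (as extracted from a capture), one per observed shape
# plus a repeat of the first event, which is the kind of duplicate worth checking for.
SAMPLE = [
    '<189>date=2024-09-12 time=14:15:34 devname="fgt-1" logid="0000000013" type="traffic"',
    '<189> 10.0.0.5 date=2024-09-12 time=14:15:34 devname="fgt-1" logid="0000000014" type="traffic"',
    '<189>Sep 12 14:15:34 10.0.0.5 date=2024-09-12 time=14:15:35 devname="fgt-1" logid="0000000020" type="event"',
    '<189>date=2024-09-12 time=14:15:34 devname="fgt-1" logid="0000000013" type="traffic"',
]

if __name__ == "__main__":
    counts, dups = audit(SAMPLE)
    print(dict(counts))
    print("duplicated bodies:", len(dups))
```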
02-26-2024 09:17 AM

Hi @kiran_panchavat, thank you for all the information. I was already able to list HF info in the MC/Forwarders menu. What I need is to have HFs also listed in MC/Resource Usage, where right now I have only the Cluster Manager and Indexer nodes. Kind regards, Andrea
02-20-2024 02:45 AM

Hello, I have a multi-site cluster at version 9.0.1, with several Indexers, SHs, and HFs/UFs. The Monitoring Console is configured on the Cluster Manager, and "Forwarder Monitoring" is enabled, which allows me to see the status of the forwarders. What is missing is the possibility to select HFs in the Resource Usage section of the Monitoring Console. They are not available. How can I get them to appear in Resource Usage in the Monitoring Console? Thank you, Andrea

Labels: heavy forwarder
12-01-2023 12:28 PM

Hi isoutamo, sorry for the dumb question, but do I have to put only the MN in maintenance mode, or also the other nodes (except the SH)? Do I also have to stop Splunk manually, or is it automatically stopped during the OS shutdown? Thank you, Andrea
12-01-2023 07:52 AM

Thank you @richgalloway. Is there a way to avoid losing alerts generated during the SMTP server offline period? Thank you, Andrea
12-01-2023 06:44 AM

Hello, we need to patch the OS of our Splunk Enterprise cluster distributed on 2 sites, A & B. We will start the activity on site A, which contains one Deployer Server, two SHs, one MN, three Indexers and three HFs. Site B contains one SH, three Indexers and one HF and will be updated later. Considering that the patching of the OS will require a restart of the nodes, can you please tell me the Splunk best practice to restart the Splunk nodes? I'd start with the SH nodes, then the Indexer nodes, Deployer, MN and HF, all one by one. Do I have to enable maintenance mode on each node, restart the node and disable maintenance mode, or is it sufficient to stop Splunk on each node and restart the machine? Thank you, Andrea

Labels: administration, upgrade
12-01-2023 05:55 AM

Hello, can you please tell me what happens to email alerts if the SMTP server used for email delivery is temporarily offline? Is there a buffer where alerts are saved and then sent once the SMTP server becomes available again? Is there a link to the Splunk documentation about that? Thank you, Andrea

Labels: email