Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Jordan54
Jordan54
New Member
Member since:
03-08-2017
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-08-2017 |
Activity Feed
- Posted In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Tagged In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Tagged In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Tagged In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Tagged In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Tagged In multisite Clustering, do both sites need to have the same amount of indexers and same size storage? on Getting Data In. 02-26-2018 11:38 AM
- Posted Why are some Windows Security events not logging in Splunk? on Getting Data In. 09-26-2017 07:20 AM
- Tagged Why are some Windows Security events not logging in Splunk? on Getting Data In. 09-26-2017 07:20 AM
- Tagged Why are some Windows Security events not logging in Splunk? on Getting Data In. 09-26-2017 07:20 AM
- Tagged Why are some Windows Security events not logging in Splunk? on Getting Data In. 09-26-2017 07:20 AM
- Tagged Why are some Windows Security events not logging in Splunk? on Getting Data In. 09-26-2017 07:20 AM
- Posted Re: Trying to blacklist event code with accesses on Splunk Dev. 07-28-2017 08:07 AM
- Posted Re: Trying to blacklist event code with accesses on Splunk Dev. 07-27-2017 11:29 AM
- Posted Re: Trying to blacklist event code with accesses on Splunk Dev. 07-27-2017 11:09 AM
- Posted Re: Trying to blacklist event code with accesses on Splunk Dev. 07-27-2017 10:10 AM
- Posted Re: Trying to blacklist event code with accesses on Splunk Dev. 07-27-2017 05:24 AM
- Posted Trying to blacklist event code with accesses on Splunk Dev. 07-26-2017 12:51 PM
- Tagged Trying to blacklist event code with accesses on Splunk Dev. 07-26-2017 12:51 PM
- Posted Re: Configuring VMWare ESX hosts on Splunk on Getting Data In. 04-06-2017 09:28 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
02-26-2018
11:38 AM
So we are looking at doing a multisite clustering with replication across two sites. 1 site will have 320 gig log ingestion and the other will have 100 gig log ingestion. Do both sites need to have the same amount of indexers? What about storage? The size storage need to be the same as well?
Thanks in advance
... View more
09-26-2017
07:20 AM
I have a UF setup on a windows 2012 server. I am logging Win sec logs but I see some in the event viewer that are not going into splunk.. How can I get all the logs to go into Splunk from the windows server?
... View more
07-27-2017
11:29 AM
2:27:01.000 PM
07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=473041460
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: S-1-5-18
Account Name:
Account Domain:
Logon ID:
Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\
Handle ID: 0x204
Resource Attributes:
Process Information:
Process ID: 0x51c
Process Name: D:\Program Files
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
Collapse
EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security
Thanks
... View more
07-27-2017
11:09 AM
Sorry new to splunk.. what do you mean by paste on sample event?
Thanks
... View more
07-27-2017
10:10 AM
This is what I have.. Thanks again!
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
blacklist5=EventCode="4663" Message=”Accesses:ReadData\s+(or\s+ListDirectory)"
index = oswinsec
renderXml=false
... View more
07-27-2017
05:24 AM
Thanks for the suggestion, but that didn't seem to help. Any other suggestions?
... View more
07-26-2017
12:51 PM
Hello.. I am trying to black list a event code with a message and it is not working.. I have my code posted below. Am I missing something? Thanks!
blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"
... View more
- Tags:
- splunk-enterprise
04-06-2017
09:28 AM
Are you suggesting having the logs go through log insight and then pick them up from there?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
