Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About token2
token2
Path Finder
Member since:
12-03-2019
05-16-2025
Community Statistics
| Posts | 31 |
| Solutions | 1 |
| Karma Given | 12 |
| Karma Received | 3 |
| Member Since | 12-03-2019 |
Activity Feed
- Posted ESXi and vSphere logs on Getting Data In. 05-16-2025 09:09 AM
- Karma Re: How to be able to reassign the Orphaned searches? for isoutamo. 07-11-2024 02:23 PM
- Posted PCAP analyzer whitelist and pcap naming convention on All Apps and Add-ons. 07-10-2024 10:44 AM
- Got Karma for Re: Explain to me like I'm 4, indexes.conf, the stanzas, change frozen to archive option. 05-19-2022 05:08 PM
- Posted Re: Explain to me like I'm 4, indexes.conf, the stanzas, change frozen to archive option on Deployment Architecture. 05-19-2022 04:52 PM
- Posted Explain to me like I'm 4, indexes.conf, the stanzas, change frozen to archive option on Deployment Architecture. 05-19-2022 01:11 PM
- Posted Re: How to monitor path in RHEL 8 but not RHEL 7? on Getting Data In. 04-20-2022 08:42 AM
- Karma Re: Garmin Add-On for Splunk Issue for erikwie. 04-19-2022 10:48 AM
- Posted How to monitor path in RHEL 8 but not RHEL 7? on Getting Data In. 04-19-2022 10:44 AM
- Got Karma for Re: Garmin Add-On for Splunk Issue. 01-28-2022 10:10 AM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 10-04-2021 09:08 AM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-03-2021 11:06 PM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-02-2021 12:13 AM
- Posted Re: Garmin Add-On for Splunk Issue on All Apps and Add-ons. 08-01-2021 08:25 PM
- Posted Re: Garmin Add-On for Splunk Issue on All Apps and Add-ons. 08-01-2021 06:08 PM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-01-2021 05:49 PM
- Posted Why is Secure Gateway Status Not Connected? on Splunk Enterprise. 08-01-2021 05:40 PM
- Karma Re: Splunk App for Windows Infrastructure default index issue for gcusello. 03-15-2021 04:30 PM
- Posted Re: Splunk App for Windows Infrastructure default index issue on Getting Data In. 03-12-2021 03:09 PM
- Karma Re: Splunk App for Windows Infrastructure default index issue for gcusello. 03-12-2021 03:09 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-16-2025
09:09 AM
Hello all, I am reviewing the Splunk add-on for vCenter Log and the Splunk add-on for VMware ESXi logs guides and have the following question: Are both required in an environment where vCenter is present, or is the Splunk add-on for VMware ESXi logs not necessary if so? Or in other words, is the add-on for VMware ESXi just for simple bare metal installs that do not use vCenter? Are ESXi builds with vCenter sending all of the ESXi logs up to vCenter anyhow and one needs only use the add-on for vCenter? Second question, am I reading correctly that the add-on for vCenter requires BOTH a syslog output and a vCenter user account for API access?
... View more
Labels
- Labels:
-
monitor
07-10-2024
10:44 AM
Hello all and hopefully @rechteklebe I currently have PCAP analyzer to the point that I can copy over a *.pcap or *.pcapng" file to the monitor folder and it will run it through tshark and make the output file that Splunk then ingests and powers the dashboards with. I found that Suricata on pfSense outputs the pcap files as log.pcap.<I think date data here>. Example log.pcap.1720627634 These seem to not get converted and ingested. I went to make a whitelist in the inputs.conf but running a btool check it comes back as an invalid key in stanza. I remembered the webUI section to do this also does not offer a whilelist/blacklist stanza so I guess you have that disabled somehow. I'm assuming one or some of you python scripts are filtering if the file is a *.pcap or *.pcapng. I'm finding it not an option to change file name format in the Suricata GUI in pfsense, or have rsync change the file names on copy or to have a bash script do it on the Linux host the files get moved to. Are there a set of python scripts I can change this whitelisting in? Or a way to enable whitelisting at the inputs.conf level? Or could a transforms fix this?
... View more
05-19-2022
04:52 PM
1 Karma
You have a gift at breaking things down!
... View more
05-19-2022
01:11 PM
Hello all, I'm finding the default indexer.conf settings too small, making various sourcetypes only searchable back about 4 months but I need a years worth/ability to search back to.
I've found numerous splunk posts on index.conf stanzas and settings, one more confusing than the next.
How the indexer stores indexes - Splunk Documentation
Configure index storage - Splunk Documentation
https://wiki.splunk.com/Deploy:BucketRotationAndRetention
I'm afraid I need a "explain to me like I'm 4 years old" post. What calculator or tool to use, and for what stanzas to effectively:
A) get search visibility into logs older than a few months
B) no longer roll buckets into Frozen (which seems to be aka 'deleted') but into archived, to facility easily restoring them when A) isn't as dialed in as thought.
... View more
Labels
- Labels:
-
indexer
04-20-2022
08:42 AM
Hello @gcusello , Do you have an example of stanzas that can segregate by OS version then specify directory to be monitored? Is there a GUI option or stanzas for the deployment server to identify RHEL 7 and RHEL 8 vs. just listing as Linux_(arch)?
... View more
04-19-2022
10:44 AM
Hello I am using the Spunk_TA_nix and a server class to push that out to all nix boxes, but server class is not granular enough to select between RHEL 7 and RHEL 8 boxes.
In RHEL 8 I want to monitor the path /var/log/audit but NOT in RHEL 7. Is there an inputs.conf stanza to try and accomplish directory monitoring by OS version? Or how else would one go about this?
... View more
Labels
- Labels:
-
Linux
10-04-2021
09:08 AM
Never fixed it, I just restored to an older version of Splunk 7 and forgoing the update to 8.
... View more
08-03-2021
11:06 PM
I had to revert my VM from a snapshot back to Splunk 8.0.1 using Splunk Cloud Gateway instead of Secure Gateway. It now works, I can register my device and check dashboards.
... View more
08-02-2021
12:13 AM
I can delete devices, I can somewhat register a device (error at the end of the process telling me to contact the admin). Thankfully production doesn't use this, but seems shaky for a built in app.
... View more
08-01-2021
08:25 PM
1 Karma
Doing a quick beyond compare of the "garminclient.py" found in the add-on and "garminclient.py" found in the garminexprot-master from github. There are a number of other changes as well, but I'm thinking between the time of this add-on being made and the last update to garminexport, there has been a change with the REST APIs authentication. Going to garminexport's Issues: https://github.com/petergardfjall/garminexport/issues June 12 Authentication failure I'm tempted to just copy over the python into the TA but I'm sure I wreck something...
... View more
08-01-2021
06:08 PM
I ran into what might have been the same issue as you. I went to var/log/ta_garmin_activities.log and it shows both what index=_internal showed: "Authenticating to Garmin Connect..." But then additional information "ERROR authentication failures: did you enter the valid credentials?" I tripple checked creds. I think there is an issue with the TA. Googling about Garmin API issues it looks like Garmin changes things from time to time and it breaks many a github python project's authentication (this TA uses a python project from github to grab the .fit files). I'm not technical enough to try and fix this or build a TA from scratch. Wish I was as its a real bummer this isn't working. A big part of getting my watch was the thought I could Splunk it...
... View more
08-01-2021
05:40 PM
I had the Splunk Cloud Gateway installed before it was standard (Splunk 7.x) and working, with alerts and dashboards accessible from my phone. I believe during a license update that stripped my account (new terms allows for only one account, so admin) broke it (stopped getting alerts). Since its a home lab and not prod I didn't dig into it.
Now that I am digging into it, the gateway dashboard is showing this:
SPL: index=_internal source=*cloud* ERROR AND NOT SUBSCRIPTION
Shows this:
I can register my device, but it can't see any dashboards, it seems to time out.
There seems to be a vacuum in google as to troubleshooting this except talk of using proxies. I am not running a proxy.
What could the issue be?
... View more
Labels
- Labels:
-
troubleshooting
03-12-2021
03:09 PM
@gcusello I get results if I input index=win* (in this case its index=windows). How does one go about changing the default path for the role via .conf files? I see it in the GUI: Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit LDAP group name user is affected by, added "winfra-admin". Where is this found inside of the Splunk file system?
... View more
03-11-2021
05:46 PM
I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed. I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected. I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search. By simply inputting index=windows the search then works. Where does the app designate the default index it's searches refer to?
... View more
Labels
- Labels:
-
index
03-09-2021
07:08 PM
I have setup a global account and REST URL that allows a successful POST of a vmware bearer token. How do I then extract that token to be used in subsequent data inputs? Or is this not possible with REST and should be done with a python module? (trying to avoid python, I don't know python).
... View more
Labels
- Labels:
-
development
03-03-2021
02:31 PM
Currently running Tenable Add-On for Splunk v4.0.1. It initially worked and allowed me to input an account (within the Configuration tab) and Input (within the inputs tab). Now the Inputs >> Account tab does not populate, there is a perpetual spinning animation and "loading". When going to Inputs, the account is no longer found in the saved input and cannot be added to it or a new input. I navigated to \Splunk\etc\apps\TA-tenable\local and verified that "ta_tenable_account.conf" was found, and within is the Tenable.sc instance IP, account, secret password etc all there. Should I try re-installing the app? I have already restarted the Splunk instance. Splunkd log has A LOT of TA-tenable\bin\tenable_securitycenter.py" errors from \Splunk\bin\Python3.exe" to name a few.
... View more
Labels
- Labels:
-
troubleshooting
08-08-2020
01:45 PM
Is it possible to share a sourcetype'd data between two apps? I have pfsense sending both firewall logs and Suricata eve json logs to the same UDP data input. The TA-pfsense app is sourcetyping, field extracting and indexing the various syslog types from pfsense. The TA-Suricata has the props.conf, lookups, eventtypes etc to extract relevant data from the eve json logs mixed into this UDP data stream. Is there a way to send the sourcetype:suricata from the TA-pfsense props to point to the TA-Suricata inputs.conf?
... View more
Labels
- Labels:
-
JSON
08-08-2020
10:51 AM
Why don't you make the props.conf not for json? The eve json has a lot more data This ELK dashboard is amazing and you need the additional fields to drive it https://github.com/robcowart/synesis_lite_suricata To be honest this seems to really give Splunk a run for the money https://www.youtube.com/watch?v=YA2tGrBQ4v0 Years ago I would have argued that Splunk has more support and documentation but I'm finding more and more tutorials geared towards ELK.
... View more
08-08-2020
10:12 AM
Sorry to4kawa, I'm not advanced enough to understand your answer. I changed the props to have your inputs, but not sure on what is and how to apply source="udp:514" | rex "(?<json>{.*})" | spath input=json Example of the TA-pfsense props.conf: [pfsense]
# timestamp fix to prevent default extraction issues when adding more apps
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# rest is original code
TRANSFORMS-pfsense_sourcetyper = pfsense_sourcetyper
SHOULD_LINEMERGE = false
# suspect the below 3 lines could be causing the time stamps being missing on some log types test 7.18.2020
# SEDCMD-event_cleaner = s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+\.\S+\s+/\1/g
# SEDCMD-event_cleaner2 = s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+/\1/g
# SEDCMD-event_cleaner3 = s/^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(\S+\s)/\1/g
[pfsense:filterlog]
KV_MODE = none
EXTRACT-ipv4_tcp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>tcp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<d
est_port>[^,]*),(?<payload_bytes>[^,]*),(?<vendor_tcp_flags>[^,]*),(?<sequence_number>[^,]*),(?<ack>[^,]*),(?<window>[^,]*),(?<urg>[^,]*),(
?<options>[^$]*)$
EXTRACT-ipv4_udp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>udp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<d
est_port>[^,]*),(?<payload_bytes>[^,]*)
EXTRACT-ipv4_icmp_request = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reaso
n>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offs
et>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<icmp_code>
request),(?<echo_id>\d+),(?<echo_sequence>\d+)
EXTRACT-ipv4_icmp_unreachport = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<r
eason>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<
offset>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<icmp_c
ode>unreachport),(?<icmp_dest_ip>[^,]*),(?<unreachable_protocol_id>[^,]*),(?<unreachable_port_data>[^$]+)$
EXTRACT-ipv4_redirect_icmp_unreach_timeexceed = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest
_int>[^,]*),(?<reason>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),
(?<id>[^,]*),(?<offset>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>
[^,]*),(?<icmp_code>redirect|unreach|timexceed),(?<icmp_text>[^$]+)$
EXTRACT-ipv4_carp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*
),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>carp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<carp_type>[^,]*),(
?<carp_ttl>[^,]*),(?<vhid>[^,]*),(?<version>[^,]*),(?<advbase>[^,]*),(?<advskew>[^,]*)
EXTRACT-ipv4_igmp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*
),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>igmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),datalength=(?<data_le
ngth>\d+)
EXTRACT-ipv4_pim = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>pim),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),datalength=(?<data_leng
th>\d+)
EXTRACT-ipv6_icmp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tra
nsport>ICMPv6),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),
EXTRACT-ipv6_tcp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tran
sport>TCP),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<dest_port>[^,]*),(?<payload_byte
s>[^,]*),(?<vendor_tcp_flags>[^,]*),(?<sequence_number>[^,]*),(?<ack>[^,]*),(?<window>[^,]*),(?<urg>[^,]*),(?<options>[^$]*)$
EXTRACT-ipv6_udp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tran
sport>UDP),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<dest_port>[^,]*),(?<payload_byte
s>[^,]*)
EXTRACT-ipv6-hbh = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),Options,\d+,\d
+,(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<extension_header>\w+),
REPORT-vendor_tcp_flag = pfsense_vendor_tcp_flag
EVAL-app = "pfsense:filterlog"
EVAL-bytes_in = if(vendor_direction == "in", bytes,null)
EVAL-bytes_out = if(vendor_direction == "out", bytes,null)
EVAL-direction = case(vendor_direction == "in", "inbound", vendor_direction == "out", "outbound")
FIELDALIAS-pfsense_filterlog_src=src_ip AS src
FIELDALIAS-pfsense_filterlog_dest = dest_ip AS dest
LOOKUP-filterlog_tcpflags = pfsense_filter_tcpflags vendor_tcp_flag OUTPUTNEW tcp_flag
LOOKUP-filterlog_transport = pfsense_filter_transport vendor_transport OUTPUTNEW transport
LOOKUP-filterlog_action = pfsense_filter_action vendor_action OUTPUTNEW action
[pfsense:dhcpd]
EXTRACT-ipv4_dhcp = (?<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?<dest_ip>\S+) (?:from|to) (?<src_mac>\S+) \(.*\) via (?<src_interfac
e>\S+)
EXTRACT-ipv6_dhcp_rebind = dhcpd: Rebind message from (?<src_mac>\S+) port (?<src_port>\d+), transaction ID (?<transaction_id>\S+)
EXTRACT-ipv6_dhcp_reply = dhcpd: Sending Reply to (?<src_mac>\S+) port (?<src_port>\S+)
EVAL-app = "pfsense:dhcpd"
[pfsense:openvpn]
EXTRACT-process_id = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\w+(\[(?<process_id>\d+)\])?:
EXTRACT-authentication = openvpn: user '(?<user>[^']+)' (?<vendor_action>could not authenticate\.|authenticated)
EXTRACT-user,src_ip,src_port = openvpn\[\d+\]: (?<user>\S+)\/(?<src_ip>\S+):(?<src_port>\d+)
EXTRACT-src_ip,src_port = openvpn\[\d+\]:\s+(?<src_ip>\d+\.\d+\.\d+\.\d+):(?<src_port>\d+)
EXTRACT-src_ip,src_port,user,reason = openvpn\[\S+\]: (?P<src_ip>[^:]+):(?P<src_port>\d+).*\[(?<user>\S+)\]\s+(?<reason>Peer Connection Ini
tiated|Inactivity timeout)
EVAL-app = "pfsense:openvpn"
LOOKUP-openvpn_action = pfsense_openvpn_action vendor_action OUTPUTNEW action
[pfsense:nginx]
EXTRACT-pf_nginx = nginx: (?P<dest>[^ ]+) \-(?P<user>[^\s"]*) \- \[(?P<request_time>[^\]]+)[^"\n]*"(?P<http_method>\w+)\s+(?P<url>[^\s"]+)[
^ \n]* (?P<http_proto>[^"]+)[^ \n]* (?P<status>[^ ]+)\s+(?P<bytes_out>\d+)[^"\n]*"(?P<http_referrer>[^"]+)(?:[^"\n]*"){2}(?P<http_user_agen
t>[^"]+)
EVAL-app = "pfsense:nginx"
[pfsense:unbound]
EXTRACT-queries = info: resolving (?P<query>\S{2,})\s(?P<query_type>\S+)
EXTRACT-response = info: response for (?P<answer>\S+)\s(?P<record_type>\S+)
EXTRACT-reply = info: reply from\s(\S+)\s(?P<src>(\d|.)+)#(?P<src_port>(\d+))
EVAL-app = "pfsense:unbound"
# added due to Barnyard2 support dropped by Snort and Suricata 8.7.20
#[pfsense:suricata]
#EXTRACT-classification = ^(?:[^:\n]*:){6}\s+(?P<classification>[^\]]+)
#EXTRACT-generator_id = ^[^\[\n]*\[(?P<generator_id>\d+)
#EXTRACT-signature_id = ^\[\d+:(?P<signature_id>\d+)
#EXTRACT-sigrev_id = ^\[\d+:\d+:(?P<sigrev_id>\d+)
#EXTRACT-description = ^[^\]\n]*\](?P<description>[^\[]+)
#EXTRACT-priority = ^(?:[^:\n]*:){4}\s+(?P<priority>\d+)
#EXTRACT-interface = ^[^<\n]*<(?P<interface>\w+)
#EXTRACT-protocol = ^[^\{\n]*\{(?P<protocol>\w+)
#EXTRACT-source_ip = ^[^\}\n]*\}\s+(?P<source_ip>[^:]+)
#EXTRACT-source_port = ^(?:[^:\n]*:){3}(?P<source_port>\d+)
#EXTRACT-destination_ip = ^[^\-\n]*\->\s+(?P<destination_ip>[^:]+)
#EXTRACT-destination_port = ^[^\-\n]*\->\s+\d+\.\d+\.\d+\.\d+:(?P<destination_port>.+)
# converted suricata to eve json for testing
[pfsense:suricata]
INDEXED_EXTRACTIONS = json
KV_MODE = none
... View more
08-08-2020
09:44 AM
Another complexity, it looks like the suricata plugin for pfsense is sending both unified2 logs (for the alerts) and then eve json for the addition data to the same data input UDP. I guess some transforms would be need to sourcetype the two differently to apply extractions to? In order to have eve json sent over syslog, send to system logs must be enabled: So I get duplicates in two different formats: Due to pfsense, I don't think there is a way around this (maybe in a config somewhere vs the GUI?) So the challenge, tell Splunk to shed the unified2 format, keep the eve json format, pull fiends from the json format from without a props that has stanzas for the other pfsense sourcetypes such as filterlog, openvpn etc. Also, Splunk is cutting off the source, the line break is too soon I guess- Splunk vs. pfsense GUI.
... View more
08-08-2020
09:06 AM
TL:DR- How do I specify in the props.conf that for "pfsense:suricata" to then use Splunk's json extraction? Situation explained below: Hello All, so I've done some tweaking to make the TA-pfsense add more sourcetypes effectively. The app's author has a really neat transforms that looks into the syslog event and assign a sourcetype so that the appropriate props.conf stanza is then used to field extract. This way you get good fields from an openvpn event, good fields from a firewall (filterlog) event etc. For Snort and then Suricata being hosted on pfsense, I was using the barnyard2 support and sending those logs over a different port, making the apps and sourcetyping easy. Now both Snort and Suricata have deprecated Barnyard2 support on pfsense. Snort still supports Unified2 output, Suricata supporting eve json- over the same UDP data input that the TA-pfsense uses. Thanks to the TA-pfsense transforms I mentioned earlier, the data coming into that UDP feed gets sourcetyped as "pfsense:suricata" and I have a props.conf stanza for it with some rough regex to get fields like Classification, src_ip etc. For the question: I selected the eve json format option for fun- you get lots more data like protocols used, data flows etc. Really neat stuff. ELK already has an amazing dashboard for this stuff. How do I specify in the props.conf that for "pfsense:suricata" to then use Splunk's json extraction?
... View more
- Tags:
- enterprise
- json
Labels
- Labels:
-
JSON
07-31-2020
09:19 AM
The issue is a bug Splunk is fixing- the authentication.conf needed to be saved as ANSI to allow the upgrade to proceed.
... View more
07-13-2020
03:05 PM
Hello, I have SPL that when opened into a search from the dashboard has good working SPL, for example | rex field=_raw "\"stuff\"+\smaximum=\"100\"\>(?P<Score>[^\<]*)" in simple XML (when editing in the webUI 'source' and when opening the XML files in an editor) some of the characters get garbled. | rex field=_raw "\"stuff\"+\smaximum=\"100\"\>(?P<Score>[^\<]*)" Seems that the ">" gets garbled into ">" and "<" into "<" Another example is " | rex field=Message "Member:\s(?P<UserAdd>[\s\S]*?Account Name" the < and > get mutated to: rex field=Message "Member:\s(%3FP<UserAdd>[\s\S]*%3F)Account Name" So ? is %3F < is < > >
... View more
Labels
- Labels:
-
simple XML
05-19-2020
04:57 PM
Windows version is 2016. It goes through all of the motions, and then rolls back the actions.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-16-2025
09:03 AM
|
