Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About token2
token2
Path Finder
Member since:
12-03-2019
2 weeks ago
Community Statistics
| Posts | 24 |
| Solutions | 1 |
| Karma Given | 10 |
| Karma Received | 1 |
| Member Since | 12-03-2019 |
Activity Feed
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-03-2021 11:06 PM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-02-2021 12:13 AM
- Posted Re: Garmin Add-On for Splunk Issue on All Apps and Add-ons. 08-01-2021 08:25 PM
- Posted Re: Garmin Add-On for Splunk Issue on All Apps and Add-ons. 08-01-2021 06:08 PM
- Posted Re: Secure Gateway Status Not Connected on Splunk Enterprise. 08-01-2021 05:49 PM
- Posted Secure Gateway Status Not Connected on Splunk Enterprise. 08-01-2021 05:40 PM
- Karma Re: Splunk App for Windows Infrastructure default index issue for gcusello. 03-15-2021 04:30 PM
- Posted Re: Splunk App for Windows Infrastructure default index issue on Getting Data In. 03-12-2021 03:09 PM
- Karma Re: Splunk App for Windows Infrastructure default index issue for gcusello. 03-12-2021 03:09 PM
- Posted Splunk App for Windows Infrastructure default index issue on Getting Data In. 03-11-2021 05:46 PM
- Posted Splunk Add-on Builder how to pass bearer token on All Apps and Add-ons. 03-09-2021 07:08 PM
- Posted Tenable Add-On for Splunk Account WebUI hangs on All Apps and Add-ons. 03-03-2021 02:31 PM
- Tagged Tenable Add-On for Splunk Account WebUI hangs on All Apps and Add-ons. 03-03-2021 02:31 PM
- Tagged Tenable Add-On for Splunk Account WebUI hangs on All Apps and Add-ons. 03-03-2021 02:31 PM
- Karma Re: Cannot See Universal Forwarder from Splunk Enterprise for adonio. 08-09-2020 08:33 AM
- Karma Re: TA-pfsense + Suricata + Barnyard2 gone + eve json = oh fun for to4kawa. 08-09-2020 07:18 AM
- Karma Re: Same data input two apps? for richgalloway. 08-09-2020 07:10 AM
- Posted Same data input two apps? on Getting Data In. 08-08-2020 01:45 PM
- Posted Re: TA-pfsense + Suricata + Barnyard2 gone + eve json = oh fun on Getting Data In. 08-08-2020 10:51 AM
- Posted Re: TA-pfsense + Suricata + Barnyard2 gone + eve json = oh fun on Getting Data In. 08-08-2020 10:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
08-03-2021
11:06 PM
I had to revert my VM from a snapshot back to Splunk 8.0.1 using Splunk Cloud Gateway instead of Secure Gateway. It now works, I can register my device and check dashboards.
... View more
08-02-2021
12:13 AM
I can delete devices, I can somewhat register a device (error at the end of the process telling me to contact the admin). Thankfully production doesn't use this, but seems shaky for a built in app.
... View more
08-01-2021
08:25 PM
Doing a quick beyond compare of the "garminclient.py" found in the add-on and "garminclient.py" found in the garminexprot-master from github. There are a number of other changes as well, but I'm thinking between the time of this add-on being made and the last update to garminexport, there has been a change with the REST APIs authentication. Going to garminexport's Issues: https://github.com/petergardfjall/garminexport/issues June 12 Authentication failure I'm tempted to just copy over the python into the TA but I'm sure I wreck something...
... View more
08-01-2021
06:08 PM
I ran into what might have been the same issue as you. I went to var/log/ta_garmin_activities.log and it shows both what index=_internal showed: "Authenticating to Garmin Connect..." But then additional information "ERROR authentication failures: did you enter the valid credentials?" I tripple checked creds. I think there is an issue with the TA. Googling about Garmin API issues it looks like Garmin changes things from time to time and it breaks many a github python project's authentication (this TA uses a python project from github to grab the .fit files). I'm not technical enough to try and fix this or build a TA from scratch. Wish I was as its a real bummer this isn't working. A big part of getting my watch was the thought I could Splunk it...
... View more
08-01-2021
05:40 PM
I had the Splunk Cloud Gateway installed before it was standard (Splunk 7.x) and working, with alerts and dashboards accessible from my phone. I believe during a license update that stripped my account (new terms allows for only one account, so admin) broke it (stopped getting alerts). Since its a home lab and not prod I didn't dig into it. Now that I am digging into it, the gateway dashboard is showing this: SPL: index=_internal source=*cloud* ERROR AND NOT SUBSCRIPTION Shows this: I can register my device, but it can't see any dashboards, it seems to time out. There seems to be a vacuum in google as to troubleshooting this except talk of using proxies. I am not running a proxy. What could the issue be?
... View more
Labels
- Labels:
-
troubleshooting
03-12-2021
03:09 PM
@gcusello I get results if I input index=win* (in this case its index=windows). How does one go about changing the default path for the role via .conf files? I see it in the GUI: Settings >> Authentication Methods (because using LDAP in this case) >> LDAP Settings >> Map groups >> Edit LDAP group name user is affected by, added "winfra-admin". Where is this found inside of the Splunk file system?
... View more
03-11-2021
05:46 PM
I have the latest SA-LDAP, Splunk_TA_Windows and Windows Infra apps installed. I have sourcetype WinHostMon data coming in, but the Infrastructure app guided setup says it is not detected. I jumped over to one of the infra dashboards and all panels have "No results found" >> Host Monitoring - Operations >> Disk Free Space Distribution and opened that in search. By simply inputting index=windows the search then works. Where does the app designate the default index it's searches refer to?
... View more
Labels
- Labels:
-
index
03-09-2021
07:08 PM
I have setup a global account and REST URL that allows a successful POST of a vmware bearer token. How do I then extract that token to be used in subsequent data inputs? Or is this not possible with REST and should be done with a python module? (trying to avoid python, I don't know python).
... View more
Labels
- Labels:
-
development
03-03-2021
02:31 PM
Currently running Tenable Add-On for Splunk v4.0.1. It initially worked and allowed me to input an account (within the Configuration tab) and Input (within the inputs tab). Now the Inputs >> Account tab does not populate, there is a perpetual spinning animation and "loading". When going to Inputs, the account is no longer found in the saved input and cannot be added to it or a new input. I navigated to \Splunk\etc\apps\TA-tenable\local and verified that "ta_tenable_account.conf" was found, and within is the Tenable.sc instance IP, account, secret password etc all there. Should I try re-installing the app? I have already restarted the Splunk instance. Splunkd log has A LOT of TA-tenable\bin\tenable_securitycenter.py" errors from \Splunk\bin\Python3.exe" to name a few.
... View more
Labels
- Labels:
-
troubleshooting
08-08-2020
01:45 PM
Is it possible to share a sourcetype'd data between two apps? I have pfsense sending both firewall logs and Suricata eve json logs to the same UDP data input. The TA-pfsense app is sourcetyping, field extracting and indexing the various syslog types from pfsense. The TA-Suricata has the props.conf, lookups, eventtypes etc to extract relevant data from the eve json logs mixed into this UDP data stream. Is there a way to send the sourcetype:suricata from the TA-pfsense props to point to the TA-Suricata inputs.conf?
... View more
Labels
- Labels:
-
JSON
08-08-2020
10:51 AM
Why don't you make the props.conf not for json? The eve json has a lot more data This ELK dashboard is amazing and you need the additional fields to drive it https://github.com/robcowart/synesis_lite_suricata To be honest this seems to really give Splunk a run for the money https://www.youtube.com/watch?v=YA2tGrBQ4v0 Years ago I would have argued that Splunk has more support and documentation but I'm finding more and more tutorials geared towards ELK.
... View more
08-08-2020
10:12 AM
Sorry to4kawa, I'm not advanced enough to understand your answer. I changed the props to have your inputs, but not sure on what is and how to apply source="udp:514" | rex "(?<json>{.*})" | spath input=json Example of the TA-pfsense props.conf: [pfsense]
# timestamp fix to prevent default extraction issues when adding more apps
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# rest is original code
TRANSFORMS-pfsense_sourcetyper = pfsense_sourcetyper
SHOULD_LINEMERGE = false
# suspect the below 3 lines could be causing the time stamps being missing on some log types test 7.18.2020
# SEDCMD-event_cleaner = s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+\.\S+\s+/\1/g
# SEDCMD-event_cleaner2 = s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+/\1/g
# SEDCMD-event_cleaner3 = s/^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(\S+\s)/\1/g
[pfsense:filterlog]
KV_MODE = none
EXTRACT-ipv4_tcp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>tcp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<d
est_port>[^,]*),(?<payload_bytes>[^,]*),(?<vendor_tcp_flags>[^,]*),(?<sequence_number>[^,]*),(?<ack>[^,]*),(?<window>[^,]*),(?<urg>[^,]*),(
?<options>[^$]*)$
EXTRACT-ipv4_udp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>udp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<d
est_port>[^,]*),(?<payload_bytes>[^,]*)
EXTRACT-ipv4_icmp_request = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reaso
n>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offs
et>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<icmp_code>
request),(?<echo_id>\d+),(?<echo_sequence>\d+)
EXTRACT-ipv4_icmp_unreachport = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<r
eason>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<
offset>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<icmp_c
ode>unreachport),(?<icmp_dest_ip>[^,]*),(?<unreachable_protocol_id>[^,]*),(?<unreachable_port_data>[^$]+)$
EXTRACT-ipv4_redirect_icmp_unreach_timeexceed = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest
_int>[^,]*),(?<reason>[^,]*),(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),
(?<id>[^,]*),(?<offset>[^,]*),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>icmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>
[^,]*),(?<icmp_code>redirect|unreach|timexceed),(?<icmp_text>[^$]+)$
EXTRACT-ipv4_carp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*
),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>carp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<carp_type>[^,]*),(
?<carp_ttl>[^,]*),(?<vhid>[^,]*),(?<version>[^,]*),(?<advbase>[^,]*),(?<advskew>[^,]*)
EXTRACT-ipv4_igmp = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*
),(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>igmp),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),datalength=(?<data_le
ngth>\d+)
EXTRACT-ipv4_pim = filterlog:\s(?<rule>[^,])*,(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>4),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>[^,]*),(?<id>[^,]*),(?<offset>[^,]*)
,(?<flags>[^,]*),(?<transport_id>[^,]*),(?<vendor_transport>pim),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),datalength=(?<data_leng
th>\d+)
EXTRACT-ipv6_icmp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*)
,(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tra
nsport>ICMPv6),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),
EXTRACT-ipv6_tcp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tran
sport>TCP),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<dest_port>[^,]*),(?<payload_byte
s>[^,]*),(?<vendor_tcp_flags>[^,]*),(?<sequence_number>[^,]*),(?<ack>[^,]*),(?<window>[^,]*),(?<urg>[^,]*),(?<options>[^$]*)$
EXTRACT-ipv6_udp = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),(?<vendor_tran
sport>UDP),(?<transport_id>[^,]*),(?<bytes>[^,]*),(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<src_port>[^,]*),(?<dest_port>[^,]*),(?<payload_byte
s>[^,]*)
EXTRACT-ipv6-hbh = filterlog:\s(?<rule>[^,]*),(?<sub_rule>[^,]*),(?<anchor>[^,]*),(?<tracker_id>[^,]*),(?<dest_int>[^,]*),(?<reason>[^,]*),
(?<vendor_action>[^,]*),(?<vendor_direction>[^,]*),(?<ip_version>6),(?<class>[^,]*),(?<flow_label>[^,]*),(?<hop_limit>[^,]*),Options,\d+,\d
+,(?<src_ip>[^,]*),(?<dest_ip>[^,]*),(?<extension_header>\w+),
REPORT-vendor_tcp_flag = pfsense_vendor_tcp_flag
EVAL-app = "pfsense:filterlog"
EVAL-bytes_in = if(vendor_direction == "in", bytes,null)
EVAL-bytes_out = if(vendor_direction == "out", bytes,null)
EVAL-direction = case(vendor_direction == "in", "inbound", vendor_direction == "out", "outbound")
FIELDALIAS-pfsense_filterlog_src=src_ip AS src
FIELDALIAS-pfsense_filterlog_dest = dest_ip AS dest
LOOKUP-filterlog_tcpflags = pfsense_filter_tcpflags vendor_tcp_flag OUTPUTNEW tcp_flag
LOOKUP-filterlog_transport = pfsense_filter_transport vendor_transport OUTPUTNEW transport
LOOKUP-filterlog_action = pfsense_filter_action vendor_action OUTPUTNEW action
[pfsense:dhcpd]
EXTRACT-ipv4_dhcp = (?<vendor_action>DHCPACK|DHCPREQUEST) (?:on|for) (?<dest_ip>\S+) (?:from|to) (?<src_mac>\S+) \(.*\) via (?<src_interfac
e>\S+)
EXTRACT-ipv6_dhcp_rebind = dhcpd: Rebind message from (?<src_mac>\S+) port (?<src_port>\d+), transaction ID (?<transaction_id>\S+)
EXTRACT-ipv6_dhcp_reply = dhcpd: Sending Reply to (?<src_mac>\S+) port (?<src_port>\S+)
EVAL-app = "pfsense:dhcpd"
[pfsense:openvpn]
EXTRACT-process_id = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\w+(\[(?<process_id>\d+)\])?:
EXTRACT-authentication = openvpn: user '(?<user>[^']+)' (?<vendor_action>could not authenticate\.|authenticated)
EXTRACT-user,src_ip,src_port = openvpn\[\d+\]: (?<user>\S+)\/(?<src_ip>\S+):(?<src_port>\d+)
EXTRACT-src_ip,src_port = openvpn\[\d+\]:\s+(?<src_ip>\d+\.\d+\.\d+\.\d+):(?<src_port>\d+)
EXTRACT-src_ip,src_port,user,reason = openvpn\[\S+\]: (?P<src_ip>[^:]+):(?P<src_port>\d+).*\[(?<user>\S+)\]\s+(?<reason>Peer Connection Ini
tiated|Inactivity timeout)
EVAL-app = "pfsense:openvpn"
LOOKUP-openvpn_action = pfsense_openvpn_action vendor_action OUTPUTNEW action
[pfsense:nginx]
EXTRACT-pf_nginx = nginx: (?P<dest>[^ ]+) \-(?P<user>[^\s"]*) \- \[(?P<request_time>[^\]]+)[^"\n]*"(?P<http_method>\w+)\s+(?P<url>[^\s"]+)[
^ \n]* (?P<http_proto>[^"]+)[^ \n]* (?P<status>[^ ]+)\s+(?P<bytes_out>\d+)[^"\n]*"(?P<http_referrer>[^"]+)(?:[^"\n]*"){2}(?P<http_user_agen
t>[^"]+)
EVAL-app = "pfsense:nginx"
[pfsense:unbound]
EXTRACT-queries = info: resolving (?P<query>\S{2,})\s(?P<query_type>\S+)
EXTRACT-response = info: response for (?P<answer>\S+)\s(?P<record_type>\S+)
EXTRACT-reply = info: reply from\s(\S+)\s(?P<src>(\d|.)+)#(?P<src_port>(\d+))
EVAL-app = "pfsense:unbound"
# added due to Barnyard2 support dropped by Snort and Suricata 8.7.20
#[pfsense:suricata]
#EXTRACT-classification = ^(?:[^:\n]*:){6}\s+(?P<classification>[^\]]+)
#EXTRACT-generator_id = ^[^\[\n]*\[(?P<generator_id>\d+)
#EXTRACT-signature_id = ^\[\d+:(?P<signature_id>\d+)
#EXTRACT-sigrev_id = ^\[\d+:\d+:(?P<sigrev_id>\d+)
#EXTRACT-description = ^[^\]\n]*\](?P<description>[^\[]+)
#EXTRACT-priority = ^(?:[^:\n]*:){4}\s+(?P<priority>\d+)
#EXTRACT-interface = ^[^<\n]*<(?P<interface>\w+)
#EXTRACT-protocol = ^[^\{\n]*\{(?P<protocol>\w+)
#EXTRACT-source_ip = ^[^\}\n]*\}\s+(?P<source_ip>[^:]+)
#EXTRACT-source_port = ^(?:[^:\n]*:){3}(?P<source_port>\d+)
#EXTRACT-destination_ip = ^[^\-\n]*\->\s+(?P<destination_ip>[^:]+)
#EXTRACT-destination_port = ^[^\-\n]*\->\s+\d+\.\d+\.\d+\.\d+:(?P<destination_port>.+)
# converted suricata to eve json for testing
[pfsense:suricata]
INDEXED_EXTRACTIONS = json
KV_MODE = none
... View more
08-08-2020
09:44 AM
Another complexity, it looks like the suricata plugin for pfsense is sending both unified2 logs (for the alerts) and then eve json for the addition data to the same data input UDP. I guess some transforms would be need to sourcetype the two differently to apply extractions to? In order to have eve json sent over syslog, send to system logs must be enabled: So I get duplicates in two different formats: Due to pfsense, I don't think there is a way around this (maybe in a config somewhere vs the GUI?) So the challenge, tell Splunk to shed the unified2 format, keep the eve json format, pull fiends from the json format from without a props that has stanzas for the other pfsense sourcetypes such as filterlog, openvpn etc. Also, Splunk is cutting off the source, the line break is too soon I guess- Splunk vs. pfsense GUI.
... View more
08-08-2020
09:06 AM
TL:DR- How do I specify in the props.conf that for "pfsense:suricata" to then use Splunk's json extraction? Situation explained below: Hello All, so I've done some tweaking to make the TA-pfsense add more sourcetypes effectively. The app's author has a really neat transforms that looks into the syslog event and assign a sourcetype so that the appropriate props.conf stanza is then used to field extract. This way you get good fields from an openvpn event, good fields from a firewall (filterlog) event etc. For Snort and then Suricata being hosted on pfsense, I was using the barnyard2 support and sending those logs over a different port, making the apps and sourcetyping easy. Now both Snort and Suricata have deprecated Barnyard2 support on pfsense. Snort still supports Unified2 output, Suricata supporting eve json- over the same UDP data input that the TA-pfsense uses. Thanks to the TA-pfsense transforms I mentioned earlier, the data coming into that UDP feed gets sourcetyped as "pfsense:suricata" and I have a props.conf stanza for it with some rough regex to get fields like Classification, src_ip etc. For the question: I selected the eve json format option for fun- you get lots more data like protocols used, data flows etc. Really neat stuff. ELK already has an amazing dashboard for this stuff. How do I specify in the props.conf that for "pfsense:suricata" to then use Splunk's json extraction?
... View more
- Tags:
- enterprise
- json
Labels
- Labels:
-
JSON
07-31-2020
09:19 AM
The issue is a bug Splunk is fixing- the authentication.conf needed to be saved as ANSI to allow the upgrade to proceed.
... View more
07-13-2020
03:05 PM
Hello, I have SPL that when opened into a search from the dashboard has good working SPL, for example | rex field=_raw "\"stuff\"+\smaximum=\"100\"\>(?P<Score>[^\<]*)" in simple XML (when editing in the webUI 'source' and when opening the XML files in an editor) some of the characters get garbled. | rex field=_raw "\"stuff\"+\smaximum=\"100\"\>(?P<Score>[^\<]*)" Seems that the ">" gets garbled into ">" and "<" into "<" Another example is " | rex field=Message "Member:\s(?P<UserAdd>[\s\S]*?Account Name" the < and > get mutated to: rex field=Message "Member:\s(%3FP<UserAdd>[\s\S]*%3F)Account Name" So ? is %3F < is < > >
... View more
Labels
- Labels:
-
simple XML
05-19-2020
04:57 PM
Windows version is 2016. It goes through all of the motions, and then rolls back the actions.
... View more
05-19-2020
02:25 PM
I'm running into an issue where as a domain admin I cannot upgrade Splunk 7.2.9.1 to Splunk 8.0.3. I was able to upgrade 7.2.9.1 to 7.3.5, but still cannot upgrade from 7.3.5 to 8.0.3. The GUI (Windows) reports back after going through a lot of the steps, "Splunk Enterprise Setup Wizard ended prematurely because of an error. Your system has not been modified..."
... View more
- Tags:
- splunk-enterprise
03-28-2020
10:19 PM
1 Karma
Running into an issue where TA-pfsense is only creating three sourcetypes-
pfsense:filterlog
pfsense:dhclient
pfsense
I'm not that Splunk savey. Looking at the props and transforms, and then the data in splunk (_raw). I'm wondering if the lack of time being in the raw log is throwing off the transforms to create sourcetype.
example raw log not getting sourcetyped by the app (so ends up with sourcetype=pfsense)
/index.php: User logged out for user 'admin' from: 192.168.1.151 (Local Database)
OR
sendmsg: Permission denied
Example of raw log getting sourcetyped as pfsense:dhclient which is not addressed in the props.
Mar 28 22:13:03 dhclient: FAIL
Looking at the transforms'
[pfsense_sourcetyper]
REGEX = \w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?(\w+)
I'm assuming it gets past the time stamp, and the following is what gets grabbed as sourcetype to append to pfsense:
With this assumption, the raw logs without time in the raw simply get sourcetyped pfsense.
This is causing OpenVPN logs, nginx, dhcpd etc to not accurately get sourcetyped and fields extracted as they are sourcetyped simply 'pfsense'.
... View more
- Tags:
- TA-pfsense
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
