cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
flakshack
Explorer
Member since: ‎11-29-2011
3 weeks ago
Community Statistics
Posts 9
Solutions 0
Karma Given 15
Karma Received 5
Member Since ‎11-29-2011
Activity Feed
View All

Re: SP-CAAAP3M - Tenable incorrectly reporting my ...

by in Deployment Architecture
‎01-08-2024 08:46 AM
‎01-08-2024 08:46 AM
I should add that this is confusion is probably caused because the Splunk advisory isn't as accurate as it could be (as I understand it).   Section 1b is not a vulnerability by itself, so the label for "1." should really say "both" of the following conditions, not "one." ... View more

SP-CAAAP3M - Tenable incorrectly reporting my inst...

by in Deployment Architecture
‎01-08-2024 08:43 AM
‎01-08-2024 08:43 AM
This started out as a question, but is now just an FYI.  Similar to this post, this week I received a old vulnerability notice from Tenable about my Splunk instance.  We'd previously remediated this issue, so it was weird that it showed up again suddenly. Vulnerability details: https://packetstormsecurity.com/files/144879/Splunk-6.6.x-Local-Privilege-Escalation.html https://advisory.splunk.com/advisories/SP-CAAAP3M?301=/view/SP-CAAAP3M https://www.tenable.com/plugins/nessus/104498 The details in the articles are light, except saying to review the directions here for running Splunk as non-root: https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/RunSplunkasadifferentornon-rootuser Tenable also doesn't give details about exactly what it saw...it just says, "The current configuration of the host running Splunk was found to be vulnerable to a local privilege escalation vulnerability."   My OS is RHEL 7.x.  I'm launching Splunk using systemd with a non-root user and I have no init.d related files for Splunk.   My understanding is that launching with systemd eliminates the issue, since this way, Splunk never starts with root credentials anyway. Per Splunk's own advisory, any Splunk system is vulnerable, if: Satisfied one of the following conditions a. A Splunk init script created via $SPLUNK_HOME/bin/splunk enable boot-start –user on Splunk 6.1.x or later. b. A line with SPLUNK_OS_USER= exists in $SPLUNK_HOME/etc/splunk-launch.conf In my case, this is an old server and at one point, we did run the boot start command, which made changes to the $SPLUNK_HOME/etc/splunk-launch.conf line that sets the SPLUNK_OS_USER.  Although we had commented out the launch line, the Tenable regex is apparently broken and doesn't realize the line was disabled with a hash.  Removing the line entirely made Tenable stop reporting the vulnerability.  I assume their regex was only looking for "SPLUNK_OS_USER=<something>" so it missed the hash. Anyway, hope this helps someone.         ... View more
Labels

Re: Why isn't my TIME_FORMAT working for this sysl...

by in Getting Data In
‎03-05-2021 08:01 AM
‎03-05-2021 08:01 AM
Thanks for the reply.  All of my systems are located in the same time zone (GMT-5) and I have that set in my user preferences in the Splunk UI. Per your suggestion, I tried setting the time zone for the sourcetype (via the UI) to +5 and also later to -5.  Weirdly, neither setting made any difference in the _time of the log entries in Splunk.  In both cases, the time still showed up in the future. So I decided to change the timestamp format to exclude the -05:00 and also change the time zone and that worked. Timestamp format:  %Y-%m-%dT%H:%M:%S Time Zone:  GMT Thanks for the help!     ... View more

Why isn't my TIME_FORMAT working for this syslog d...

by in Getting Data In
‎02-26-2021 08:52 AM
‎02-26-2021 08:52 AM
I just configured a new device to send data to a syslog server (w/universal forwarder), but when it shows up in Splunk, the time is incorrect.  I have about 30 other devices from different vendors in the same configuration that are working fine. Here's an example syslog entry: 2021-02-26T15:35:09-05:00 XYZ---Office-HQ edge[9076]: EDGE_NEW_DEVICE: New or updated client device b4:56:e3:a8:91:b5, ip 10.5.38.0 When this log entry shows up in Splunk, the _time is 3:35:09 PM (future) when it should be 10:35:09 AM.  The Splunk server (single-node) and device are both in the same time zone with me and other devices on the same syslog server are working fine. I've reviewed the following posts, but haven't had much luck How time zones are processed by Splunk Configure timestamp recognition props.conf documentation For example, I set the sourcetype to "velocloud:syslog" for the input and I tried editing the sourcetype so that the TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z Unfortunately, this hasn't had any effect.  I feel like I'm missing something simple, but I've now spent hours going through everything twice with no luck.  Any help would be appreciated.   ... View more
Labels

Re: Splunk DB Connect: Why am I getting error "no ...

by in All Apps and Add-ons
‎11-07-2018 02:51 PM
4 Karma
‎11-07-2018 02:51 PM
4 Karma
I got this error message and thought I would post my solution here in case it helps someone else. It turns out that I had this problem, even when using an account I had configured as sysadmin on the server. For example, I could connect to the SQL server with SQL Server Management Studio with this account and could see the database and all the tables. However, when I connected with the same account in DB Connect\SQL Explorer, it would show all of the databases in the Catalog combo box, but I would get an error message for the Schema combo box, "Cannot get schemas." I turned on DB Connect logging and would see the following error in the log file: ERROR c.s.d.s.a.s.d.impl.DatabaseMetadataServiceImpl - Unable to get schemas metadata com.microsoft.sqlserver.jdbc.SQLServerException: Invalid object name '[my_database].sys.schemas'. I turned out that this problem was because I was using the MS SQL Server JDBC driver version 7. When setting it up, I figured I would ignore Splunk's guidance to use version 4.1 or 4.2 and use the latest available version. Turns out this was a bad idea. In my testing if I copy the version 4.2 driver into the folder and restart, everything works great. Then if I copy the version 7 driver into the folder and restart, I get this error message (without any changes to permissions or anything). Anyway, hope this helps someone. ... View more

Re: Your entry was not saved. The following error ...

by in Splunk Search
‎09-18-2018 01:02 PM
‎09-18-2018 01:02 PM
This was exactly my problem. Thanks for posting! ... View more

Re: Splunk logs in as Admin without asking for pas...

by in Security
‎03-29-2012 11:18 AM
‎03-29-2012 11:18 AM
Thanks, should've found that one myself. ... View more

Splunk logs in as Admin without asking for passwor...

by in Security
‎03-29-2012 10:48 AM
‎03-29-2012 10:48 AM
We just switched from the trial license to a free license. Whenever I browse to the main Splunk web page, I see the login page briefly, then (via javascript) it changes to a "Checking for Updates" page, followed by a "No Updates Found" page, followed by a Welcome to Splunk Free page. When I click on the Continue button, I'm presented with the main dashboard, logged in as Administrator. I never actually enter any credentials into a login page, it just automatically logs anyone who goes to the website as Administrator. I've tested deleting all the browser's cookies and settings, using different browsers and even using different computers with no change. If it makes any difference, previously we had Splunk setup with LDAP/AD authentication. Any tips would be appreciated. ... View more

Re: Slaves in violation with trial-license, how to...

by in Installation
‎03-29-2012 10:21 AM
1 Karma
‎03-29-2012 10:21 AM
1 Karma
"splunk clean eventdata all" worked for me after going from trial to free license. ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma from
Karma given to