cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jones4bob
Explorer
Member since: ‎05-12-2010
‎06-05-2020
Community Statistics
Posts 9
Solutions 0
Karma Given 6
Karma Received 10
Member Since ‎05-12-2010
Activity Feed
View All

Re: Splunk for IronPort

by in All Apps and Add-ons
‎01-11-2013 12:33 PM
‎01-11-2013 12:33 PM
If you find it acceptable to not be completely real time, I would recommend setting up log subscriptions and opting to forward them off to splunk via SCP. When you create this log subscription (System Administration->Log subscriptions) Ironport will supply you with a key that you can copy/paste into the .authorized_keys file on your splunk server for the user you want ironport to use to drop off the log files. If you don't need to keep the log files that ironport drops off, since the web access logs are probably the most commonly indexed ones and can be a bit heavy, also consider using batch inputs with a move_policy=sinkhole so that the files that are dropped off get deleted after indexing, which can save you disk space issues in the long run. Ironport can also do regular syslog forwards but not on all of the log files. The CLI audit ones can, but not the most commonly used log files. I have not read the linked doc from sdaniels yet, but wanted to throw a couple pennies in since this is the data I'm most familiar with. Hope you can make use of it. ... View more

Create a custom web page for the Splunk web server...

by in Security
‎07-01-2010 03:42 PM
‎07-01-2010 03:42 PM
Is there a way to create a simple web page that I can serve up from the Splunk server? I'm not at the point where I can create a custom app. I have Afterglow (the script, not the app) working and I would like to pipe some firewall logs into afterglow (and neato) to generate a graph of some network traffic every few minutes. If I could host a page locally, I could point my browser to this page and use a simple refresh to keep showing an image of the last few minutes of traffic. This can act as an alert to suspicious activity when the image changes dramatically from the norm. ... View more

Re: Output only specific field values to CLI

by in Splunk Search
‎06-23-2010 05:52 PM
2 Karma
‎06-23-2010 05:52 PM
2 Karma
I think I've found what I was looking for. The syntax for pulling specific fields appears to need to work like this: fields field1 field2 | fields - _* It looks like that last pipe to fields is needed to remove the remainder of the fields from the search result. This worked for me and produced the desired output for awk to process. ... View more

Output only specific field values to CLI

by in Splunk Search
‎06-23-2010 04:59 PM
1 Karma
‎06-23-2010 04:59 PM
1 Karma
I'm trying to pull data from the CLI to pipe to awk to pipe to ... I can't seem to find the correct syntax to say, for example, just pull a single field from a record, rather than pulling everything in each event. Older examples seem to indicate that I can pipe the search to 'fields + field1 field2' but this still only produces the entire event information. What am I missing? ... View more

Re: How to get Splunk to work with Sawmill server?

by in Getting Data In
‎06-10-2010 09:32 PM
‎06-10-2010 09:32 PM
Yes, for the latter option, you can create a new log subscription for any of IronPort's log types and have it sent to Splunk. For example, on your splunk server, create a user for your ironport system to use when dropping the files off. Create a SCP log subscription on your ironport system that sends to your splunk server. You will be provided with a key to use for your splunk account to authenticate with, this should be added to your /home/username/.ssh/authorized_keys file. Then, configure an input in splunk to monitor the directory where you told ironport to stick the files. Of course, there are some assumptions for this to work, like the fact that you've got ssh available, but that's it in a nutshell for one possibility. ... View more

Consolidate similarly named log files into a singl...

by in Getting Data In
‎06-09-2010 04:31 PM
3 Karma
‎06-09-2010 04:31 PM
3 Karma
Our Splunk environment takes input from log files dropped off by an IronPort web security appliance. The files are named in a format where a long string representing the date is appended to a common file name. An input is set up to monitor this folder for files as they are dropped off. Since each file name is different, each one represents a different "source" in Splunk. How can I cause them to be considered a single source? ... View more

What about archiving/offline storage?

by in Reporting
‎05-20-2010 02:25 PM
‎05-20-2010 02:25 PM
What is the recommended way to export/archive a large amount of historical data for retention or offline storage? I would like to clean old data from splunk but still maintain our regulatory requirements on retention. ... View more

Can Splunk monitor vmWare vSphere version 4 update...

by in Getting Data In
‎05-12-2010 04:17 PM
1 Karma
‎05-12-2010 04:17 PM
1 Karma
Can Splunk monitor vmWare vSphere version 4 update 1? ... View more

What Windows Event Codes are generally acceptable ...

by in Getting Data In
‎05-12-2010 04:15 PM
3 Karma
‎05-12-2010 04:15 PM
3 Karma
Is there a good reference list or someone that can post what ways Windows Event Logs are being filtered? I'm particularly interested in those from a security perspective. For example, I get a flood of successful logins on an IIS web server from the IUSR account, which is of little value to me. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
Karma given to