I am reaching out to seek guidance regarding a migration project for our Splunk Enterprise Server. I am currently running a Splunk Enterprise Server on an air-gapped Windows environment. I plan to transition this setup to a Linux-based air-gapped Splunk Enterprise Server. I have over 2 years of ingested data on the current Windows server that I need to access post-migration. Linux version is RHEL 9. How can I ensure that I will be able to access the 2+ years of ingested data after switching to the Linux server? The systems are air-gapped, so solutions involving direct internet access or cloud-based transfers are not feasible. ... View more

My network has Splunk Enterprise 10.0.2, and it is air-gapped. I want to run a Linux and Windows enterprise server side by side. Can I configure the universal forwarder to send data to both servers? ... View more

I am running windows version of Splunk Enterprise 9.4.2 stand alone. I have 17 older security logs saved in a  separate folder. I want to ingest these logs into a new index and run queries on the ingested logs.  How can I do that?  ... View more

I have a requirement to monitor log files created by Trellix on my windows 11 and 2019 hosts.  The log files are located at C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log                                                                                                                                                               \ExploitPrevention_Activity.log                                                                                                                                                                \OnDemandScan_Activity.log                                                                                                                                                                 \SelfProtection_Activity.log   My stanza in the input.conf are configured as:   [monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log disabled = 0 index = winlogs sourcetype = WinEventLog:HIPS start_from = oldest current_only = 0 checkpointInterval = 5 renderXel = false   Same format for each log. For some reason Splunk is not ingesting the log data. ... View more

I am standing up a Linux server to host Splunk Enterprise 9.4.3. I have 30+ windows hosts. Can I  upload Splunk Add-on for Microsoft Windows and use it to config the windows hosts even though the server is running on a Linux host?   Thank you ... View more

I want Splunk to ingest my AV log. I made the following entry in the inputs.conf file: Note: The log file is a text file with no formatting. [monitor://C:ProgramData\'Endpoint Security'\logs\OnDemandScan_Activity.log] disable=0 index=winlogs sourcetype=WinEventLog:AntiVirus start_from=0 current_only=0 checkpointInterval = 5 renderXml=false   My question is: Is the stanza written correctly? When I do a search I am not seeing anything. ... View more

I am exceeding my 5GB license. I have determine the problem by doing a 24 hour search using the following: index="winlogs" host=filesvr souce="WinEventLog:Security" EventCode=4663 Accesses="ReadData (or ListDirectory) Security_ID="NT AUTHORITY\SYSTEM" The above search returns 4.5 million plus records. My question is how do I stop Splunk from ingesting     Security_ID="NT AUTHORITY\SYSTEM" of EventCode 4663? Would appreciate any assistance\suggestions given. ... View more

I use Splunk to ingest events from the windows Security, Application and System event logs. We have a scanner that is very noisy and I would like for Splunk not ingest the events that the scanner creates.  I have tried without success to use SEDCMD on my indexer's Props.conf: SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file: blacklist = 12\.34\.567\.89 Would appreciate any assistance\suggestions given.   ... View more

I audit windows computers. My search looks for the date, time, EventCode and Account_Name:   Date                        Time            EventCode  Account_Name 2023/08/29       16:09:30     4624                   jsmith   I would like the Time field to turn red when a user signs in after hours (1800 - 0559). I have tried clicking on the pen in the time column and selecting Color than Ranges. I always get error messages about not putting the numbers in correct order. What do I need to do? ... View more

-- I want to see events of 4648. I want to filter out certain ones. Is my stanza configured correctly? \etc\system\local\inputs.conf [WinEventLog://Security] disabled = 0 whitelist = EventCode="4648" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+computer01$" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Window Manger" blacklist = EventCode="4648" Message="Account\sWhose\sCredential\sWere\sUsed:\sAccount\sName:\s+Font Driver Host" -- Is there a Log that I can look at to troubleshoot my stanza? ... View more

I want to whitelist events when users put the password in the logon window during login. See example below, note the *****: An account failed to log on. Subject: Security ID: SYSTEM Account Name: Computer01 Account Domain: MyDomain Logon ID: 0x3E7 Logon Type: 7 Account For Which Logon Failed: Security ID: NULL SID Account Name: User Account Domain: MyDomain Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D ************** Sub Status: 0xC000006A Process Information: Caller Process ID: 0x8e0D Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: Computer01 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 My whitelist is as follows: whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d" Need assistance with coding the 0xc000006d Thank you! ... View more