Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About MrWh1t3
MrWh1t3
Path Finder
Member since:
12-13-2011
06-05-2020
Community Statistics
| Posts | 24 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 12-13-2011 |
Activity Feed
- Got Karma for Re: Users who accessed from more than one IP address. 12-21-2020 07:42 PM
- Karma Re: Multiple Networks, Multiple Indexes, and One Splunk server for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Creating a Data Table from CSV for kristian_kolb. 06-05-2020 12:46 AM
- Got Karma for Sourcefire Syslog Regex Query. 06-05-2020 12:46 AM
- Got Karma for Re: Sourcefire Syslog Regex Query. 06-05-2020 12:46 AM
- Posted Re: Sourcefire Defense Center into Splunk for Sourcefire App - Windows on All Apps and Add-ons. 12-27-2012 06:18 PM
- Posted Sourcefire Defense Center into Splunk for Sourcefire App - Windows on All Apps and Add-ons. 12-27-2012 04:14 PM
- Tagged Sourcefire Defense Center into Splunk for Sourcefire App - Windows on All Apps and Add-ons. 12-27-2012 04:14 PM
- Posted Re: How to import McAfee EPO 4.6 logs? on Getting Data In. 10-24-2012 05:39 PM
- Posted Subsearch? Transaction? I'm not sure on Splunk Search. 10-02-2012 11:31 PM
- Tagged Subsearch? Transaction? I'm not sure on Splunk Search. 10-02-2012 11:31 PM
- Tagged Subsearch? Transaction? I'm not sure on Splunk Search. 10-02-2012 11:31 PM
- Posted Re: Can't connect to SplunkWeb after SSL on Security. 09-06-2012 09:31 PM
- Posted Can't connect to SplunkWeb after SSL on Security. 09-06-2012 08:55 PM
- Tagged Can't connect to SplunkWeb after SSL on Security. 09-06-2012 08:55 PM
- Posted Splunk Alerts -> Custom Scripts -> Sharepoint tickets? on Alerting. 08-29-2012 03:30 AM
- Tagged Splunk Alerts -> Custom Scripts -> Sharepoint tickets? on Alerting. 08-29-2012 03:30 AM
- Posted Re: Multiple Networks, Multiple Indexes, and One Splunk server on Deployment Architecture. 08-23-2012 12:44 AM
- Posted Multiple Networks, Multiple Indexes, and One Splunk server on Deployment Architecture. 08-20-2012 03:52 AM
- Tagged Multiple Networks, Multiple Indexes, and One Splunk server on Deployment Architecture. 08-20-2012 03:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
03-26-2015
12:38 PM
THe estreamer app is only compatible with Unix platforms
... View more
10-03-2012
12:03 AM
What did you try that did not work?
transaction sounds like exactly what you should use. Something like:
EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689
This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host , to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.
... View more
I suggest using Powershell scripting to manipulate your ticket system. Check out http://technet.microsoft.com/en-us/sharepoint/jj672838.aspx for a good starting point for going down that road. You can then use Splunk alerts to launch the Powershell code OR if it is on a different system, use a script on the Splunk server to trigger something across the network (SSH or Powershell depending on your platform, for example).
We use similar methods for providing CSV input into a VBScript program that produces reports on things every day.
... View more
08-23-2012
12:44 AM
[default]
index=companyXYZ
worked just fine!
... View more
08-15-2012
07:10 AM
1 Karma
Best practice is to install the universal forwarder for anything related to Windows event logs. We went through a painful experience by not following this practice.
It has a really small footprint and should not affect sever performance.
The forwarder also brings with it numerous benefits as opposed to syslog. Metrics data being one that we leverage quite extensively. it allows you to monitor data sources in a uniform way to determine last event indexed, kbps thruput, eps, etc etc
It also allows you to use the deployment server to centrally manage forwarder configs which is very very handy. combined with the deployment monitor app and you've got a robust enterprise grade implementation.
So yes... use the forwarder wherever possible and syslog for other "stuff".
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata
... View more
08-15-2012
06:27 AM
I believe it was the heavy load and lack of power in the thin clients. Everything worked fine today.
... View more
06-25-2012
10:35 PM
Another concern I have - what if a service was started and stopped several times within your search time range? Because you are de-duping the Message, you would only see one start and one stop. Is this what you want? It would also be possible to count the number of starts/stops if you didn't dedup...
... View more
01-17-2018
08:11 AM
you can collect intrusion events from the device directly as there is eStreamer server code on the device. You'll only get IDS events however. No impact flag.
You can get IDS and Connection events off the device in syslog too. TAC can help you set this up.
On the port, you need to use 8302, not 8320.
Doug
... View more
07-13-2012
01:30 AM
Have you seen the Splunk for InterMapper app?
http://splunk-base.splunk.com/apps/51549/splunk-app-for-network-monitoring-and-mapping-beta
It provides the ability to map your network devices (switches, routers, servers etc) on a rack image, world map or even a blank background and then pull it into Splunk. By pulling it into Splunk you can then drilldown on individual devices to see layer 2 and 3 information including any related log data.
... View more
Figured it out.... Feel free to make it better.
eventtype="windows-security-4625" | stats dc(src_ip) by Account_Name | search "dc(src_ip)" > 1 |sort "dc(src_ip)" asc
Seems to work fine, but it would be cool to have it also spit out the various src_ips. I'm still playing with it.
... View more
05-15-2017
07:31 PM
You are best off pulling samples of each and using the wording on the events, and your resulting knowledge of what fields are populated in your particular environment, to pull information off the events via rex.
The standard general wording for each is here, but it occasionally varies based on specific OS version.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=642
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
For instance, this pulls the Target account name off of the standard 528 and the 4738 events, respectively. Since the words "Account Name" occur twice, you need to take the second occurrence as the target account. This is one way to do that.
| rex "Target Account Name:\s+?(<TargetName>[^\s]*)"
| rex "Account Name:\s+?(<AccountName>[^\s]*) max_match=2
| eval TargetName=coalesce(TargetName,mvindex(AccountName,1))
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
