Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rvany
rvany
Communicator
Member since:
06-27-2017
11-22-2022
Community Statistics
| Posts | 124 |
| Solutions | 2 |
| Karma Given | 13 |
| Karma Received | 9 |
| Member Since | 06-27-2017 |
Activity Feed
- Tagged Splunk_TA_ossec alters original data erroneously on All Apps and Add-ons. 11-22-2022 12:14 AM
- Posted Splunk_TA_ossec alters original data erroneously on All Apps and Add-ons. 11-22-2022 12:06 AM
- Tagged Splunk_TA_ossec alters original data erroneously on All Apps and Add-ons. 11-22-2022 12:06 AM
- Posted Re: error in savedsearches.conf on Splunk Enterprise. 11-08-2022 02:54 AM
- Got Karma for Error in savedsearches.conf- Invalid key in stanza - splunk_instrumentation - savedseaches.conf v8.2.9. 11-08-2022 01:53 AM
- Posted Error in savedsearches.conf- Invalid key in stanza - splunk_instrumentation - savedseaches.conf v8.2.9 on Splunk Enterprise. 11-07-2022 03:03 AM
- Tagged Error in savedsearches.conf- Invalid key in stanza - splunk_instrumentation - savedseaches.conf v8.2.9 on Splunk Enterprise. 11-07-2022 03:03 AM
- Got Karma for Re: Forgot Pass4symmKey. 01-12-2022 12:08 PM
- Posted Re: enable integrity control on splunk 6.3 on Splunk Enterprise. 05-06-2021 08:01 AM
- Posted Re: trusted.pem and private.pem in auth/distServerKeys. How are they generated? on Security. 10-20-2020 04:06 AM
- Posted Re: Listing out dates and appending to search?? on Splunk Search. 09-29-2020 11:00 PM
- Got Karma for Re: suspicious_writes_lookup Threat Intel. 09-29-2020 10:49 AM
- Posted Re: suspicious_writes_lookup Threat Intel on Knowledge Management. 09-29-2020 09:54 AM
- Posted Re: How to trigger alert for when a host reaches out to a filepath on Alerting. 09-29-2020 09:53 AM
- Posted Re: Listing out dates and appending to search?? on Splunk Search. 09-29-2020 09:51 AM
- Got Karma for Re: Splunk upgrade: splunk_monitoring_console has overriding copies of alerts.xml/dashboards.xml/reports.xml. 06-05-2020 12:50 AM
- Got Karma for Re: How to - Custom alert action (passing arguments to custom scripts). 06-05-2020 12:50 AM
- Karma Re: Splunk Enterprise Security 5.0 warning messages for kwokkal. 06-05-2020 12:49 AM
- Karma Re: How to schedule PDF delivery of dashboard with trellis? for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: authorize.conf : Wildcard alongside specific Indexes & Option to blacklist? for somesoni2. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
11-22-2022
12:06 AM
While investigating logs coming in from an OSSEC server I found that the `SPLUNK_TA_ossec` alters data erroneously. The investigated event is for Rule 18149 from a Windows server. The original user is `WINSERVER01$` - as we know a "machine account" as indicated by the trailing "$"-sign. The `SPLUNK_TA_ossec` (current version is 4.1.0) just strips off the dollar sign in `transforms.conf` in the `[kv_for_default_ossec]` stanza and shows the user as `WINSERVER01` just like a normal username. Now in a search that filters out machine accounts like `NOT user=*$` these accounts are shown and counted anyway. => Error
... View more
Labels
- Labels:
-
other
11-08-2022
02:54 AM
Yes, that's exactly the line for th 8.2.9 version although the sha256sum is different there.
... View more
11-07-2022
03:03 AM
1 Karma
As my original subject led to some weird error message about message flooding - here it is again:
Subject: Invalid key in stanza - splunk_instrumentation - savedseaches.conf v8.2.9
Version 8.2.9 (Linux, tgz-version) brings the "Invalid key in stanza" error in line 451 of `/opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf` - file. This wasn't the case in v.8.27.
It turns out that the named file differs in one character between the two versions:
A space added after the "\" (for line continuation) in v8.2.9. After removing that single space the `splunk restart` command run through without errors.
... View more
- Tags:
- 8.2.9
Labels
- Labels:
-
upgrade
05-06-2021
08:01 AM
Even this is now 1year old 😉 But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol Just use ./splunk check-integrity -index [ index name ] [ -verbose ] to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets.
... View more
10-20-2020
04:06 AM
An older one, but... as said the `pem`-files under `distSearchKeys` are simply RSA-Private- and corresponding RSA-Public-Key files. These can be created (at least in a Linux environment) using the following commands: 1. Create private key file: `openssl genrsa -out private.pem 2048` 2. Create public key file from private key file: `openssl rsa -in private.pem -pubout -out trusted.pem` The `openssl` binary is located in Splunk's `bin` folder. If you want to create a trusted connection from e.g. a Cluster Master (CM) to an Indexer (IX) manually you just do the following: 1. create a new directory under `distServerKeys` named according to your CM-hostname 2. copy the `trusted.pem` file (i.e. the public key) from the CM's `distServerKeys` directory to the newly created directory on your IX 3. restart Splunk on both (in a cluster according to restart policy/rules) Under "Settings | Distributed search" on the CM you could then see if the connection between CM and IX is established: State = Up, Health status = Healthy If one of the above steps failed you get: State = Down, Health status = Sick (at least this was the output during my experiment I just ran)
... View more
09-29-2020
11:00 PM
Should this "day column" go on a row of its own? What if you have more than one data rows for a particular day? Maybe you want to have a look at the "bin" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin) to group your events by day with a "span=1d" parameter.
... View more
09-29-2020
09:54 AM
1 Karma
Is this for Enterprise Security? Maybe you get better results if you add the label accordingly.
... View more
09-29-2020
09:51 AM
What do you exactly mean with "all dates between my time picker"? What is the output of your SPL? What did you expect? Could you give some example data?
... View more
05-15-2020
04:14 AM
Just a friendly hint: you added your solution as comment what is good as everybody could see it.
It would be even better if you convert it to/post it again as an answer - that's something different 😉
And as a last step you then accept this answer as a solution - so everybody could see right in the search results, that this question already HAS a solution.
... View more
05-14-2020
07:57 AM
@delewis13 could you please paste your corresponding dashboard code?
... View more
05-05-2020
02:05 AM
Have you checked the "ValueError: Invalid format string', 'event': 'Invalid format string'" (line 6) and "ValueError: Invalid format string" (line 15) messages? Maybe there's something wrong in some token.#.replacement string.
... View more
04-26-2020
11:51 PM
You are too late - this one was solved already four month ago 😉
But thank you for pointing this out - for some reason I thought, that putting single quotes around the password (see above) belongs to the syntax of the "--decrypt"-command. But of course - it's just the shell escape.
... View more
04-16-2020
11:45 PM
In the end it really doesn't matter, which team I give my points - it's all for supporting the corona studies, but...
You are talking about two different teams here:
a) Team: Splunk Folding@Home Research Labs (also referred to as "Buttercup Research Labs Team #: 238889) Link
b) Team: Splunk Community Link
Which one is "the one"?
... View more
03-29-2020
10:27 AM
At least today - e.g. in a Red Hat 7.6 environment - wildcard settings are used for the root user also.
... View more
03-29-2020
10:16 AM
This one is quite old - but still wrong - therefore the downvote.
sysctl -p -command load kernel settings from /etc/sysctl.conf . That's different from the user-specific settings in /etc/security/limits.conf , which are not read by this command. Instead one has to logoff and logon again.
... View more
02-11-2020
04:44 AM
Yes, right, I read that Ubuntu 18.04 - and then immediately forgot it - my bad 😉
... View more
02-11-2020
01:29 AM
Just an add-on:
What kind of system do you have? E.g. RedHat currently uses firewalld by default - so you won't find any iptables -service. Maybe "the guy that have installed [...] this" is not that bad 😉
... View more
12-20-2019
09:20 AM
This is done in $SPLUNK_HOME/apps/Splunk_TA_nix/local/inputs.conf and this is in "Splunk Add-on for Unix and Linux" in version 7.0.0 but I think that actually doesn't matter.
I found that the change comes from $SPLUNK_HOME/apps/Splunk_Security_Essentials/appserver/static/data_source.js (in line 1106 for v3.0.3). All other "source"-values for "monitor"-stanzas stay correct, i.e left unchanged at their default. This "secure"-source really should also stay at its original value, i.e. source=/var/log/secure .
Or is there a really good reason?
... View more
