Yes but i get the following [root@dc1-splunk02 bin]# ./btprobe -d /opt/splunk/bin/splunkd: error while loading shared libraries: libjemalloc.so.2: cannot open shared object file: No such file or directory ... View more

cool thanks for the update ... View more

Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk. ... View more

I was unable to get it to work with read only access and then i explained my AMP admin and they got me both access and from last 4 months we are pulling data into Splunk and can say that it is safe to have read and write both. But i agree ideally it should work with read only access. I have not tested whether it requires read write initially or whether throughout ... View more

Nope i manually clean up after every 30 days. You can setup a cron job for 30 days cleanup. Because in umbrella bucket we have set the log retention for 30 days, so if clean up anything it downloads complete 30 days of log folders again, so once anything gets older than 30 days i delete them. ... View more

Yes below are the examples of files getting downloaded, and i am downloading it to my syslog server and then from there the splunk UF reads and forwards to my splunk indexer -rw-r--r--. 1 root root 628 Mar 15 14:50 2019-03-15-14-40-2593.csv.gz -rw-r--r--. 1 root root 683 Mar 15 14:50 2019-03-15-14-40-32fa.csv.gz -rw-r--r--. 1 root root 844 Mar 15 14:50 2019-03-15-14-40-7f7d.csv.gz -rw-r--r--. 1 root root 930 Mar 15 14:50 2019-03-15-14-40-b3ab.csv.gz -rw-r--r--. 1 root root 798 Mar 15 14:50 2019-03-15-14-40-dcd8.csv.gz ... View more

@ David rose TRY THIS workaround it works The work around mentioned in this article https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket and now i have it all working I am downloading logs onto my syslog servers with a cron job to run after every 10mins and from there i have the splunk reading them. If u need help with cron job let me know ... View more

Umbrella suport replied to me the same that due to permission issues it is not possible to ingest the logs using this app. So i followed the work around mentioned in this article https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket and now i have it all working his article covers the basics of getting Splunk up and running so it is able to consume the logs from your Cisco-managed S3 bucket. You will: 1) Set up your Cisco-managed S3 bucket in your dashboard. 2) Create a cron job to retrieve files from the bucket and store them locally on your server. 3) Configure Splunk to read from a local directory. ... View more

Hi BonMot, Thanks for your post but i tried exactly this and it is still not working? Anything else you can suggest? ... View more

Following is an example of an event we are getting from our DC (which has a splunk forwarder on it and is configured to read winevent>security logs) and ES shows credit/debit card number in event 08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=xxxx.corp.xxxx.com TaskCategory=Logon OpCode=Info RecordNumber=63149956493 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-73361282-1014109674-949316387-76757 Account Name: xxxxxxxx Account Domain: CORPORATE Logon ID: 0x4D527BB3 Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.xxxxx Source Port: 50701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 ", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80 ... View more

Checking the raw events does not show up these numbers, its weird, how is Splunk making up all these hundreds of credit numbers from the raw data? ... View more

Thanks. Yes we are running it against the whole data (which i will change) but the data is coming from the expected source i.e. our Oracle servers which have some payment info files (but Oracle team suggests they encrypt the file before sending it to bank). They are red-hat and we are taking everything from /var/log folder. ... View more

after adding syslog to the end of my inputs stanza i.e. /opt/splunk/syslogs/cisco/acs/*/syslog it is now not reading the .gz files and only reads the directory syslog anything else that is there like date+syslog directory.gz it is not reading that i confirmed it from ./splunk list monitor command. ... View more

Thanks, I am using this now in my inputs.conf [monitor:///opt/splunk/syslogs/cisco/acs//syslog] instead of //* , lets c if this works if this does not then i will try your suggestion of blacklisting. ... View more

Thanks, I think I will go for 6.6.3 rather than V7 now. ... View more