Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pdoconnell
pdoconnell
Path Finder
Member since:
04-14-2013
03-14-2023
Community Statistics
| Posts | 23 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 3 |
| Member Since | 04-14-2013 |
Activity Feed
- Posted Re: Nest Add-on for Splunk authentication for google accounts on All Apps and Add-ons. 10-29-2020 02:33 PM
- Karma Re: Nest Add-on for Splunk authentication for google accounts for ryanoconnor. 09-10-2020 12:41 PM
- Posted Nest Add-on for Splunk authentication for google accounts on All Apps and Add-ons. 09-06-2020 09:35 AM
- Got Karma for Re: How can I view scan logs from Windows Defender?. 06-05-2020 12:49 AM
- Karma Rapid7 App for Splunk Enterprise: How to change the "default" index so that the dashboard looks at another index? for windbishn. 06-05-2020 12:48 AM
- Karma Re: Rapid7 App for Splunk Enterprise: How to change the "default" index so that the dashboard looks at another index? for lguinn2. 06-05-2020 12:48 AM
- Karma Splunk Add-on for Blue Coat ProxySG: Has anyone gotten the transforms to work properly for Bluecoat 6.6.3.2 log formatting? for Heff. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Blue Coat ProxySG: Has anyone gotten the transforms to work properly for Bluecoat 6.6.3.2 log formatting? for mreynov_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: How to make multivalue comparisons against multivalue fields without mvexpand?. 06-05-2020 12:48 AM
- Got Karma for Re: Rapid7 App for Splunk Enterprise: How to change the "default" index so that the dashboard looks at another index?. 06-05-2020 12:48 AM
- Karma Re: Splunk Support for Active Directory: Why does ldapsearch command result in "ERROR Missing required value for alternatedomain in ldap/default."? for tlelle_splunk. 06-05-2020 12:47 AM
- Karma Re: move some content/source from one index to another index for rgonzale6. 06-05-2020 12:46 AM
- Posted attempts to get data fail due to SSL error on All Apps and Add-ons. 03-09-2019 08:53 PM
- Tagged attempts to get data fail due to SSL error on All Apps and Add-ons. 03-09-2019 08:53 PM
- Posted Re: Index, Source and SourceType Missing? on All Apps and Add-ons. 03-29-2018 12:25 PM
- Posted Re: Logs not coming from Windows Defender on All Apps and Add-ons. 01-13-2018 03:38 PM
- Posted Re: Logs not coming from Windows Defender on All Apps and Add-ons. 01-13-2018 03:23 PM
- Posted Re: How can I view scan logs from Windows Defender? on Getting Data In. 10-09-2017 03:40 PM
- Posted Re: How can I view scan logs from Windows Defender? on Getting Data In. 10-09-2017 03:39 PM
- Posted What are good backup strategies for indexer buckets? on Getting Data In. 01-26-2017 07:03 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-29-2020
02:33 PM
Nope, not yet. The add-on is still on v2 in SplunkBase, not changed since 2017.
... View more
09-06-2020
09:35 AM
How does one authenticate via Google with the add-on? The authentication process doesn't expose the Google authentication process, just the old Nest account process, which is going away. @roconnor_splunk , is this your TA?
... View more
Labels
- Labels:
-
configuration
03-09-2019
08:53 PM
In /opt/splunk/var/log/splunk/ta_gitlab_add_on_get_events.log I see this error on attempts to get logs from my gitlab instance:
2019-03-09 22:50:44,802 ERROR pid=13454 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/get_events.py", line 68, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/input_module_get_events.py", line 297, in collect_events
headers=headers)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 476, in send_http_request
proxy_uri=self._get_proxy_uri() if use_proxy else None)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/splunk_aoblib/rest_helper.py", line 43, in send_http_request
return self.http_session.request(method, url, **requests_args)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)
This appears to be from the TLS certificate for my gitlab instance coming from my internal CA. How would I either tell this TA to ignore SSLErrors, or tell the TA to trust the CA?
... View more
- Tags:
- GitLab Add-On
03-29-2018
12:25 PM
Is that being indexed from a UF version 6.2.0 or later? That is a prerequisite. Additionally, do you have Splunk_TA_windows installed on that device as well? I believe that is what creates the XmlWinEventLog intake tooling.
... View more
01-13-2018
03:38 PM
It looks like the start_from and current_only stanzas dont appear anymore in the inputs.conf definition. Maybe it is no longer supported?
... View more
01-13-2018
03:23 PM
This works for me:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
renderXml = 1
I confirm logs coming into Splunk for index=windefender with that input. Confirm that your Windows Defender log location is correct for your system.
... View more
10-09-2017
03:40 PM
1 Karma
Said this above, but look at https://github.com/pdoconnell/TA-microsoft-windefender for now. When this ends up on SplunkBase, I'll link there.
... View more
10-09-2017
03:39 PM
Yup, this looks like me. I'm currently getting my TA certified, but if you want to look into it @5splunked, you can at https://github.com/pdoconnell/TA-microsoft-windefender
... View more
01-26-2017
07:03 AM
What strategies do people use for backups of their buckets? Is there a clean way to identify "new" buckets for a given day based on their file name?
... View more
06-15-2016
12:56 PM
When this is released, can the documentation please include the specific ELFF string to be used in bluecoat as well.
... View more
05-10-2016
11:11 AM
1 Karma
to build in @lguinn's answer above, you need to add "index=" to the beginning of the following objects:
r7vulnexceptiondata
r7vulnerabilitydata
r7assetdata
They can all be found under the rapid7 app's Event Types, found at https://YOUR_HOST_NAME:8000/en-US/manager/search/saved/eventtypes
... View more
05-09-2016
12:51 PM
I haven't been able to find any reference to either sourcetypes or indexes in the dashboard configs. If anyone can see them, that would be enough I believe.
... View more
03-02-2016
12:11 PM
1 Karma
Actually, after recopying your suggestion into the search, it appears to be working correctly. Its possible that I somehow botched the search syntax the first time. For the record, this is the search that is working now:
index=wineventlog sourcetype=WinEventLog:Security EventCode=560 OR EventCode=4663 OR EventCode=5145 NOT user=*$
| lookup lookup_wild_folder folder_lookup AS folder_name, server AS host OUTPUT group_lookup user_lookup file_exceptions
| eval user=if(isnull(Object_Name),null,user)
| eval user=if(match(Object_Name,folder_lookup),null,user)
| eval user=if(match(user_lookup,user),null,user)
| eval user=if(match(Object_Name,file_exceptions),null,user)
| table user host folder_lookup folder_name Object_Name Message group_lookup
| ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="memberOf"
| rex field=memberOf "^CN=(?[^,]+)"
| eval allowed_groups=split(group_lookup,"::")
| eval temp=mvdedup(mvappend(group_name,allowed_groups))
| eval user=if(mvcount(temp)=(mvcount(group_name) + mvcount(allowed_groups)),user,null)
| search user!=null
| table user host Object_Name allowed_groups group_name temp
The lookup_wild_folder CSV structure is still the same:
server,folder_lookup,folder_out,group_lookup,user_lookup,file_exceptions
SERVERNAME,D:Docstore*,D:Docstore,GROUP1::Group2,::USER1::USER2::USER3::,
... View more
03-01-2016
08:31 AM
This sanitized event will be a false positive, triggering the alert when it should not:
03/01/2016 10:42:26 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=SERVER.DOMAIN.COM
TaskCategory=File System
OpCode=Info
RecordNumber=100125574
Keywords=Audit Success
Message=An attempt was made to access an object.
Subject:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain: DOMAIN
Logon ID: 0xc93b0ff0
Object:
Object Server: Security
Object Type: File
Object Name: D:\FOLDER\PROTECTED.XLSX
Handle ID: 0x1418
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
It triggers with the following statistics:
user: USERNAME
host: SERVER.DOMAIN.COM
Object_Name: D:\FOLDER\PROTECTED.XLSX
allowed_groups: ALLOWED_GROUP1
ALLOWED_GROUP2
group_names: RANDOM_GROUP1
RANDOM_GROUP2
ALLOWED_GROUP2
RANDOM_GROUP3
You can see that the user is a member of ALLOWED_GROUP2, which is one of the two allowed groups to this file.
... View more
02-26-2016
12:38 PM
Unfortunately this is still showing false positives. I had tried something similar to this on an initial version of the search but never was able to make it work.
... View more
02-26-2016
11:24 AM
I have an alert designed to examine Windows event logs (event 560 or 4663) for file access by unauthorized users. The search works by slowly checking the file location, files that aren't examined, and then finally the user's group membership compared to that allowed for the file. The final comparison is where I have problems, as I need to look to see that at least one of the user's groups is in the list of groups allowed access to the file. Because of that, and how it is structured as a reductionary search, I can't explode using mvexpand, because anything remaining would be indicative of an alert, so there would have to be 100% match as opposed to the !=0% match I am looking for. That is why solutions such as those found at https://answers.splunk.com/answers/11287/comparing-multivalue-fields.html won't work. Right now the search below will always alert if a sensitive file is accessed, but it is not appropriately skipping users who have permission.
Search:
index=wineventlog sourcetype=WinEventLog:Security EventCode=560 OR EventCode=4663 OR EventCode=5145 NOT user=$ folder_name!=null
| lookup lookup_wild_folder folder_lookup AS folder_name, server AS host OUTPUT group_lookup user_lookup file_exceptions
| eval user=if(isnull(Object_Name),null,user)
| eval user=if(match(Object_Name,folder_lookup),null,user)
| eval user=if(match(user_lookup,user),null,user)
| eval user=if(match(Object_Name,file_exceptions),null,user)
| table user host folder_lookup folder_name Object_Name Message group_lookup
| ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="memberOf"
| rex field=memberOf "^CN=(?[^,]+)"
| eval allowed_groups=split(group_lookup,"::")
| **eval user=if(match(group_name,allowed_groups),null,user)*
| search user!=null
| table user host Object_Name allowed_groups group_name
lookup_wild_folder CSV structure
server,folder_lookup,folder_out,group_lookup,user_lookup,file_exceptions
SERVERNAME,D:\Docstore*,D:\Docstore,GROUP1::Group2,::USER1::USER2::USER3::,
... View more
12-01-2015
02:46 PM
This fixed the issue for me as well, thank you!
... View more
11-11-2015
10:47 AM
Regenerating the API key after renaming the folder resolved the issue. Thank you for your suggestion!
... View more
11-09-2015
10:40 AM
This is what we currently have configured for our user:
Privileges Read/write access
ISI_PRIV_LOGIN_CONSOLE N/A
ISI_PRIV_LOGIN_PAPI N/A
ISI_PRIV_LOGIN_SSH N/A
ISI_PRIV_ANTIVIRUS Read-only
ISI_PRIV_AUDIT Read-only
ISI_PRIV_CLUSTER Read-only
ISI_PRIV_DEVICES Read-only
ISI_PRIV_EVENT Read-only
ISI_PRIV_FTP Read-only
ISI_PRIV_HDFS Read-only
ISI_PRIV_HTTP Read-only
ISI_PRIV_ISCSI Read-only
ISI_PRIV_JOB_ENGINE Read-only
ISI_PRIV_LICENSE Read-only
SI_PRIV_NDMP Read-only
ISI_PRIV_NETWORK Read-only
ISI_PRIV_NFS Read-only
ISI_PRIV_NTP Read-only
ISI_PRIV_QUOTA Read-only
ISI_PRIV_REMOTE_SUPPORT Read-only
ISI_PRIV_SMARTPOOLS Read-only
ISI_PRIV_SMB Read-only
ISI_PRIV_SNAPSHOT Read-only
ISI_PRIV_STATISTICS Read-only
ISI_PRIV_SYNCIQ Read-only
ISI_PRIV_VCENTER Read-only
ISI_PRIV_WORM Read-only
... View more
11-04-2015
12:32 PM
That got most of the way. I now see data coming into index nessus, specifically sourcetype=nessus:plugin. Unfortunately, I do not seem to be getting any sourcetype=nessus:scan data.
Searching for index=internal sourcetype=ta:nessus:log again gets me the following data for the run today:
11/4/15
2:07:37.456 PM
2015-11-04 14:07:37,456 ERROR pid=5201 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://axe1util03p.anixter.com:8834/plugins/families/21, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_rest_client.py", line 79, in request
headers=headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1593, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1335, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1291, in _conn_request
response = conn.getresponse()
File "/opt/splunk/lib/python2.7/httplib.py", line 1073, in getresponse
response.begin()
File "/opt/splunk/lib/python2.7/httplib.py", line 415, in begin
version, status, reason = self._read_status()
File "/opt/splunk/lib/python2.7/httplib.py", line 371, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "/opt/splunk/lib/python2.7/socket.py", line 476, in readline
data = self._sock.recv(self._rbufsize)
File "/opt/splunk/lib/python2.7/ssl.py", line 714, in recv
return self.read(buflen)
File "/opt/splunk/lib/python2.7/ssl.py", line 608, in read
v = self._sslobj.read(len or 1024)
SSLError: ('The read operation timed out',)
Collapse
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:06:01.359 PM
2015-11-04 14:06:01,359 ERROR pid=5201 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://axe1util03p.anixter.com:8834/plugins/families/2, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_rest_client.py", line 79, in request
headers=headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1593, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1335, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1291, in _conn_request
response = conn.getresponse()
File "/opt/splunk/lib/python2.7/httplib.py", line 1073, in getresponse
response.begin()
File "/opt/splunk/lib/python2.7/httplib.py", line 415, in begin
version, status, reason = self._read_status()
File "/opt/splunk/lib/python2.7/httplib.py", line 371, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "/opt/splunk/lib/python2.7/socket.py", line 476, in readline
data = self._sock.recv(self._rbufsize)
File "/opt/splunk/lib/python2.7/ssl.py", line 714, in recv
return self.read(buflen)
File "/opt/splunk/lib/python2.7/ssl.py", line 608, in read
v = self._sslobj.read(len or 1024)
SSLError: ('The read operation timed out',)
Collapse
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:05:17.403 PM
2015-11-04 14:05:17,403 ERROR pid=5201 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://axe1util03p.anixter.com:8834/plugins/families/1, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_rest_client.py", line 79, in request
headers=headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1593, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init.py", line 1335, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunktalib/httplib2/init_.py", line 1291, in _conn_request
response = conn.getresponse()
File "/opt/splunk/lib/python2.7/httplib.py", line 1073, in getresponse
response.begin()
File "/opt/splunk/lib/python2.7/httplib.py", line 415, in begin
version, status, reason = self._read_status()
File "/opt/splunk/lib/python2.7/httplib.py", line 371, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "/opt/splunk/lib/python2.7/socket.py", line 476, in readline
data = self._sock.recv(self._rbufsize)
File "/opt/splunk/lib/python2.7/ssl.py", line 714, in recv
return self.read(buflen)
File "/opt/splunk/lib/python2.7/ssl.py", line 608, in read
v = self._sslobj.read(len or 1024)
SSLError: ('The read operation timed out',)
Collapse
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:11.133 PM
2015-11-04 14:04:11,133 ERROR pid=5205 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 147, in get_nessus_modinput_configs
input_conf = config.get_data_input(input_name)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_config.py", line 186, in get_data_input
check_conf_mgr_result(False, "Cannot get the encrypted keys.")
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_config.py", line 27, in check_conf_mgr_result
raise NessusConfigException(msg)
NessusConfigException: Cannot get the encrypted keys.
Collapse
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:11.132 PM
2015-11-04 14:04:11,132 ERROR pid=5205 tid=MainThread file=nessus.py:get_nessus_modinput_configs:156 | Failed to setup config for nessus TA: Cannot get the encrypted keys.
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:11.132 PM
2015-11-04 14:04:11,132 ERROR pid=5205 tid=MainThread file=nessus_config.py:check_conf_mgr_result:26 | Cannot get the encrypted keys.
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.981 PM
2015-11-04 14:04:10,981 INFO pid=5205 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.966 PM
2015-11-04 14:04:10,966 INFO pid=5201 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.710 PM
2015-11-04 14:04:10,710 INFO pid=5201 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.710 PM
2015-11-04 14:04:10,710 INFO pid=5201 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.710 PM
2015-11-04 14:04:10,710 INFO pid=5201 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.709 PM
2015-11-04 14:04:10,709 INFO pid=5201 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.689 PM
2015-11-04 14:04:10,689 INFO pid=5205 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.689 PM
2015-11-04 14:04:10,689 INFO pid=5205 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.689 PM
2015-11-04 14:04:10,689 INFO pid=5205 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.689 PM
2015-11-04 14:04:10,689 INFO pid=5205 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:10.335 PM
2015-11-04 14:04:10,335 INFO pid=5205 tid=MainThread file=nessus.py:main:260 | Start nessus TA
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
11/4/15
2:04:09.876 PM
2015-11-04 14:04:09,876 INFO pid=5201 tid=MainThread file=nessus.py:main:260 | Start nessus TA
host = axe1splkh01p.anixter.com source = /opt/splunk/var/log/splunk/ta_nessus.log sourcetype = ta:nessus:log
... View more
10-29-2015
09:14 AM
I am using the following configuration:
This results in the following errors:
10/29/15 11:07:15.842 AM 2015-10-29
11:07:15,842 ERROR pid=14247
tid=MainThread
file=nessus.py:get_nessus_modinput_configs:157
| Traceback (most recent call last):
File
"/opt/splunk/etc/apps/axe_sec_nessus_inputs/bin/nessus.py",
line 136, in
get_nessus_modinput_configs
config.remove_expired_ckpt() File
"/opt/splunk/etc/apps/axe_sec_nessus_inputs/bin/nessus_config.py",
line 159, in remove_expired_ckpt
inputs) Show all 6 lines host = HOSTNAME source =
/opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log 10/29/15
11:07:15.841 AM 2015-10-29
11:07:15,841 ERROR pid=14247
tid=MainThread
file=nessus.py:get_nessus_modinput_configs:156
| Failed to setup config for nessus
TA: 'NoneType' object is not iterable
host = HOSTNAME source
= /opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log 10/29/15
11:07:15.703 AM 2015-10-29
11:07:15,703 INFO pid=14247
tid=MainThread file=nessus.py:main:260
| Start nessus TA host =
HOSTNAME source =
/opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log 10/29/15
11:07:15.425 AM 2015-10-29
11:07:15,425 ERROR pid=14235
tid=MainThread
file=nessus.py:get_nessus_modinput_configs:157
| Traceback (most recent call last):
File
"/opt/splunk/etc/apps/axe_sec_nessus_inputs/bin/nessus.py",
line 136, in
get_nessus_modinput_configs
config.remove_expired_ckpt() File
"/opt/splunk/etc/apps/axe_sec_nessus_inputs/bin/nessus_config.py",
line 159, in remove_expired_ckpt
inputs) Show all 6 lines host = HOSTNAME source =
/opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log 10/29/15
11:07:15.425 AM 2015-10-29
11:07:15,425 ERROR pid=14235
tid=MainThread
file=nessus.py:get_nessus_modinput_configs:156
| Failed to setup config for nessus
TA: 'NoneType' object is not iterable
host = HOSTNAME source
= /opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log 10/29/15
11:07:15.350 AM 2015-10-29
11:07:15,350 INFO pid=14235
tid=MainThread file=nessus.py:main:260
| Start nessus TA host =
HOSTNAME source =
/opt/splunk/var/log/splunk/ta_nessus.log
sourcetype = ta:nessus:log
Anyone have any suggestion as to what I'm doing wrong?
... View more
09-04-2015
01:00 PM
I am building an alert based on file accesses to certain files. This is what I have so far:
index=wineventlog sourcetype=WinEventLog:Security EventCode=560 OR EventCode=4663 OR EventCode=5145 NOT user=*$
| lookup lookup_wild_folder folder_lookup AS folder_name, server AS host OUTPUT group_lookup user_lookup file_exceptions
| eval user=if(isnull(Object_Name),null,user)
| eval user=if(match(Object_Name,folder_lookup),null,user)
| eval user=if(match(user_lookup,user),null,user)
| eval user=mvfilter(match(Object_Name,file_exceptions))
| table user host folder_lookup folder_name Object_Name Message group_lookup
| ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="memberOf"
| rex field=memberOf "^CN=(?<group_name>[^,]+)"
| eval user=mvfilter(match(group_name,group_lookup))
| search user!=null
| table user host folder_lookup folder_name Object_Name Message group_lookup group_name
My problems are in the mvfilter lines. What I want is to check if the user is a member of an Active Directory group that is in the list of owners for the files (e.g. is user foo in group bar or baz), and is the file something we care about (e.g. does Object_Name contain one of the various file names from the lookup). The mvfilter command LOOKS similar to what I want, but in reverse (the mv variables are the regexes, of which any match is a reason to exit the search). Do I need to create a junk variable to do this?
... View more
10-15-2013
12:36 AM
Has anyone figured out a way to get log information from an android device? For instance I think it MIGHT be possible to modify a Linux forwarder, but would require some rather intense work to do so.
... View more
- Tags:
- android
- forwarders
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-14-2023
03:26 PM
|
Karma given to
