Hello the issue I am having is with the following command:   ./splunk restart      When I try to restart I get the following message:   As Su user: Failed to run splunk as SPLUNK_OS_USER. This command can only be run by bootstart user. without su user: please run 'splunk ftr' as boot-start user     I am not understanding what it is asking me to do...   I want to mention that puppet is the tool we use to deploy the UF to our linux servers. I am trying to restart the UF because I want to see if the linux server will  use the splunk server as a deploymentserver by adding a deploymentclient.conf file to SplunkUniversalForwarder/etc/system/local. ... View more

Hello,  I am working with a Linux system and a universal forwarder.    Operating System: Debian GNU/Linux 10 (buster) Kernel: Linux 4.19.0-12-amd64 Architecture: x86-64     when I checked opt/splunkforwarder/etc/system/local  and ran ls -l I noticed that root root had permission in there as well as splunk splunk. Should splunk splunk own everything in the universal forwarder directory?   -rw-r--r-- 1 root root 283 Apr 30 2020 inputs.conf -rw------- 1 root root 45 Apr 21 2020 migration.conf -rw-r--r-- 1 root root 222 Apr 23 2020 outputs.conf -r--r--r-- 1 splunk splunk 265 Mar 30 2020 README -rw------- 1 splunk splunk 431 Sep 23 2019 server.conf -rw-r--r-- 1 splunk splunk 65 Jun 3 13:38 user-seed.conf -rw-r--r-- 1 root root 40 Sep 23 2019 web.conf     ... View more

Hello,  I been trying to figure this out for the past 2 days now and I cannot seem to find which config file is making my host send logs to index=main. I have 4 other machines in forward management that have the same application sending logs to the correct index except for this system. It seems to send Application logs to index=main but all other security logs go to index=windows. I double checked the apps folder on that machine  and compared it with a machine that is not sending to index main and also did the same in the etc/system/local.     This is a single deployment we have a single search head and single indexer.  ... View more

I was following this guide on adding command line logging to my GPO. I verified that the current GPO has these settings.    You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking. You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ ProcessCreationIncludeCmdLine_Enabled registry key value to 1.   Here is what I did to test, I simply created a directory, deleted it, also ran ipconfig, net share and was unable to find those commands expect for ipconfig in the logs.  Is there anything else I need to do maybe in the input.conf file?    EDIT: Seems like mkdir and rmdir do not show up in the logs but all others do. Does anyone know why? ... View more

Hello I am getting my vpn logs in syslog format on my single splunk deployment instance and I am having trouble figuring out the proper way to extract the fields.        Aug 11 15:57:00 uf-log-ads-01.s.uw.edu 122.211.777.777/111.111.111.112 {"EVENT":"ACCESS_SESSION_OPEN","session.server.network.name":"dept-falconsonnet-ns.uf.edu","session.server.landinguri":"/dservers","session.logon.last.username":"carl","session.saml.last.attr.friendlyName.eduPersonAffiliation":"| member | staff | employee | alum | faculty |","session.client.platform":"Win10","session.client.cpu":"WOW64","session.user.clientip":"111.11.111.111","session.user.ipgeolocation.continent":"NA","session.user.ipgeolocation.country_code":"US","session.user.ipgeolocation.state":"Georgia","session.user.starttime":"1597186611","sessionid":"b5b42313cbb528a386beafff72cd5cef"}       Well now I am trying to figure out what the best way it is to extract the field names that I care about. I was having trouble figuring this out because when I do the delimiter extraction and separate by comma I have the problem of seeing "session.saml.last.attr.friendlyName.eduPersonAffiliation":"| member | staff | employee |"     Alright so I ruled out the delimiter extraction. I began doing regex and everything was going good until  I noticed that the the field continent , after extracting it, saving it, and then doing a search, was picked up by only some events and others were missing it even though the variable and continent were the same in this case "NA" The same thing happened with the sessionid field. I compared both logs they were coming from the same source, sourcetype, index. Main differences were the sessions, session start times, ips, usernames. The syslog comes into the server and writes to a .log file on my splunk server so that is how I got the data to be indexed on splunk by monitoring a directory. But now I am stuck and not sure how I should approach this problem.   ... View more