Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dsctm3
dsctm3
Path Finder
Member since:
05-10-2011
02-02-2022
Community Statistics
| Posts | 17 |
| Solutions | 3 |
| Karma Given | 4 |
| Karma Received | 3 |
| Member Since | 05-10-2011 |
Activity Feed
- Karma Re: Indexer fails to join back cluster due to standalone buckets for keio_splunk. 02-02-2022 10:22 AM
- Posted Re: Windows Event Log - .evtx file import - Foriegn AD Domain on Getting Data In. 06-29-2021 08:35 AM
- Tagged Windows Event Log - .evtx file import - Foriegn AD Domain on Getting Data In. 06-29-2021 07:57 AM
- Tagged Windows Event Log - .evtx file import - Foriegn AD Domain on Getting Data In. 06-29-2021 07:57 AM
- Tagged Windows Event Log - .evtx file import - Foriegn AD Domain on Getting Data In. 06-29-2021 07:57 AM
- Posted Windows Event Log - .evtx file import - Foriegn AD Domain on Getting Data In. 06-29-2021 07:56 AM
- Got Karma for ARM v7 support? (RPI3, etc). 05-01-2021 03:59 AM
- Karma Re: MS Crypto API Vuln - CVE-2020-0601 - Any example logs? for rmmiller. 06-05-2020 12:51 AM
- Got Karma for Re: Alert if any IP or source consume high volume of bandwidth like more than 500 Mb. 06-05-2020 12:51 AM
- Karma Universal Forwarder Windows Server 2019 support for montgomeryam. 06-05-2020 12:50 AM
- Karma Re: What is the best way to keep learning Splunk even if you are not working on it day in day out? for skoelpin. 06-05-2020 12:50 AM
- Got Karma for Re: What is the best way to keep learning Splunk even if you are not working on it day in day out?. 06-05-2020 12:50 AM
- Posted Re: Can Universal Forwaders filter in their input.conf file? on Getting Data In. 04-30-2020 01:19 PM
- Posted Re: Sorting issue with numeric field, descending order on Splunk Search. 04-29-2020 10:19 AM
- Posted Re: How to format text extracted from a lookup? on Splunk Search. 04-29-2020 10:10 AM
- Posted Re: Alert if any IP or source consume high volume of bandwidth like more than 500 Mb on Splunk Enterprise Security. 04-29-2020 08:56 AM
- Posted Measuring count of searches using Cold Buckets on Monitoring Splunk. 04-29-2020 08:40 AM
- Tagged Measuring count of searches using Cold Buckets on Monitoring Splunk. 04-29-2020 08:40 AM
- Tagged Measuring count of searches using Cold Buckets on Monitoring Splunk. 04-29-2020 08:40 AM
- Posted Re: MS Crypto API Vuln - CVE-2020-0601 - Any example logs? on Getting Data In. 01-15-2020 02:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
06-29-2021
08:35 AM
So I found the solution, and as usual "It was dumb" The resolution was that the hostname field was ignored by the input for some reason and the data got processed as the actual hostname of the host, not the name I gave it. When I search for the actual hostname the logs have been ingested despite the warning about DC binds. I suppose when you use that sourcetype Splunk ingests the data and runs it through the TA as it came from a native forwarder. I suspect some of the data might be missing, but I'm willing to accept that given the lack of resolution. Marking this solved for now.
... View more
06-29-2021
07:56 AM
Hello, Hoping to get a hint on where to go with this; Use Case: I am attempting to import files from a exported .evtx file from a external Windows host as per: Splunk Docs for Importing Windows Event Log Files The inputs.conf has been written close to the following. [monitor://D:\SplunkLogImport\awesome_hostname\preprocess-winevt\*.evtx]
disabled = 0
sourcetype = preprocess-winevt
host = awesome_hostname
index = awesome_index
crcSalt = <SOURCE>
move_policy = sinkhole
evt_resolve_ad_obj = 0 The challenge here is the logs are from a server in another domain from another network entirely and I have no access to a domain controller. As per: Splunk Docs for Monitor Windows EventLog Data I am recieving an error (as expected) but I'm not seeing any data come in. I am not concerned with having all the data resolved and seeking to simply input this data. Question: Any thoughts on how to blindly import the event logs knowing full well we're not going to get SID/GID object resolution? What is required to tell the forwarder not to bind to the domain? I've attempted the following with no results. evt_resolve_ad_obj = 0 I would appreciate any guidance that may exist on this subject. Details: Host is running Splunk Universal Forwarder v 7.3 on Windows 2012. Source data is from a Windows 2008 R2 server. The Error: (thousands of these) INFO WinEventLogChannel - WinEventLogChannel::getEventsNew (2000): No bindToDc
... View more
Labels
- Labels:
-
universal forwarder
04-30-2020
01:19 PM
Check this out.
https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-event-log.html
I think this is along the line of what you are looking for. You need to use regex to create the filter.
(Edit: Formatting)
... View more
04-29-2020
10:19 AM
Try forcing splunk to treat the ID field as a number.
| sort -num(id)
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Sort
... View more
04-29-2020
10:10 AM
Is it possible your lookup is using Windows text format on a Splunk instance installed on *nix?
If so, consider using the dos2unix command on the lookup file. (You may need to install if from yum/apt)
... View more
04-29-2020
08:56 AM
1 Karma
Schedule the above search to run hourly
Add the following to the end of your search
| where TotalMB >=500
... View more
04-29-2020
08:40 AM
Hello,
I am trying to collect key data metrics regarding search volumes accessing the varying tiers of Splunk Storage Buckets.
For example, I would love to see a report that says
xx% of searches are accessing warm buckets only
xx% of searches are accessing both warm and cold buckets
So far the only hope I've seen thus far is watching Disk IO volume for the cold mounts to get a idea of "how busy it is", and I am hoping for better information from Splunk Itself.
... View more
01-15-2020
02:55 PM
This is exactly what I was looking for. Many thanks @rmmiller !
... View more
01-15-2020
07:35 AM
Hello Splunkers!
TL;DR - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? (CVE-2020-0601)
Does anyone know what the exact event event looks like? The technet article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/ references the following:
Event Log: Windows Logs/Application
Event Source: Audit-CVE
Event ID 1
Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on)
I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently.
sourcetype=wineventlog:application SourceName=Audit-CVE
Any ideas/thoughts/suggestions?
... View more
03-07-2019
07:44 AM
1 Karma
Do tons of side projects <--- This x100.
I've always learned more when applying tools from the office at home. I've home-labbed throughout my career to figure out things I was interested in and/or just needed to know more about.
... View more
03-07-2019
05:28 AM
This is in regards to Windows Server 2019 🙂
... View more
03-06-2019
12:14 PM
Someone from the inside told me in a non-committal way that a release supporting Win2k19 might drop in April.
... View more
07-05-2017
10:07 AM
Yeah, looks like Raspian. Will take a look again with Raspian and see if it's just a Ubuntu/PI issue.
... View more
06-21-2017
07:26 AM
Are you certain? What image are you running on the PI? (Ubuntu, Raspian?) The forwarder package available under Splunk Downloads (no, not the app, the actual Universal forwarder) is listing availability only or ARM v6... I tried just for fun and it wouldn't execute.
... View more
05-19-2017
01:09 PM
You can change it locally via commandline
This command sets the splunkd port to
9089:
splunk set splunkd-port 9089
... View more
05-19-2017
12:59 PM
Not sure on the license front, but TCP/8089 is used for more than Licensing.
This includes deployment client, distributed management console etc. If you have more than just licensing on the host serving that function, you have clear justification to request that port being opened as splunk uses TCP/8089 for all of those features.
... View more
05-12-2017
09:31 AM
1 Karma
The Splunk forwarder currently available (as of 6.6) is only packaged for ARM v6 only and not ARM v7
Any word on being able to obtain a Splunk Forwarder package for ARM v7?
Reasoning:
Newer versions of Raspberry PI (such as RPI3) and similar boards such as beaglebone are using the ARM v7 architecture. ARM v6 code as far as I am aware cannot run on ARM v7 architecture.
Would be nice to use Splunk for a project I have using raspberry PI's - relying on rsyslog to forward logs via network-base syslog not ideal.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-02-2022
01:42 PM
|
