Hi. How can I distinguish events with Authentication when «Unknown User Name» and when «Bad Password»? Ping me if you need more information 🙂 ... View more

Hello. How best to implement Patch Management in Splunk for Win\Linux? Maybe some blogs, articles, APPs that can help me. ... View more

I don't understand the part with eval (what we calculate and for what): | inputlookup meta_woot where index=* sourcetype=* host=* | where recentTime<(now()-3600) | eval latency= round((recentTime-lastTime)/60,2) | eval latency_type=if(latency<0,"Logging Ahead","Logging Behind") | eval latency=abs(latency) | eval latency_type=if(latency="0.00","No Latency",latency_type) | where latency>=0 | convert ctime(recentTime) ctime(firstTime) ctime(lastTime) ctime(lastUpdated) | rename latency AS "latency (mins)" | table index, sourcetype, host, firstTime, lastTime, recentTime, "latency (mins)",latency_type, lastUpdated | sort - "latency (mins)" — — — — — — — — — — — — — — — — — — — — — — — — And what mean: | rest splunk_server=* /services/server/info From savedsearches.conf [Generate Meta Woot Server GUID Lookup] disabled = 1 action.email.useNSSubject = 1 alert.digest_mode = True alert.suppress = 0 alert.track = 0 auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * enableSched = 1 search = | rest splunk_server=* /services/server/info | fields splunk_server, guid\ | outputlookup meta_woot_server_guid For what we need fields splunk_server, guid ? ... View more

[UPD] The logs kinda different, so I changed my question. Hi. I need some ideas to create Windows Firewall Rules dashboard. Right now it's looks: Pane 1: List of Firewall Rules 4945 - A rule was listed when the Windows Firewall started Panel 2: Windows Firewall Exception List 4946 - A change has been made to Windows Firewall exception list. A rule was added 4947 - A change has been made to Windows Firewall exception list. A rule was modified 4948 - A change has been made to Windows Firewall exception list. A rule was deleted Panel 3: Other Changes In Firewall Rules 4954 - Windows Firewall Group Policy settings has changed. The new settings have been applied 4956 - Windows Firewall has changed the active profile Panel 4: Local Security Policy index=win_firewall sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" host=$host$ | stats count by _time host Application_Path Message User | rename count as Count _time as Time host as Host Application_Path as "Application Path" | fieldformat Time=strftime('Time', "%c") | sort -Time 2011 - Firewall Service Block Notifications 2008 - Firewall Rule Processing 2010 - Network profile changed on an interface ... View more

Hi. Which you know apps that can track communication between src and dest hosts that use SSL or TLS encryption protocols? ... View more

Hello. I have windows№1 who sending logs to my windows№2 (WEC) on which i have UF (windows_TA) who collecting data and in Splunk i got logs only from windows№2 (although the logs from windows№1 are displayed in WEC). ... View more

I wanna to run WinNetMon on UF and I put to SplunkUniverstalForwarder\etc\system\local\inputs.conf ... View more

HI. I know how to monitoring process and services in Windows, but I don't know how to see port which use process/service. All logs that I have right now and including process/services not have any fields with ports. For example, I wanna make one table which will include service/process and port. How can I realize it? ... View more

Hi! I never used Pivot command and now I need to change this: | pivot Authentication Authentication count(Authentication) AS "Count of Authentication" SPLITROW src AS src SPLITCOL action LIMIT src BY TOP 15 count(is_Failed_Authentication) FILTER action isNot unknown FILTER action isNot search FILTER src isNot "10.10.20.58" FILTER src isNot "10.10.20.140" FILTER src isNot "10.10.20.200" FILTER src isNot unknown FILTER src isNot *az* FILTER src isNot struts FILTER src isNot *DESKTOP* SORT 1000 src ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 0 |rename src AS Host | sort -failure to something like: | tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication by Authentication.action,Authentication.src | `drop_dm_object_name("Authentication")` | eval success=if(action="success",count,0) | eval failure=if(action="failure",count,0) | stats values(app) as app,sum(failure) as failure,sum(success) as success by src | where success > 0 | xswhere failure from failures_by_src_count_1d in authentication is above medium | `settags("access")` ^ this search shows success/failed authentication only by remote (and i need in general all success/failed by all users) And by low skill with working tstats and Pivot syntax I'm stack :< And one more question, it's possible to run my Pivot search with acceleration? ... View more