Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About catsmeowor
catsmeowor
Explorer
Member since:
11-15-2017
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 11-15-2017 |
Activity Feed
- Karma Re: how to get a list of skipped searches which are NOT REAL-TIME ?? for cmerriman. 06-05-2020 12:48 AM
- Karma Re: How to specify an index for storing data from forwarders for Ayn. 06-05-2020 12:46 AM
- Posted Recursive query based upon current result set on Getting Data In. 12-17-2018 03:55 PM
- Tagged Recursive query based upon current result set on Getting Data In. 12-17-2018 03:55 PM
- Posted Re: Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 10:51 AM
- Posted Re: Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:55 AM
- Posted Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:33 AM
- Tagged Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:33 AM
- Tagged Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:33 AM
- Tagged Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:33 AM
- Tagged Heavy Forwarder: How do I get traffic to a specific index on my indexer? on Getting Data In. 02-13-2018 09:33 AM
- Posted Re: How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-08-2018 08:59 AM
- Posted Re: How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-06-2018 03:45 PM
- Posted How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-05-2018 01:38 PM
- Tagged How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-05-2018 01:38 PM
- Tagged How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-05-2018 01:38 PM
- Tagged How to configure the inputs.conf to only allow specific event IDs and only filter on a wildcard username? on Getting Data In. 02-05-2018 01:38 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
12-17-2018
03:55 PM
Having some trouble figuring this out, and fishing for an example as well.
Have an index that contains URL traffic logs. The category of these logs is dynamically updated each day.
index=url_logs category=malware | table user category url --> i get my results if there's any hits
But i what I'd like to do is to search for anything that currently matches malware on today's date with a search going back at least a week. That way I could tell if there was a lot of allowed traffic to a site that is now malicious and investigate from there.
Any suggestions? Thank you!
... View more
- Tags:
- splunk-enterprise
02-13-2018
10:51 AM
Unfortunately this does not work. No more events after making those changes, restarting everything.
Change it back to transforms.conf
[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue
And specifying the index on the inputs.conf on the Windows host appears to work. Have not been able to figure out how to do it from the HF.
... View more
02-13-2018
09:55 AM
Figured it out, inputs.conf on the indexer:
[WinEventLog]
index = winevents
At least I think I figured it out, still testing.
... View more
02-13-2018
09:33 AM
Hi Folks - testing the product out and trying to figure out this scenario.
Windows Server w/ Universal Forwarder --> Heavy Forwarder --> Specific Index on Indexer
Most of the above works and I have filtering based on specific events and account names are working too, the next step is getting traffic to a specific index on my indexer.
How do I do this? Referenced articles are not working.
On the indexer, I've created a new index 'winevents'
On props.conf
[source::*:Security]
TRANSFORMS-set = setnull,seclog
On my transforms.conf I've got:
[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue
From what I understand 'format' should equal the new index name? FORMAT = winevents
That's not working.
... View more
02-08-2018
08:59 AM
Did this with props.conf and transforms.conf
Props.conf
[source::*:Security]
TRANSFORMS-set = setnull,seclog
transforms.conf
[seclog]
REGEX = (?msi)(^EventCode=4634|4632).*(Account\sName:\t\tSUPER.)
DEST_KEY = queue
FORMAT = indexQueue
This is all for testing and obviously needs fine tuning for more appropriate eventID's and message information. Will attempt with different logon types, etc
(?msi)(^EventCode=4634|4624).*(Logon\sType:\t\t[1-3]).*(Account\sName:\t\tSUPER.)
Hope this helps someone in the future.
Cheers!
... View more
02-06-2018
03:45 PM
Thanks - been down this road - but to no avali.
Would you happen to have an example of multi-line filtering?
Such as
All Events for 1234, 4321
and
All those events for a wildcard username "admin_*" for example?
I haven't had much luck with my googlefu.
... View more
02-05-2018
01:38 PM
Hi fellas,
Testing the product out.
Have 2012 DC --> UF --> Splunk test environment
I've figured out how to configure the inputs.conf to only allow specific event IDs through the whitelist
Is it possible to also only filter on a wildcard username? Let's say I have an environment where every admin starts with SUPER_ADMIN_X
Been trying to figure it out with no luck.
This is what I've been working with:
[WinEventLog://Security]
disabled = 0
# only index events with these event IDs.
whitelist = 4624,4634
Message = Account\sName:\s+*super*
... View more
