×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
daniel_goolsby_
Explorer
Member since: ‎10-05-2012
‎03-04-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 3
Member Since ‎10-05-2012
Activity Feed
Topics I've Started
No posts to display.
View All

Re: All systems showing same IP Addresses in Forwa...

by in Deployment Architecture
‎03-04-2024 06:32 AM
‎03-04-2024 06:32 AM
We have upwards of 250k forwarders in one of our environments and various levels of DNS caching that make it very difficult for a forwarder to request a deployment server IP from a DNS name and maintain the connection consistently in order for it to get appropriate apps downloaded.  I have seen where a system will request an IP from a DNS name, make an initial connection to a deployment server, then send a DNS query again only to be given a different IP address, which causes issues with the forwarder trying to establish a consistent trusted connection to a deployment server.  That switch in deployment server destinations causes the forwarder to just try again later, until it can establish a consistent connection randomly. We put our deployment servers behind a load balancer before, but all the connections and logs show the forwarders coming from the same ip address.. something x-forwarded-for should help solve at our scale. ... View more

Re: How to index Mcafee HIPS logs?

by in Getting Data In
‎11-02-2015 03:58 AM
1 Karma
‎11-02-2015 03:58 AM
1 Karma
After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder. [monitor://C:ProgramDataMcAfeeHost Intrusion PreventionEvent.log] index= disabled = 0 sourcetype = hipsfw followTail = 1 in props.conf (still on forwarder) [hipsfw] NO_BINARY_CHECK = true CHARSET = utf-16le ... View more

Re: Getting Mcafee HIPS Firewall Logs to Splunk

by in Security
‎11-01-2015 06:22 AM
2 Karma
‎11-01-2015 06:22 AM
2 Karma
After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder. [monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log] index= disabled = 0 sourcetype = hipsfw followTail = 1 in props.conf (still on forwarder) [hipsfw] NO_BINARY_CHECK = true CHARSET = utf-16le This should get everyone going. ... View more

Re: McAfee Host Intrusion Prevention event logs

by in Getting Data In
‎11-01-2015 06:20 AM
‎11-01-2015 06:20 AM
After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder. [monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log] index= disabled = 0 sourcetype = hipsfw followTail = 1 in props.conf (still on forwarder) [hipsfw] NO_BINARY_CHECK = true CHARSET = utf-16le This should get everyone going. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2024 09:53 AM
Karma from
View All