Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About johant
johant
Explorer
Member since:
11-12-2017
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 11-12-2017 |
Activity Feed
- Karma Re: Cannot receive WinEventLog via inputs.conf for gcusello. 06-05-2020 12:49 AM
- Got Karma for Re: Getting the following error in splunkd - Could not find user="system" with strategy="LDAP". 06-05-2020 12:49 AM
- Posted Splunk architectural design - global search head on Splunk Enterprise Security. 06-27-2018 05:13 PM
- Tagged Splunk architectural design - global search head on Splunk Enterprise Security. 06-27-2018 05:13 PM
- Tagged Splunk architectural design - global search head on Splunk Enterprise Security. 06-27-2018 05:13 PM
- Tagged Splunk architectural design - global search head on Splunk Enterprise Security. 06-27-2018 05:13 PM
- Posted Re: Getting the following error in splunkd - Could not find user="system" with strategy="LDAP" on Deployment Architecture. 04-04-2018 05:20 PM
- Posted Re: Cannot receive WinEventLog via inputs.conf on Getting Data In. 03-19-2018 02:55 PM
- Posted Re: Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:43 PM
- Posted Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:13 PM
- Tagged Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:13 PM
- Tagged Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:13 PM
- Tagged Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:13 PM
- Tagged Why is my Custom Tag not applying to all the applications? on Splunk Enterprise Security. 02-11-2018 04:13 PM
- Posted SA-ldapsearch for Windows App - Need to turn off SSL on All Apps and Add-ons. 11-16-2017 02:30 PM
- Tagged SA-ldapsearch for Windows App - Need to turn off SSL on All Apps and Add-ons. 11-16-2017 02:30 PM
- Tagged SA-ldapsearch for Windows App - Need to turn off SSL on All Apps and Add-ons. 11-16-2017 02:30 PM
- Posted Re: Cannot receive WinEventLog via inputs.conf on Getting Data In. 11-16-2017 01:38 PM
- Posted Re: Cannot receive WinEventLog via inputs.conf on Getting Data In. 11-15-2017 02:20 PM
- Posted Re: Cannot receive WinEventLog via inputs.conf on Getting Data In. 11-15-2017 02:18 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-27-2018
05:13 PM
Hi,
I need someone to shed me some light on what is the best approach for me on changing my splunk architecture.
Currently, I have about 4 of single instance deployment of Splunk Enterprise Security; 1 indexer/search head and 1 heavy forwarder with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle because if i need to search for a particular data for that customer I have to login to separate indexer every single time.
Note that each of the indexer have the same index name such as cisco, windows, etc.
My plan is to have 1 single search head to query the data from other indexer. I am just not sure how to deploy it with the enterprise security installed. Do I need to install enterprise security in search head only or does the enterprise security needs to be installed in the indexer as well since I enabled threat intelligence in the indexer before?
As I mentioned earlier, the data on each indexer have the same index name. How do I differentiate the data if I queried it from a single global search head?
Regards,
Johan
... View more
04-04-2018
05:20 PM
1 Karma
Hi,
I have the same issue as well.
Has the patch been released? Is there a website from Splunk to track the patches?
Thanks,
Johan
... View more
03-19-2018
02:55 PM
Hi SumitPan,
I assumed you grab the logs using Universal Forwarder? If so, you have to make sure that you choose "custom installation" otherwise UF will sent all windows logs by default and I found that we cannot change that in the inputs.conf.
Regards,
Johan Tanadi
... View more
02-11-2018
04:43 PM
Hi,
I found the problem.
The app name does not comply with ES.
it has to be either Splunk_TA_[appname] or TA-[appname]
We can check the requirement for app name in ../SplunkEnterpriseSecuritySuite/default/inputs.conf:
[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
app_exclude_regex = sideview_utils
app_include_list = Splunk_DA-ESS_PCICompliance
apps_to_update = (SA-.)|(Splunk_SA_.)
Then we can refresh the splunk config.
Regards,
Johan
... View more
02-11-2018
04:13 PM
Hi,
I am trying to add a tag for my logs to be CIM compliant/use in Email datamodel.
The tag does being applied in "Search&Reporting" app, however, it is not applied to my other apps e.g. Enterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder, the following are how my eventtypes.conf and tags.conf looks like:
eventtypes.conf
[testemail]
search = index=emailgateway sourcetype=gateway:email
tags.conf
[eventtype=testemail]
email = enabled
delivery = enabled
content = enabled
filter = enabled
I also have metadata folder where it set the app to be global:
default.meta
Application-level permissions
[]
access = read : [ * ], write : [ admin, power ]
export = system
Can anyone please let me know if I'm missing something?
Best Regards,
Johan
... View more
11-16-2017
02:30 PM
I'm trying to do ldaptestconnection from SA-ldapsearch and it is working fine without SSL.
However, everytime I saved the configuration with SSL unticked, the SSL box is always ticked when I come back to the configuration page.
Is it possible to leave the SSL unticked? or is it a compulsory requirement for SA-ldapsearch to use SSL? If so how do I get it working because I got an error saying that 'Could not access the directory service at ldaps;socket ssl wrapping error;[Errno 10054];An existing connection was forcibly closed by the remote host'.
Thanks,
Johan
... View more
11-16-2017
01:38 PM
Yes, I ran that on the forwarder and I still cannot find WinEventLog://Security.
It is all right now, I re-installed the forwarder in the windows machine and when i run those command I can see all inputs that I wanted.
... View more
11-15-2017
02:20 PM
Hi Hardik,
No i did not enabled that option, however I manually restart the UF and I stil cannot get the logs to my indexer.
Is it a best practice to automatically restart the forwarder everytime I make a deployment?
Thanks
... View more
11-15-2017
02:18 PM
Hi Giuseppe,
Can you tell me how to check that? I can see the event on the windows 'Event Viewer' so I assume it should be enabled?
Yes, both of them have the same system time.
I ran this command and I cannot see WinEventLog://Security ,Application, System listed on the inputs.txt. How do I make sure that those WinEventLog are listed in there?
Thanks
... View more
11-12-2017
08:17 PM
My current setup:
Splunk Indexer (Deployment Server)
Domain Controller (Windows Server 2008) - UF installed as Deployment Client
I wanted to use Windows App Infrastructure to read the logs, so I followed this documentation https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/ConfiguretheSplunkAppforWindowsInfrastructure.
I have installed all add-ons required on both Splunk Indexer and Domain Controller. The networking and firewall rules are all fine because I can receive "Active Directory" logs in the Indexer.
However, I cannot get any WinEventLog(Security, Application, System) eventhough I have enabled the monitoring in inputs.conf (\etc\deployment-apps\Splunk_TA_windows\local\inputs.conf)
This is how my inputs.conf looks like:
OS Logs
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
Can anyone tell me the reason why I cannot get those logs to Indexer?
Thanks
... View more
