Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jfeitosa
jfeitosa
Path Finder
Member since:
09-16-2014
02-23-2021
Community Statistics
| Posts | 32 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 09-16-2014 |
Activity Feed
- Posted Re: how to correlate events from PaloAlto VPN logs and Windows authentication per user, comparing src_ip and machine_nam on Splunk Search. 02-23-2021 09:52 AM
- Posted How to discard Windows events of type EventCode = 4663 from Splunk executables. on Splunk Enterprise. 02-23-2021 09:41 AM
- Got Karma for Splunk DB Connect 1.1.4: How to troubleshoot error "Connecting to databases stopped"?. 06-05-2020 12:47 AM
- Got Karma for Send Mainframe logs to Splunk?. 06-05-2020 12:47 AM
- Karma Re: Forwarding Mainframe logs to Splunk for steveirogers. 06-05-2020 12:46 AM
- Got Karma for Re: Can Splunk input IBM SMF records?. 06-05-2020 12:46 AM
- Karma Re: How do I bind Splunk to a specific interface? for jrodman. 06-05-2020 12:45 AM
- Posted Re: Field Extract and Format Time Stamp on Splunk Search. 03-01-2018 01:18 PM
- Posted Re: Field Extract and Format Time Stamp on Splunk Search. 03-01-2018 01:18 PM
- Posted Field Extract and Format Time Stamp on Splunk Search. 03-01-2018 07:43 AM
- Tagged Field Extract and Format Time Stamp on Splunk Search. 03-01-2018 07:43 AM
- Posted Re: Send Mainframe logs to Splunk? on Getting Data In. 02-14-2017 09:07 AM
- Posted Re: Send Mainframe logs to Splunk? on Getting Data In. 02-14-2017 03:07 AM
- Posted Re: How create a schedule alert just after 17:00, holidays and weekend? on Alerting. 07-26-2016 05:13 AM
- Posted How create a schedule alert just after 17:00, holidays and weekend? on Alerting. 07-25-2016 10:26 AM
- Tagged How create a schedule alert just after 17:00, holidays and weekend? on Alerting. 07-25-2016 10:26 AM
- Posted Re: How to convert seconds to hours and minutes? on Splunk Search. 07-14-2016 12:17 PM
- Posted Re: When will Splunk address the OpenSSL vulnerability issue (CVE-2016-2107; OpenSSL <1.0.2h)? on Splunk Enterprise. 07-08-2016 11:12 AM
- Posted Re: How to convert seconds to hours and minutes? on Splunk Search. 06-20-2016 12:08 PM
- Posted Re: How to "filter out" to discard specific events Palo Alto firewall? on Getting Data In. 06-20-2016 12:04 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
02-23-2021
09:52 AM
Hi @Kwip You saw my answer. Thanks in advance.
... View more
02-23-2021
09:41 AM
Hi friends! How to discard Windows events of type EventCode = 4663 from Splunk executables? Dismiss only Splunk-related events: SplunkUniversalForwarder \ bin \ splunk-powershell.exe splunk-regmon.exe splunk-admon.exe To reduce the consumption of the Splunk license. Example log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{}'/><EventID>4663</EventID><Version>1</Version><Level>0</Level><Task>12802</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-23T14:56:54.615235600Z'/><EventRecordID>835675728</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>DC01.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>DC01$</Data><Data Name='SubjectDomainName'>DC01</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>SymbolicLink</Data><Data Name='ObjectName'>\SHARE??\E:</Data><Data Name='HandleId'>0x94</Data><Data Name='AccessList'>%%4544</Data><Data Name='AccessMask'>0x1</Data><Data Name='ProcessId'>0x1fa8</Data><Data Name='ProcessName'>E:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event> Thanks in advancend! James \o/
... View more
Labels
- Labels:
-
using Splunk Enterprise
03-01-2018
01:18 PM
Thanks for the answer. I'll test and return with the result.
Thanks in advance.
... View more
03-01-2018
01:18 PM
Thanks for the answer. I'll test and return with the result.
Thanks in advance.
... View more
03-01-2018
07:43 AM
Hi All.
How to break this log block so that it reads each row as an event, and this log is not in timestamp format?
The date would be the start and end of the user session on the system.
The following is an example of the log:
cod|user |system |day|month|year|hour|minute|day|month|year|hour|minute
001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00821888|cis0121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46
Do I have to configure in props.conf and transform.conf by sourcetype?
REGEX = = (.{3}).(.{8}).(.{16}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2})
FORMAT = emp::$1 user::$2 session_id::$3 datei_mday::$4 datei_month::$5 datei_year::$6 datei_hour::$7 datei_minute::$8 datef_mday::$9 datef_month::$10 datef_year::$11 datef_hour::$12 datef_minute::$13
I tried to create this REGEX, but it did not work.
Can you help me please?
Best Regards.
... View more
- Tags:
- splunk-enterprise
02-14-2017
09:07 AM
I got through script to collect login failure events in RACF and send via SFTP to Splunk in the same script.
... View more
02-14-2017
03:07 AM
Yes, the Ironstream is a commerical application and very expensive! I requested a commercial proposal and it was not viable.
... View more
07-26-2016
05:13 AM
OK, thanks guys for the help. I think that create a list of the holidays is a good idea.
... View more
07-25-2016
10:26 AM
I need to schedule an alert that triggers an email alert just after 17:00, holidays and weekend. It's possible?
... View more
- Tags:
- splunk-enterprise
07-14-2016
12:17 PM
Now I need the browsing team in each url, not the sum per user.
Como alterar a busca para trazer o tempo para cada url?
Search:
index=pan_logs (type=TRAFFIC AND vendor_action=allow) OR (type=THREAT AND vendor_action=alert) rule=URLF_LojaVirtual | eval MB=bytes/1024/1024 |transaction src_ip dest_ip startswith="start" endswith="end" | search eventcount>2 | stats values(dest_hostname) as URL, sum(duration) as duration(HH:MM:SS) by user | table user URL duration(HH:MM:SS) | convert dur2sec(CallDuration) AS duration | eval "duration(HH:MM:SS)"=tostring('duration(HH:MM:SS)',"duration") | sort -duration(HH:MM:SS) | head 3
Tks
... View more
07-08-2016
11:12 AM
I have the same problem, and other vulnerabilities found in communication between the Universal Forwarder and Splunk Manager.
Does anyone know how to mitigate these vulnerabilities? Force use TLS? How do correctly?
Tks
... View more
06-20-2016
12:04 PM
I solve that.
props.conf
[source::udp:514]
TRANSFORMS-nullQ=nullFilter
transform.conf
FILTER OUT FIREWALL
[nullFilter]
REGEX = (%ASA-\d+-.(Built|Teardown))
DEST_KEY = queue
FORMAT = nullQueue
Tks,
... View more
06-20-2016
11:50 AM
How to convert the search results in seconds to hours and minutes?
This my search:
index=pan* (type=TRAFFIC AND vendor_action=allow) OR (type=THREAT AND vendor_action=alert) | eval MB=bytes/1024/1024 |transaction src_ip dest_ip startswith="start" endswith="end" | search eventcount>2 | stats values(sourcetype) as sourcetype, values(dest_hostname) as URL, sum(MB) as MB, sum(duration) as duration(Sec) by user | table user URL MB duration(Sec)
Thank you in advance!
... View more
04-08-2016
06:05 AM
Hi woodcock,
It does not work this REGEX. The term SOURCE KEY = dest was not accepted appears error inconsistency. I tried without the term SOURCE_KEY = dest, still did not work.
Thanks in advance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-23-2021
07:50 PM
|
