A bit more clarity: The default behavior of the app is to monitor the sourcetype syslog for CLAMAV logs and it looks for the keyword "clamav" in the syslog messages. The example above will pipe all scan data to "logger" to send it into the syslog system with the correct keyword. I run a few different clamscans via cron. Some once a day and others once a week. Just depends on how and what you want to scan. It is up to you on how you want to do this. There is no standard. Please read the man page to understand all possible uses. ... View more

I actually got the subsearch ldapsearch to work correctly. My main mistake was assuming the data that was being returned was in the correct format and key value pair that I needed to make my main search to work. So example if I expected the ldapsearch to result with a value of a Username, the actual result was a key value pair where the key was not a key that would work in my main search. I was able to see this happening when I looked at the "inspect Job" view. So in my case I renamed the ldapsearch key to the key I needed in my second search. Example: sourcetype=events event_type=ME ( [|ldapsearch search=(&(objectClass=group)(cn=MYGROUP)) attrs="member" |ldapfetch dn=member attrs=mail |rename mail AS created_by_login |table created_by_login] ) |table created_by_login worked great!!! I hope that helps you or others in the future. ... View more

I am trying to do something very similar with ldapsearch. Though didn't want to have to use a lookup file. any luck? ... View more

Yes I did check that one out, as visually it was kind of nicer. But it does not work for my needs. Parallels coordinates does, but the lines can be too thin at times and makes it hard to read. I am visualizing multiple network traceroutes in one graph. Parallels shows the hops very nicely. ... View more

To use the TA to monitor a file instead. you would add a [monitor] stanza for the file or directories you have: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf ... View more

Great. for the cursor, depending on how many logs you have, it will auto catch up. It may take a day or two, but then all is good. ... View more

uname -a Linux pi-01 4.9.28-v7+ #998 SMP Mon May 15 16:55:39 BST 2017 armv7l GNU/Linux I have the ARM splunk UF v 6.6.1 running on two Pi's v3 model b ... View more

Splunk now has a normal linux ARM UF you can download from their normal splunk download section. The App is no longer the correct UF for the pi. I have it running on my Pi v3. ... View more

So to answer my own question. yes the ARM UF works just fine on the Raspberry Pi ver 3 model B. ... View more

I've been waiting for this app to be updated for Pi v3. Though always wondered why it was an app and not part of the normal Splunk UF downloads. So are you saying that I can simply download the ARM linux UF from splunk and use it? I'm going to go give it a shot. ... View more

Looks like Splunk took down the APP link for this. Normally this means they are updating the app and it will be published soon. I hope so I'm trying to deploy several PI v3 and want to use the forwarder!! 🙂 ... View more

I used this TA (Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575) ) as it seemed to have the best transforms for the firewall types. But I had to heavily modify it also. I remove the index references, I updated props.conf as it referred to stanzas that did not exist in transforms.conf. But it is correctly finding my sophos UTM and XG firewall syslog data. I'll have to build my own searches and dashboards however. ... View more

I've got the exact same problem. What was your final syntax that worked for you in the distsearch.conf file? Also did distsearch.conf get installed on the Search Heads, or Index cluster, or both? thank you! pj ... View more

Thank you for your response. This is one of those times where different people have created apps for the same thing and its difficult to figure out which is the right one to use. There are a few Sophos apps, But the three I'm looking at seem to all be separate with no relation. Hence my question. Sophos UTM Syslog App (https://splunkbase.splunk.com/app/3575) is a TA that simply takes in syslog and changes the sourcetype. But does nothing more than that. Does not set any extracts or key value pairs. So it looks like it is to be used with another app, but does not document which one. TA for Sophos UTM (https://splunkbase.splunk.com/app/3341) is a TA that does a bit more, sets sourcetype, some key value pairs, CIM tags etc.. This hints that then it would work with Splunk Security app ($$), but again does not directly state which one. Splunk for SophosUTM (https://splunkbase.splunk.com/app/3280/) Is it's own app, searches, dashboards, but it's source type transform seemed very simple and I thus wasn't sure if it needed a TA. All of these do not seem to be related, at least directly. I was hoping the author of this app (Sophos UTM Syslog App) would be able to shed some light to what his plans where. 🙂 At the end of the day, I have both XG firewalls and UTM firewalls sending syslog to splunk. I'm trying to find a good TA or app to parse the data so it is usable etc.. I may just need to load each and play around with them. thanks! ... View more

OK done. thanks! ... View more

Thank you, that was helpful in finding the answer. ... View more

Solution was to comment out some of the OIDs that were being used to poll the device with. In snmpif.py I commented out some of the OIDs in "interface_mibs". Not sure if this is specific to using a cisco ASA or splunk 6.5.0. Otherwise app works great!. ... View more

Good idea. I will add it on myside as well see if it breaks anything, then I can include it in my next release. thanks! ... View more