Hello,  I am requested to make a study on the possibility to integrate Splunk authentication/authorization  with Cyberark PAM/PSM.  To get connected into Splunk, the users should go through PAM/PSM.   I could not find anything in the documentation nor in internet. Can you please tell me if this is or will be feasible?   ... View more

Hello,  As found on "Splunk Security Advisory for Apache Log4j", I could read that "Unless CVE-2021-45105 or CVE-2021-44832 increase in severity, Splunk will address these vulnerabilities as part of the next regular maintenance release of each affected product. Customers also have the option to remove Log4j Version 2 from Splunk Enterprise out of an abundance of caution. " CVE-2021-44832 concerns a vulnerability found in version 2.17. Thus as far as I understand, the vulnerability of Log4j 2.17 will be solved in next maintenance release. I am running Splunk Enterprise 8.1.7.2 and the version of Log4j in it is 2.16.  This version of Log4j has been deleted.  But my management is asking when the version 2.17 will be available. I believe in next maintenance release. Thus can you please tell me when the next maintenance release will be released for Splunk Enterprise 8.1? Thanks ... View more

Hello, I have a very special log to index into Splunk. This is a Sybase IQ log with a special timestamp format. Each line is a new log event. At the begining of the log and at some lines after, you find a timestamp with the format %m%d %H%M%S.%3N But between them, the time is shown as relative milliseconds For example, 0523 095954.807,[,1000000001,sp_iq_mpx_init,16,iq +2,],1000000001,sp_iq_mpx_init,16= +79,P,1,[S]DUMMY =,>,1,EXEC ...... 0523 095954.807,[, xxxxxx +83,>,1,CONNECT,1 ...... At the first line the timestamp is with format %m%d %H%M%S.%3N At the second line, the timestamp is thus the timestamp of first line +2 milliseconds (sign "+2") At the third line, the timestamp is thus the timestamp of the second line +79 milleseconds (sign "+79") Aty the fourth line, the timestamp is thus the timestamp of the thid line (sign "=") .... This mechanism is valid till the new line with timestamp with format %m%d %H%M%S.%3N And then it begins again I do not see how I can catch the timestamp at each line at index time (preferably) or at search time. Can you please advice? Thanks ... View more

Hello, I am new in Splunk parsing and I am facing some problems with this. I am trying to parse, at Search Time, a source of logs (containing two sourcetypes, AIX and Linux). In the AIX sourcetype, I have three different type of events (one for "PROC_Execute", another for "CRON" and the last one for "S_PASSWD_READ". The beginning of the event is the same for the three types. I have a UF -> IDX environment -> SH. I have tried many many things with transforms.conf and/or props.conf without any success. Everytime I search for the sourcetype events, nothing is parsed in SH Gui. My logs look like this, for AIX (sourcetype=aix) (I will do linux afterwards.) PROC_Execute root OK Mon Jul 25 10:53:26 2016 uncompress 14614680 21364880 root euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/bin/uncompress -f /audit/tempfile.21364880 PROC_Execute i51534a OK Mon Jul 25 10:53:26 2016 sh 15335586 7798934 root euid: 0 egid: 0 epriv: ffffffff:ffffffff name sh -c LANG=C /usr/bin/vmstat S_PASSWD_READ root OK Mon Jul 25 10:54:00 2016 cron 21233890 6684896 root audit object read event detected /etc/security/passwd S_PASSWD_READ root OK Mon Jul 25 10:54:00 2016 cron 21233890 6684896 root audit object read event detected /etc/security/passwd CRON_Start root OK Mon Jul 25 10:54:00 2016 cron 21233890 6684896 root event = start cron job cmd = > /lpar2rrd/product/logs/error.log time = Mon Jul 25 10:54:00 2016 As you can see, multiple white spaces is used as delimiter and more than that, the amount of white spaces between the "sh"/"uncompress" and the "process_number" can vary. I tried the following in the SH gui and it works fine. The events are parsed with correct values : "index= host= | rex field=_raw "^(?P\w+)\s+(?P\w+)\s+(?P\w+)\s+(?P\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+(?P[^ ]+)\s+(?P\d+)\s+(?P\d+)\s+(?P\w+)\s+(?P.*)$"" In transforms.conf and/or props.congf, I tried using (?x) for free-spacing mode as the numbers of free spaces between "trail_aix_short_command" and "trail_aix_parent_process_id" can vary. I tried to put in props.conf, only the first extract "EXTRACT-aix_command = ^(?P[^ ]+)" (created with the fiedls extractor) without success. -> no parsing at search time in SR GUI. I tried, in transforms.conf, the following "(?x)(?P\w+)\s+(?P\w+)\s+(?P\w+)\s+(?P\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+(?P[^ ]+)\s+(?P\d+)\s+(?P\d+)\s+(?P\w+)\s+(?P.)" (with and without ") and "(?P\w+)\s+(?P\w+)\s+(?P\w+)\s+(?P\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+(?P[^ ]+)\s+(?P\d+)\s+(?P\d+)\s+(?P\w+)\s+(?P.)" (with and without ") without success. I tried also with (.*) for each element in transforms.conf without success. => I need some help. What I would like to do is parse until the "user name" in a common extraction, and then use three other extractions, one for "CRON", one for "PASSWD" and one for "PROC_EXECUTE" => can you help? ... View more