Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Stefanie
Stefanie
Builder
Member since:
07-22-2021
09-02-2022
Community Statistics
| Posts | 181 |
| Solutions | 19 |
| Karma Given | 23 |
| Karma Received | 65 |
| Member Since | 07-22-2021 |
Activity Feed
- Got Karma for Re: gia_summary index not populating. 09-27-2023 08:46 AM
- Got Karma for Re: Splunk authentication with CAC / Smart Card and LDAP for Authorization. 08-09-2023 07:24 AM
- Got Karma for Re: Need help for Errors I get after upgrading to 8.2.4. Like "Sum of 3 Highest per-cpu iowaits reached red Thresho. 07-18-2023 04:28 PM
- Got Karma for Re: Need help for Errors I get after upgrading to 8.2.4. Like "Sum of 3 Highest per-cpu iowaits reached red Thresho. 12-01-2022 04:19 AM
- Got Karma for Re: Need help for Errors I get after upgrading to 8.2.4. Like "Sum of 3 Highest per-cpu iowaits reached red Thresho. 10-27-2022 08:23 AM
- Posted Re: Upgrading from 8 to 9 (UF question) on Splunk Enterprise. 07-07-2022 06:29 AM
- Posted Re: Bug in exporting csv in dashboard panel on Splunk Enterprise. 07-07-2022 06:16 AM
- Posted Re: Enabling TLS in Splunk Enterprise on Splunk Enterprise. 07-07-2022 05:57 AM
- Posted Re: Enabling TLS in Splunk Enterprise on Splunk Enterprise. 07-07-2022 05:40 AM
- Posted Re: I am trying to create app in deployment server on Deployment Architecture. 06-21-2022 06:12 AM
- Posted Re: Splunk not running on Monitoring Splunk. 06-21-2022 06:09 AM
- Got Karma for Re: How to create an Alert on disabled AD accounts being re-enabled?. 06-17-2022 12:58 PM
- Got Karma for Re: Splunk Indexers and long term data storage. 06-13-2022 07:38 AM
- Posted Re: Splunk Indexers and long term data storage on Deployment Architecture. 06-13-2022 06:48 AM
- Posted Re: How to create an Alert on disabled AD accounts being re-enabled? on Splunk Search. 06-13-2022 06:43 AM
- Posted Re: Why the error "Daily indexing volume limit exceeded" on Splunk free license with 500Mb daily indexing limi on Deployment Architecture. 06-13-2022 06:39 AM
- Posted Re: Unable to upgrade splunk to 8.2.6 due to Splunk setup wizard ended prematurely on Splunk Enterprise. 06-03-2022 06:03 AM
- Karma Customers Name Splunk as a Top-rated Provider by TrustRadius for sensitive-thug. 06-01-2022 11:12 AM
- Got Karma for Re: Splunk authentication with CAC / Smart Card and LDAP for Authorization. 05-19-2022 08:46 AM
- Posted Re: Splunk authentication with CAC / Smart Card and LDAP for Authorization on Security. 05-19-2022 05:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-07-2022
06:29 AM
I don't believe there is a specific documentation for the upgrade path for UFs. But UFs are a watered-down version of Splunk Enterprise... For full Splunk server installations there is a specific upgrade path. Generally it is version 6.5.x to 7.2.x to 8.0.x to 8.2.x to 9.0.x. https://docs.splunk.com/Documentation/Splunk/8.2.0/Installation/HowtoupgradeSplunk My question is this. Are there specific versions that I cannot upgrade from? For instance, does a 6.x need to be upgraded to a specific version of 7 then a specific version of 8 or will any version in the line of upgrades work? So to clarify, yes there are specific versions you have to upgrade to. For the example of 7.2.x it can be ANY version of 7.2.x (7.2.3, 7.2.4, 7.2.5, etc). Hope this helps
... View more
07-07-2022
06:16 AM
Hello @phamxuantung , Please reach out to Splunk Support if this is a suspected bug. They will be able to confirm it is a bug and then report it to the proper channels. Hope this helps!
... View more
07-07-2022
05:57 AM
Each indexer needs a certificate installed & configured, yes. But that certificate can have multiple SANs for each of your indexers. That way there is only one certificate to renew when the time comes. But for your indexers to accept SSL connections from another Splunk instance (Server or forwarder) it needs a certificate as well. Luckily the forwarder can utilize any certificate you obtained for your Splunk servers. It doesn't have to be the indexer's certificate but that one is readily available I assume?
... View more
07-07-2022
05:40 AM
Yes you will need to have a certificate on all of your forwarders in the /opt/splunkforwarder/etc/auth/ directory. This can be the same certificate you use on your indexers. You don't need to generate multiple. This is something that the Deployment Server can not push out natively, you may need to look at utilizing another software to push out the configurations for the forwarder's SSL settings.
... View more
06-21-2022
06:12 AM
Please review the Splunk documentation https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates This is a new message related to the recently released Splunk security updates. Are you currently using the default certificates that shipped with Splunk?
... View more
06-21-2022
06:09 AM
Are there any logs within splunkd.log that might suggest it does not have access to the port anymore? There should be some information in Splunkd.log as you restart it.
... View more
06-13-2022
06:48 AM
1 Karma
Which technology are you more familiar with? SAN and NAS might be more on the expensive side. But you'd get better performance and scalability. I'd say DAS might be the better solution, but that's my opinion. It's cheaper than the other two. However it does lack some scalability that the other two have.
... View more
06-13-2022
06:43 AM
1 Karma
How long back are you looking to detect when an account was disabled? I've found a query that may suit your needs EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account
... View more
06-13-2022
06:39 AM
It could be a couple of things. Randomly guessing it could have been from a host that was offline for a while and then brought back online thus the Splunk Forwarder played catch-up and sent a huge amount of data to the indexers. You would have to investigate what caused the sudden unexpected increase. Is this the first time you've had the violation? If you're using the free license as long as you hadn't had three or more warnings you should still be able to search and investigate what index/sourcetype/host sent the most data on the day that you received the violation.
... View more
06-03-2022
06:03 AM
@rashiagrawal What was the text inside of the msiexec.log? Can you also check the splunkd.log for any hints?
... View more
Glad to hear you were able to get it working... 🙂Thank you for marking the answer as correct as it will help others with the same question in the future.
... View more
05-18-2022
10:14 AM
There isn't a supported way to install Splunk Enterprise on unsupported hardware. Even if you were able to get Splunk to start, it's not compatible and would likely have many unexpected problems. Maybe a better solution would be to try running Splunk in a Docker container? I've never tried it so its just a suggestion. https://github.com/Splunk/docker-Splunk
... View more
05-18-2022
06:54 AM
1 Karma
@kevissadev , Which version of the Splunk software did you install? For Linux there's a few different versions you can download. If you used the 64-bit tgz maybe try the deb version? Within the Linux world that error pops up when the executable was compiled to work on a different distro.
... View more
Here's ours. [splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 0
lockoutAttempts = 3
lockoutMins = 30
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 1
[LDAP1]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=SPLUNK.SVC,OU=SPLUNK,OU=Service Accounts,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX
bindDNpassword = mypassword
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=SPLUNK,OU=Groups,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydc.com
nestedGroups = 1
network_timeout = 29
pagelimit = -1
port = 3269
realNameAttribute = cn
sizelimit = 100000
timelimit = 28
userBaseDN = DC=XXX,DC=XXX,DC=XXX,DC=XXX;DC=XXX1,DC=XXX,DC=XXX,DC=XXX;DC=XXX2,DC=XXX,DC=XXX,DC=XXX
userNameAttribute = userprincipalname
[roleMap_LDAP1]
admin = Splunk Admins
user = DL SPLUNK Share - Read;Splunk Users I have multiple userBaseDNs because I pull from different AD trusts. If you're not doing that then you don't need to use port 3269 fyi. Port 636 works just fine for me too. What attribute in AD stores your Principal Name for your CAC? If you open up the authentication certificate on your card it should show under the Subject Alternative Name. Our AD environment has it as the userprincipalname. The Proxy stanzas I added earlier extract that Principal Name from the certificate presented and then pass it along to be authenticated. @jramnanitandem , Are the roles you have mapped showing up for you under the Splunk Web UI -> Authentication Methods -> LDAP Settings -> Map Groups ? Another question, did you make any modifications to /opt/splunk/etc/openldap/ldap.conf ? Doubt this would cause an issue but it would be nice to know.
... View more
05-16-2022
05:09 AM
Yes it's possible to do exactly what you're looking for. We utilize CAC authentication for our Splunk servers. Is the Reverse Proxy set up on the same server you'll be logging into? We have our web.conf set up like: [settings]
httpport = 8000
SSOMode = permissive
remoteUser = cacuser
enableSplunkWebSSL = 1
trustedIP = 127.0.0.1 Our authentication.conf shows the LDAP settings for the DC that contains the users & groups we're pulling from. It also has the different roles in Splunk mapped to different ldap groups. In our httpd conf file for the reverse proxy, we had to set the settings as: <Proxy *>
RequestHeader set cacuser %{SSL_CLIENT_SAN_OTHER_msUPN_0}s
</Proxy> Hope this works! If you need further assistance I can share with you the full httpd conf file.
... View more
05-10-2022
01:04 PM
1 Karma
Are you using the 0MB Deployment Server License that the article mentions? That might be causing the issue. Ultimately it seems that this issue is a little more complicated than initially anticipated. I would suggest working directly with Technical Support from Splunk.
... View more
05-10-2022
11:34 AM
1 Karma
I'm not familiar with the Splunk_TA_DomainController, where did you see to create that? Looking at your inputs.conf I'm not seeing anything out of the ordinary. What happens when you search index=_internal Do you see events from your forwarders?
... View more
05-10-2022
10:21 AM
1 Karma
That's correct. My apologies. Take the Splunk_TA_windows that you have on the deployment server (Including the inputs.conf and everything) and put it on the forwarder in the apps folder.
... View more
05-10-2022
09:47 AM
1 Karma
Could you move everything from C:\Program Files\SplunkUniversalForwarder\etc\deployment-apps\Splunk_TA_windows\* to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\* then restart the forwarder service again. The deployment-apps folder is for the Deployment Server to tell forwarders which apps it needs to download from the Deployment Server. Those apps then get installed into the "apps" folder on the forwarders. Try that and see if you start seeing logs, if so, We can set up your deployment server correctly. 🙂
... View more
05-10-2022
08:31 AM
1 Karma
Okay looks like we got a connection now. So now, what inputs.confs do you have installed on your forwarders? Have you installed any apps to your forwarders? If so, can you post an example of it?
... View more
05-10-2022
08:07 AM
1 Karma
Interesting, Okay can you add this to your outputs.conf and then restart? [tcpout]
defaultGroup = group1
[tcpout:group1]
server=192.168.0.2:9997 And then restart your Splunk Forwarder. Could you then review splunkd.log for any errors? It might say something like "TCPoutput paused data flow" or something like that if I remember correctly.
... View more
05-10-2022
07:42 AM
1 Karma
@theitgui wrote: I put the simple one liner outputs.conf in $SPLUNK_HOME/etc/system/local/ Could you post an anonymized version of your outputs.conf? Maybe using the CLI would be easier ./splunk add forward-server <host name or ip address of your splunk server>:9997 To run CLI commands in Splunk Enterprise on Windows, use PowerShell or the command prompt as an administrator.
1. Open a PowerShell window or command prompt as an administrator.
2. Change to the Splunk Forwarder bin directory.
3. Run a Splunk command by typing in splunk followed by the subcommand and any required arguments.
... View more
05-10-2022
06:48 AM
1 Karma
Hi @theitgui , I'm assuming the deployment server is acting as your indexer as well? When setting up your forwarders, did you give them an outputs.conf to tell them to send log data to your deployment server? https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Outputsconf Also, check your logs in C:\Program Files\SplunkUniversalForwarder\var\log\splunkd.log on your server 2019 machines. There should be a clue as to not having a connection to send logs to. Hope that helps!
... View more
05-10-2022
06:36 AM
Hola @wueyca , No estoy segura de cómo Splunk descifró las contraseñas. Es posible crear un REGEX para enmascararlas. Este artículo lo explica mejor. https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
... View more
05-10-2022
05:56 AM
Since it is affecting Enterprise Security I would assume that you have many correlational searches enabled. 🙂 Are you familiar with Correlational searches? It sounds like you may need to disable the searches that are not required for your Use case.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-02-2022
10:33 AM
|
Karma given to
