Hello,  Thank you for taking the time to consider my question. I'm currently working on a solution that would report all outbound IPv4 connections from Windows workstations, but in order to reduce the volume of these logs I'd like to blacklist (or in another sense whitelist) some of the normal (internal) sites that users will be visiting often, so as not to kill our entire license.  I have been closely reading the inputs.conf Splunk documentation where it's clear that this functionality is possible using regex, but for some reason mine isn't working.  I am using analytics markets' IP range regular expression builder to find the correct syntax, and testing it using the very well known and common tool regex101. My inputs.conf (subtracting other configs out of scope of this topic) is as follows: [WinNetMon://OutboundMon] disabled=0 addressFamily=ipv4;ipv6 direction=outbound index=winnetmon sourcetype=WinEventLog packetType=connect;accept protocol=tcp;udp blacklist1 = ^10\.(([1-9]?\d|[12]\d\d)\.){2}([1-9]?\d|[12]\d\d)$ blacklist2 = ^192\.168\.([1-9]|[1-9]\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$ Essentially, just as a test, I am just trying to see if I can eliminate traffic logs from all internal (private) IP ranges, in this case the test ranges being 10.0.0.0/8 and 192.168.0.0/16.  If I put these in regex101 and enter addresses within each of those ranges they are highlighted, but when I test internal connections and expect no logs to show up, sure enough they still populate for destination addresses within those ranges, so what gives?  Many thanks in advance         ... View more

Hello,  Thank you for taking the time to read/consider my question, it's very much appreciated.  I'm revamping a legacy Splunk deployment for a mid-size company that I work for and have recently deployed IT essentials work to monitor the health of both Windows and *nix hosts in our environment, this app has many wonderful features and visualizations, even though some/most are locked behind the ITSI paywall.  What I'm wondering (mainly from a security perspective), is if there's equivalent apps that Splunk (or third parties, or even individuals) have developed to visualize network & authentication data that is collected from Windows and Unix endpoints. I know network bandwidth is included within the ITE suite, which is terrific, but doesn't help me identify which processes are linked to remote network connections, or track lateral movement across the network.  Do people usually just develop apps internally that take care of this? If that's the case than that's totally fine and I completely understand admins not wanting to share that outside of their own organization, but I can't help but feel that I'm not the only one in this boat, and there must be others with this conundrum as well. As far as I know this is something that used to be dealt with rather well by the purpose built apps by Splunk for Windows and *nix systems, but now that these are going to be deprecated this year I'd like a long-term solution to this problem.  If these types of visualizations are typically reserved for EDR/EPP apps like Crowdstrike, Cylance, S1, Sophos, etc. I also get that, but I'm not actually sure if these apps all have dashboards that would allow you to filter by host, user, process, etc to identify suspicious remote network connections, or authentication attempts across a wide swath of monitored systems.  Again, I'd like to reiterate my appreciation for you taking the time to consider my question. I'm sure there's a simple solution to this that I just have not thought of or stumbled across in my research, but rather than waste another week or two trying to find what everyone else is doing for this I figured I'd just ask the experts myself.  Thanks again! ... View more

Hello,  I'm currently working on configuring SSL from a UF sitting on a Windows server to a HF running on RHEL 7. I am using third party certs that I obtained from my lab windows PKI environment that has two tiers of CA (RootCA/SubCA) with the HF having a signed cert (.pem file) as well as each UF sharing a single cert that was signed by the same Subordinated CA. I've managed to successfully achieve/confirm this SSL connection is happening using the Validate your configuration doc by Splunk, but the configuration seems to contradict itself so I would appreciate some insight into where I may have gone wrong that resulted in this.  The contradiction is within the requireClientCert parameter on the Splunk HF, as well as the clientCert parameter on the Universal Forwarder. I have tested several times after restarting the Splunk service on both workstations and this connection ONLY works when I have both clientCert configured within the outputs.conf as well as requireClientCert = false. If either of these variables are changed or I remove the clientCert parameter (even though it should be technically not required) I have a connection error.  For example, with the configuration below, if I changed requireClientCert = true the entire connection would fail, even though I believe the clientCert .pem file is configured correctly.  My certificate chains for each host are as follows: HF:  adcs.pem (shared with clients via deployment server, to be used for sslRootCaPath parameter) <intermediate (subordinate/issuing) ca certificate> <root ca certificate> heavyforwarder01.pem (certificate chain to be used for serverCert parameter) <hf01.pem cert issued by subordinate ca> <decrypted rsa key> <subca_pub.pem> <rootca_pub.pem> UF:  server.conf sslRootCAPath = C:/path/to/adcs.pem universalforwarder01.pem (certificate chain to be used for clientCert parameter) <uf01.pem certificate issued by subordinate CA> <encrypted rsa key for cert> <subca_pub.pem> <rootca_pub.pem> Configuration for outputs.conf on Universal Forwarder: [tcpout] defaultGroup=splhf01 [tcpout:splhf01] disabled=0 server = splhf01.domain.local:9998 clientCert = C:\path\to\universalforwarder01.pem sslPassword = <redacted> useClientSSLCompression = true sslCommonNameToCheck = splhf01.domain.local sslVerifyServerCert = true Configuration for server.conf on Universal forwarder: [sslConfig] sslRootCAPath = C:\path\to\combined\adcs.pem   Configuration for inputs.conf on Heavy Forwarder/Indexer: [default] host = splhf01 [splunktcp:9997] disabled = 0 [splunktcp-ssl:9998] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/ssl/s2s/heavyforwarder01.pem requireClientCert = false sslVersions *,-ssl2 sslCommonNameToCheck = splhf01.domain.local Configuration for Heavy forwarder server.conf <..> [sslConfig] sslRootCAPath = /path/to/combined/adcs.pem <...> ... View more