Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About wbkendall
wbkendall
Explorer
Member since:
02-04-2014
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 5 |
| Member Since | 02-04-2014 |
Activity Feed
- Got Karma for FireEye Built in Dashboards Not Working. 06-05-2020 12:46 AM
- Got Karma for FireEye Built in Dashboards Not Working. 06-05-2020 12:46 AM
- Got Karma for FireEye Built in Dashboards Not Working. 06-05-2020 12:46 AM
- Got Karma for FireEye Built in Dashboards Not Working. 06-05-2020 12:46 AM
- Got Karma for Re: TZ Issues When Searching. 06-05-2020 12:46 AM
- Posted Re: TZ Issues When Searching on Getting Data In. 05-19-2014 11:54 AM
- Posted TZ Issues When Searching on Getting Data In. 05-19-2014 10:42 AM
- Tagged TZ Issues When Searching on Getting Data In. 05-19-2014 10:42 AM
- Posted Re: FireEye Built in Dashboards Not Working on All Apps and Add-ons. 02-18-2014 11:17 AM
- Posted FireEye Built in Dashboards Not Working on All Apps and Add-ons. 02-17-2014 11:25 AM
- Tagged FireEye Built in Dashboards Not Working on All Apps and Add-ons. 02-17-2014 11:25 AM
- Posted Re: Use Splunk Listener Instead of Syslog File? on All Apps and Add-ons. 02-06-2014 04:26 PM
- Posted Re: Log Format on All Apps and Add-ons. 02-06-2014 02:27 PM
- Posted Re: Use Splunk Listener Instead of Syslog File? on All Apps and Add-ons. 02-05-2014 04:53 PM
- Posted Log Format on All Apps and Add-ons. 02-05-2014 06:42 AM
- Tagged Log Format on All Apps and Add-ons. 02-05-2014 06:42 AM
- Posted Re: Use Splunk Listener Instead of Syslog File? on All Apps and Add-ons. 02-04-2014 04:08 PM
- Posted Use Splunk Listener Instead of Syslog File? on All Apps and Add-ons. 02-04-2014 02:10 PM
- Tagged Use Splunk Listener Instead of Syslog File? on All Apps and Add-ons. 02-04-2014 02:10 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 4 | |||
| 0 | |||
| 0 |
05-19-2014
11:54 AM
1 Karma
Thanks everyone. I finally just ended up modifying the props.conf in /opt/splunkforwarder/etc/apps/Splunk_TA-cisco-asa/local/ with this value:
[host:::*]
TZ = US/Eastern
Thanks!
... View more
05-19-2014
10:42 AM
Hello,
We're currently doing a pilot of Splunk. We have two servers - one is an indexer and the other a search head. We have a Linux syslog server that collects all firewall logs and forwards these to the indexer via the Universal Forwarder agent.
All firewalls are set to UTC. This causes an issue when searching for events, as we're in US Eastern time. The only way to get the relevant events to show up in searches is to effectively search in the future relative to our local time (ie compute UTC for the time desired, and search on those values).
I've checked and both the server and the dashboard are set to the correct time zone.
Is there a way to display the time locally in the dashboard while leaving it unmodified within the index?
Thanks!
... View more
- Tags:
- timezone
02-18-2014
11:17 AM
I couldn't post an event other than by editing the original post, but I now have one of the events in my post. I'm wondering if the format changed?
... View more
02-17-2014
11:25 AM
4 Karma
I installed the FireEye application and configured my WebMPS sensors to post alerts to Splunk per the instructions. I've reviewed the Splunkd log and can see where the events are making their way to Splunk.
The default FireEye dashboards have no results. I know the events are in the index because if I search for index=fe, my events show up.
Inspecting one of the dashboards shows the following query being run with no results:
search index=fe sourcetype="fe_xml" fe_appliance=* src_ip=* malware_name=* alert_id=* | rename severity AS fe_severity | eval fe_severity=replace(fe_severity,"\"","") | lookup severity fe_severity | rename severity AS SEVERITY | table alert_id fe_appliance src_ip dest_ip malware_name malware_stype SEVERITY
If I run this query manually, I get no results. If I start backing parameters of the query off, I get results at
index=fe sourcetype="fe_xml" fe_appliance=*
As soon as src_ip=* is tacked onto the search, results stop coming in.
I haven't modified any of the FireEye application files, and I've triple-checked that my sensors are sending data to Splunk in the Extended XML format. Does anyone have any ideas why this isn't working correctly? Thanks!
EDIT:
Looks like the src_ip isn't being extracted. I wonder if the event format changed? Here's an edited raw event:
<?xml version="1.0" encoding="utf-8"?><alerts appliance="ApplianceName" msg="extended" product="Web MPS" version="7.0.2.156588" xmlns="hxxp://www.fireeye.com/alert/2011/AlertSchema" xmlns:xsi="hxxp://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="hxxp://www.fireeye.com/alert/2011/AlertSchema FireEyeAlert.xsd"><alert id="405294" name="infection-match" severity="minr"><explanation analysis="content" protocol="tcp"><malware-detected><malware name="Local.Infection" sid="600104" stype="bot-command"/></malware-detected><cnc-services><cnc-service port="80" protocol="tcp"><address>141.101.117.X</address><channel>GET /efax_7132159010.doc hxxp/1.1::~~Accept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)::~~Accept-Encoding: gzip, deflate::~~Host: slash.ma::~~Connection: Keep-Alive::~~Cookie: __cfduid=db3535ebf75b3f2976167c05678ac6e631392738961234::~~::~~</channel></cnc-service></cnc-services></explanation><src vlan="0"><ip>192.168.12.150</ip><host>host.domain.local</host><port>58268</port><mac>00:15:c7:00:00:00</mac></src><dst><ip>141.101.117.x</ip><mac>00:1b:54:f7:00:00</mac><port>80</port></dst><occurred>2014-02-18T18:00:16Z</occurred><interface label="A1" mode="tap">pether3</interface><alert-url>hxxps://sensor/event_stream/events_for_bot?ev_id=405294&lms_iden=00:E0:81:C3:00:00</alert-url><action>notified</action></alert></alerts>
... View more
- Tags:
- FireEye
02-06-2014
04:26 PM
So... it appears to be working now. The Source IP shows correct values, but the router's sending everything to Splunk, including things like DHCP events. Any easy way to set it up to only parse firewall events and ignore everything else? Thanks!
... View more
02-06-2014
02:27 PM
Yes, looks like logs aren't in standard format. Here's a DROP event:
Feb 6 17:16:48 192.168.1.1 Feb 6 17:15:15 kernel: DROP <4>DROPIN=eth0 OUT= MAC=e0:cb:4e:c4:dd:24:00:01:5c:64:4e:46:08:00 <1>SRC=198.20.69.74 DST=96.29.x.x <1>LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=53857 PROTO=TCP <1>SPT=19139 DPT=80 SEQ=1395526512 ACK=0 WINDOW=31849 RES=0x00 SYN URGP=0
I'm trying to find out how to set up extractions in props.conf but this is my second day of Splunking and it's slow going. 🙂
... View more
02-05-2014
04:53 PM
I've set it up like you recommend but I have apparently indexed my limit today, so I'll check it tomorrow and provide feedback.
Thanks!
... View more
02-05-2014
06:42 AM
After my other question, I installed Kiwi Syslog server on my Windows box and have it set up to receive syslog messages from the network and log to a file. I pointed Splunk to the logfile location and set it to feed into this application.
No matter what logfile format I choose in Kiwi, it looks like some of the fields don't line up. For instance, take this event from Kiwi:
02-05-2014 09:34:10 User.Alert 192.168.1.1 Feb 5 09:32:40 kernel: DROP <4>DROPIN=eth0 OUT= MAC=e0:cb:4e:c4:dd:24:00:01:5c:64:4e:46:08:00 <1>SRC=4.79.142.206 DST=96.29.46.xxx <1>LEN=44 TOS=0x00 PREC=0x00 TTL=225 ID=61440 PROTO=TCP <1>SPT=61690 DPT=23 SEQ=56734009 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B4)
When this event shows up in the app, it has an "unknown" value for the source IP address.
Logs are coming from a router running DD-WRT. My guess is that either the Kiwi service is writing syslog files in a format that doesn't match native iptables, or the router is sending logs in a format that doesn't match native iptables.
Either way I'm out of ideas.
Thanks!
... View more
02-04-2014
04:08 PM
Thanks for the response.
If I were going to have to go that route I may as well set up Splunk in a virtual machine running Linux on my Windows box. The goal was to minimize log loss when the Windows box is rebooted, however. Syslog-ng has a Win client if you buy the Premium edition.
This is all for a home PC and a home firewall. We're going to be installing Splunk at work and I need to get my hands dirty first. 🙂
... View more
02-04-2014
02:10 PM
I have a single remote device I want to monitor and Splunk running on Windows. I set up a UDP listener in Splunk for port 514 and pointed the single remote device to the Splunk machine. I can see that Splunk is logging this data correctly.
This application is not seeing this data, however, and I'm pretty sure it's because the instructions tell you to point the app to the log files for syslog.
Can I set this application up to just use the data that's coming in through the Splunk listener I've already set up? If not, can I set the listener up to write its data out to a file that I can then point this application to?
Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
