How to configure auditd to collect logs from /proc kernel file directory

I’ve been looking for this for about 3 days now and have come up empty-handed. I am looking for a way to build a threat alert for Linux-based credential dumping in Splunk. To do this I need to be able to monitor the /proc directory. I found audit and auditd (audit daemon) but I don’t …

SYSLOG-NG – Having trouble with a destination

I’m trying to set up a separate log file for all Windows messages. I’ve set up a match for MSWinEventLog, but it’s completely ignoring my configuration. Here’s my config, which is straight after the src object: filter f_windows { match("MSWinEventLog"); }; destination winFIFO { file("/var/log/splunk/syslog-ng/winFIFO"); }; log { source(src); filter(f_windows); destination(winFIFO); flags(final); }; It all …

HA proxy and keepalived with Splunk search heads

Is anyone using haproxy/keepaliveD as their software load balancer in a HA search head environment? I am configuring my haproxy.cfg and having some trouble getting sticky sessions and proper load balancing working. This is on a pair of load balancers using haproxy/keepaliveD to 3 Splunk search heads. Here is what I currently have; my sessions …

Unable to access Splunk via port number on Ubuntu 12.04

Ubuntu 12.04 Server x64 & Splunk 6.0. I installed Splunk according to the documentation. Started Splunk as directed and I am able to see it running in the terminal. I believe I correctly added the default port number – 8000 – to iptables with the following command: sudo iptables -A INPUT -p tcp --dport 8000 …

Splunk disk space requirements [duplicate]

I need to get a vague idea of disk space requirements before I start forwarding logs to a Splunk instance. Each indexed line will have on average 320 characters and I will be indexing around …

Monitoring solution that doesn’t duplicate source data?

I need to analyze data stored in multiple databases. Each of them contains a few TB of logs and sensor data. If I use Splunk or ElasticSearch/Kibana, I see 2 solutions: (1) batch import everything; (2) write some scripts to import only the data I need, on demand. This is not optimal because with 1. I duplicate …

Converting IP addresses from Hex to normal format in Splunk

How do you convert IP address data in a Splunk field from HEX to the normal 4 octet format? Answer: I don’t know about “in Splunk”, but the conversion is easy – take two hex digits for each octet, put dots between them, convert each pair to decimal. Many languages have a conversion function, otherwise …

Splunk aws:config sourcetype not showing in Splunk

I created the data input for AWSConfig by modifying the inputs.conf file but I don’t see sourcetype aws:config created under Splunk. The AWSConfig messages are sitting in the SQS queue, which means Splunk is not polling from the queue. Any idea what the issue is? How do I troubleshoot the issue? Answer: Assuming the plumbing is …