Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About o_calmels
o_calmels
Communicator
Member since:
10-26-2012
06-21-2023
Community Statistics
| Posts | 58 |
| Solutions | 6 |
| Karma Given | 5 |
| Karma Received | 16 |
| Member Since | 10-26-2012 |
Activity Feed
- Posted Going to Splunk 9 : Does CPU and RAM usage increase after migration? on Splunk Enterprise. 06-20-2023 05:40 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 02-22-2023 06:56 PM
- Posted Maxmind | How to use 5 different mmdb databases? on Splunk Enterprise. 10-05-2022 06:02 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 01-03-2021 10:52 PM
- Got Karma for Re: Creation of one pdf file for 2 dashboard views using rest API. 10-23-2020 06:15 AM
- Posted Re: Creation of one pdf file for 2 dashboard views using rest API on Dashboards & Visualizations. 10-22-2020 11:27 PM
- Posted McAfee Web Gateway socks logs on All Apps and Add-ons. 10-22-2020 11:16 PM
- Tagged McAfee Web Gateway socks logs on All Apps and Add-ons. 10-22-2020 11:16 PM
- Got Karma for Re: How to configure Splunk Heavy Forwarder and Splunk Searchhead on the same machine?. 06-05-2020 12:50 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to generate a PDF of a full dashboard and all its panels in a single page with Splunk 6.4?. 06-05-2020 12:48 AM
- Got Karma for Re: start and finish time to be set for summary index to get data for last 24 hours. 06-05-2020 12:48 AM
- Karma Re: Why is syslog right into Splunk so bad/wrong? for alacercogitatus. 06-05-2020 12:47 AM
- Karma Re: Why is syslog right into Splunk so bad/wrong? for donald_mccarthy. 06-05-2020 12:47 AM
- Karma Re: Why am I getting https error "ssl_error_rx_record_too_long" when logging into my Indexers? for juvetm. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-20-2023
05:40 AM
I splunkers,
I'm currently planning to upgrade to Splunk 9.
Does someone of you had noticed CPU and RAM usage increase after migration as described in the following link : CPU and RAM usage increase after migration to splunk 9 ?
If yess, how much is this increase ? (%)
I need to plan the ressource usage before the upgrade.
Thank you.
... View more
Labels
- Labels:
-
upgrade
-
using Splunk Enterprise
10-05-2022
06:02 AM
Hi splunkers,
I have problem about usind maxming geoip datavbses
I get 4 databases from maxmind (GeoIP2-City.mmdb; GeoLite2-ASN.mmdb; GeoIP2-Country.mmdb; GeoIP2-Anonymous-IP.mmdb)
I need to use these 4 databases
Following the html documentation about iplocation (https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Iplocation), I copy the databases I need to use under a specific directory and configure limits.conf to point to this directory for any of the databases I need to use. This database was copied over search Head AND Indexers. Limits.conf : [root@vlpsospk04-sh databases]# more ../local/limits.conf [iplocation] db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-City.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoLite2-ASN.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-Country.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-Anonymous-IP.mmdb Then, when I m using this file configuration, Then restart splunkd process, I get data about GeoIP2-City.mmdb, but nothing about GeoIP2-Anonymous-IP.mmdb as an exemple. In the documentation about iplocation, only one mmdb file is documented, so is this a specific configuration to use multiple mmd files ?
Does someone get results with sevferal databases ?
Thank you !
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
10-22-2020
11:27 PM
1 Karma
Hi Abhishek , Did you try to create a cheduled view of this dashboard with pdf export configured in the web interface. Then call this scheduled view trough api. >> https://docs.splunk.com/Documentation/Splunk/8.0.6/RESTREF/RESTsearch
... View more
10-22-2020
11:16 PM
Hi splunkers, I need to get socks logs from my MWG into my splunk instances. Does anyone get these logs in ? Thanks. Olivier
... View more
Labels
- Labels:
-
configuration
11-19-2019
11:02 PM
I give up this app, and addapt my dashboard.
... View more
11-19-2019
11:00 PM
I, The problem is found!
on a checkpoint architecture with one manager and a smart log, if the logs are sent to the smart log directly, opsec cannot get them.
Log are to be sent to the manager and the smartlog at the same time.
Then, opsec can read logs from de manager.
... View more
11-19-2019
02:44 AM
Hi splunkers !
I ve just configured active directory monitoring based on Splunk 7.3 Active Directory inputs. The AD connexion is running well, but the first sync is limited.
I opened a case, as a solution, Splunk support said admon is limited to approximatively 1000 assets on the first sync.
My AD count 32000 users, 60000 computers and much more object !
Had you used this monitoring on large active directory architecture ?
What type of input do you use to get AD assets ?
Thanks.
Olivier.
... View more
10-31-2019
12:01 AM
Hi,
As port 8000 seams to be open, had you tried curl command on the server himself, to check if the webserver is responding:
curl http://your.ip.adress:8000
If you get response, the problem is not on splunk install, maybe firewalls anywhere ?
... View more
10-22-2019
12:44 AM
Hi lwass,
If your WSUS install had a full SQL db instance, you could use Splunk DB connect.
Could you share your ps script in a way to work on then, why not create schedule scripts inputs in the TA app ?
... View more
10-22-2019
12:35 AM
After some research and test about kvstore, all is OK now.
If that helps, here are all the files needed in one app
Create an app with these files :
AppName/local/app.conf
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false
label = Checkpoint DHCP KvStore - TA
[launcher]
author = Olivier CALMELS
description = Automaticaly link Checkpoint DHCP logs with firewall log to merge them in the specified time rage
version = 1.5
AppName/local/collections.conf
# KVSTORE definition to save a timeline of IP / User / time entries.
# This KVSTORE is filled with a scheduled search every minute that append results to the KV Store
# "fileds.*****" are the same than the scheduled search results
[VPN-SSL_DHCP_collection]
field.office_mode_ip = string
field.domain_name = string
field._time = string
field.user_dn = string
# Acceleration in this KvStore
accelerated_fields.my_accel = {"user_dn": 1}
# My architecture has 3 indexers, so ==> Replication
replicate = true
AppName/local/transforms.conf
# Lookup definition that links the lookup with the KvStore and allow to querry the KvStore defined in collections.conf
[VPN-SSL_DHCP_lookup]
external_type = kvstore
collection = VPN-SSL_DHCP_collection
case_sensitive_match = False
fields_list = _key,_time,office_mode_ip,domain_name,user_dn
# The fileds time_* are necessary to set time based lookup
time_field = _time
time_format = %s
AppName/local/props.conf
# Automate the link between the firewall logs and the KvStore.
# If the IP match (office_mode_ip AS src ) domain_name et user_dn are appended to the results
# This props is limited to one host for automatic lookup.
[host::CheckPointManagerName]
LOOKUP-VPNSS_Automatic_Lookup = VPN-SSL_DHCP_lookup office_mode_ip AS src OUTPUTNEW domain_name AS domain_name user_dn AS user_dn
AppName/local/savedsearches.conf
[Do-Not-Click_VPN-SSL_Office-Mode_DHCP_KvStore_Filling]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = */1 * * * *
dispatch.earliest_time = -1min@min
dispatch.latest_time = -0min@min
enableSched = 1
search = index="checkpoint_vpnssl" event_type=Login | stats values(user_dn) by office_mode_ip domain_name _time | rename values(user_dn) as user_dn | outputlookup append=true VPN-SSL_DHCP_lookup
... View more
10-03-2019
01:54 AM
Hi splunkers,
I need to enrich the Checkpoint Firewall logs with the username in my corporate VPN logs.
On a first sourcetype, I have the name of the user with his DHCP IP address in the VPN (field name : office_mode_ip).
On a second sourcetype, I have the firewall traffic log with this same DHCP IP (field name : src).
The DHCP has a 10h lease.
I do not find how to get the associated user for each Firewall log. How can i make a join over the same time range to avoid error on DHCP lease change?
The first log with login details ==> user=Alain DUBOIS 123 (Alain.dubois@mydomain.com), office_mode_ip=10.245.131.237
time=1570087243|loc=1589977|fileid=1570053600|action=authcrypt|orig=0.0.0.0|i/f_dir=inbound|has_accounting=0|logId=-1|log_type=log|log_sequence_num=119|is_first_for_luuid=0|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.prod.sq5ad5|uuid=<5d95a14b,00000000,0140a30a,0000116d>|product=xxxxxxxx|cvpn_category=Session|event_type=Login|client_name=Check Point Mobile|client_version=xxxxx|client_build=xxxxxxx|user=Alain DUBOIS 123 (Alain.dubois@mydomain.com)|auth_method=Password|login_option=Authentification IPSEC|failed_login_factor_num=0|user_dn=CN=Dominique ROBERT 841,OU=Administrateurs,OU=W7,OU=841-Utilisateurs,DC=mydomain,DC=com|user_group=GrpLDAP_VPNSSL, ad_group_VPNSSL_238285|host_type=PC|os_name=Windows|os_version=10|os_build=17763|os_bits=64bit|device_identification={xxxxxxxxxxxxxxxxxxxxxxxxxxx}|session_timeout=10:00:00|login_timestamp= 3Oct2019 9:20:43|src=aa.bb.cc.dd|host_ip=192.168.1.212|office_mode_ip=10.245.131.237|s_port=0|proto=tcp|service=443|tunnel_protocol=IPSec|methods:=3DES + SHA1|status=Success|Suppressed_Logs=0|mac_address=50:76:af:3a:eb:57|Hostname=p0006841|domain_name=mydomain.com|auth_encryption_methods=AES-256 + SHA1 + Group 2
then, the second sourcetype with src=10.245.131.237
time=1570087396|loc=1622048|fileid=1570053600|action=decrypt|orig=aa.bb.cc.dd|i/f_dir=inbound|i/f_name=wrp193|has_accounting=0|logId=0|log_type=connection|log_sequence_num=52|is_first_for_luuid=131072|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.jmsp.prod.sq5ad5|uuid=<5d95a1e4,00000009,0140a30a,c0001800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={xxxxxxxxxxxxxxxxxxxxxxxxx};mgmt=xxxxxxx;date=1570034884;policy_name=Regles_VS_VPN01]|inzone=External|outzone=Internal|service_id=cp_tcp_xxxxxxxxxx|src=10.245.131.237|s_port=49438|dst=10.160.16.247|service=10123|proto=tcp|scheme:=IKE|methods:=ESP: 3DES + SHA1|peer gateway=10.245.131.237|community=RemoteAccess|fw_subproduct=VPN-1|vpn_feature_name=VPN|LastUpdateTime= 3Oct2019 9:23:16|match_id=19|match_table.match_id=19|layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|match_table.layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|layer_name=Regles_VS_VPN01 Network|match_table.layer_name=Regles_VS_VPN01 Network|rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|match_table.rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|rule_name=Flux nomades|match_table.rule_name=Flux |rule_action=2|match_table.rule_action=2|parent_rule=0
I can get a real time list of DHCP adress affected with
index="checkpoint_vpnssl" event_type=Login | stats latest(user_dn) by office_mode_ip
, but how to link each fw log and this result in a way to have updated couple of user / IP?
Any idees ?
Thanks
... View more
07-28-2019
10:55 PM
Hi georgen, unfortunaltly, the offline mode gives same result with "cpshared_filename failed" error.
... View more
07-25-2019
11:57 PM
1 Karma
Hi sarvesh_11,
I can see Two ways:
1 - transform your UF in HF
2 - install splunk enterprise on the "SH" server, then configure inputs. conf, outputs.conf and TA if necessary as you should do it on the HF.
A single instance can have multiple roles.
Cheers.
Olivier.
... View more
07-25-2019
11:46 PM
Hi splunkers,
I got problem to get logs from a Smart Event server.
The infrastructure I try to connect is :
FW1 and FW2 sends logs to SmartEvent directly. They are managed with a Smart Console. Smart Event and Smart Console are different server. This infrastructure is single domain.
When I connect directly to the smart console, Everything is OK, I get the console logs.
When connecting to the SmartEvent, no connexion!
This is the config file (splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf) of the LEA connector is :
[Connector_SSL_SmartEvent]
cert_name = Connector_SSL_SmartEvent_1874929942.p12
fw_version = R80
lea_app_name = Splunk_LEA2
lea_object_name = SmartEvent
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.130.6
lea_server_type = dedicated
management_server_ip = 192.168.130.4
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5
When I try to connect to the smart event, I got the folowing opsec logs (index=_internal source=ta_checkpoint-opseclea😞
2019-07-25 08:55:15,080 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2019-07-25 08:55:13,820 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2019-07-25 08:55:13,808 +0000 log_level=INFO, pid=25947, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"] Starting /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online --no_resolve
Does somebody successfully get logs from smart event ?
Thank's a lot.
Olivier.
... View more
05-06-2019
02:10 AM
Hi @DavidHourani, My dashboard is ready within a couple of second (10s max). Ieven tried to enlarge this timer with no result. Thank's.
It seams like phantomjs do not detect the end of page load.
... View more
05-02-2019
06:21 AM
Hi,
I'm trying to export pdf dashboards.
Thank's smartexporter can do this on demand (The export when I click on the button is good).
Splunk is installed on RedHat 7.4
Therefore, when rtying pour add a cron to this export, I got the following error :
2019-05-02 14:31:01,476 INFO temporary js file /tmp/tmpXN7wqi
2019-05-02 14:31:01,493 INFO protocole : https Vs https
2019-05-02 14:31:01,493 INFO ExportPDF for url https://localhost:8000/fr-FR/app/Splunk_For_MyApp/1-Test-SimpleXML-Print
2019-05-02 14:31:01,494 INFO start PhantomJS Process ...
2019-05-02 14:31:01,494 INFO phantomjs bin : /data/phantomjs-2.1.1-linux-x86_64/bin
2019-05-02 14:31:01,494 INFO temp js file : /tmp/tmpXN7wqi
2019-05-02 14:41:02,131 ERROR Failed to capture the page within the allocated time
Traceback (most recent call last):
File "/data/splunk/etc/apps/smart_exporter_app/bin/smartexporter.py", line 150, in handle_POST
self.__die('Failed to capture the page within the allocated time')
File "/data/splunk/etc/apps/smart_exporter_app/bin/smartexporter.py", line 84, in __die
raise RuntimeError(str(fmsg))
RuntimeError: Failed to capture the page within the allocated time
Phantomjs is installed, as well as Fontconfig.
I check actually how to verify if GLIBCXX_3.4.9 AND GLIBC_2.7 are installed.
Have you encountered this problem, have you got any idea ?
Thank's.
Olivier.
... View more
01-09-2019
10:08 PM
Hi emeelan. Thank's for this update.
Cheers.
... View more
07-05-2018
02:25 AM
Hi btiggemann
Have you solve your parsing problem ?
I'm interested in the solution !
Cheers.
Olivier.
... View more
02-13-2018
06:11 AM
Hi splunkers!
I just add a new BlueCoat box as my new proxies.
After configured it just like my actual one, the logs arrived on the Heavy Forwarder ethernet interface, but they arrived fragmented on multiple small frames, With approx 1600 Users logged on this new proxy, I'm quite sure that the logs received are not complete.
My SGOS version is 6.7.3.1
Does anybody encounter this kind of problem?
Thanks.
Olivier.
... View more
09-26-2017
01:06 AM
Hi,
For next users geting this problem after upgrade to splunk 6.2 or later, Splunk now allow only tls v1.2 as ssl version ( http://docs.splunk.com/Documentation/Splunk/6.6.3/Security/SetyourSSLversion ).
I had rest api from a late curl program, and had to update curl.
Then the curl command must specify sslversion:
curl --tlsv1.2 -k -vvv -u user:pass -d "search=savedsearch %22My%20Search%22" https://myserver:80/servicesNS/user/search/search/jobs/export
Hope that helps.
Olivier.
... View more
09-20-2017
11:59 PM
Hi,
We got exactly the same problem on our 2 indexers.
Can you explain me how to check if the problem is LDAP (what can I search ?)
And if this is same problem, how to disable LDAP on the indexers (I only use LDAP authentication for splunk users on theSearch Head.)
Cheers.
Olivier.
... View more
09-14-2017
12:26 AM
Hi woodcock, cusello,
Thank's for your response, all the lines are not joined in one line.
After trying your solutions, i contact splunk support team and the error is simply on the filename ! 😞
Yes, I forgive the "s" at the and of transforms.conf
Everything OK now !
Olivier
... View more
09-11-2017
07:27 AM
Hi,
I parsed a lot of post on splunk answers, but I still have a problem to filter a specific sourcetype.
Here the log line I want to trash
Sep 11 16:16:08 192.168.24.35 ROOT_FW_2: NetScreen device_id=ROOT_FW_2 [Root]system-notification-00257(traffic): start_time="2017-09-11 16:15:51" duration=16 policy_id=86 service=smtp (tcp) proto=6 src zone=zone_in dst zone=zone_out action=Permit sent=22056 rcvd=1284 src=192.168.1.1 dst=192.168.10.10 src_port=40049 dst_port=80 src-xlated ip=192.168.100.5 port=40049 dst-xlated ip=10.25.23.55 port=80 session_id=1015055 reason=Close - TCP FIN
On my Formwarder:
$SPLUNK_HOME/etc/system/local/props.conf
# Filtrage de tout sauf les accept
[JuniperFW]
TRANSFORMS-Juniper-null = remove_juniper_permit
$SPLUNK_HOME/etc/system/local/transform.conf
# Accepter tout sauf les Permit
[remove_juniper_permit]
REGEX = action=Permit
DEST_KEY = queue
FORMAT = nullQueue
Splunkd was restarted with no stanza errors
My Splunk version is 6.6.3.
Does anyone should have de clue or a way to debug this ?
Thank's a lot.
... View more
07-21-2017
02:06 AM
Hi, have you think about directly send events from your 2 sylog servers to the splunk indexer or a unique forwarder (syslog output configuration, ie: RedHat Rsyslog config).
This architecture does'nt need any splunk install on your syslog cluster and so, you can manage your storage like you want
... View more
07-21-2017
01:22 AM
1 Karma
Hi,
The answer depends on yout need:
To get data during the entire last day only, you can use earliest=@d latest=-1d@d (the @day flag specify that you want entire day)
To get, exactly last 24 h (including minutes), so, from last day 9:30 AM to now, you can use : earliest=-24h@min, latest=now (the @min flag specify that you want time range with minutes details).
You can test these expresions in search app > Click "time range " and select "Advanced time range option". when you set values in the boxes, the effective time is calculated (documentation : https://docs.splunk.com/Documentation/Splunk/latest/Search/Selecttimerangestoapply)
Hope that helps.
Olivier.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-21-2023
08:39 AM
|
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
