cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
keenerms
Engager
Member since: ‎08-19-2015
‎04-28-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-19-2015
Activity Feed
View All

Re: JSON Wrapped Windows Logs not being read as JS...

by in Getting Data In
‎04-23-2022 08:49 AM
‎04-23-2022 08:49 AM
Edited it as to add a single event, and deleted or modified any items that might be considered identifying.   I considering using a JSON to CSV Python script, but I though that would be more work for a one off than Splunk.  My assumption is that I'm not understanding something about how Splunk ingests JSON.   ... View more

Why are JSON Wrapped Windows Logs not being read a...

by in Getting Data In
‎04-23-2022 06:07 AM
‎04-23-2022 06:07 AM
Hey, I'm very experienced using Splunk as an analyst, but not at all experienced on the admin side of things, but am trying to learn.  I was recently given a JSON file full of Windows Logs to analyze.  Not sure why they gave me the data that way, but they did, and that's how I have to use it.   When I try and upload the file to Splunk, I select "Add Data", I upload the file, and it does not recognize it as JSON.  If I select json_no_timestamp, it seems to recognize it, but doesn't break it up into events.  Every event starts the same way, and I copied the first 12 lines of JSON below (when auto-arranged).  Using Regex101, I found a Regex that matches the beginning of the event, but adding that into Event Breaks Pattern does not break the event.   I've tried the following Event Breaks Patterns because sometimes when you copy the lines, there is whitespace, and sometimes there is no whitespace (Splunk, Atom, and Regex101 show line breaks and whitespace, but when I copied it into this comment... no line breaks!  Unsure if that's b/c of presentation or just copy/paste): \{\s\"sort\"\: {\n\s+\"sort\" \{\r\n\s+\"sort\"\: { "sort":   { "data": [ { "sort": [ 0 ], "_score": null, "_type": "winevtx", "_index": "winevtx", "_id": "==", "_source": { "process_id": 488, "message": "A Kerberos service ticket was requested.", "provider_guid": "{}", "log_name": "Security", "source_name": "Microsoft-Windows-Security-Auditing", "event_data": { "TicketOptions": "0x60810010", "TargetUserName": "JOHN$@LOCAL.LOCAL", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.10.0.1", "TargetDomainName": "LOCAL.LOCAL", "IpPort": "53782", "TicketEncryptionType": "0x12", "LogonGuid": "{}", "TransmittedServices": "-", "Status": "0x0", "ServiceSid": "S-1-5-21-3052363079-1128767895-2942130287-502" }, "beat": { "name": "LOCAL", "version": "5.2.2", "hostname": "LOCAL" }, "thread_id": 1096, "@version": "1", "@metadata": { "index_local_timestamp": "2017-04-20T06:27:21.283576", "hostname": "LOCAL", "index_utc_timestamp": "2017-04-20T06:27:21.283576", "timezone": "UTC+0000" }, "opcode": "Info", "@timestamp": "2017-04-20T06:25:33.801Z", "tags": [ "beats_input_codec_plain_applied" ], "type": "wineventlog", "computer_name": "LOCAL.LOCAL.local", "event_id": 4769, "record_number": "127898", "level": "Information", "keywords": [ "Audit Success" ], "host": "LOCAL", "task": "Kerberos Service Ticket Operations" } } ] }     Every event starts with { "sort": [ 0 ], so I know that's where I want to break it up.  I'm sure I'm missing something simple.  What is it? Appreciate any assistance. ... View more
Labels

Re: Indexer not filtering forwarded events

by in Getting Data In
‎08-19-2015 11:24 AM
‎08-19-2015 11:24 AM
Yep, it looks like that link and the original one I cited both specifically call out forwarders. We were trying this on an indexer since the indexer was on the correct subnet to make the changes without messing with firewall rules. Interesting. Thanks! M. ... View more

Indexer not filtering forwarded events

by in Getting Data In
‎08-19-2015 07:20 AM
‎08-19-2015 07:20 AM
So. We have recently changed MSSPs, and we are going to be forwarding events to them from our Splunk instance. We have a number of technologies going into Splunk, including IIS, Windows logs, and various security tools. The MSSP wants each technology on a different port. So we were going to split them using props.conf, transforms.conf, and outputs.conf as documented here: http://docs.splunk.com/Documentation/Splunk/6.2.5/Forwarding/Forwarddatatothird-partysystemsd We are doing a test run, attempting to split out IIS logs to a test server to make sure we know how to do this... but it doesn't split out IIS logs, it appears to just send all logs to our test syslog listener. Appreciate other eyes on this to tell me how I'm screwing this up. The goal is to have only iis logs sent to our internal syslog server. props.conf [iis] TRANSFORMS-iis=IISSampleTransform transforms.conf [IISSampleTransform] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = IISSample outputs.conf [syslog] defaultGroup = UnknownMSS, IISSample [syslog:IISSample] server = 192.168.xxx.xxx:514 type = udp priority = <18> I read that the default group sent everything, so I tried removing the IISSample group from that line, but then it didn't send anything to the local (192.168.xxx.xxx) server. No logs period. When I add it to the default group I get all logs including Windows Event logs, syslog from the indexer, and the IIS logs. The filtering for IIS logs is not working at all. Appreciate any assistance. The "UnknownMSS" group is for another set of Stanzas that the MSSP directed us to add, but I didn't want to clog the question up with possibly unrelated info. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-28-2022 11:38 AM
Karma given to
View All