tried that and no change anything else I can try? ... View more

Thanks On Splunk, I installed the Aruba Networks Add-on for Splunk, created the udp:514 data input, specified aruba:syslog as source type and placed it in a wifi index. On Aruba controller, I forwarded logs to Splunk. The events in Splunk look different than I'm used to. It may just be because its not from a Windows box. Some events have multiple records in it. It made me thing the data wasn't getting parsed correctly. ... View more

I am not sure I have great answers but here it goes... Validation: No misconfiguration afaik. Followed Microsoft procedures. We upgraded to Outlook 2019 at the same time which did cause issues but have been addressed (autodiscovery issues, encryption plug-in). Efficiency: We have the same props file as the old Exchange server that uses SEDCMD Use Case: We have Splunk alerts and Reports for various purposes (security mainly). From monitoring who is using VPN to changes to changes to local admin groups to file/folder auditing. Would blacklisting something like computer account logins over the network break any of my alerts or reports? Highly doubtful but I am always hesitant in blacklisting items that may be useful down the road. Example: what if another report or alert notified me of a security breach but when I started looking thru logs, I discovered I had a need for something blacklisted? Kind of late at that point. Sometimes I log things not for everyday usage but if I need it for an investigation of some kind. So, in general, I need to be fairly comfortable it won't be useful in the future. ... View more

regarding Event Code 4624: is it safe to blacklist 4624 logon type 3 if the user is the computer account? ... View more

servers meaning Windows servers ... View more

I have the Splunk App for Windows Infrastructure installed already. I'll provide a little more details: Here is an example of an event I want to generate an alert on: LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName= "A valid computer name on our network" TaskCategory=Logon OpCode=Info RecordNumber=2335755 Keywords=Audit Failure Message=An account failed to log on. Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Network Information: Workstation Name: ETEpFe9v0ZoNUfqk Source Network Address: "valid internal ip address" Source Port: 44981 That workstation name is obviously randomly generated. I want a query to lookup the workstation name within our active directory environment and generate an alert if it doesn't exist. ... View more

Failed Logons by Username: eventtype=msad-failed-user-logons (host="*") src_nt_domain="." | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type | join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain] ... View more

Users Failing to Logon from Multiple IPs: eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type | ip-to-host | fix-localhost |stats count by user,src_nt_domain,src_host,src_nt_host|stats count as nips by user,src_nt_domain|where nips>1|sort -nips|rename nips as "# Workstations", user as Username, src_nt_domain as "Domain" Want: An email generated when count of IPs >1 Question: How to control the time interval? Real time alter when count >1 over the last 2 min? ... View more

just to clarify, I mean failed logons to computer/domain, not failed logons into Splunk ... View more

looks like getting rid of the quotes completely worked thanks ... View more

changed the path and restarted splunk got the following error: ERROR loader - Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index 'windows': path of coldToFrozenDir must be absolute ('"d:\Splunk_Archive\windows"') ... View more

What should be in that config file? My file contains the following: [windows] coldToFrozenDir = "$SPLUNK_DB\windows\frozendb" frozenTimePeriodInSecs = 31536000 ... View more

nevermind...got that to work had to add the view to the user interface thanks for the help ... View more

I was able to clone it, find the cloned dashboard and alter the XML but how do you add it to the menus so I can run the customized version within the app? ... View more

I can't find that dashboard in Settings -> Searches, Reports, and Alerts If I go back to the dashboard within the app and select edit permissions, I get the following info: Dashboard: Traffic Dashboard Owner: nobody App: SplunkforPaloAltoNetworks Not sure where to find it. ... View more