Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About harrisoncs
harrisoncs
Explorer
Member since:
05-12-2017
08-31-2022
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 2 |
| Member Since | 05-12-2017 |
Activity Feed
- Got Karma for Re: Universal Forwarder Stops sending data. 03-23-2021 01:21 PM
- Posted Re: Cisco Firepower Encore App 4.0.10 on All Apps and Add-ons. 02-12-2021 12:22 PM
- Posted Re: Cisco eStreamer eNcore Add-on for Splunk v3.6.8 "EVAL-first_pkt_sec" error on All Apps and Add-ons. 02-11-2021 11:12 AM
- Posted Cisco Firepower Encore App 4.0.10 on All Apps and Add-ons. 02-10-2021 09:43 AM
- Posted A bit of ssl cert help needed on Getting Data In. 08-27-2020 07:27 AM
- Posted Re: Universal Forwarder Stops sending data on Getting Data In. 08-03-2020 06:32 AM
- Got Karma for Universal Forwarder Stops sending data. 08-02-2020 06:10 PM
- Karma Re: What is wrong with this regular expression to extract the URL from our logs? for grimlock. 06-05-2020 12:48 AM
- Karma Re: What is wrong with this regular expression to extract the URL from our logs? for woodcock. 06-05-2020 12:48 AM
- Karma Re: What is wrong with this regular expression to extract the URL from our logs? for ddrillic. 06-05-2020 12:48 AM
- Posted Re: Universal Forwarder Stops sending data on Getting Data In. 09-27-2019 08:49 AM
- Posted Re: Universal Forwarder Stops sending data on Getting Data In. 09-09-2019 06:16 AM
- Posted Universal Forwarder Stops sending data on Getting Data In. 09-06-2019 01:36 PM
- Tagged Universal Forwarder Stops sending data on Getting Data In. 09-06-2019 01:36 PM
- Tagged Universal Forwarder Stops sending data on Getting Data In. 09-06-2019 01:36 PM
- Posted Re: What is wrong with this regular expression to extract the URL from our logs? on Splunk Search. 05-15-2017 10:24 AM
- Posted What is wrong with this regular expression to extract the URL from our logs? on Splunk Search. 05-12-2017 12:50 PM
- Tagged What is wrong with this regular expression to extract the URL from our logs? on Splunk Search. 05-12-2017 12:50 PM
- Tagged What is wrong with this regular expression to extract the URL from our logs? on Splunk Search. 05-12-2017 12:50 PM
- Tagged What is wrong with this regular expression to extract the URL from our logs? on Splunk Search. 05-12-2017 12:50 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
02-12-2021
12:22 PM
This is pretty much fixed. There are still some minor issues that I'm deciding whether it worth fixing or not. Problem one for me is on my system 4.0.10 is 100% manual setup. There is no setup option in the GUI anymore, at least for me, and I downloaded it several times and several different versions. Setup went away after version 3.7.4. I did try to use 3.7.4 on 8.1.2 to try the easy way out, but it wouldn't work for me. I had to run the commands under splencore.sh to break up the pkcs12 into what was required by Encore. I eventually found this Cisco link that described setting up 4.0.9 in decent detail. That link got me to a certain point, but I still didn't have data coming in from the firepower except for status (cisco:estreamer:log). I eventually found a place in place in estreamer.conf that needed to be set to enabled = true. Then found that app.conf also need is_configured=true, and state=enabled set. Then data started flowing in, but to the wrong folder. I ended up just leaving in the folder it was coming to and changing the data folder in all of the conf files.
... View more
02-11-2021
11:12 AM
I have pretty much the same problem. Did you change fix the issue for you?
... View more
02-10-2021
09:43 AM
Hi, Last week I upgraded our Splunk servers to 8.1.2. Once completed I upgraded the Cisco Firepower Encore app to 4.0.10. Shortly after data stopped coming in. I did a good bit of troubleshooting including new certs, clean install of the Cisco Encore App, and setting up as new. I am currently to the point where I'm getting cisco:estreamer.log (Monitor) every 2 minutes. However, I am NOT getting anything to sourcetype cisco:estreamer:data. When I check the data folder under /splunkhome/etc/apps/TA-estreamer/data it is empty. I do a netstat to my firepower and a ton of data is coming from it. I just can't find where it's landing. I do a search for encore.*.log and nothing shows up. Estreamer.conf has the correct information. Splencore.sh has been configured correctly, tests successfully, and is running. configure.sh looks correct. It has this for the path --stream=relfile:///../../data/encore.{0}.log" which kind've bothers me. I'm stuck at the moment. We are working on restoring a backup of the folder structure before I made the upgrade to have a comparison. Any help would be appreciated. If any additional information is needed from me, let me know.
... View more
Labels
- Labels:
-
troubleshooting
08-27-2020
07:27 AM
I have an 8.0.5 Splunk environment. It is not a cluster, there is one indexer. I am quickly headed towards a distributed environment and have an search head setup but not integrated yet. I have 1 heavy forwarder/deployment server/license manager. The new Heavy forwarder I'm setting up I need some help with setting up certs. Here is the scenario. New heavy forwarder will received data from 2 universal forwarders managed by another team (we don't have access to them). Part of their requirement for receiving this data is that the connection is encrypted. We have purchased a server cert for the heavy forwarder (servername.splunkidy.splunk.com), and it is in PEM format. The question is how do we install it when trying to secure a universal forwarder to a heavy forwarder? I haven't been able to find an example of universal to heavy forwarder ssl cert setup. I admit Certs are my kryptonite, but the Linux admin that is helping is having trouble figuring out how we need to do this. Do we send the other team the public key so they can access the heavy forwarder? I feel like we're missing a piece and can't figure out what that is.
... View more
08-03-2020
06:32 AM
1 Karma
My issue ended up being a problem with my inputs.conf file. The Universal Forwarder is on a logserver and has a rather large inputs.conf file. After working with Splunk support and my Linux team for about two weeks I ended up going my own route one night. I commented out every entry in my inputs.conf file, and Uncommented them one at a time and restarted the forwarder. The first 3-4 that were "turned back on" worked fine, continuously sent data with no issues. I believe it was the 5th entry, that when uncommented, started causing the issue again. It turned out to be a chance I needed to make in a wildcard in one of my inputs.conf lines. It was a "..." instead of a "*". Not sure why this made a difference, or what changed to cause the problem, since it had been working for months. Regardless, after I made this change, I still went one by one uncommenting each line of the inputs file. I ran into no other issue. This one wildcard issue was the cause of my forwarder not to work. it ran through the first 3-4 without issues then would hit that specific line and it would not move beyond that point in in the inputs file. This explained my burst of data then nothing. Coming up on a year with no issues since the correction was made.
... View more
09-27-2019
08:49 AM
Still working with support on this. Starting to get pressure since it's been going on so long.
Made multiple changes to ulimits(now 32000soft, 64000hard), MaxQueuesize 256MB, inicrclength (500, or 700), and a host of other settings.
rSyslog is now rotating logs more frequently so the file size is much lower.
A bad workaround we are using now is a Cron job that restarts splunkforwarder.service when the opened files size hit a certain limit. We did this workaround because when the forwarder stops sending data, it is still opening and holding open files. Between 5k-6k open files is about when the forwarder stops sending data.
... View more
09-09-2019
06:16 AM
Thank you for your response. I have checked this previously, but did it again just in case. There are no blocked=true in the metrics.log file.
... View more
09-06-2019
01:36 PM
1 Karma
Hi,
We have a Universal Forwarder on our Linux rSyslog server. It was working fine until two weeks ago. The problem was it would stop sending data to the indexer, but showed no errors in the splunkd.log. When we would restart it, it would send a burst of information over the course of 4-5 minutes then stop sending data again.
Over the past two weeks we have replaced the rSyslog server with a new server. The new server has 8 cores, tons of memory, and a 10GB network connection to the Splunk indexer. Once we installed the forwarder it ran for two days non-stop catching up on the data that had been missed over the two week period. At 6pm last night it stopped forwarding data again. We're now back to the same problem we started with. We get a burst of log data on restart, but then it just stops. No errors, nothing to suggest we've hit any limits. The splunkforwarder.server process is still running. What we DO notice is that Splunkd holds the files open, and the number of open files continues to climb once it stops forwarding data. Some of these files are large, but we don't get any error messages about batch
in limits.conf we have this set
maxKBps = 0
max_fd = 10240
The ulimits on the server are set to 100000 - we're averaging about 4500-5000 before the forwarder stops running.
Indexer 7.3.1
Universal Forwarder 7.3.1
We have about 35 windows forwarders working on servers with no issues at all. It's this one Linux forwarder that's not working correctly.
Any help you can give would be appreciate. Let me know if there is any additional information needed.
... View more
05-15-2017
10:24 AM
I wanted to accept all of the answers, I accepted the one I used to accomplish my goal. Appreciate everyone's input. I started with regex101 last week and indent to use it to get me further along.
... View more
05-12-2017
12:50 PM
I am attempting to extract the URL from our webfilter logs. The automatic field extraction process did not work. I now have a partially working expression and can't seem to find the reason it's not working. See below:
(?(https|http|ftp)://[a-zA-Z0-9.\-_]+/[a-zA-Z0-9+&@#/%=~_\-|!:,.;]*)
This command is only returning a couple of http URLs. It is not getting any https even though preview shows plenty of possibilities. Is there something simple I'm missing? One iteration only had https in the expression, however, it returned no results. The sample data below as it stands now, would not return results, as it is https.
Sample data (IPs have been changed)
"May 12 15:30:26 10.10.10.10 May 12 19:30:21 Sourcefire3D WFAccessURL: Protocol: TCP, SrcIP: 20.20.20.20, OriginalClientIP: ::, DstIP: 30.30.30.93, SrcPort: 64776, DstPort: 443, TCPFlags: 0x0, IngressInterface: Cisco, EgressInterface: outside, DE: Primary Detection Engine (dc1c2f78-185f-11e6-a6f7-dabf06bba1d5), Policy: SFR-Policy, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 715, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Uncategorized, URLReputation: Risk unknown, URL: https://www.splunk.com";
... View more
