Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nsommars
nsommars
Explorer
Member since:
06-27-2017
11-07-2021
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 5 |
| Member Since | 06-27-2017 |
Activity Feed
- Got Karma for Re: Linux Auditd: What is the best way to make /var/log/audit/audit.log accessible to a non-root Splunk forwarder?. 08-11-2023 04:42 AM
- Got Karma for Re: How to remove binary data from the event in files on a splunk forwarder?. 06-05-2020 12:49 AM
- Got Karma for Re: How to remove binary data from the event in files on a splunk forwarder?. 06-05-2020 12:49 AM
- Karma Re: Linux Auditd: What is the best way to make /var/log/audit/audit.log accessible to a non-root Splunk forwarder? for pbunts. 06-05-2020 12:47 AM
- Got Karma for Re: Linux Auditd: What is the best way to make /var/log/audit/audit.log accessible to a non-root Splunk forwarder?. 06-05-2020 12:47 AM
- Got Karma for Re: Linux Auditd: What is the best way to make /var/log/audit/audit.log accessible to a non-root Splunk forwarder?. 06-05-2020 12:47 AM
- Posted Re: I need to be able to detect packets dropped by Juniper SSG firewalls due to the firewalls' anti-spoofing on Getting Data In. 02-28-2019 03:35 AM
- Posted Re: /opt/splunkforwarder/bin/splunk enable boot-start ... Unknown option: levels (chkconfig) on Installation. 02-28-2019 03:22 AM
- Posted Re: Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 04:32 AM
- Posted Re: Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 04:30 AM
- Posted Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 03:40 AM
- Tagged Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 03:40 AM
- Tagged Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 03:40 AM
- Tagged Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 03:40 AM
- Tagged Why does search complain about eventtype errors when no eventtype is used? on Splunk Search. 02-25-2019 03:40 AM
- Posted Question about configuring the Master Node to forward OS logs on Getting Data In. 09-27-2018 07:21 AM
- Tagged Question about configuring the Master Node to forward OS logs on Getting Data In. 09-27-2018 07:21 AM
- Tagged Question about configuring the Master Node to forward OS logs on Getting Data In. 09-27-2018 07:21 AM
- Tagged Question about configuring the Master Node to forward OS logs on Getting Data In. 09-27-2018 07:21 AM
- Posted Re: How to remove binary data from the event in files on a splunk forwarder? on Getting Data In. 02-01-2018 06:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
02-28-2019
03:35 AM
We have kind of the same problem.
However, this is no Splunk issue...Netscreen firewall logs does not contain those packets because they are dropped before they hit the firewall functionality in ScreenOS.
... View more
02-28-2019
03:22 AM
chkconfig is (breifly explained) just a functionality that creates symlinks to the initscript in the different startup runlevel folders, and also provides an overview of what services that are started at different runlevels.
"runlevels" no longer exist for systems using systemd (or related init systems), so perhaps SuSE removed that option?
There is on the other hand no need to run the splunk script to make splunk start after boot....just use your systems built in auto start mechanisms and "point it" at the splunk binary $SPLUNK_HOME/bin/splunk
(the splunk enable boot-start functionality just creates a init script and, sets the runlevels for which splunk should run in that script and then use chkconfig with the same information to make the system changes at once.
... View more
02-25-2019
04:32 AM
Yes it is app specific. The question is however the other way around - I don't use the eventtype, but it still gives warnings that an eventtype (that I don't use) is not defined.
... View more
02-25-2019
04:30 AM
Nope, there are no tags related to this eventtype in the app space where this error occurs.
There are just a few tags in this app, and all of them are just referring to different hosts.
... View more
02-25-2019
03:40 AM
Hi, and sorry for the somewhat fuzzy question!
I'll try to explain the scenario, so bare with me if the explanation gets a bit long 😉
We have lots of eventtypes in our environment, where most of them are defined within specific apps.
The problem here is that when I (or anyone for that matter) run a search from the standard search tab, the job result complains that one particular eventtype is missing or disabled. This eventtype is defined within a specific app, but is never used in the query.
Example, search executed in the "standard" search and reporting app space:
index=network "10.20.30.40" <-- No eventtype used!
The search query displays all results containing 10.20.30.40 - as expected, but the job-inspector complains that "eventtype login_failure_wdm does not exist or is disabled".
This error would make sense if I tried to use this particular eventtype (since I am running the query outside the app where the eventtype is defined), but no eventtype is used!
As expected there are no complaints if I run the same query from within the app space where login_failure_wdm is defined.
The thing is that it does not matter what indexes and searches I do - the error is there.
The eventtype in question is "nested" from another eventtype, but we use a lot of those without any issues.
login_failure_wdm: eventtype=wdm "authorization error"
where 'wdm' is an eventtype defined as:
index=network host=itc*wdm*
This environment consists of a 2 node indexer cluster (+ 1 master node) and one searchhead (where all searches are performed).
I have run a recursive grep through the entire config on my searchhead, cluster master and the indexer servers, but the eventtype is not included anywhere (except for the definition of the eventtype itself) on the searchhead.
Has anyone seen this phenomena, and found a solution?
... View more
09-27-2018
07:21 AM
Reading OS logs from a cluster indexer node is controlled by the master node $SPLUNK_HOME/etc/master-apps/_cluster/local/inputs.conf , but that only affects the indexer nodes, not the master node itself.
If I configure outputs.conf in $SPLUNK_HOME/etc/system/local/ on the master node, will it then forward everything from the master node or only the monitored paths specified in inputs.conf ?
The thing is that I only want to forward OS logs (under /var/log or any other specified file), not the internal stuff from Splunk on the master node itself.
... View more
02-01-2018
06:52 AM
2 Karma
Just in case someone has a similar problem:
Since an intermediate heavy forwarder was not an option right now, I added a SEDCMD regexp in props.conf on the indexer servers, under the sourcetype stanza that these files belong to.
The regexp itself will of course vary depending on how/what the application server logs, but in my case there was a Content-Type: application/octet-stream that started the binary part. the binary then continued to the end of the event which gave:
SEDCMD-filterbinary = s/(?ms)(?<=Content-Type: application\/octet-stream)(.*$)/\n**Removed binary part**/g
which leaves the Content-Type: application\/octet-stream row in the log and replaces the rest with **Removed binary part**
Your mileage may vary! 😉
... View more
02-01-2018
02:04 AM
Thanks!
I was a bit confused regarding SEDCMD and where it was applicable. It obviously belongs to props.conf which is parsed by UF...but apparently UF does not support all methods available in props.conf
... View more
02-01-2018
12:39 AM
Well, the file is not binary, and I don't want to process binary data...I wan't do get rid of it 😉
... View more
01-31-2018
02:14 PM
Hi!
On a Splunk forwarder (universal) some of the files monitored contain binary data that we do not want to send to the indexers.
It seems impossible to prevent the logging applications on the server from logging these binary parts, so the data is on a Splunk forwarder monitored log on the server.
The problem is that the binary data is within an event, meaning that the file itself is not binary.
Is there any way to use the props.conf directive NO_BINARY_CHECK on these files, or does that only apply to binary files, and not textfiles containing binary sections?
What would be the best way to remove the binary parts from the event before forwarding it to the indexers?
When the data enters the indexers it can be removed with SEDCMD, but to save bandwidth, and possibly indexing license, it would be nice if the binary part could be removed before it enters the indexers.
Any ideas?
... View more
06-27-2017
02:25 AM
3 Karma
For /var/log/audit/audit.log it is better to use pbunts solution (answer below).
Posix file ACLs tend to get tricky when there is no automatic way to apply the acl when the daemon rotates the log file.
(yes, you could have a cron script that applies the ACL at short intervals...but that is quite an ugly solution)
For other log files, rotated by logrotate, file ACLs is the way to go when one can re-apply the ACL in postrotate.
... View more
