Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About seankoniarz
seankoniarz
Explorer
Member since:
05-16-2019
01-16-2021
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 05-16-2019 |
Activity Feed
- Got Karma for Re: VMWare Unified Access Gateway. 01-19-2021 07:34 AM
- Posted Re: VMWare Unified Access Gateway on Splunk Enterprise Security. 01-15-2021 01:24 PM
- Posted Is there any guidance on finding the proper frozen bucket I would need for a specific time frame? on Getting Data In. 12-14-2020 11:42 AM
- Posted Re: Remove Health messages on Splunk Enterprise Security. 01-07-2020 01:28 PM
- Posted Remove Health messages on Splunk Enterprise Security. 01-06-2020 01:08 PM
- Tagged Remove Health messages on Splunk Enterprise Security. 01-06-2020 01:08 PM
- Tagged Remove Health messages on Splunk Enterprise Security. 01-06-2020 01:08 PM
- Posted Re: Route to index based on source IP/Dest IP in log (Not source host) on Getting Data In. 05-16-2019 03:08 PM
- Posted Route to index based on source IP/Dest IP in log (Not source host) on Getting Data In. 05-16-2019 08:03 AM
- Tagged Route to index based on source IP/Dest IP in log (Not source host) on Getting Data In. 05-16-2019 08:03 AM
- Tagged Route to index based on source IP/Dest IP in log (Not source host) on Getting Data In. 05-16-2019 08:03 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-15-2021
01:24 PM
1 Karma
So we have made SOME progress on using UAG + Vmware View in terms of finding logs and interesting logs. We are still working on it fully but after investigating with our vmware teams we found a log actually stored on the hosts themselves in the debug logs. C:\ProgramData\VMware\VDM\logs Our goal was to be able to provide session data and understand where all the connections were coming from. Not sure if this pretains to every environment as I am not a vmware expert. The data however does include external IPs, systems they are connecting with and disconnecting with, session time and a few others. Going to see from management what we can share if it would be valuable.
... View more
12-14-2020
11:42 AM
Is there any guidance on finding the proper frozen bucket I would need for a specific time frame?
... View more
Labels
- Labels:
-
Linux
01-07-2020
01:28 PM
Thanks! Looks like this message falls under the Might or Might Not be configurable
... View more
01-06-2020
01:08 PM
Is it possible to remove the health warnings for certain users/roles from the top splunk bar? We have an error that will likely occur no matter what and we don't want certain end users to see it.
... View more
05-16-2019
03:08 PM
So I might not need to redirect it after receiving the data if that is an option. But I guess let me better explain the use case.
We act as an ISP essentially for some clients. They use traverse our firewalls and out to the internet.
1 FW for Multiple clients
So the source device could be 10.1.1.6. But that device is going to have multiple client CIDR ranges.
10.2.0.0/16 = client1
10.3.0.0/16 = client2
10.4.0.0/16 = client3
sample log style
Device(sourceHost) source dest
1. 10.1.1.6 client1 to google
2. 10.1.1.6 client2 to bing
3. 10.1.1.6 client3 to amazon
Log #1 to index client1
Log #2 to index client2
Log #3 to index client3
Does that make more sense? If they all had separate firewalls this would be very simple, but that is not the case. If I can do this in a more efficient way I am all about doing that.
... View more
05-16-2019
08:03 AM
I cannot seem to get this to work so I assume I am doing something wrong. We are about to start a POC for splunk but we wanted to get a head start on some of our use cases.
We need to route specific data coming in to different indexes for our clients. Proxy and Firewall logs. The actual host sending us the logs could be the same for 100 clients so we need to do the routing based on Source or Dest with in the log.
Samples are below. But we basically want to route that data into the index called 1000. We would then want to make more that does different regex for other CIDR ranges. From what I am reading, this appears it should be at least close to what I want.
Props.conf
[cisco:asa]
TRANSFORMS-1000 = 1000cisco
Transforms.conf
[1000cisco]
REGEX = :10\.1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))
DEST_KEY = _MetaData:Index
FORMAT = 1000
Sample Log
<172>May 16 10:51:17 hostip %ASA-4-106023: Deny tcp src fwinterface:10.1.1.57/64176 dst outside:172.217.7.14/443(cloud.google.com) by access-group "aclname" [0x0, 0x0]
... View more
