Channel: Questions in topic: "universal-forwarder"

Found an SSLv3 "POODLE" vulnerability on Universal Forwarder 6.4.2. How to resolve this?

We just found SSLv3 "POODLE" vulnerability alerts from our IPS system, and our Splunk Universal Forwarder is on 6.4.2. I thought the SSLv3 POODLE issue only appeared in Splunk versions earlier than 6.3? Should I use the same workaround mentioned here? https://answers.splunk.com/answers/176970/is-it-possible-to-disable-ssl-v3-on-the-universal.html Many thanks in advance.

How to monitor Windows Event Logs that roll to an archive every hour?

I have a WinEventLog://System log which rolls to archive every hour or so. I have 4 questions:
1) Is the Splunk Universal Forwarder (UF) clever enough to ingest archived files based on the default [WinEventLog://System] input, or does it only ingest the data in the current log?
2) Does the UF catch all events in the log, or is there a chance some events could be lost at the point when the log rolls?
3) If either the UF or the index layer is unavailable for a period of time (possibly days), will all of the logs be lost until the connection is re-established?
4) What is Splunk's recommended optimum file size for a WinEventLog source?

How to check the universal forwarder's metrics.log to get instantaneous_kbps and average_kbps?

From the documentation:

    To verify how often the forwarder is hitting this limit, check the forwarder's metrics.log. (Look for this on the forwarder because metrics.log is not forwarded by default on universal and light forwarders.)
    cd $SPLUNK_HOME/var/log/splunk/metrics.log
    grep "name=thruput" metrics.log
    Example: The instantaneous_kbps and average_kbps are always under 256KBps.
    11-19-2013 07:36:01.398 -0600 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=251.790673,instantaneous_eps=3.934229, average_kbps=110.691774, total_k_processed=101429722, kb=7808.000000, ev=122

But when I run grep -i "name=thruput" metrics.log, I don't get any result. So, can I please know whether there is any way to check the instantaneous_kbps and average_kbps?

Can we configure the forwarders to use SFTP for transferring the files?

Can we configure the forwarders to use SFTP for transferring the files? If not, is there any way to encrypt data sent by the Universal Forwarder (UF)? Does the UF support SSL?

Can we configure some Universal Forwarders to forward data to port 9998 with SSL on indexers and the remaining Universal Forwarders to forward data to port 9997 without SSL on same indexers?

Can we configure some Universal Forwarders to forward data to port 9998 with SSL on the indexers and the remaining Universal Forwarders to forward data to port 9997 without SSL on the same indexers? If yes, what do we need to configure?

Why are universal forwarders installed on domain controllers not sending all Windows security and Cisco ASA logs?

I have 4 domain controllers with Splunk Universal Forwarders installed on them. I'm trying to get the Windows Security logs and Cisco ASA logs sent to my Splunk Light server. I get the ASA syslogs from all the forwarders except one, and I get Windows Security logs from one of the forwarders, but not from the other three. Nothing makes sense. There are no firewall issues. All the domain controllers can ping one another. I don't have any of the Splunk ports blocked. I checked the splunkd.txt log files and there are no errors. The inputs and outputs conf files are all set up exactly the same, but still only some forwarders send data while others don't. I followed this article http://docs.splunk.com/Documentation/SplunkLight/6.4.1/GettingStarted/GettingdataintoSplunkLightusingWindows and still can't get every forwarder to communicate. Under Forwarder Management -> Server Classes all of them are checking in, but they're not all sending the data I asked them to send. Any help would be appreciated.

How to prevent linux_message_syslog input from overriding the FQDN of the host sent from a universal forwarder?

All, I have an input in linux_message_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the hostname to the one found in the log, which is just the host name and not the FQDN. Any recommendation on how to handle that?
Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK.
So I end up with host=myawesomeserver AND host=myawesomeserver.domain.local. Thoughts?

Oracle WebLogic App for Splunk: How to resolve universal forwarder error "system cannot find the path specified"?

Hi, We're trying to configure this app, but after reading and re-reading the guide, still no luck. We're running:
Splunk: 6.5.2
WebLogic: 10.3
I think the issue is related to this error we see in the universal forwarder logs:
01-27-2017 16:24:43.656 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Function1_WLS_Admin_win_TA\bin\runWlstScriptsDaily.cmd" %ProgramFiles%\SplunkUniversalForwarder\etc\apps\Function1_WLS_Admin_win_TA C:\Oracle\Middleware" The system cannot find the path specified.
No matter what paths we enter in the inputs.conf file (in either the default or local directories), we can't get this error to resolve. Our WLS index has 0 events, dashboards are blank, etc. I would really appreciate any help you guys can lend.

Socket not supported error while installing universal forwarder on Bash (Virtual machine on windows)

Hi, I am trying to install a universal forwarder on Bash (virtual Linux terminal on Windows).
Step 1: Install the Splunk universal forwarder using:
tar xvzf splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-x86_64 -C /opt
Step 2: Start Splunk using:
./splunk start --accept-license
When I execute ./splunk start --accept-license, I get the error:
Splunk> Now with more code!
Checking prerequisites...
Checking mgmt port [8089]: open
terminate called after throwing an instance of 'ProcessRunnerException'
what(): cannot set up ProcessRunner fd passing socket: Socket type not supported
Dying on signal #6 (si_code=-6), sent by PID 135 (UID 0). Attempting to clean up pidfile
ERROR: pid 135 terminated with signal 6 (core dumped)
SSL certificate generation failed.
I am using Splunk Enterprise. Please help me out.

Splunk Universal Forwarder constantly crashes with "Crashing thread: indexerPipe".

Splunk Universal Forwarder constantly crashes with "Crashing thread: indexerPipe". splunkd.log shows:
WARN IndexerService - Indexer was started dirty: splunkd startup may take longer than usual; searches may not be accurate until background fsck completes.
ERROR IndexConfig - stanza=default Required parameter=defaultDatabase not configured
FATAL IndexerService - Cannot load IndexConfig: stanza=default Required parameter=defaultDatabase not configured
ERROR IndexConfig - stanza=default Required parameter=defaultDatabase not configured
FATAL IndexerService - Cannot load IndexConfig: stanza=default Required parameter=defaultDatabase not configured
INFO IndexProcessor - Initializing: readonly=false reloading=false

Splunk Add-on for Microsoft Windows: How to disable this add-on on all Universal Forwarders?

If I wanted to disable the Splunk Add-on for Microsoft Windows on all Universal Forwarders (6.4.4) and only use my own app to collect Windows logs, what would be the best way to do this? I was going to make a directory in deployment-apps named the same as the app on the UFs, "splunk_ta_windows", and set it to disabled in app.conf. Any thoughts?

Splunk Universal Forwarder 6.4.1 and all versions newer than 6.2 cannot be installed on 7 of our systems

The error message on the screen is: "UniversalForwarder Setup ended prematurely"
Versions older than 6.2 (e.g. 6.1.3) of Splunk Universal Forwarder and Splunk Enterprise (and other applications) can be installed without problems. Since SSLv3 has been disabled in our environment, the older versions do not deliver any data and cannot be used.
As I can see in the MSI installer log, Splunk has problems getting the installed version:
--------------------
Action start 16:49:22: GetPreviousSettings.
GetPreviousSettings: Error 0x80004005: Failed to get lookup product code.
-------------------
Also tried to install as administrator from the command line.

Why is props.conf in my deployment-app not getting picked up?

I have a standalone Splunk environment: I have universal forwarders and an indexer/deployment server which acts as the search head as well. I have a deployment app under $SPLUNK_HOME/etc/deployment-apps/my_inputs/local/ containing inputs.conf and props.conf. The inputs.conf was recognized fine, but the props.conf changes weren't picked up. When I put the props.conf under $SPLUNK_HOME/etc/apps/my-IDX/props.conf, alongside the indexes.conf, the changes were picked up. Is there a reason why the props.conf wasn't picked up from the deployment app?

Are there any specific settings to apply for DCs that generate a lot of logging?

Hello, I'm missing some logging in Splunk from several DCs. Most likely, the reason behind this is that the DCs are generating more logging than the Universal Forwarder (UF) is capable of handling. Setting the UF limit to uncapped did not solve the issue. What I'm about to try next is to set useACK on the client side. However, I still have some questions. Can we enable useACK on the same TCP port (default 9997) which is used for non-ACK traffic? Are there any specific settings which we should apply for DCs generating a lot of logging? Many thanks. Kind regards, Stefan

What is the difference between these two configurations in inputs.conf on Universal Forwarder?

Under inputs.conf on the Universal Forwarder (UF), I have these configs as below:
1.)
[monitor:///var/home/jboss/logs/*.log]
disabled = false
followTail = 0
sourcetype = xyz
2.)
[monitor:///export/home/tomcat/*.log]
disabled = false
followTail = 0
index = abc_tomcat
sourcetype = pqrs
My questions are:
a.) index is not configured in the 1st monitor stanza, whereas index is configured in the 2nd monitor stanza, so where will the 1st monitor stanza's logs go? To the main index?
b.) Is this really a good configuration?
c.) Do we really need followTail=0? This option is only used by Splunk the first time it monitors this log, and it says to read from the first line.
d.) Any suggestions to change this configuration of the monitor stanzas?

Is there a search to check if the universal forwarder has enabled forceTimeBasedAutoLB?

I have enabled forceTimeBasedAutoLB on a universal forwarder, but I want to check whether that forwarder is making use of this change or not. So, is there any search or command to check that?

Has anyone integrated Puppet with Splunk?

Has anyone integrated Puppet Enterprise with Splunk? I'm not finding proper documentation on how to set it up. I found the Puppet Enterprise App for Splunk, but I don't see much documentation on how to set it up and which Puppet files need to be given as input to the Universal Forwarder to monitor.

Is it possible for the Splunk Log driver for Docker to include options to extract the custom host names instead of just the hostname of the machine?

An enhancement request for the Splunk log driver for Docker containers to include an option to specify customized hostnames. I read an article on http://dev.splunk.com/view/event-collector/SP-CAAAE6P#meta, so all that's required here is for the Splunk log driver to support a "--log-opt splunk-host=my-special-hostname" type parameter to allow the supplied host value to be customized. Is it possible to add the my-special-hostname during extraction?
line: 2017/01/23 09:16:40 [info] 14#0: *80000 client closed connection while SSL handshaking error
source: stderr
tag: Bhavesh-DEV-docker/image_name
}
host = vc2c_name
source = http:pi_docker
sourcetype = json_no_timestamp
As you can see, the host name is vc2c_name, whereas what we want is for the logging driver to set the host name to Bhavesh-DEV, for instance, akin to what we manipulate in the forwarder's inputs.conf/server.conf on the Universal Forwarder.

Is there a version of the universal forwarder that is compatible with Windows Server 2016 for 64 bits?

Hi Splunkers, Currently we are planning to upgrade to Windows Server 2016. May I know whether Splunk will release a new MSI version that supports Windows Server 2016 64-bit? Or can we still use the latest Universal Forwarder version 6.5.2 on Windows Server 2016 to forward the log details? Thanks

How to calculate autoLB time interval?

Can I please know how to calculate the autoLB time interval, as I am planning to change the default value? For example, if a Universal Forwarder (UF) sends 15GB of data, what should the autoLB time interval be?