Channel: Questions in topic: "universal-forwarder"

Two Indexers - Blacklist Data to Specific Indexer

Good morning all. I'm working on a design in my lab where we have two indexers. I have data for one of the indexes, 'networkvideo', that I want to go to only one of the indexers, while all of the other data gets sent to both. I'm having trouble getting my outputs.conf file to work properly. I read that 'forwardedindex' statements will work only in the global 'tcpout' stanza. How can I modify this to apply to only one of the indexers? I appreciate any and all assistance. Below is a version of my work that I know is incorrect, but it has all of the important pieces within:

```
[tcpout]
defaultGroup = indexer1,indexer2
#overwrite the defaults:
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
#new blacklist:
forwardedindex.0.blacklist=networkvideo

[tcpout:indexer1]
server = xx.xx.xx.1

[tcpout:indexer2]
server = xx.xx.xxx.2
```

About version difference between UF and SH.

I saw it: https://docs.splunk.com/Documentation/Forwarder/7.2.4/Forwarder/Compatibilitybetweenforwardersandindexers I am using an IDX of 6.4 and a UF of 7.2. However, I cannot communicate from client hello to x.

> An S in a cell indicates that this version of forwarder can send data to this version of indexer after you change the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) version and cipher suite on the forwarder. See Known Issues in the Splunk Enterprise Release Notes for instructions on changing the SSL/TLS version and cipher suite.

I do not understand what settings I should add to the UF. Please teach me.

How do I get a Splunk universal forwarder to send explicit Event ID Events Only?

Hello, I'm interested in installing universal forwarders (UF) on machines to ingest local security event logs into Splunk. However, I don't want every single security event log sent from the UFs to the heavy forwarder. This leads to two questions:

1. Am I able to specify exactly which Event Log IDs to send?
2. In addition to specifying Event Log IDs, can I get more granular and, for instance, send only Event ID 4732 logs (a member was added to a security-enabled group) but specify ONLY to send if it matches additional criteria, such as members added to particular groups like the local Administrators group?

How come Windows Security events are taking 15-20 minutes to appear on Splunk?

We have configured a universal forwarder on 4 Domain Controllers in our environment. We receive security events in real time from 3 of the Domain Controllers, but events from the 4th DC take around 20 minutes to appear. I am wondering if anyone has come across this issue, or whether there is any configuration I might have missed. Thanks,

When trying to Install a Splunk forwarder on Linux, why am I getting the following error: 'splunk: command not found'

I am trying to install the Splunk forwarder (for Splunk Cloud) on an Ubuntu 16.04 server using the instructions at the following: https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/User/ForwardDataToSplunkCloudFromLinux Everything seems to go well until I get to Step 3: Download and install the universal forwarder credentials. When I type in the command to install the .spl file, I keep getting the 'splunk: command not found' error message. Does anybody know why this is happening?

How to install splunk universal forwarder on multiple windows system with powershell script?

I want to install the universal forwarder on multiple Windows machines. I tried using this command: `Invoke-Command -ComputerName "Desktopname" -Scriptblock {msiexec /i <path of forwarder .msi file>}`. Without the desktop name I am able to install the file, but when I specify the desktop name I get this error:

```
Connecting to remote server desktopname failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (desktopname:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
```

Any suggestions would be helpful.

How can I automate the downloading of universal forwarder?

Everything I am reading says that to download via wget, cURL, etc., you have to specify the full path, which contains the specific version number in the name/path. How can I get the latest/current version through automation rather than hard-coding the path?

Why am I getting high CPU and high memory on universal forwarder even though we have very little data coming into Splunk?

Hi, we are using a forwarder (7.1.6) and we are seeing high CPU and high memory for the Splunk forwarder (one whole core of a 20-core box). ![alt text][1] However, we are only getting in a trickle of data, so it's not like we are getting in millions of log files! ![alt text][2] Is there anything I can do to see what is happening inside it? This is a tail of the log:

```
You have new mail in /var/spool/mail/autoengine
dell479srv autoengine /dell479srv2/apps/splunkforwarder_MxOne_Testing_Latest/var/log/ bash$ tail -f splunk/splunkd.log
02-19-2019 15:30:02.144 +0100 INFO  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:30:02.144 +0100 INFO  WatchedFile - Will begin reading at offset=0 for file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:35:03.296 +0100 INFO  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:35:03.296 +0100 INFO  WatchedFile - Will begin reading at offset=0 for file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:40:02.983 +0100 INFO  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:40:02.983 +0100 INFO  WatchedFile - Will begin reading at offset=0 for file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:45:03.007 +0100 INFO  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:45:03.008 +0100 INFO  WatchedFile - Will begin reading at offset=0 for file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:50:03.320 +0100 INFO  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
02-19-2019 15:50:03.320 +0100 INFO  WatchedFile - Will begin reading at offset=0 for file='/net/dell479srv/dell479srv2/apps/TheOne-RSAT/qcstTools/qcstOutFiles/qcst_out_toolsMonitoring_CheckToolLifeCycle.txt'.
```

[1]: /storage/temp/270597-2019-02-19-14-45-15-dell479srv-autoengine.png
[2]: /storage/temp/270598-2019-02-19-14-46-27-search-splunk-716.png

How do you filter out an event based on an account name?

Hello, I am trying to exclude specific event logs from a Windows system being forwarded and indexed to Splunk. What I need to do is filter out an event based on the content of the event (actually for a specific user called installer). What I did so far is: under props.conf of the universal forwarder (`$PROGRAMFILES\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf`) I defined the following:

```
[WinEventLog:Security]
TRANSFORMS-t1=exclude-installer
```

and under transforms.conf on the same path the following:

```
[exclude-installer]
REGEX=(?s)(Account Name:\s\sinstaller)
DEST_KEY=queue
FORMAT=nullQueue
```

The problem is that this specific configuration does not work. Events are not filtered out... Any suggestions? Thank you in advance.

Scripted input is done many times regardless of interval setting.

My environment:

- Splunk Indexer: 7.2.3 on Linux7
- Splunk Deployment Server: 7.2.3 on Linux7
- Universal Forwarder: 7.2.3 on Linux7

I configured the Deployment Server to deploy the inputs.conf below to the UF:

```
[script//./bin/sample.sh]
interval = 14 12 * * *
index = sample_index
source = sample.sh
sourcetype = sample
disabled = 0
```

Every day, the UF kicks off this script, which runs "cat" on a file (about 7 MB) and forwards the result to the Indexer. However, sometimes the UF ignores the "interval" setting and tries to run this scripted input many times (dozens of times, etc.), which causes duplicates on the Indexer. Why does this happen? If anyone has seen a similar event, please tell me.

"invalid key in stanza" error after restarting the forwarder using Splunk_TA_nix (Splunk Add-on for Unix and Linux) in eventgen.conf on forwarders running on AIX operating system

Hi All, we have installed the Splunk_TA_nix (Splunk Add-on for Unix and Linux - https://splunkbase.splunk.com/app/833/) on the Search Head (/opt/splunk/etc/deployment-apps folder) and added a /local folder with an inputs.conf enabling all the scripts supported for AIX (based on what is indicated here: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes), but after having deployed the app to the forwarders that are running on AIX we are getting these errors for eventgen.conf:

```
Checking mgmt port [8089]: open
Checking conf files for problems...
Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 4: interval (value: 10).
Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 5: earliest (value: -10m).
Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 6: latest (value: now).
Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 7: source (value: sample.dhcpd).
Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 8: sourcetype (value: dhcpd).
```

and a lot more with the same error. Do you know how we can solve it? Thanks a lot, Edoardo


Issue with syslog data getting behind when read from our syslog server with a universal forwarder

We are running Splunk 6.6.3 and have universal forwarders on our syslog servers. We are finding that some of the data gets behind for some of the hosts that the syslog server has files for. Some of the files get very large throughout the day (the file for each host sending to the syslog server cycles into a new file daily). At least 3 of the files get to a point where Splunk is enqueuing the files into Batch mode. These files are mostly from our InfoBlox servers or our Panorama for our firewalls. The syslog servers are not being over-taxed, so I should be able to adjust some numbers higher to allow for better throughput, but I'm not sure what the best setting changes would be. Thanks.


Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

Hello, could someone please help me find out whether I am getting data from the universal forwarder to the heavy forwarder? Note: I don't have CLI access to the UF, the indexers, or the search head. Thanks.

Unable to execute script on universal forwarder due to permission issue

I am trying to install UFs on a number of hosts using the script below, which I got from one of the posts in this forum:

```sh
#!/bin/sh
# This EXAMPLE script shows how to deploy the Splunk universal forwarder
# to many remote hosts via ssh and common Unix commands.
# For "real" use, this script needs ERROR DETECTION AND LOGGING!!

# --Variables that you must set -----

# Set username using by splunkd to run.
SPLUNK_RUN_USER="splunk"

# Populate this file with a list of hosts that this script should install to,
# with one host per line. This must be specified in the form that should
# be used for the ssh login, ie. username@host
#
# Example file contents:
# splunkuser@10.20.13.4
# splunkker@10.20.13.5
HOSTS_FILE="uf_hosts"

# This should be a WGET command that was *carefully* copied from splunk.com!!
# Sign into splunk.com and go to the download page, then look for the wget
# link near the top of the page (once you have selected your platform)
# copy and paste your wget command between the ""
WGET_INSTALL="sudo yum -y install wget"
WGET_CMD="wget -O splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.4&product=universalforwarder&filename=splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz&wget=true'"

# Set the install file name to the name of the file that wget downloads
# (the second argument to wget)
INSTALL_FILE="splunkforwarder-7.2.4-8a94541dcfac-Linux-x86_64.tgz"

# After installation, the forwarder will become a deployment client of this
# host. Specify the host and management (not web) port of the deployment server
# that will be managing these forwarder instances.
# Example 1.2.3.4:8089
DEPLOY_SERVER="18.207.205.49:8089"

# Set the seed app folder name for deploymentclien.conf
DEPLOY_APP_FOLDER_NAME="ap3_all_deploymentclient"

# Set the new Splunk admin password
PASSWORD="QzpU9l8T"

REMOTE_SCRIPT_DEPLOY="
cd /opt
sudo $WGET_INSTALL
sudo $WGET_CMD
sudo tar xvzf $INSTALL_FILE
sudo rm $INSTALL_FILE
sudo useradd $SPLUNK_RUN_USER
echo "
[user_info]
USERNAME = admin
PASSWORD = $PASSWORD
" > /opt/splunk/etc/system/local/user-seed.conf
sudo mkdir -p /opt/splunkforwarder/etc/apps/$DEPLOY_APP_FOLDER_NAME/local
sudo echo "[target-broker:deploymentServer]
targetUri = $DEPLOY_SERVER" > /opt/splunkforwarder/etc/apps/$DEPLOY_APP_FOLDER_NAME/local/deploymentclient.conf
sudo chown -R $SPLUNK_RUN_USER:$SPLUNK_RUN_USER /opt/splunkforwarder
sudo -u $SPLUNK_RUN_USER /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user $SPLUNK_RUN_USER
exit
"

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

#===============================================================================================
echo "In 5 seconds, will run the following script on each remote host:"
echo
echo "===================="
echo "$REMOTE_SCRIPT_DEPLOY"
echo "===================="
echo
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$DIR/$HOSTS_FILE"`; do
  if [ -z "$DST" ]; then continue; fi
  echo "---------------------------"
  echo "Installing to $DST"
  echo "Initial UF deployment"
  sudo ssh -t "$DST" "$REMOTE_SCRIPT_DEPLOY"
done
echo "---------------------------"
echo "Done"
echo "Please use the following app folder name to override deploymentclient.conf options: $DEPLOY_APP_FOLDER_NAME"
```

After executing the script, I am getting the error below in the logs:

```
bash: line 7: /opt/splunkforwarder/etc/system/local/user-seed.conf: Permission denied
bash: line 9: /opt/splunkforwarder/etc/apps/ap3_all_deploymentclient/local/deploymentclient.conf: Permission denied
```

I am already executing those commands as a sudo user, but I still get the errors. Please advise.
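The two "Permission denied" lines come from the redirections, not from `sudo`: in `sudo echo "..." > /path`, the `>` is handled by the calling shell, which runs as the unprivileged login user, before `sudo` is ever executed, so the file is opened without root rights. Below is an added example (not the poster's script and not anything shipped by Splunk) that writes the same two files through `sudo tee`, so the file is opened by the elevated process; it also tightens the mode of user-seed.conf, since it carries the seeded admin password. The helper names, the `SUDO` and `UF_HOME` variables and the placeholder values are assumptions made for this example.

```shell
# Added example: creating root-owned forwarder config files from a non-root shell.
# Set SUDO="" to exercise the helpers without privileges (e.g. against a temp dir).
set -eu

SUDO="${SUDO-sudo}"                      # assumption: sudo is the elevation tool in use
UF_HOME="${UF_HOME:-/opt/splunkforwarder}"  # assumption: default UF install path

# Render user-seed.conf with the same keys the posted script uses.
render_user_seed() {
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$1" "$2"
}

# Render deploymentclient.conf pointing at the deployment server (host:port).
render_deploymentclient() {
    printf '[target-broker:deploymentServer]\ntargetUri = %s\n' "$1"
}

# Write stdin to the file named in $1 with elevated privileges.
# The parent directory is created, the mode is restricted to the owner, and an
# optional owner (user:group) given in $2 is applied so the splunkd user can read it.
write_privileged_file() {
    dest="$1"
    owner="${2:-}"
    $SUDO mkdir -p "$(dirname "$dest")"
    $SUDO tee "$dest" >/dev/null          # tee, not the shell, opens the file
    $SUDO chmod 600 "$dest"
    if [ -n "$owner" ]; then
        $SUDO chown "$owner" "$dest"
    fi
}

# Seed the admin credential and the deployment-client stanza:
#   $1 admin password, $2 deployment server host:port, $3 seed app folder name,
#   $4 (optional) owner user:group for the written files.
seed_forwarder() {
    render_user_seed admin "$1" \
        | write_privileged_file "$UF_HOME/etc/system/local/user-seed.conf" "${4:-}"
    render_deploymentclient "$2" \
        | write_privileged_file "$UF_HOME/etc/apps/$3/local/deploymentclient.conf" "${4:-}"
}

# Example invocation (values are placeholders, not real credentials):
#   seed_forwarder 'REPLACE_ME' '192.0.2.10:8089' 'ap3_all_deploymentclient' 'splunk:splunk'
```

Inside the remote script, the same effect can be had by replacing each `sudo echo "..." > file` with `printf '%s\n' "..." | sudo tee file >/dev/null`; the `chown -R` that already follows in the posted script then gives the `splunk` user ownership of the files.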

Can I monitor a file with extension .splunk?

I'm trying to monitor a file that ends with .splunk, but for some reason Splunk will not index it. Only when I change the extension to .txt does it ingest. Any reasons why this is happening? Thanks

Splunk Universal Forwarder Caching Functionality

Does anyone know how the Universal Forwarder caches logs if it's disconnected from the indexer? Specifically, what happens to the caching of a file when it gets rotated to a zipped file while the forwarder is still disconnected from the indexer? Do we lose everything that got rotated into the zipped file? Or does everything still get cached, regardless of whether the log rotation happened?


Logs ingested via the universal forwarder are cut off partway through.

Logs ingested via the universal forwarder are getting cut off partway through. It seems to stop reading a line at about 4050 characters. Each line of that log is very long. I want Splunk to read each line through to its end. Is there any way to do this?