Hi there folks,
I would like to ask if the Universal Forwarder can support Server Name Indication (SNI)? That is an extension of the TLS protocol which can be used by nginx to deploy SNI-based routing from UFs to multiple hosts.
INFO:
- We have many clients with on-premise machines/laptops with Universal Forwarders sending traffic to our AWS Splunk instances (indexers). Our AWS instances don't have public IPv4 addresses and we would like to deploy a single point of contact (nginx) with a public IPv4 address for all TCP UF traffic, which then differentiates by destination.
UF -> nginx with public IPv4 (SNI based-routing) -> AWS Target Indexer
Pre-requisites:
We need UF with enabled SSL - this is completed.
We need UF with enabled SNI (it's needed to differentiate destination hosts)
e.g. UFs will send traffic to:
client1.mydomain.com
client2.mydomain.com
Nginx will then route the traffic to destination.
Has anyone tried a similar approach before? Also, any other suggestions for our solution would be much appreciated!
Thank you.
Kind Regards,
Tihomir Stoyanov
Issue filtering specific logs on UF
Hi,
I have recently started building apps on Splunk. I am monitoring a log file on the UF containing logs from various applications and trying to fetch specific alert logs containing "VERITAS-COMMAND-CENTRAL-MIB". Below are the files I have configured for the requirement. The issue is, **the logs are getting tagged to a different source type (snmptrapd) instead of the intended one (st_netbackup)**. Both my Enterprise and UF are on version 7.1.4.
### inputs.conf
```
[monitor:///var/log/snmptrapd.log]
disabled = 0
index = acn_backup_netbackup_tier1_idx
#index = main
host = XX.XX.XX.XX
```
### System level outputs.conf
```
[tcpout:acn-dev1-route-group]
server = xx.xx.xx.xx:9997
```
### props.conf
```
[source::/var/log/snmptrapd.log]
description = Netbackup log file
TRANSFORMS-set = removeNETSNMPHeader,removeOther
TRANSFORMS-route = parseNetbackup
SEDCMD-community = s/community (\w+)/community *****/g
BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
TIME_FORMAT = %Y-%m-%d %T
TRANSFORMS-customsourcetype = st_netbackup
```
### transforms.conf
```
[st_netbackup]
REGEX = (!?)VERITAS\-COMMAND\-CENTRAL\-MIB
DEST_KEY = MetaData:Sourcetype
FORMAT = st_netbackup

[removeNETSNMPHeader]
REGEX =NET-SNMP version*
DEST_KEY = queue
FORMAT = nullQueue

[removeOther]
REGEX = (.)
DEST_KEY = queue
FORMAT = nullQueue

[parseNetbackup]
REGEX = (!?)VERITAS\-COMMAND\-CENTRAL\-MIB
DEST_KEY = _TCP_ROUTING
FORMAT = acn-dev1-route-group
```
Below is the log format as received on the desired index. It would be great to hear any suggestions here.
```
2020-01-14 04:15:27 ip-xx.xx.xx.xx.ec2.internal [UDP: [xx.xx.xx.xx]:53318->[xx.xx.xx.xx]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (753481) 2:05:34.81 SNMPv2-MIB::snmpTrapOID.0 = OID: VERITAS-COMMAND-CENTRAL-MIB::ccError VERITAS-COMMAND-CENTRAL-MIB::alertRecipients = STRING: Splunk Dev VERITAS-COMMAND-CENTRAL-MIB::alertSummary = STRING: 27 Clear Connections To Media Server ec2amaz-akg3cqb Lost VERITAS-COMMAND-CENTRAL-MIB::alertDescription = STRING: Lost contact with media server VERITAS-COMMAND-CENTRAL-MIB::policyName = STRING: Lost Contact with Media Server VERITAS-COMMAND-CENTRAL-MIB::objectType = STRING: VERITAS-COMMAND-CENTRAL-MIB::collectorName = STRING: VERITAS-COMMAND-CENTRAL-MIB::ccHost = STRING: EC2AMAZ-AKG3CQB VERITAS-COMMAND-CENTRAL-MIB::sourceId = STRING: EC2AMAZ-AKG3CQB VERITAS-COMMAND-CENTRAL-MIB::ccObject = STRING: VERITAS-COMMAND-CENTRAL-MIB::sampleData = STRING: VERITAS-COMMAND-CENTRAL-MIB::ccAlertSeverity = STRING: Major VERITAS-COMMAND-CENTRAL-MIB::ccAlertTime = STRING: Tue Jan 14 04:15:27 UTC 2020

host = xx.xx.xx.xx | source = /var/log/snmptrapd.log | sourcetype = snmptrapd
```
How to do custom encryption and decryption on a Splunk universal forwarder?
I am trying to do custom encryption and decryption of data on the universal forwarders. I am trying to configure the Splunk UF to use our own certificates and forward the encrypted data to a third-party system (Java socket). The reason I am doing this is to recover the Splunk event logs to the Java socket connection by decrypting the event changelogs.
How can I do this on Splunk UF?
Different target ports for different Log sources on Universal Log Forwarders
Does the Universal Log Forwarder support sending the syslog traffic using different target ports based on the source IP/port of the incoming traffic?
for input source IP 1 / port 1 => use output target TCP port 1
for input source IP 2 / port 1 => use output target TCP port 2
Where can such port mapping configuration be entered?
Thanks!
help needed with UF settings distributed over deployment server
Hello,
I would like to distribute one UF parameter to my clients, it is:
limits.conf
```
...
[inputproc]
file_tracking_db_threshold_mb = 150
...
```
For that I created an app called SplunkUniversalForwarder in the deployment-apps of the deployment server. I chose the app-name deliberately the same as on the forwarders, because I hoped that the changes there will be updated to the same folder on the UF.
Inside of the /etc/deployment-apps/SplunkUniversalForwarder/local, I created limits.conf with the single parameter above.
My expectation was that this app will be distributed to the clients and the "local" directory will be created inside of the existing /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder directory there.
This was the case, however the "default" directory there was wiped out. This means the app was distributed in the way that the existing one was overwritten.
Now, before I continue, I would like to ask what is the best practice to distribute the UF parametrisation like above via the deployment server. Per my understanding, if I use another app name, then it will be created on the UF, but will the limits.conf settings then be applied to the UF?
And what about upgrading the UF software to the higher version? Will it wipe out the changes I made in "local" above?
I mean I could copy-paste what is in the default/limits.conf to local/limits.conf on the deployment server and redistribute it, but my concern is if it stays there after the UF software upgrade ...
Please advise.
Kamil
Python 3 modular input on a universal forwarder version 8
In light of the discontinuation of Python 2.7 we have upgraded both our universal forwarders (to version 8) and our system Python (to version 3.7). Unfortunately, the new UF no longer seems to want to use the system Python. In the logs it complains that it cannot find C:\Program Files\SplunkForwarder\bin\Python3, which indeed does not exist, nor should it, as this is a universal forwarder. Python 3 is in the PATH.
How do I get the UF to work with system python 3?
Issue with AWS universal forward to SplunkCloud
Hello!
There is a strange situation. I did it like in the article https://medium.com/@robert.r.svensson/how-to-send-security-logs-from-aws-ec2-linux-hosts-to-splunk-cloud-495f8a180ce6
But I get an error in Data Input UDP: "You currently don't have any forwarders installed. If you've recently installed a new forwarder, click the refresh button below to reload page."
But `index=_internal | stats count by host` shows me my internal logs from the forwarder.
On the old version 7.0.11 it works fine, but on 8.0.1 it doesn't work.
Any ideas?
Thank you
Universal forwarder setup wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup wizard again. Click the finish button to exit the setup Wizard.
When installing the UF I am receiving this error on Windows servers. Could you please help me with this?
Error while installing Splunk forwarder in windows system
I am installing the 7.0.13.1 UF agent but I am receiving the above error...
In Windows Server 2012 R2 64-bit: "Universal forwarder setup wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup wizard again. Click the finish button to exit the setup Wizard."
Could anyone please help me with this?
Best Regards,
Indudhar
Sending audit log data to Splunk from PL/SQL
We have been tasked with obtaining audit log data from a vendor's cloud-hosted application via a web service call. We have written Oracle PL/SQL to obtain the data and parse it. We now need a strategy for getting this data into a Splunk Enterprise instance. How can this be done in the simplest, most secure way with as few additional software add-ins or components as possible? We are looking into DB Connect and Universal Forwarder but need to be able to call the forwarder from PL/SQL or a Linux-based process, or make the data available for Splunk Enterprise to come for it in tables or files via an automated process.
Help configuring a domain controller on a universal forwarder to send data to indexer
Hello Guys,
I am very new to Splunk and am trying to configure UF to send data to an indexer on port 9997. I have enabled the receiver in indexer instance. I have added [tcp://....DC IP Address:9997] and index = indexname in the inputs.conf file for UF found in $SPLUNK_HOME$/etc/system/local. I restarted splunkd services but am not getting any data coming to the specified indexer. The firewalls are OFF on the server. Indexer and UF are installed on the same server and this server is part of the domain controller. I apologize if I am not able to provide all the details as I do not have much understanding on it. Please let me know if you require any more information.
Also, when I try to stop splunkd services, I get Error:1035, but the service stops and I can start it again.
Any help is much appreciated. Thank You!
Any suitable option for collecting data from HP, Dell switches using Universal Forwarder
Hello Everyone!
So, I have my Splunk Enterprise and universal forwarder installed on the same machine running Windows Server 2019.
I wanted to know if there was a suitable way of collecting logs from switches using UF and bringing it to the indexer?
Inputs.conf blacklist with a negative regex
Hello,
I need to create a whitelist using the blacklist. I mean...
I have three blacklists in the Windows security input:
```
[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\btool.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe)"
blacklist2 = EventCode="1111" $XmlRegex="C:\\ProgramData\\random\\andom2\\dasdfa.exe"
```
I need to add another blacklist like this:
```
blacklist3 = EventCode="4663" $XmlRegex="(C:\\Windows\\System32\\Taskmgr.exe)"
```
This blacklist removes all 4663 events with the process name Taskmgr.exe (it works). But actually, I want to remove all 4663 events except the 4663 events with the process name Taskmgr.exe.
I tried using expressions like these, but they don't work:
```
blacklist3 = EventCode="4663" $XmlRegex="(?!C:\\Windows\\System32\\Taskmgr.exe)"
blacklist3 = EventCode="4663" $XmlRegex="?!(C:\\Windows\\System32\\Taskmgr.exe)"
blacklist3 = EventCode="4663" $XmlRegex="^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$"
```
Is there a solution? I can't use a whitelist because I have blacklists.
Thanks a lot!
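A regex-level check of the three attempts, added here and not part of the original post: the XML events are constructed and shortened, and the script exercises only the regex semantics (Python's re and the PCRE engine Splunk uses agree on these three constructs), not how Splunk applies blacklist keys to an event.

```python
import re

# Constructed, shortened XML event bodies (not real Windows Security events).
EVENTS = {
    "taskmgr": '<Event><System><EventID>4663</EventID></System><EventData>'
               '<Data Name="ProcessName">C:\\Windows\\System32\\Taskmgr.exe</Data></EventData></Event>',
    "notepad": '<Event><System><EventID>4663</EventID></System><EventData>'
               '<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data></EventData></Event>',
}

# The three $XmlRegex values from the post, exactly as the regex engine sees them
# (the doubled backslashes in inputs.conf are regex escapes for one literal backslash).
PATTERNS = {
    "bare_lookahead": r"(?!C:\\Windows\\System32\\Taskmgr.exe)",
    "misplaced_quantifier": r"?!(C:\\Windows\\System32\\Taskmgr.exe)",
    "tempered_token": r"^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$",
}

def would_drop(pattern: str, event_xml: str) -> bool:
    """True when the regex matches somewhere in the event, i.e. a blacklist using it would discard it."""
    return re.search(pattern, event_xml) is not None

def evaluate(pattern: str) -> dict:
    """Map each sample event to whether it would be dropped; {'error': msg} if the regex is invalid."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return {"error": str(exc)}
    return {name: would_drop(pattern, xml) for name, xml in EVENTS.items()}

if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(label, evaluate(pattern))
```

The bare lookahead is zero-width and succeeds at the first position where the path does not start, so it drops every event; the `?!(` form is a syntax error; only the `^((?!...)[\s\S])*$` form keeps the Taskmgr.exe event and drops the rest.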
Is it possible to force a Universal Forwarder to use a specific IP address for the connection to the indexer/HF?
We have several Universal Forwarders installed on different Linux machines. Due to the virtualization technology, each of the Linux servers has several IP addresses. By default the Universal Forwarder uses the first one (eth0 in this example). I assume this happens because the UF just asks the OS to open the connection without specifying the interface to be used.
Linux ifconfig:
```
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX
          inet addr:XX:XX:XX:XX  Bcast:XX:XX:XX:XX  Mask:255.255.254.0
          inet6 addr: XX:XX:XX:XX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10680683134 errors:0 dropped:11120 overruns:0 frame:0
          TX packets:8692419851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3381271414547 (3224631.7 Mb)  TX bytes:3873093410263 (3693669.7 Mb)

eth0:0    Link encap:Ethernet  HWaddr XX:XX:XX:XX
          inet addr:YY:YY:YY:YY  Bcast:XX:XX:XX:XX  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
```
Due to firewall restrictions we need to use a different (secondary/virtual) IP address for the outgoing connections (eth0:0 YY.YY.YY.YY in the example). We didn't find any clue in the documentation about how to achieve this behavior. Any idea?
Many thanks in advance!
Regards,
Monitor multiple unrelated directories
Using the universal forwarder I need to monitor multiple directories in separate parts of the filesystem.
Specifically (obfuscated so as not to identify our customer):
```
[monitor:///var/log]
[monitor:///home//logs]
```
It seems that multiple monitor stanzas are not working (at least our customer is reporting that the second monitor stanza is not forwarding any files to their Splunk instance).
Is there a workable solution?
Missing events from Splunk Universal Forwarder
I have one missing event out of 168 events from our Universal Forwarder. I've already checked the internal logs and the file has been indexed ("Batch input finished reading file="), but I cannot find this source in my index. I also tried to expand the time range and nothing appears, then checked whether the forwarder was restarted at the time the file was indexed, but it was not.
The settings on my forwarder are:
**inputs.conf**
```
[batch://my_path]
move_policy = sinkhole
disabled = false
sourcetype = my_sourcetype
index = my_index
```
**outputs.conf**
```
[tcpout]
defaultGroup = default-autolb-group-forwarder

[tcpout:default-autolb-group-forwarder]
disabled = false
server = myIndexer:9997
useACK = true
```
Setting up "Windows Host Information" gathering with universal forwarder?
Good Morning
I wanted to ask if I could get some assistance/clarification on setting up the Windows Host Information gathering function in Splunk, not just for local hosts but remote hosts also, via the universal forwarder.
I am trying to follow the following document but I am not clear on how to set things up with a remote server and the Universal forwarder:
Splunk® Enterprise - Getting Data In- Monitor Windows host information located here:
"https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/MonitorWindowshostinformation"
In the section called "Use Splunk Web to configure host monitoring", subsection "Select the input source", it describes choosing the Local Windows host monitoring option. I have performed the steps outlined and indeed I am getting information from my Splunk server, but it is not entirely clear in the documentation how to perform this on remote servers.
When going into Settings> data inputs> Forwarded Inputs (as opposed to local inputs) > Files and directories > New remote file and trying to setup a new data input there is no option to setup windows host information, it appears to be available under the local inputs only.
I am sure I am missing something but I am not sure what that step is.
Any guidance/information on how to set this up would be helpful.
Thank you
Dan
Universal Forwarder: Upgrade and switch to low privilege mode
Hey All,
We are planning on moving all of our UFs to the low priv mode install but I had a question.
Our current UFs are on 7.2.4 and we are looking to upgrade very soon. We are also planning on switching all of our UFs to low priv mode. My question is this: can we upgrade the UFs to a more recent version and switch them to low priv mode at the same time? Can we run the installer to upgrade and switch to low priv mode without having to uninstall the UF first?
Thanks,
Andrew
How to configure universal forwarder to ignore a directory
Hello,
I currently have a Splunk universal forwarder on a few of my Windows servers. The UF config is received from my Splunk deployment server. I have .exe processes that are currently utilizing much of my license and would like to disable Splunk from indexing those processes.
All .exe processes I want to ignore are in the c:\Program Files (x86)\Camera System Center 6\* subdirectory. I included * for all of them.
Would I just add something like below to the universal forwarder config file in the deployment server to achieve my goal?
```
# Disable Camera Process Monitoring
[monitor:c:\Program Files (x86)\Camera System Center 6\*]
disabled = 1
```
Thank you!