Splunk install and Tips on CentOS7

Add data to Splunk
A. Splunk server

1. Click "Add data".
2. Click "A file or directory of files".
3. Choose "Consume any file on this Splunk server" and click "Next".
4. Check "Skip preview" and click "Continue".
5. Under "Specify the source", check "Continuously index data from a file or directory this Splunk instance can access", type "/opt/log/" and click "Save".

 * On Ubuntu the system log directory is "/var/log/".

B. Using SplunkForwarder

1. Link to download SplunkForwarder
2. Log on to the Splunk server.
3. Click the "Manager" link in the top right.
4. Click the "Forwarding and receiving" option.
5. Click "Add new" in the "Receive data" section.
6. Specify the TCP port (default 9997) on which the receiver should listen for forwarders.
7. Click "Save". You must restart Splunk to complete the process.

C. Windows

1. The easy way is to use SplunkForwarder; it does not take a lot of resources.
2. Click here for reference site

D. Syslog over UDP/TCP

>  Error message: "splunk In handler 'udp': Parameter name: UDP port 514 is not available", shown when you save an input with port 514 / source type: syslog.

It is one of three reasons.

1. Splunk was started with low privilege (as an unprivileged user). A port below 1024 can only be bound by root (or a process holding CAP_NET_BIND_SERVICE), so try sudo ./splunk start. Running Splunk as root is the quick fix; the safer alternative is to leave Splunk unprivileged, let the system syslog daemon own port 514, and have it either write to a file Splunk monitors or relay to a Splunk input on a port above 1024 (1514 is the usual choice).
2. Port 514 is already in use, typically by rsyslog. Check with netstat -nlup or -nltp (on CentOS 7 net-tools is not installed by default, so use ss -lnup / ss -lntp instead).
3. Firewall issue.

E. VMware

1. ESXi 4.x:

– Use vMA 5.0 (free download from VMware.com): install it and run

vicfg-syslog --server esxhostsvr.mydomain.com -s splunksvr.mydomain.com -p 514

2. ESXi 5.x: vMA 5.x only supports ESXi 4.x / vCenter 4.x, so use the vSphere client instead.

– Go to Host > Configuration > Advanced Settings > Syslog > Syslog.global.logHost and enter udp://splunk_srv:514

– Allow outgoing UDP 514 (syslog) in the host firewall / security profile:

Host > Configuration > Security Profile, click Firewall "Properties..." and tick the checkbox for syslog.

F. Cisco devices
G. SNMP Trap Message to Splunk

1. Configure the device to send its trap messages to the Splunk server IP.
2. Chris@Ubuntu$ sudo snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
   (--disableAuthorization=yes accepts traps from any source with any community string. Outside a lab, drop that option, add an "authCommunity log <community>" line to snmptrapd.conf instead, and restrict UDP 162 at the firewall to the devices that should be sending traps.)
3. Configure Splunk to monitor the file, as described in "Monitor files and directories".

To verify:

1. Check that a file named "snmp-traps" exists in the /var/log/ directory.
2. Send a test trap: sudo snmptrap -v2c -c public localhost 1 1 (you might need to install the snmp package: try "sudo apt-get install snmp").
3. Verify the content of the file snmp-traps.

 H. SNMP MIBs to Splunk

1. Download the *.mib file and copy it to /usr/share/mibs/netsnmp/ (one of net-snmp's default MIB directories on Ubuntu).
2. Run the command with -m +ALL, which loads every MIB found in the MIB directories in addition to the default list, so that trap OIDs are translated to names: sudo snmptrap -m +ALL 

Tips
  1. If you cannot add a "receiving data" input such as syslog UDP 514

It is a permission issue. A port below 1024 can only be bound by root, so Splunk has to run as root (the equivalent of Administrator).

sudo ./splunk restart from the splunk folder.

2. Splunk is not receiving UDP 514 data

Check the firewall setting. It can be verified by stopping the firewall service for a moment, but do not leave it off; open the port instead.

First, verify whether the firewall is running: try "iptables -L -n". If the output contains rules, the firewall is running on your system and it is blocking your source traffic.

To stop the firewall, try "service iptables stop".
If you get an error like "Failed to stop iptables.service: Unit iptables.service not loaded", the host is running firewalld (the default on CentOS 7), so try "systemctl stop firewalld". That stops the firewall.

Probably both firewalls were active; keep only one. The rest of this tip assumes the regular firewalld was disabled and iptables kept.

Now, to add 514 (iptables):

iptables -A INPUT -p udp -m udp --dport 514 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Note that iptables-save on its own only prints the rules to stdout; redirect it as above (or run the save action of the iptables-services package), or the rule is gone at the next reboot. If firewalld is the one kept, add the port permanently with firewall-cmd and reload rather than stopping the service.
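The three causes listed under D and in tips 1 and 2 above, walked through by a small POSIX sh script. This is an added example, not part of the original page: the `ss -lnup` output it parses is constructed, the firewall commands are the standard CentOS 7 ones (firewall-cmd for firewalld, an iptables rule saved to /etc/sysconfig/iptables for the iptables service), and the `--live` switch is an assumption of this script, not a Splunk option.

```shell
#!/bin/sh
# Added example: diagnose "UDP port 514 is not available" on CentOS 7.
# Constructed sample of `ss -lnup` output (rsyslog owns 514, splunkd listens on 1514).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=812,fd=6))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=701,fd=5))
UNCONN 0      0      0.0.0.0:1514       0.0.0.0:*         users:(("splunkd",pid=1402,fd=88))'

# Ports below 1024 need root (or CAP_NET_BIND_SERVICE) to bind.
needs_root_for_port() {
  [ "$1" -lt 1024 ]
}

# port_listener SS_OUTPUT PORT: print the process bound to UDP PORT, parsed from
# `ss -lnup` output (empty when nothing listens there). The local address is
# found by looking for a field ending in ":PORT"; the peer column is always "*".
port_listener() {
  printf '%s\n' "$1" | awk -v port="$2" '{
    for (i = 1; i <= NF; i++)
      if ($i ~ (":" port "$") && match($0, /users:\(\("[^"]+"/)) {
        print substr($0, RSTART + 9, RLENGTH - 10)   # strip users:((" and the closing quote
        exit
      }
  }'
}

# firewall_open_cmds BACKEND PORT: print the commands that open UDP PORT
# persistently. firewalld is the CentOS 7 default; an iptables rule only
# survives a reboot if written to /etc/sysconfig/iptables.
firewall_open_cmds() {
  case "$1" in
    firewalld) printf 'firewall-cmd --permanent --add-port=%s/udp\nfirewall-cmd --reload\n' "$2" ;;
    iptables)  printf 'iptables -I INPUT -p udp --dport %s -j ACCEPT\niptables-save > /etc/sysconfig/iptables\n' "$2" ;;
    none)      echo "# no firewall service active; nothing to open" ;;
    *)         echo "unknown firewall backend: $1" >&2; return 1 ;;
  esac
}

# detect_firewall: which backend is active on this host (live check only).
detect_firewall() {
  if systemctl is-active --quiet firewalld 2>/dev/null; then echo firewalld
  elif systemctl is-active --quiet iptables 2>/dev/null; then echo iptables
  else echo none; fi
}

# diagnose PORT [SS_OUTPUT]: privilege, port collision, then the firewall fix.
diagnose() {
  port=$1
  ss_out=${2:-$(ss -lnup 2>/dev/null)}
  backend=$(detect_firewall)
  if needs_root_for_port "$port" && [ "$(id -u)" -ne 0 ]; then
    echo "udp/$port is privileged: start splunkd as root, or use a port >= 1024 and relay from rsyslog"
  fi
  owner=$(port_listener "$ss_out" "$port")
  [ -n "$owner" ] && echo "udp/$port is already bound by $owner: stop it, or have it relay to Splunk"
  echo "to open udp/$port (firewall backend: $backend):"
  firewall_open_cmds "$backend" "$port"
}

# Dry run against the constructed sample; pass --live to inspect this host.
if [ "${1:-}" = "--live" ]; then diagnose 514; else diagnose 514 "$SAMPLE_SS"; fi
```

When rsyslog turns out to own the port, the least-privilege fix is to keep it there and add a relay line such as `*.* @127.0.0.1:1514` to rsyslog.conf while Splunk listens on UDP 1514 as a normal user; nothing then needs root and the firewall only has to admit 514 for rsyslog.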

============================

fail* password
fail* password user=ad*
chart count over user by ip_addr ; use fields in reports for more details.
stats sum(duration) by ip_addr
* | top source limit=4
host="192.168.77.1" | top msg limit=4

LIsa Guinn

> Web service: session spoofing activity (one JSESSIONID seen from more than one client IP)

sourcetype="access_combined" | transaction JSESSIONID
sourcetype="access_combined" | transaction JSESSIONID | where mvcount(clientip) > 1
sourcetype="access_combined" | transaction JSESSIONID | where mvcount(clientip) > 1 | table JSESSIONID

> multikv
sourcetype="top" | multikv | where pctCPU > 50 | dedup COMMAND | table COMMAND USER
> Web Analytics
> Transaction by SLA (all_web_events is a search macro, hence the backticks)
`all_web_events` | transaction JSESSIONID | where duration > 50

> Cisco security (IronPort web proxy; x_wbrs_score below -5 is a bad reputation)
src_ip="x.x.x.x" eventtype="ironport_proxy" x_wbrs_score<-5
src_ip="x.x.x.x" eventtype="ironport_proxy" x_wbrs_score<-5 sc_result_code="TCP_REFRESH_HIT"

Make alert
1. Search tab: eventtype=firewall-botnet-filter [search x_wbrs_score<-5 eventtype="ironport_proxy" sc_result_code="TCP_REFRESH_HIT" | fields + src_ip]
2. Save search;
————
> Temporarily define and extract an IP address from raw data (the backslashes are required; a regex written as d{1,3}. matches any character)
sourcetype=syslog | rex field=_raw "\b(?<ip>(?:\d{1,3}\.){3}\d{1,3})\b" | search
or
sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | search
sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

—GeoIP
* | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | geoip ip (o: works)

* | rex "(?<src>\d+\.\d+\.\d+\.\d+)" | eval clientip=src | lookup geoip clientip (x: does not work)
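The extraction above, run offline over syslog lines with the same regex, plus the one check none of the rex variants on the page make: that each octet is in 0-255. This is an added example, not from the original page; the syslog lines are constructed, and the word-boundary `\b` relies on GNU grep, which is what CentOS 7 ships.

```shell
#!/bin/sh
# Added example: extract and validate dotted-quad IPs from syslog text.
# Constructed sample; line 3 carries version strings that look like IPs.
SAMPLE_SYSLOG='Sep  8 01:25:28 gw sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Sep  8 01:25:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.5 LEN=60 PROTO=TCP DPT=514
Sep  8 01:25:33 gw app[410]: build 2.10.3.4117 started, version 1.2.3.456 cache 999.1.1.1
Sep  8 01:25:40 gw sshd[2240]: Accepted publickey for ops from 10.0.0.8 port 40122 ssh2'

# extract_ips < text: print each distinct candidate in first-seen order.
# The grep is the page's \b(\d{1,3}\.){3}\d{1,3}\b in POSIX ERE form (GNU grep
# understands \b). The awk stage drops anything with an octet above 255, which
# the regex alone lets through (999.1.1.1, 1.2.3.456), and de-duplicates.
extract_ips() {
  grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' |
  awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && !seen[$0]++'
}

# count_ips < text: number of distinct valid IPs, for quick sanity checks.
count_ips() {
  extract_ips | awk 'END { print NR + 0 }'
}

printf '%s\n' "$SAMPLE_SYSLOG" | extract_ips
```

Without the octet check, the GeoIP lookup on the page would be fed version numbers and other dotted digit runs as if they were addresses; the lookup fails quietly and the row just has no country, which is easy to miss in a dashboard.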

—————–
Radial Gauge

source=WMI:CPUTime host="test-splunk" PercentUserTime="*" | timechart avg(PercentUserTime)
> How many page views were requested?
sourcetype=access_* method=GET
sourcetype=access_* method=GET | stats count AS Views

> What was the difference between page views and purchases made?
sourcetype=access_* method=GET | stats count AS Views, count(eval(action="purchase")) AS Purchases
sourcetype=access_* method=GET | stats count AS Views, count(eval(action="purchase")) AS Purchases | eval percentage=round(100-(Purchases/Views*100)) | rename percentage AS "% Difference"

> What was purchased and how much was made?
sourcetype=access_* action=purchase | stats count by product_name
sourcetype=access_* action=purchase | stats count, values(price), sum(price) by product_name
sourcetype=access_* action=purchase | stats count AS "# Purchased", values(price) AS Price, sum(price) AS Total by product_name | eval Total="$ ".tostring(Total, "commas")

> How many purchase attempts failed?
sourcetype=access_* action=purchase status=503
sourcetype=access_* action=purchase status=503 | stats count

> To convert a field Value holding 0.02931234123 into 2.9:
...| eval newValue=round(Value * 100,1)

> To convert it into 2.93:
...| eval newValue=round(Value * 100,2)

> To turn it into the string "2.93 %" as well:
...| eval newValue=round(Value * 100,2) . " %"

> Windows system events of the last 24 hours (the time modifier is earliest, not earliest_time)
source=wineventlog:* earliest=-24h
> Linux system disk space usage
index="os" sourcetype="df" host=* | multikv fields Filesystem, UsePct | strcat host "@" Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem

>Send search results to the specified email.
… | sendemail to=”[email protected]

>Save the running total of “count” in a field called “total_count”.
… | accum count AS total_count

>Add information about the search to each event.
… |addinfo

>Search for “404” events and append the fields in each event to the previous search results.
… | appendcols [search 404]

>For each event where ‘count’ exists, compute the difference between count and its previous value and store the result in ‘countdiff’.
… | delta count AS countdiff

>Extracts out values like “7/01”, putting them into the “monthday” attribute.
… | erex monthday examples=”7/01″

>Set velocity to distance / time.
… | eval velocity=distance/time

>Return the number of events in your data that have no recognizable timestamp.
timestamp=none | stats count(_raw) as count

> Search for events containing the term "404" that come from any host whose name starts with "192".
404 | regex host="^192\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

> Search for events with the term "apache" that occurred between 10pm and midnight on the current day (date_hour runs from 0 to 23).
apache (date_hour >= 22 AND date_hour <= 23)

> Search for events containing the term "apache" that occurred between the 1st and 15th day of the current month.
apache (date_mday >= 1 AND date_mday <= 15)

> Search for events with the term "apache" that occurred in September.
apache date_month="september"

—————
I don't think Wubi would affect bootup speed.

To remove Wubi I would remove C:\ubuntu and C:\wubildr*, then remove the boot.ini entry and delete the registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wubi

edits: added full procedure to remove Wubi.
FreeBSD made easy: http://www.freebsdmadeeasy.com/tutorials/web-server/configure-apache-web-server-on-freebsd.php
FreeBSD command http://www.youtube.com/watch?v=svFqfmgWpeU&feature=channel&list=UL

Splunk naver cafe
http://cafe.naver.com/splunkkbi/

Splunk install on FreeBSD
http://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonFreeBSD

splunk user manual – english
http://docs.splunk.com/Documentation/Splunk/latest/User/Timelinetutorial
————

Alert

source=”/var/log/secure.log” “BAD SU”

———————–
misc activity NOT reply | stats avg(IpLen) by dest_ip ; Last 60 minutes

——————–
Save Eventtype

Name: Snort-alert

Search string (the three terms every Snort alert line carries):
"[**]" classification priority

Tag(s), optional:
application, attempt, communicate, ids

———————-
Report & dashboard

sourcetype=access_combined | chart count by status

———————

Report & dashboard

sourcetype=access_combined | timechart count by status

sourcetype=access_combined | timechart count span=1s by status   (span values: 1s, 1m, 5m, 1h, 1d, 1mon)
———————–
...status=503 | stats count | rangemap field=count low=0-199 elevated=200-1000

<single>
<searchName>Number of Http 503 Errors</searchName>
<title>count of Http Status 503 Errors</title>
<option name="classField">range</option>
</single>
————————–
This is an example Splunk command called slogan that adds random Splunk slogans to your results table.

The add-on was written strictly for entertainment value.
Usage:
<some search> | slogan
You will then get a new field called splunk_slogan in your results. You can do things like:
<some search> | slogan | top splunk_slogan limit=100

<some search> | slogan | stats count by splunk_slogan
Installation
Copy the slogan.py and slogans.txt files to your SPLUNK_HOME/etc/system/bin directory. Register the command in commands.conf and authorize it in authorize.conf. Restart Splunk. Further instructions are in the README.txt. Initial slogans come from Splunk T-shirts and new ones are from Gerald K.

x.x.x.x
[Sat Sep 08 01:25:28 2012] [error] [client 69.255.190.62] File does not exist: /home/ipbalanc/public_html/templates/ipbalance32/images/rssicon.png, referer: https://ipbalance.com
