Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pck1983
pck1983
Explorer
Member since:
09-05-2023
09-16-2023
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 09-05-2023 |
Activity Feed
- Posted Why the ErrorCode 5 when trying to forward Sysmon logs (unable to subscribe)? on Installation. 09-16-2023 07:29 AM
- Posted Re: Importing sysmon logs into Splunk on Splunk Enterprise. 09-14-2023 03:25 AM
- Posted Importing sysmon logs into Splunk on Splunk Enterprise. 09-14-2023 02:06 AM
- Karma Re: Time in Splunk for gcusello. 09-08-2023 02:39 AM
- Karma Re: Time in Splunk for gcusello. 09-08-2023 02:39 AM
- Posted Re: Time in Splunk on Installation. 09-08-2023 02:14 AM
- Posted Time in Splunk on Installation. 09-08-2023 01:43 AM
- Posted Re: Beginner issues on Installation. 09-06-2023 01:22 AM
- Tagged Re: Beginner issues on Installation. 09-05-2023 11:09 PM
- Posted Re: Beginner issues on Installation. 09-05-2023 04:19 PM
- Tagged Re: Beginner issues on Installation. 09-05-2023 04:19 PM
- Posted Beginner issues on Installation. 09-05-2023 03:59 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-16-2023
07:29 AM
I got the following errors in my Splunk Error Logs:
Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Doamin).
I can see Sysmon logging in the eventlog viewer and I can forward the System and Security logs but not the Sysmon logs. What do I overlook here?
inputs.conf:
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
... View more
- Tags:
- splunk search
Labels
- Labels:
-
universal forwarder
-
Windows
09-14-2023
03:25 AM
I got the following errors in my Splunk Error Logs: Failed to find Event Log with channel name=Applications and Services Logs/Microsoft/Windows/Sysmon/Operational Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
... View more
09-14-2023
02:06 AM
Hello, I have installed sysmon and I try to send it with a UniversalForwarder on that machine to my Splunk-Indexer and Search-Head... I have tryed to add [WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
[WinEventLog://"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"]
disabled = 0
[WinEventLog://Applications and Services Logs/Microsoft/Windows/Sysmon/Operational]
disabled = 0 to the inputs.conf, but non of that versions worked... I have also restarted the UniversalForwarder and the Indexer / Search-Head has the Sysmom app installed. What am I doing wong?! PS.: Sysmon is running and I see the logged data in the Eventviewer of that machine...
... View more
Labels
09-08-2023
02:14 AM
Hi Giuseppe, so that was a parsing error - make sence because a hand full of older entries hat another formating. The majority of the entries from that older logfile where indexed correctly! Just that I understand it - Splunk parses the event and extract a time from the event. That parsed time is stored in _time. The indextime is stored in _indextime. In case there is not time entry in the file the indextime ist also used for _time. Correct so far? But what if I get events from machines in different timezones? Is _time converted fo my local timezone? What does it mean when I search for events from today 6:00am till 10:00am? Does that mean 6:00am - 10:00am in my timezone? Or in the timezones of the machines?
... View more
09-08-2023
01:43 AM
Hello, I have a few questions about the time in Splunk. That is a entry from an older logfile and here the _time field and the timestamp in the log does not match! 4/30/23 1:32:16.000 PM Mai 08 13:32:16 xxxxxx sshd[3312558]: Failed password for yyyyyyyy from 192.168.1.141 port 58744 ssh2 How could that happen? How does time come up with the time fields? And how does it handle files which comtain no time-stamps? Is then the index-time used? Ther is a few things which I do not fully understand - maybe there is some article in the documentation which explain that in detail but I have not found with a quick search. Could pleas someone clearify how splunk handle that or link to an article? Thanks!
... View more
09-06-2023
01:22 AM
I have it solved - no idea what it was but after I rebooted all of the machines it start to work... Thanks! BTW - when my 60 days of test period are done and I go back to the free license. Will the forwarders work or do I need a prof. license? I am pretty sure my 3 workstations will not exceed the 500MB / day limit!
... View more
09-05-2023
04:19 PM
I forgot to tell you what my inputs.conf contains: [WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://Setup]
disabled = 0 My outputs.conf: [tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.2:9997
[tcpout-server://192.168.1.2:9997]
... View more
09-05-2023
03:59 PM
Hello, I try to learn splunk and thatfor I have setup a demo-version in my home-lab on the Linux system... Actually I have splunk running and I added the local files. Then I activated port 9997 and installed a universal forwarder on my Windows 10 PC. I can see on Linux with tcpdump that I get packages on port 9997 but I can't get the data into splunk! When I try to add data from a forwarder manually then I see the message that I have actually not forwarders configured... What am I doing wrong?
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
-
Windows
