I inherited a Splunk Enterprise deployment with a deployment management server used to make changes to all forwarders in the environment. In our environment we have an Index called "test" that is eating away at a highly disproportionate amount of our license (it's 50% of our daily usage). When I log on to our Splunk Deployment Server and do a search for "Index = test" or "Index=test" I get back two apps in $SPLUNK_HOME/etc/deployment-apps/.

The first is DesktopForwarder, which has a default `nf` file that looks like this (extra line breaks removed):

filters=filetypes-blacklist,system32-blacklist

The second is a Forwarder app that has a default `nf` that looks like this:

In the context of today, if I search `index="test"` I get thousands of WinEventLog:Security events from every Windows server on our network. If I search `index="test" NOT sourcetype="WinEventLog:Security"` I get a few dozen log files from one RHEL6 server that don't appear to be handled elsewhere.

These two episode monitoring correlation searches evaluate all open episodes and create new notable events when a new Splunk On-Call incident needs to be created or when an episode state change occurs. These new notable events become part of the associated episode. Next, the ITSI rules engine, which runs the NEAP (notable event aggregation policy) policy, applies action rules against the newly created notable events. If an action rule's activation criteria match the notable event data, the action defined in that rule (such as creating a Splunk On-Call incident) is performed. This design pattern is an integral part of the ITSI Monitoring and Alerting content pack and is explained further in the following video. Watch the video to see how to configure and deploy these two Splunk ITSI episode monitoring correlation searches, as well as how to validate the creation of the notable events and the action rule processing.

I want a regular expression to pull a file name out of a path that is the process field. The path could be any directory, and the filename could be named anything.

Oct 25 13:31:50 Oct 25 13:31:43 172.23.0.24 1 - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date=" 6:30:38 PM" ip_address="172.16.1.12" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-0848-01d3-4d9cda329d68" server_version="7." process_trust="10" process_threat="0"

Oct 25 14:47:20 Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date=" 7:46:25 PM" ip_address="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rule_name="FIM_OSSEC" process_key="00000000-0000-15e8-01d3-490915c2f584" server_version="7." process_trust="10" process_threat="0"
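One way to do what the post asking for a regex wants, as an added example that is not part of the original thread: a Python script that parses Carbon Black Protection-style key="value" event lines and pulls the file name out of the `process` field with the same pattern a Splunk `rex` would use. The event lines are re-embedded as constructed sample input (the two quoted events, trimmed, plus one invented event with spaces in the path); the `rex` command in the comment is my assumed SPL rendering of the pattern and should be checked against your Splunk version's backslash escaping.

```python
import re

# Last path component: a run of characters that are not a path separator,
# anchored at the end of the string. Accepts Windows "\" as well as "/".
# Assumed SPL equivalent (Splunk search strings need backslashes doubled,
# so verify the escaping on your version):
#   ... | rex field=process "(?<process_file_name>[^\\\\/]+)$"
FILE_NAME_RE = re.compile(r"[^\\/]+$")

# key="value" pairs as they appear in the Carbon Black Protection events.
# Quoted values contain single quotes and backslashes but never a double
# quote, so an "anything but a double quote" capture is enough.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input for this example: the two events quoted in the
# post, trimmed to the fields that matter here, plus one invented event whose
# process path contains spaces and a parenthesis.
SAMPLE_EVENTS = [
    r'''Oct 25 13:31:43 172.23.0.24 1 - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" username="domain\user" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" rule_name="FIM_Directory"''',
    r'''Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" username="domain\user" process="c:\windows\system32\mmc.exe" rule_name="FIM_OSSEC"''',
    r'''Oct 25 15:02:11 172.23.0.24 system event: text="constructed event" type="Policy Enforcement" username="domain\svc" process="c:\program files (x86)\vendor app\agent service.exe" rule_name="FIM_Directory"''',
]


def file_name_from_path(path):
    """Return the last component of a Windows or POSIX path ("" if none).

    A trailing separator is ignored, so a directory path yields the
    directory name rather than an empty string.
    """
    match = FILE_NAME_RE.search(path.rstrip("\\/"))
    return match.group(0) if match else ""


def parse_event(line):
    """Turn one key="value" event line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def extract_process_file_names(events):
    """For each event, return (process path, extracted file name).

    This is what `rex field=process ...` would add as a new field in Splunk.
    """
    rows = []
    for line in events:
        process = parse_event(line).get("process", "")
        rows.append((process, file_name_from_path(process)))
    return rows


if __name__ == "__main__":
    for process, name in extract_process_file_names(SAMPLE_EVENTS):
        print(f"{name:<20} <- {process}")
```

The character class deliberately excludes both separators, so the same pattern copes with forward-slash paths from Linux hosts in the same index; a `rex` with `[^\\]+$` alone would return the whole string for those.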