David Shpritz automine

## inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

## indexer_disk_space.xml
<dashboard>
  <label>Indexer Disk Usage</label>
  <row>
    <panel>
      <table>
        <title>Disk Usage by Indexer</title>
        <search>
          <query>| rest  /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
          <earliest>$earliest$</earliest>

## masa.md

      
              1 file
            
          
              1 fork
            
          
                9 comments
              
            
              2 stars
            
          
                automine
                / masa.md
            
            
              Last active
              May 23, 2024 16:23
            
          
    Masa Diagram in Mermaid

flowchart TB
    

    subgraph tail
        TailReader("TailReader (tailing)")
    end
    

## Master and Indexer distsearch.conf
[replicationSettings]
sendRcvTimeout = 120

## iaMasa.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                automine
                / iaMasa.md
            
            
              Last active
              April 19, 2023 11:05
            
              
                Ingest Actions Flow
              
          
    flowchart TD
subgraph IDX

        TCP("TCP/UDP") -- Uncooked --> pQ
        TCP -- Cooked --> rulesetQ
        TailReader("TailReader") --> pQ
        
        
        fifo("FifoInput") --> pQ

  
## splunk_http_timeouts.md

      
              1 file
            
          
              1 fork
            
          
                0 comments
              
            
              4 stars
            
          
                automine
                / splunk_http_timeouts.md
            
            
              Created
              December 22, 2022 18:03
            
              
                Explanation of various HTTP(s) timeouts in Splunk
              
          
    Original version is here, I just wanted something easier to read.


Config
Default
Max Recommended
Purpose
When to use


## props.conf
[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g

## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:

## syslog-ng.conf
template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };

## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.1.2
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
      SPLUNK_USER: root
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
	[WinEventLog://Security]
	disabled = 0
	start_from = oldest
	current_only = 0
	evt_resolve_ad_obj = 1
	checkpointInterval = 5
	blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	<dashboard>
	<label>Indexer Disk Usage</label>
	<row>
	<panel>
	<table>
	<title>Disk Usage by Indexer</title>
	<search>
	<query>\| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer \| search mount_point=/data/* \| eval usage = capacity - free
	\| eval pct_usage = round(usage / capacity * 100, 2) \| stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server \| eval splunk_server=lower(splunk_server)\| table splunk_server mount_point usage capacity pct_used \| sort splunk_server mount_point \| addcoltotals \| eval usage=round(usage/1024,2) \| eval capacity=round(capacity/1024, 2) \| rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
	<earliest>$earliest$</earliest>
	[WinEventLog:Security]
	#Returns most of the space savings XML would provide
	SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
	SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
	SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
	SEDCMD-clean3-blank_ipv6 = s/::ffff://g
	SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
	SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
	SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
	SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
	version: '3'

	services:
	splunksh:
	hostname: splunksh
	image: splunk/splunk:6.6.3
	environment:
	SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
	OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
	ports:
	template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
	template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };