Skip to content

Instantly share code, notes, and snippets.

Avatar

David Shpritz automine

View GitHub Profile
@automine
automine / inputs.conf
Last active Oct 2, 2020
Nice windows event blacklisting
View inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
@automine
automine / extended_search_reporting.xml
Last active Sep 11, 2020
Extended Search Reporting, v1.4 thanks to cerby on the Splunk Community Slack (dpaper@splunk.com)!
View extended_search_reporting.xml
You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml
@automine
automine / props.conf
Last active Jun 23, 2020
Windows Event Clean Up in Splunk
View props.conf
[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
@automine
automine / docker-compose.yml
Last active Dec 11, 2019
Splunk DS+MN, SH, 2xIDX, UF
View docker-compose.yml
version: '3'
services:
splunksh:
hostname: splunksh
image: splunk/splunk:6.6.3
environment:
SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
ports:
@automine
automine / docker-compose.yml
Created Sep 24, 2018
Splunk 7.1 docker-compose, single instance
View docker-compose.yml
version: '3'
services:
splunksh:
hostname: splunksh
image: splunk/splunk:7.1.2
environment:
SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
SPLUNK_USER: root
OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
View server.conf
# Disable the default management listener which binds to 0.0.0.0
# And then set up a new listener that listens on the loopback
[httpServer]
disableDefaultPort = true
[httpServerListener:127.0.0.1:8089]
ssl=true
@automine
automine / syslog-ng.conf
Created Mar 19, 2019
Template to test syslog-ng headers
View syslog-ng.conf
template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };
View Master and Indexer distsearch.conf
[replicationSettings]
sendRcvTimeout = 120
@automine
automine / README.md
Created Jan 29, 2019
Windows TA 5 Changes
View README.md

Windows TA 5 Changes

Overview

There were changes made in the Splunk Add-on for Windows in version 5.0 which are very different from past versions. With this change, some apps may have issues, such as the Exchange App, Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on For Microsoft Windows 5.0.0 changes related to WinEventLog Sourcetypes that may impact Winfra/Exchange/ITSI apps.

Why these changes were made

  1. Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
  2. Improve performance
  3. Follow knowledge management best practices
  4. Remove any unsupported functionality, such as wildcard sourcetyping
  5. Produce well-structured code with a dedicated stanza per log format, instead of the previous mix
@automine
automine / docker-compose.yml
Created Oct 16, 2017
Splunk DS, SH, IDX, UF
View docker-compose.yml
version: '3'
services:
splunksh:
hostname: splunksh
image: splunk/splunk:6.6.3
environment:
SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
ports:
You can’t perform that action at this time.