flowchart TB
subgraph tail
TailReader("TailReader (tailing)")
end
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[replicationSettings] | |
sendRcvTimeout = 120 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[WinEventLog://Security] | |
disabled = 0 | |
start_from = oldest | |
current_only = 0 | |
evt_resolve_ad_obj = 1 | |
checkpointInterval = 5 | |
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" | |
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" | |
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)" | |
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)" |
flowchart TD
subgraph IDX
TCP("TCP/UDP") -- Uncooked --> pQ
TCP -- Cooked --> rulesetQ
TailReader("TailReader") --> pQ
fifo("FifoInput") --> pQ
Original version is here, I just wanted something easier to read.
Config | Default | Max Recommended | Purpose | When to use |
---|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[WinEventLog:Security] | |
#Returns most of the space savings XML would provide | |
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g | |
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g | |
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g | |
SEDCMD-clean3-blank_ipv6 = s/::ffff://g | |
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g | |
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g | |
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g | |
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: '3' | |
services: | |
splunksh: | |
hostname: splunksh | |
image: splunk/splunk:6.6.3 | |
environment: | |
SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt | |
OPTIMISTIC_ABOUT_FILE_LOCKING: '1' | |
ports: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n"); | |
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: '3' | |
services: | |
splunksh: | |
hostname: splunksh | |
image: splunk/splunk:7.1.2 | |
environment: | |
SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123 | |
SPLUNK_USER: root | |
OPTIMISTIC_ABOUT_FILE_LOCKING: '1' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml |
NewerOlder