Alaric Hartmann tfhartmann
@tfhartmann
tfhartmann / splunktalk_sasl_logins.md
Created September 25, 2013 14:30
Searches from Splunk Talk

Search string used to identify users who have logged in an excessive number of times compared with the rest of the population. Note the cutoff in the where clause is 900 times the average login count plus one standard deviation; the more conventional form is average plus k standard deviations, so tune the factor to your own baseline.

index=os ( sourcetype=syslog OR sourcetype=postfix_syslog) sasl_method="LOGIN" | stats count(sasl_username) as usercount by sasl_username, _time | sort - usercount | eventstats avg(usercount) as avg_usercount stdev(usercount) as std_usercount |convert ctime(_time) | stats sum(usercount) as usercount by sasl_username, avg_usercount, std_usercount | where usercount>(900*avg_usercount + std_usercount)| rename avg_usercount as "Avg Count of Logins for all Users", std_usercount as "Standard Deviation of Logins for all Users", usercount as "Count of Logins"
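The same detection logic outside Splunk, as an added example that is not part of the gist: it parses constructed postfix/smtpd syslog lines (not real mail logs), counts SASL LOGIN authentications per sasl_username, and flags any user above mean plus k sample standard deviations (k=2 is an assumption; the gist uses 900 times the average instead). Splunk's stdev() is the sample standard deviation, so statistics.stdev is the matching function.

```python
import re
import statistics
from collections import Counter

# Constructed postfix/smtpd syslog lines (not taken from the gist or any real
# mail server). Only the fields the Splunk search keys on matter here:
# sasl_method and sasl_username.
_LINE = ("Sep 25 14:{m:02d}:{s:02d} mx1 postfix/smtpd[1234]: {qid:08X}: "
         "client=unknown[203.0.113.{h}], sasl_method={method}, sasl_username={user}")


def _make_sample():
    baseline = {"alice": 3, "bob": 2, "carol": 4, "dave": 3, "erin": 3,
                "frank": 2, "grace": 5, "heidi": 3, "ivan": 4}
    flood = {"mallory": 60}  # one account hammering SASL LOGIN
    lines, n = [], 0
    for user, count in {**baseline, **flood}.items():
        for _ in range(count):
            lines.append(_LINE.format(m=n // 60, s=n % 60, qid=n, h=10 + n % 50,
                                      method="LOGIN", user=user))
            n += 1
    # A PLAIN auth that must be ignored, mirroring sasl_method="LOGIN" in the search.
    lines.append(_LINE.format(m=59, s=59, qid=n, h=99, method="PLAIN", user="eve"))
    return lines


SAMPLE_LOG = _make_sample()

SASL_RE = re.compile(r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)")


def count_logins(lines, method="LOGIN"):
    """Logins per sasl_username for one SASL method (the search's stats stages)."""
    counts = Counter()
    for line in lines:
        m = SASL_RE.search(line)
        if m and m.group("method") == method:
            counts[m.group("user")] += 1
    return counts


def flag_outliers(counts, k=2.0):
    """Users whose login count exceeds mean + k * sample stdev across all users."""
    values = list(counts.values())
    if len(values) < 2:
        # One or zero users: no population to deviate from, so flag nobody.
        return {}, {"mean": float(values[0]) if values else 0.0,
                    "stdev": 0.0, "threshold": float("inf")}
    mean = statistics.mean(values)
    sd = statistics.stdev(values)
    threshold = mean + k * sd
    flagged = {u: c for u, c in counts.items() if c > threshold}
    return flagged, {"mean": mean, "stdev": sd, "threshold": threshold}


if __name__ == "__main__":
    counts = count_logins(SAMPLE_LOG)
    flagged, stats = flag_outliers(counts)
    print(f"avg={stats['mean']:.1f} stdev={stats['stdev']:.1f} "
          f"threshold={stats['threshold']:.1f}")
    for user, c in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{user}: {c} logins")
```

With a small population a single flood inflates the standard deviation itself, which is why the threshold is applied to the per-user totals rather than per-event buckets; for a production baseline compute mean and stdev over a longer window than the one you are alerting on.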
@tfhartmann
tfhartmann / splunktalk_predict.md
Created September 25, 2013 14:21
Searches from Splunk Talk

This is the search we use to try to predict future Splunk throughput: daily indexed volume in GB, projected 180 days out with the LLT algorithm and a 95% band.

`index_usage_macro` | bucket _time span=1d | stats sum(kb) as kb by series, _time | timechart span=1d per_day(eval(kb/1024/1024)) as GB | predict upper95=High lower95=low future_timespan=180 algorithm=LLT GB as "Predicted"
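A stand-alone version of the same capacity projection, added here and not part of the gist: it fits an ordinary least-squares trend line to constructed daily GB totals (not real license data) and extends it with a residual-based 95% band. This is a plain linear trend, not the Kalman-filter local linear trend (LLT) that Splunk's predict command uses, so treat the band as illustrative.

```python
import math

# Constructed daily indexed volume in GB (not real Splunk data): a gentle
# upward trend with a dip on the two weekend days of each week.
DAILY_GB = [round(120 + 1.5 * d + (-25 if d % 7 in (5, 6) else 0), 1)
            for d in range(30)]


def fit_trend(series):
    """Least squares y = a + b*x over x = 0..n-1; returns (a, b, residual_sd)."""
    n = len(series)
    xs = range(n)
    mx = sum(xs) / n
    my = sum(series) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, series))
    b = sxy / sxx
    a = my - b * mx
    resid = [y - (a + b * x) for x, y in zip(xs, series)]
    sd = math.sqrt(sum(r * r for r in resid) / (n - 2)) if n > 2 else 0.0
    return a, b, sd


def forecast(series, horizon, z=1.96):
    """(lower95, predicted, upper95) for each of the next `horizon` days."""
    a, b, sd = fit_trend(series)
    n = len(series)
    out = []
    for h in range(1, horizon + 1):
        y = a + b * (n - 1 + h)
        out.append((y - z * sd, y, y + z * sd))
    return out


if __name__ == "__main__":
    a, b, sd = fit_trend(DAILY_GB)
    print(f"intercept={a:.1f} GB/day, slope={b:.2f} GB/day/day, resid sd={sd:.1f}")
    low, mid, high = forecast(DAILY_GB, 180)[-1]
    print(f"day +180: {low:.0f} .. {mid:.0f} .. {high:.0f} GB")
```

The weekend dips widen the band noticeably; that is the practical reason to bucket per day (as the gist does with span=1d) before forecasting rather than fitting hourly data.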
@tfhartmann
tfhartmann / splunktalk_vpn_countries.md
Created September 25, 2013 14:15
Searches from Splunk Talk

In this case we are looking up all successes that are NOT from RFC 1918 address space and formatting the output in a table. As written the search excludes only 10.0.0.0/8; add 172.16.0.0/12 and 192.168.0.0/16 to the NOT clause if those ranges are in use, otherwise they come back from geoip with no country and end up in the table.

`vpn` action="success" NOT Calling_Station_Id=10.0.0.0/8 | rename Calling_Station_Id as src_ip | stats dc(user) as Users by src_ip, user  | geoip src_ip  | search NOT src_ip_country_code=US | rename src_ip_country_name as Country | stats dc(user) as Users by Country| sort -Users
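The same filter-and-group logic as an added example, not part of the gist: constructed RADIUS-style VPN records (field names follow the search: action, Calling_Station_Id, user) are filtered to successes from non-private source addresses, resolved against a constructed geo table standing in for the geoip lookup (RFC 5737 documentation prefixes, not real geolocation data), and reduced to distinct users per non-home country. The private_nets parameter shows what changes when only 10.0.0.0/8 is excluded.

```python
import ipaddress
from collections import defaultdict

# Constructed VPN success/failure events, not from the gist or a real NAS.
VPN_EVENTS = [
    {"action": "success", "Calling_Station_Id": "10.20.30.40", "user": "alice"},    # RFC 1918
    {"action": "success", "Calling_Station_Id": "192.168.1.9", "user": "bob"},     # RFC 1918, not 10/8
    {"action": "success", "Calling_Station_Id": "203.0.113.5", "user": "carol"},
    {"action": "success", "Calling_Station_Id": "203.0.113.5", "user": "carol"},   # repeat login
    {"action": "success", "Calling_Station_Id": "198.51.100.22", "user": "dave"},
    {"action": "success", "Calling_Station_Id": "198.51.100.23", "user": "erin"},
    {"action": "failure", "Calling_Station_Id": "198.51.100.99", "user": "frank"}, # not a success
    {"action": "success", "Calling_Station_Id": "192.0.2.77", "user": "grace"},    # home country
]

# Stand-in for the geoip command: constructed /24 -> (country code, name) table.
GEO_TABLE = {
    "203.0.113.0/24": ("DE", "Germany"),
    "198.51.100.0/24": ("BR", "Brazil"),
    "192.0.2.0/24": ("US", "United States"),
}

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip, nets=RFC1918):
    """True if ip falls in any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def geoip(ip):
    """Look ip up in GEO_TABLE; unresolvable addresses become ("", "unknown")."""
    addr = ipaddress.ip_address(ip)
    for cidr, (code, name) in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return code, name
    return "", "unknown"


def users_by_country(events, home_country="US", private_nets=RFC1918):
    """Distinct users per country for successful logins from outside
    private_nets and outside home_country, sorted by user count descending."""
    users = defaultdict(set)
    for ev in events:
        if ev["action"] != "success":
            continue
        ip = ev["Calling_Station_Id"]
        if is_private(ip, private_nets):
            continue
        code, name = geoip(ip)
        if code == home_country:
            continue
        users[name].add(ev["user"])
    return sorted(((c, len(u)) for c, u in users.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for country, n in users_by_country(VPN_EVENTS):
        print(f"{country}: {n} users")
    print("10/8 only:", users_by_country(VPN_EVENTS, private_nets=("10.0.0.0/8",)))
```

With only 10.0.0.0/8 excluded, bob's 192.168.1.9 login survives the filter, fails the geo lookup and appears as an "unknown" country row, which is the artefact the full RFC 1918 exclusion removes.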

The interesting part of this search is the lookup!

`autoreg_registrations` | lookup local=t mac2huid mac AS src_mac  | search NOT os=unknown | chart count by os

The autoreg_registrations macro expands to this:

autoreg_registrations
@tfhartmann
tfhartmann / splunktalk_vpn.md
Last active December 23, 2015 21:59
Searches from Splunk Talk

This week vs. last week! Note that as written the appended search pulls yesterday (earliest=-1d@d latest=-0d@d), labels it "Last Week" and shifts it forward by one day (86400 s) onto today's axis; for a true week-over-week overlay use earliest=-7d@d latest=-6d@d and shift by 604800 s.

`vpn` action=success earliest=-0d@d latest=now | eval ReportKey="Today" | append [search `vpn` action=success earliest=-1d@d latest=-0d@d | eval ReportKey="Last Week"   | eval new_time=_time+86400] | eval _time=if(isnotnull(new_time), new_time, _time)| timechart count by ReportKey
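The time-shift overlay behind that search, as an added example that is not part of the gist: constructed VPN success timestamps (UTC, not real data) for a day and for the same weekday one week earlier are bucketed per hour, with the older series shifted forward by seven days so both land on the same hour keys, which is what the eval _time=new_time trick does. Shifting by DAY instead reproduces the gist's literal yesterday-versus-today behaviour.

```python
from collections import Counter
from datetime import datetime, timezone

DAY = 86400
WEEK = 7 * DAY


def _ts(s):
    """ISO-8601 string (treated as UTC) -> epoch seconds."""
    return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())


# Constructed VPN success times: Thursday 2013-09-26 and the previous Thursday.
TODAY_EVENTS = [_ts(f"2013-09-26T{h:02d}:15:00") for h in (8, 8, 9, 9, 9, 10, 14, 22)]
LAST_WEEK_EVENTS = [_ts(f"2013-09-19T{h:02d}:40:00") for h in (8, 9, 9, 10, 10, 13)]


def hourly_counts(timestamps, shift=0):
    """Events per hour bucket after adding `shift` seconds to each timestamp
    (the eval new_time=_time+N step, then timechart span=1h)."""
    return Counter(((t + shift) // 3600) * 3600 for t in timestamps)


def bucket_days(buckets):
    """Distinct UTC calendar days the hour buckets fall on; handy for checking a shift."""
    return sorted({datetime.fromtimestamp(h, timezone.utc).strftime("%Y-%m-%d")
                   for h in buckets})


def overlay(today, last_week, shift=WEEK):
    """{hour label: (today count, shifted last-week count)} over the union of hours."""
    a = hourly_counts(today)
    b = hourly_counts(last_week, shift=shift)
    return {datetime.fromtimestamp(h, timezone.utc).strftime("%Y-%m-%d %H:00"):
            (a.get(h, 0), b.get(h, 0)) for h in sorted(set(a) | set(b))}


if __name__ == "__main__":
    for hour, (now, then) in overlay(TODAY_EVENTS, LAST_WEEK_EVENTS).items():
        print(f"{hour}  today={now}  last_week={then}")
```

Hours present in only one series still appear with a zero on the other side, which is what makes a sudden off-hours spike (or a silent hour) visible in the chart.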

Sparkline for logins

 index=radius host= |stats sparkline count(action) as count by action | sort -count 
@tfhartmann
tfhartmann / s3_website.md
Last active December 23, 2015 20:29
How to install and configure s3_website on a Mac

How I made this Blog - A Drama in Many Parts.

[The Quick and Dirty](#the-quick-and-dirty) [Install s3_website](#install-s3_website)

This post may get a little long and ramble a bit, so let me skip directly to the payoff: quick and easy content management on crazy robust and reliable infrastructure. Here are the commands I need to add and post new content:

 ]$ vim _posts/2013-09-27-hello-world.md 
 
@tfhartmann
tfhartmann / haag_puppet.md
Created September 18, 2013 16:52
HAAG Puppet Example for Common Infrastructure Scaffolding - The API section of Integrated_Operations wiki page
class iam_ldap_server (
  <parameters go here>
) {
  # 389_server is the module written by IAM
  class { '389_server':
    ensure  => 'present',
    require => Class['server'],
    <other parameters go here>
  }
@tfhartmann
tfhartmann / cloud_eng.md
Last active December 21, 2015 19:39
Cloud Eng Notes Aug27 2013

~ 6 month Project

  • "Where we're going we don't need offices"

  • Everything should be open source and published publicly

A release is tagged every two weeks and we hold ourselves accountable to that, based on a two-week scrum cycle.

@tfhartmann
tfhartmann / aws_secnotes.md
Last active December 21, 2015 03:29
AWS notes

Entrance portal for Amazon (Joe's suggestion): walk you through the different levels of protection and which templates satisfy those obligations

Let's get the definition of what the levels are, à la SOB and the security portals (TH)

reference architectures on cloud portal

From AWS: the shared security model

@tfhartmann
tfhartmann / vagrant-mc.md
Last active December 20, 2015 20:58
Vagrant Minecraft overviewer Notes

Problem

===

  • I was running an AWS instance to host a Minecraft map ( http://map.ob3y.com/mcmap ) with friends and it was costing me a bunch of $$$
  • Rendering on a cluster was slow, since disk was a bit slow, and MC Overviewer would only use a single node (no parallel feature)
  • rsyncing from the "map processing" nodes to the "web node" was slow
  • I ran out of disk space on the web node ... booo... and this equals small maps...

===

ideas