App not populating #17
Have you done anything outside of the instructions? Is the SHC running ES?
Yes, the SHC is running ES
Sent from my iPhone
On Jan 23, 2017, at 8:25 PM, doksu wrote:
> Have you done anything outside of the instructions? Is the SHC running ES?
Apologies for the delay. Are you still experiencing issues? Could you please provide more detail? Which version of Splunk are you running? Have you created a local app import regex in ES to accommodate TA_ named apps? If you're on Slack, please message me (trustedsubject) to set up a conference call.
Here's the app import regex for SplunkEnterpriseSecuritySuite/local/inputs.conf:
I've just updated the documentation: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#enterprise-security
Here is my setup:
I have installed the app on the MN and pushed it out to a SH. The app is monitoring the audit.log file on the SH server.
- local_posix_identities.csv lookup - configured correctly according to the guide
- directory_posix_identities lookup - configured locally and is populated.
Receiving the following errors on the app dashboard:
- security operations centre: "error in pivotprocessor: error in datamodelevaluator: data model auditd was not found".
- kernel: all information populated, but error messages:
  - auditd_host_inventory lookup table does not exist
  - posix_identities lookup table does not exist
- System Call: no results found for any
- type enforcement: no results for any
- sudo: no results
- user tty: error in lookup command
- host: "error in pivotprocessor: error in datamodelevaluator: data model auditd was not found".
- reports: working
- help: states "working" but other charts state "0"
- configure: auditd_hosts_lookup populated with host (sh) info and auditd_indices lookup populated with index data, other charts not populated
- Splunk version 6.5.1
Hopefully all this information can help you guide me if I have made any mistakes in the setup process.
Thanks
Sent from my iPhone
On Feb 1, 2017, at 6:29 AM, doksu wrote:
> I've just updated the documentation: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#enterprise-security
The 'TA Status' pane on the 'Help' dashboard displays 'Working' if the TA is installed (this is determined by using the REST API). If other panes are saying they can't find the Auditd datamodel (which resides in the TA), I strongly suspect a metadata issue caused by ES' app import regex not accommodating the underscore TA naming convention used by the Linux Auditd's technology add-on. Would you mind sending me the app import stanzas from $SPLUNK_HOME/etc/app/SplunkEnterpriseSecuritySuite/local/inputs.conf on one of the SHC nodes?
The app is not integrated with ES.
On Wed, Feb 1, 2017 at 10:40 PM, doksu wrote:
> The 'TA Status' pane on the 'Help' dashboard displays 'Working' if the TA is installed (this is determined by using the REST API). If other panes are saying they can't find the Auditd datamodel (which resides in the TA), I strongly suspect a metadata issue caused by ES' app import regex not accommodating the underscore TA naming convention used by the Linux Auditd's technology add-on.
> Would you mind sending me the app import stanzas from $SPLUNK_HOME/etc/app/SplunkEnterpriseSecuritySuite/local/inputs.conf on one of the SHC nodes?
I've updated the app's contact details here: https://github.com/doksu/splunk_auditd/wiki#support. Feel free to send me an e-mail (PGP encrypted if necessary) so we can have a chat in private.
I know it is incredibly late, but could I perhaps have some help? We are having this issue too! @doksu
@warrenmfrancis, what issue is it that you're having? Please provide details.
@doksu thank you very much for the reply! We are having the "no results found" issue, yet the TA is listed as "working". I am a bit of a Splunk noob and would appreciate any help. Thanks in advance!
@warrenmfrancis, has the configuration (population of the lookups, etc.) been completed as per the documentation?
@doksu were these the following commands:
awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA-linux_auditd/lookups/local_posix_identities.csv
| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities
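The awk one-liner quoted above builds the local_posix_identities.csv lookup straight from /etc/passwd. As an added example (not part of the splunk_auditd project or of this thread), the script below does the same from a constructed passwd-format sample, skips blank and comment lines that some copies of the file contain, and checks that the result has the uid,user header and only well-formed rows before it is copied into the TA's lookups directory. The function names, the check itself and the temporary output path are assumptions; the header layout follows the awk command in the thread.

```shell
#!/bin/sh
# Added example (not the splunk_auditd project's own code): build the
# local_posix_identities.csv lookup from a passwd-format file and validate it.
# Assumes the lookup expects the two-column header "uid,user", as in the awk
# command quoted in the thread; the output path is a parameter, not the app dir.

# Constructed sample in /etc/passwd format (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# a comment line that some tools leave in copies of the file

alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sh'

# build_posix_identities_lookup PASSWD_FILE OUT_CSV
# Writes the "uid,user" header followed by one "<uid>,<user>" row per account.
# Blank and comment lines are skipped so the lookup contains no malformed rows.
build_posix_identities_lookup() {
    passwd_file=$1
    out_csv=$2
    awk -F ':' '
        BEGIN { print "uid,user" }
        /^[ \t]*$/ || /^#/ { next }      # skip blank and comment lines
        NF >= 3 { print $3 "," $1 }      # uid is field 3, user name is field 1
    ' "$passwd_file" > "$out_csv"
}

# check_posix_identities_lookup OUT_CSV
# Returns 0 when the header is exactly "uid,user" and every data row is
# "<digits>,<name>"; returns 1 otherwise (e.g. a non-numeric uid).
check_posix_identities_lookup() {
    csv=$1
    [ "$(head -n 1 "$csv")" = "uid,user" ] || return 1
    tail -n +2 "$csv" | grep -Ev '^[0-9]+,[^,]+$' | grep -q . && return 1
    return 0
}

# lookup_rows OUT_CSV: number of data rows, excluding the header.
lookup_rows() {
    tail -n +2 "$1" | wc -l | tr -d ' '
}

# uid_for OUT_CSV USER: resolve a user name to its uid through the CSV, the
# same mapping the TA's lookup performs at search time.
uid_for() {
    awk -F ',' -v u="$2" 'NR > 1 && $2 == u { print $1 }' "$1"
}

# Stand-alone run on the constructed sample.
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmpdir/passwd"
build_posix_identities_lookup "$tmpdir/passwd" "$tmpdir/local_posix_identities.csv"
check_posix_identities_lookup "$tmpdir/local_posix_identities.csv" && echo "lookup OK"
cat "$tmpdir/local_posix_identities.csv"
```

On a real host, point the first argument at /etc/passwd and the second at the lookups directory named in the thread; running the check before copying the file catches a truncated or mis-delimited CSV, which would otherwise surface only as the "lookup table does not exist" or "error in lookup command" messages seen on the dashboards above.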
For some reason, the app is not finding my index which has all of my audit logs stored. I am using syslog-ng to send logs to Splunk; not sure if that would make a difference.
@eljefe-3 that's almost certainly because the events don't have the correct sourcetype.
Hi,
I have installed the app on a SHC. The installation and configuration instructions have been followed but the app is not populating and results in an error: