Seems like I’m staying on track for a post every 18-24 months, so it’s time… Some of us have to deal with NIST 800-53 controls. You certainly must if you’re in government or are government-adjacent. A few private organizations also use them. One of these, AC-8, has been implemented in Splunk over the years in […]
An evening with SVD-2022-0607
Back in June, along with the release of Splunk 9.0, Splunk dropped several security advisories. I’m spending a little time digging in on SVD-2022-0607. Come along with me as we learn together. The first thing of interest to me about this one is … we’ve been here before. Go back to https://www.duanewaddle.com/splunk-pass4symmkey-for-deployment-client-deployment-server/ and read the […]
Splunk UF 9.0 and POSIX Capabilities
Sorry this has taken so long to post. I caught a (thankfully very mild) case of covid at .cough2022 and between then and now life has not found a way (sorry Jurassic Park). Hopefully this is just the first of a few posts on stuff I’ve been working on and learning about since then. Anyone […]
New Host, lost some comments
I moved the blog to a new host. The old one was getting pretty old. In the process I got rid of Disqus and went to native WP comments, and cannot get the comment sync to work properly. So I’ve lost some comments, sorry. I don’t think this really affects anyone but me.
Searching date-time values in Splunk
If you’ve worked with Splunk for a little while then you are probably familiar with the existence of the field _time. With Splunk being a time series data store, it makes sense that every event will have a time. Internally, Splunk parses the timestamp from your event and converts it to epoch (seconds since Jan […]
Proving a Negative
I’ve got this Foo Fighters lyric stuck in my head … All my life I’ve been searching for something. Something never comes, never leads to nothing. This seems, relevant, given my focus on search technologies in my career. Today, I’m going to talk about proving a negative. That is, I’m going to talk about searching […]
Splunk and POSIX capabilities
UPDATE 2022-11-12, See https://www.duanewaddle.com/splunk-uf-9-0-and-posix-capabilities/ I seem to catch myself talking about this a lot in Slack, so I’m just going to write it all down here and refer people to it. A common issue for Splunk deployments is how to securely deploy the Universal Forwarder. Best practice says “don’t run anything as root that doesn’t […]
Splunk 7.2.2 and systemd
Consider this a draft. I’ll update it as I have time, but I’m posting now because it may help someone. Updated 2019-04-07: Some improvements thanks to Red Hat support. I am also trying to collect the knowledge and experience of other SplunkTrust and Splunk community people in order to document this more completely. Many thanks […]
Splunk pass4SymmKey for deployment client -> deployment server
Introduction So you want to secure your Splunk deployment server? There’s a couple of different angles to consider: Are all clients connecting to a given deployment server permitted to do so? Is the client certain that the deployment server they are talking to is the real one and not an impostor? Let’s start at the […]
RHEL 7 UDP metrics into splunk metrics index
We were discussing this on splunk-usergroups slack, and I said I should post it here and vraptor and dawnrise urged me to do so quickly — so here I am. (Thanks vraptor and dawnrise!) First up, a script to use the nstat tool to grab some kernel UDP metrics and write them out in a […]