Back in June, along with the release of Splunk 9.0, Splunk dropped several security advisories. I’m spending a little time digging in on SVD-2022-0607. Come along with me as we learn together. The first thing of interest to me about this one is … we’ve been here before. Go back to https://www.duanewaddle.com/splunk-pass4symmkey-for-deployment-client-deployment-server/ and read the […]
Uncategorized
Splunk UF 9.0 and POSIX Capabilities
Sorry this has taken so long to post. I caught a (thankfully very mild) case of covid at .cough2022 and between then and now life has not found a way (sorry Jurassic Park). Hopefully this is just the first of a few posts on stuff I’ve been working on and learning about since then. Anyone […]
New Host, lost some comments
I moved the blog to a new host. The old one was getting pretty old. In the process I got rid of Disqus and went to native WP comments, and cannot get the comment sync to work properly. So I’ve lost some comments, sorry. I don’t think this really affects anyone but me.
Searching date-time values in Splunk
If you’ve worked with Splunk for a little while then you are probably familiar with the existence of the field _time. With Splunk being a time series data store, it makes sense that every event will have a time. Internally, Splunk parses the timestamp from your event and converts it to epoch (seconds since Jan […]
Proving a Negative
I’ve got this Foo Fighters lyric stuck in my head … All my life I’ve been searching for something. Something never comes, never leads to nothing. This seems, relevant, given my focus on search technologies in my career. Today, I’m going to talk about proving a negative. That is, I’m going to talk about searching […]
Splunk and POSIX capabilities
UPDATE 2022-11-12, See https://www.duanewaddle.com/splunk-uf-9-0-and-posix-capabilities/ I seem to catch myself talking about this a lot in Slack, so I’m just going to write it all down here and refer people to it. A common issue for Splunk deployments is how to securely deploy the Universal Forwarder. Best practice says “don’t run anything as root that doesn’t […]
Splunk pass4SymmKey for deployment client -> deployment server
Introduction So you want to secure your Splunk deployment server? There’s a couple of different angles to consider: Are all clients connecting to a given deployment server permitted to do so? Is the client certain that the deployment server they are talking to is the real one and not an impostor? Let’s start at the […]
Back from the brink?
I really gave up on blogging for a long time. “So busy” and all that. I’m trying to get back, lets just call all of that ‘excuses’. So in support of that, a whole bunch of housekeeping on the site. Latest and greatest remote exploits .. err I mean wordpress 😉 SSL by default thanks […]
Nullqueue Sampling
One of the first things the average Splunk administrator has to learn about the hard way is how to send traffic to the Splunk nullQueue. It’s almost a rite of passage — you configure a new data source, somewhat unaware of the tens of thousands of mostly-useless events it produces. It blows out your license […]
Splunking bash history
The history tools built into the bash shell are rather powerful and a great source of information about what has been done to a system. One thing we can do to make these even more useful is add them as a data source in Splunk. While imperfect (see caveats below), this can be helpful in […]