Syslog NG OSE Doc site moves
August 08, 2023. Syslog-NG OSE is seeing many updates; one of the things you might not know is that the docs can be found at their new home. I expect we will see new…
Written by Ryan Faircloth, who lives and works remotely from Sunny Florida trying to share useful things. You should follow him on GitHub, LinkedIn, or Twitter.
The problem with a pistol duel is that often both parties lose. I often have time zone-centered conversations around logging that consume an…
There are certain things in machine data that cannot be forgiven. Correct identification of time in UTC (time offsets are fine). Correct…
This won’t take long, I still read slashdot there you have my confession. This article discusses the “fallout” politically from the Tsar…
Microsoft has released a cool new tool for Linux ported from Windows. I was asked today why I don’t think “syslog” is an acceptable way to…
"I have sensitive data in my logs and I need to filter that out." Security teams worldwide. Filtering out sensitive data sounds like a good…
Do you have a workflow to check your work or are you trusting the system because you think it works? One of the most frequent conversations…
I’m very pleased with the progress tech has made this year, and I say progress, not arrival because change is hard for humans. As a segment…
I’ve finally been able to take a couple of days and update and refresh my MaxMind Add-on for Splunk Enterprise and Enterprise Cloud. The…
IETF Syslog meaning RFC5424 over TLS (RFC5425) seems like a good idea until you think of the consequences and just what those consequences…
Syslog is an ambiguous term, so I thought I would clarify what I am talking about: syslog is a daemon where Linux/UNIX sent logs back in the…
If the device has a host name in the event, use that. Else if our management/CMDB solution knows the right name, use that instead. Else maybe…
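The host-naming precedence above, as an added example that is not part of the original post or any Splunk/syslog-ng code: take the HOSTNAME field from the event when the event carries one, otherwise consult a CMDB lookup keyed on the sender's IP. The post's third rule is cut off, so the final fallback to the raw source IP is an assumption of this example, as are the parsing regexes, the constructed sample events, and the in-memory dict standing in for a CMDB.

```python
import re
from typing import Dict, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...  ("-" is the NILVALUE)
RFC5424_RE = re.compile(r"^<\d{1,3}>\d+ \S+ (?P<host>\S+) ")
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")


def hostname_from_event(raw: str) -> Optional[str]:
    """Return the HOSTNAME field if the event header carries a usable one.

    Tries RFC 5424 first, then RFC 3164. A 5424 NILVALUE ("-") counts as
    'no hostname'. Anything that matches neither format returns None.
    """
    for rx in (RFC5424_RE, RFC3164_RE):
        m = rx.match(raw)
        if m:
            host = m.group("host")
            return None if host == "-" else host
    return None


def choose_host(raw: str, source_ip: str, cmdb: Dict[str, str]) -> Tuple[str, str]:
    """Apply the precedence: event hostname, then CMDB name, then (assumed) source IP.

    Returns (host, provenance) so the caller can record where the name came from,
    which matters when reviewing why two devices ended up with the same host value.
    """
    host = hostname_from_event(raw)
    if host:
        return host, "event"
    if source_ip in cmdb:
        return cmdb[source_ip], "cmdb"
    # Assumption: the post's final rule is elided; fall back to the sender IP.
    return source_ip, "source_ip"


# Constructed sample events and a toy CMDB (hypothetical names and addresses).
SAMPLE_CMDB = {"10.0.0.5": "fw01.example.net", "10.0.0.8": "sw-edge2.example.net"}
SAMPLE_EVENTS = [
    ("<34>1 2023-08-08T12:00:00Z fw01.example.net kernel - - - link up", "10.0.0.5"),
    ("<34>1 2023-08-08T12:00:01Z - kernel - - - link down", "10.0.0.5"),
    ("<13>Oct 11 22:14:15 sw-core1 sshd[123]: Accepted publickey", "10.0.0.6"),
    ("plain text with no syslog header at all", "10.0.0.7"),
]


def resolve_all(events=SAMPLE_EVENTS, cmdb=SAMPLE_CMDB):
    """Resolve every sample event; returns a list of (host, provenance)."""
    return [choose_host(raw, ip, cmdb) for raw, ip in events]


if __name__ == "__main__":
    for (raw, ip), (host, how) in zip(SAMPLE_EVENTS, resolve_all()):
        print(f"{ip:<10} -> {host:<22} ({how})  {raw[:40]}...")
```

The provenance tag is the part worth keeping in production: when a device sends an IP or a stale name in its header, the "event" rule still wins by design, and having the source recorded alongside the host is what lets you find those devices later.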
The faces I’ve seen made to this statement say a lot. I hope you read past the statement for my reasons and when other requirements may…
Splunk released 1.2.0 of Splunk Connect for Syslog today. This release focused on timezone management. We all wish time was standardized on…
I’ve had quite a bit to say about syslog as a component of a streaming data architecture primarily feeding Splunk Enterprise (or Enterprise…
One day perhaps we can teach machines to avoid bias but maybe just maybe we need to understand how to teach humans the same first. https…
This is a theoretical attack abusing a compromised kubectl certificate pair and exposed K8s api to deploy a phishing site transparently on…
Splunk has a great token-based auth solution for its S2S protocol; it was added several versions back. Inputs have both just worked and…
This is a rather long time coming, today version 4.0.0 of SecKit for Geolocation with MaxMind is available for Splunk via Splunk base and…
A few years ago flying across the Atlantic, unable to sleep, I had an idea to integrate common syslog aggregation servers using Splunk’s new…
I’ve had this crop up enough times, I think it’s worth a short post. Most Splunk deployments use local and/or LDAP authentication. LDAP…
A Splunk customer wrote a utility to help translate old sourcetype to new source/sourcetype with visual review and a nice workflow for…
I’ve updated the SecKit templates and guidance for Windows TA 6.0 no longer do you need to also deploy the TA for Microsoft DNS and TA for…
Sometimes it is not noticed because there is no license charge associated with Splunk’s Universal forwarder internal logs and in some cases…
Splunk released a major update to the Splunk TA for Windows last month you may not have noticed but I think you should take a closer look. A…
Splunk’s SmartStore technology is a game-changing advancement in data retention for Splunk Enterprise, allowing Splunk to move least used…
This walk through will build a Splunk CIM compatible source addon extending the CEF source type from my CEF framework TA. This is part three…
In my prior post I walked you through setting up a development environment for Splunk Enterprise to allow for an IDE/RAD development…
As a lifelong (seems that way) software developer come to Splunk, I would like to have some of the properties of an Integrated Development…
Last year I created content to help customers quickly get up and running with Windows Data making optimal use of their license. Splunk TA…
This topic comes up every now and then working with customers and partners: deploying and upgrading add-ons for Splunk does not have to be…
This is a short one: onboarding data into any system is great; making it identifiable and usable by the end users, that’s even more important…
Just before Y2K and in the years after banking systems moved from proprietary operating systems and applications, custom interfaces and…
Setting up SSL/TLS on Splunk doesn’t have to be super hard or costly. While running Splunk in cloud providers has many benefits there are…
Isn’t it great when things are in meltdown and you can’t patch yet because you’re waiting on another patch? Microsoft has stated you can’t…
Your searches are queued but you have cores, memory and IO to spare? Tuning your limits can allow Splunk to utilize “more” of your hardware…
The site’s been down for a few days; BlueHost has been suffering from a DDoS on at least one of the sites they host. My site shared…
Hunting, we find URLs in logs, both email and proxy, that are interesting all the time. What will that URL return? If it redirects, where is it…
This post is short and sweet, in ES 4.7 the Alexa download is not enabled by default enabling and using this list which can be very valuable…
I’ve had this in the bucket for a while waiting for the right time to share. There is a growing demand to develop “real time” analytic…
Updated Jan 16, 2018: user security issue. Updated Jan 19, 2018: using forking type for splunk. Updated Oct 2019: for format issues after…
I’ve updated my best practices a bit and moved the implementation guides from confluence out to the bitbuckets in markdown so they can be…
I really do “get” it, logging and monitoring can be very costly, we all agree not nearly as costly as a breach. Each organization is…
I pulled this out of the archives on request. Notice this was originally developed for Splunk 6.2.x and RHEL 7.0. Please review the details…
I’m sharing something today that has been available thanks to many in white papers and presentations dealing with identification of…
Having great and informative data will make for some hefty lookups. I’ve heard from a few customers that run into this rather than plan for…
Ok, I said posts in threes, so here it is. We all know rsyslog config is much more painful than syslog-ng, but for reasons beyond all of our…
Do blog posts come in threes? Keep watching to find out. Yesterday I gave you the run down on a new way to collect syslog. Today I’m going…
A little while back I created a bit of code to help get data from linux systems in real time where the Splunk Universal Forwarder could not…
As a developer of “Apps” for the Splunk platform; I have been very eager to automate more tedious tasks including build and static code…
Hanging out in the dark corners of DefCon and watching what passes by you see some things. What can we find with Splunk…. Who’s here and…
This one is short and sweet, when building a Splunk search head cluster we often will create a search head unattached to indexers to “stage…
This is a brief followup on my earlier post in a very large scale environment: write -> monitor -> read between a log appending source such…
Overview Preparation of a base infrastructure for high availability ingestion of syslog data with a default virtual server and configuration…
Just in case you need yet another reason to utilize passive DNS analytics, a new significant vulnerability is out for glibc…
Every now and then a threat data provider will include invalid entries in their threat list creating loads of false positives in Enterprise…
Overview Preparation of a base infrastructure for high availability ingestion of syslog data with a default virtual server and configuration…
Often SIEM projects begin where log aggregation projects end. So many logs cut into organized stacks of wood ready to burn for…
Update broken link 2017-10-04. Friend, we need to talk, there is something important that you have been overlooking for a long time…
Splunk has initial support for export of “content” which can be dashboards and correlation searches created by the user to share with…
Long ago, in the distant past that is the late 1970s, individuals were alone and unconnected. Visionaries of the future began to connect…
DNS is a fundamental component of our computing infrastructure before we identify bad actions easily we should remove what we can easily…
Passive DNS analysis is all the rage right now, the detection opportunities presented have been well discussed for some time. If your…
I get asked about this one often, I happen to have a bit of experience with this which is very rare. There is scant documentation on the…
Big data, open world a utopia we may one day have. Today I want my logs all of my logs, and then I want more. I often want to collect…
Author: Ryan Faircloth. Summary: Using repositories for version management of the Splunk Universal Forwarder assists in ensuring managed…
Author: Ryan Faircloth. Summary: Rapid deployment of the universal forwarder in a production environment is possible with a minimal amount of…
It’s been a busy year already: Oracle’s Java, Adobe’s Flash, and so many updates to Windows. Most users by now have heard they should keep…