Cisco Security Suite 3.0.2 now includes Cisco IronPort Email Security Appliance (ESA) Data

The Cisco Security Suite app continues to get updated for Splunk 6.x.  The latest addition is support to Cisco IronPort Email Security Appliance (ESA).  A new add-on has been published that provides Common Information Model compliant field extractions and tags for data from Cisco ESA.  So now, the Cisco Security Suite supports:

  • Cisco ASA and PIX firewall appliances, the FWSM firewall services module
  • WSA web security appliance
  • Cisco IronPort Email Security Appliance (ESA)
  • Cisco Identity Services Engine (ISE)

Also, with each release, we incorporate more feedback about documentation.  So, in addition to documentation found within the Cisco Security Suite app itself, a subset of “getting started” documentation has been published under the Documentation tab on http://apps.splunk.com/app/525/.

 

Stay tuned, there …

» Continue reading

Splunk App for VMware v3.1: Transforming operational visibility into virtualized datacenters with built-in storage correlation

Earlier today, we announced the general availability of the latest release version 3.1 of the Splunk App for VMware. This release is monumental providing radical cross-tier insights into your virtual infrastructure. In this latest release, we’ve focused on improving time-to-value with 3 important features – correlated insights, adaptable reporting and enhanced topology map. Let’s delve a little deeper into each area.

1. Built-in correlation between VMware and storage environments:

If you’re running a virtual datacenter, storage latency in virtual environments is one of the most common performance issues you are likely to deal with. Storage I/O latencies impact performance of VMs because read/write operations can cause performance issues to the shared resources in your datacenter; as VMs contend with each …

» Continue reading

Building custom search commands in Python part I – A simple Generating command

Custom search commands in our Python SDK allow you to extend Splunk’s search language and teach it new capabilities. In this and other upcoming posts we’re going to look at how to develop several different search commands to illustrate what you can do with this.

In this post, we’re going to focus on building a very basic Generating command.  A generating command generates events which can be from any source, for example an internal system, or an external API. We’re going to create a GenerateHello command that will generate Hello World events based on a supplied count. The command is not very useful in itself, but it is a quick way to see how you can author custom commands.

Below …

» Continue reading

Detecting Windows XP Systems with Splunk

Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.

How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on if they …

» Continue reading

Splunk as a Recipient on the JMS Grid

A number of years ago, I was fascinated by the idea of SETI@home. The idea was that home computers, while idling, would be sent calculations to perform in the search for extraterrestrial life. If you wanted to participate, you would register your computer with the project and your unused cycles would be utilized for calculations sent back to the main servers. You could call it a poor man’s grid, but I thought it of it as a massive extension for overworked servers. I thought the whole idea could be applied to the Java Messaging Service (JMS) used in J2EE application servers.

Background

Almost a decade ago, I would walk around corporations at “closing” time and see a mass array …

» Continue reading

Another NY Metro Splunk Users Group Meeting

We had our first NY Metro Splunk Users Group meeting of the year this week and it was hosted at Blackrock in NYC with Reed Kelly, one of the leaders of the users group playing host. Thanks Reed.

Our first order of business was to watch a presentation from Splunk Product Manager Jack Coates on the new 3.0 Splunk Common Information Model. Unlike the past CIM that focused heavily on security, the new CIM is general purpose for all of IT and flexible to add more knowledge to it, when needed. As a bonus, the app in the app store has data models to quickly get started and test your data sources.

Next, we had a discussion (or some …

» Continue reading

Fix now available: Splunk and the Heartbleed vulnerability

Dear Splunk users,

This is an update to yesterday’s post on our handling of the OpenSSL Heartbleed vulnerability.  Thank you again for your patience and understanding as we spent the necessary time to prepare and test our fix for this important issue. As I mentioned yesterday, we are working hard to balance getting the fix out to you as quickly as possible while still spending sufficient time testing it to ensure a high quality delivery.

Take me to the fix!

As of now, Splunk Enterprise 6.0.3 is now available for download. This includes universal forwarder builds.

This release contains two fixes for vulnerabilities in OpenSSL:

  • CVE-2014-0160 – OpenSSL 1.0.1 TLS Heartbeat leaks sensitive information (also known as the “Heartbleed”
» Continue reading

Splunk and the Heartbleed SSL vulnerability

(Update: we’ve posted a fix for this issue, see http://blogs.splunk.com/2014/04/10/fix-now-available-splunk-and-the-heartbleed-vulnerability/.)

Dear Splunk users,

As you’re likely aware, a significant vulnerability in OpenSSL, which the security community is calling the “Heartbleed” vulnerability, was discovered and publicized earlier this week. This is not a bug in code that Splunk produced, but rather in a component of a package that is in common use throughout the software industry.

The purpose of this blog post is to inform you about what Splunk is doing to address this issue.   For more detailed information about the vulnerability itself, refer to http://heartbleed.com.

Here’s what you need to know:

What versions of Splunk are affected?

  • Splunk Enterprise versions 6.0, 6.0.1, and 6.0.2 are affected. This includes
» Continue reading

Running two Universal Forwarders on Windows

We get quite a few requests on how to run two Splunk Universal Forwarders on the same Windows host. Why would you do this? The primary reason is that you have a lab environment and want to compare one version of Splunk to another during an evaluation of a new version. You may also have two sets of files you need to ingest into Splunk and the files have differing access permissions such that Splunk needs to run as different users. It’s really an edge case and definitely not something you want to generally do in production.

In Linux, this is a fairly simple process – just install to a different directory and change the ports and you are done. …

» Continue reading

The 2014 CyberPatriot National Finals

This blog post was jointly written by Tolga Tohumcu and Bert Hayes… Tolga mentored the student teams before the completion, Bert was on-site at the competition to help out in person, and Enoch Long was working behind the scenes to build relationships with folks running the competition.

 

The 2014 CyberPatriot National Finals http://www.digitaljournal.com/pr/1828452 took place recently at the Gaylord National Resort and Conference Center in National Harbor, Maryland with all of the spectator appeal of a competitive archeological dig.  Two shifts of high school aged students made up a total of twenty eight different “Blue Teams” and tested their mettle by defending their networks from a pack of active, aggressive, and skilled attackers (the Red Team). The CyberPatriot program …

» Continue reading