new blog about Splunk
Someone’s started another Splunk blog called Splunk Ideas, and no, the author really doesn’t work here. I really like the post on proactive system administration. Updated link.
selinux and splunk
If you’ve enabled selinux for whatever reason, you need to either disable it or configure it to allow splunk to run.
To configure selinux to allow splunk to run, you need to run the chcon command on the splunk lib directory. Here is what you type:
chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null
You can also disable the check when splunk starts by adding this line to the $SPLUNK_HOME/bin/setSplunkEnv script:
export SPLUNK_IGNORE_SELINUX=1
Telling Splunk to not phone home for update info.
(2.1.1 only)
We've had a few people ask for this. It's going to be in the documentation eventually, but until then here is how you do it.
Edit $SPLUNK_HOME/etc/myinstall/search.xml
Change:
<updateCheckerBaseURL>http://quickdraw.splunk.com/js/</updateCheckerBaseURL>
to:
<updateCheckerBaseURL>0</updateCheckerBaseURL>
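The 2.1.1 edit above as a small shell function, added here as an example rather than taken from the post: it sets updateCheckerBaseURL to 0, keeps a backup of the original search.xml, refuses to report success unless the edit verifiably took, and is safe to re-run. It assumes the element sits on a single line, as shown above.

```shell
# Added example (not from the original post): patch search.xml so Splunk
# 2.1.1 stops contacting quickdraw.splunk.com for update checks, keeping a
# backup and verifying the result. Assumes the element is on one line.

# Print the current value of <updateCheckerBaseURL> (empty if absent).
update_checker_value() {
    sed -n 's|.*<updateCheckerBaseURL>\([^<]*\)</updateCheckerBaseURL>.*|\1|p' "$1" | head -n 1
}

# Set the value to 0. Returns 0 on success, 1 if the file or element is missing.
# Idempotent: a file already set to 0 is left untouched (no new backup).
disable_update_checker() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cur=$(update_checker_value "$f")
    [ -n "$cur" ] || { echo "updateCheckerBaseURL not found in $f" >&2; return 1; }
    if [ "$cur" = "0" ]; then
        echo "update checker already disabled in $f"
        return 0
    fi
    # sed -i.bak edits in place and keeps the original as search.xml.bak
    sed -i.bak 's|<updateCheckerBaseURL>[^<]*</updateCheckerBaseURL>|<updateCheckerBaseURL>0</updateCheckerBaseURL>|' "$f"
    # Verify the edit actually took before reporting success.
    [ "$(update_checker_value "$f")" = "0" ] || { echo "edit failed for $f" >&2; return 1; }
    echo "update checker disabled in $f (was: $cur, backup: $f.bak)"
}

# Usage: disable_update_checker "$SPLUNK_HOME/etc/myinstall/search.xml"
```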
(2.1)
Edit $SPLUNK_HOME/share/splunk/search/static/js/update_checker_pro.js
At the top of the file, inside the setup function, comment out these two lines:
createUpdateCheckerScriptlet();
setTimeout('possiblyFallBackToCannotConnectMessage()', 5000);
by Mark Cohen
Using an MSSP? Want your Splunk Server to send them data?
One of our sales reps, Jon Hart (who’s a real security log analysis vet), told me he’s had a lot of customers ask him about using Splunk along with an MSSP service. He asked me to do a quick post about it.
MSSP stands for Managed Security Service Provider. MSSPs outsource your security monitoring function. They usually do this by placing a box onsite in your datacenter. You send it security-relevant logs in real time, usually via syslog. These logs are filtered by the box down to a subset that are relevant to alerting on network intrusions and other security incidents, which are then sent over a VPN to the MSSP. The MSSPs staff security operations centers (SOCs) 24/7 to look…