Splunk and Microsoft Azure – Intro and Resource Roundup

We are often asked by customers about how Splunk can integrate with, or run in Microsoft’s Azure cloud platform. There’s actually a fair bit of information about this broad topic on splunk.com and elsewhere, but it can be a bit hard to find. This post will serve as an introduction to a few Azure terms, and a round-up of available resources. Subsequent posts will cover some of these concepts in more detail–just look for the posts tagged “Azure”! You might also want to check out the Microsoft tag for other resources related to Splunk and overall Microsoft ecosystem.

First, let’s be clear: this is a HUGE topic. Cloud platforms are very complex these days, and Azure is no exception. If you walk up to a Splunker and ask, “can Splunk run …

» Continue reading

Monitoring Network Traffic with Sysmon and Splunk

Every IT guy has a set of tools that they use every day. One of mine is sysinternals. It’s a set of Windows utilities made available by Microsoft that do a whole slew of things. You can install them with chocolatey (another in my toolset) or downloaded and unpacked from their website. If you use Windows and this toolset isn’t in your arsenal, maybe it’s time.

Back in August, I got a request from one of our engineers asking me if we had any plans to support the collection of Sysmon data. Sysmon is a Windows system service (yes, another agent) that logs system activity to the Windows Event Log. However, it places all the important stuff in the …

» Continue reading

Splunk App for SharePoint goes Open Source

For about the last year, I’ve been working on an update to the Splunk App for SharePoint. But it isn’t the one you would expect. I’ve been working to open source the app. At the end of the day the best person to write an IT Operations app for Splunk is the person who is intimately involved in the running of the workload. Today, we are flicking the switch and opening up the project. We are allowing you to directly file bugs and feature requests; we are allowing you to submit code; and we are encouraging you to get involved in the project.

So, how can you do this. Firstly, you will want to have some sort of test environment. …

» Continue reading

Splunk 6.2 Feature Overview: Perfmon Delocalization

Last week, I covered the XML Event Logs – an awesome feature that will reduce your data ingest, increase the fidelity of the data that is stored and allow us to work with localized data. Today, I want to discuss another localization feature – or at least a delocalization feature – perfmon.

Prior to Splunk 6.2, Windows perfmon was always collected localized. If you wanted the % Processor Time counter, you had to specify the localized version of this. If you were running on a french version of Windows, you would have to specify object=Processeur and counter=”% Temps Processeur” in both your inputs.conf and searches. Given that there are over 30 different localized versions of Windows, this really meant that …

» Continue reading

Splunk 6.2 Feature Overview: XML Event Logs

We’ve been (rightly) criticized for a couple of things in recent years. Firstly, when you configure a Windows Event Log, it’s too big. This is because we combine the event log object with the message from the locale-specific DLL and that includes a bunch of common explanatory text. I don’t really need to know what a login really means (to the tune of 1K of data ingest) every time someone logs in, especially when these events are happening hundreds of times a minute. Secondly, our event log extractions are for US/English only. Got German Windows? Sorry – our extractions don’t work for that. Finally, we discard the additional data that is provided in the event log object. A primary example …

» Continue reading

RDP to Windows Server from a Splunk Dashboard – Example Code

A while back, I wrote  blog post explaining how to RDP to a Windows Server from a Splunk Dashboard.  The steps involved the following:

  1. Create a Controller – this generates the .rdp file on the server and delivers it to the client.
  2. Create a custom endpoint in web.conf – this part enables url access to the controller created above.
  3. Add Javascript to the dashboard – this part renders the icon and passes the necessary parameters to the controller (via the custom endpoint).

All the nitty-gritty details were spelled out in the blog post.  However, if you learn better by example (like I do), then there is a new GitHub repo that has a working example for you.  In the …

» Continue reading

Integrating Active Directory into Splunk with SA-ldapsearch

On Tuesday, I introduced one of the first presentations at .conf2014 – a major update to the SA-ldapsearch app. This new app has now launched and you can download it at http://apps.splunk.com/app/1151/. The app consists of four specific commands: ldapsearch, ldapfetch, ldapfilter and ldapgroup.

Improvements include:

  • We dropped the requirement for Java on your search head
  • We added support for Search Head Pooling
  • We added a GUI configuration page and connection testing
  • We provided full UTF-8 support

The ldapsearch command is a generating command and is used in a similar way to other generating commands like inputlookup. You run it like this:

| ldapsearch domain=SPL search="(objectClass=user)" attrs="sAMAccountName,cn"

We have added some new features in this release. Firstly, the output …

» Continue reading

RDP to Windows Server from a Splunk Dashboard

UPDATE: A new blog post that has a self-contained working example can be found here -> http://blogs.splunk.com/2014/10/13/rdp-to-windows-server-from-a-splunk-dashboard-example-code/

Say you are browsing a Splunk dashboard and notice something odd in the data about a Windows server and you feel compelled to remote in to that server to do some more investigation. Sure, you could pull up your favorite RDP client and connect in. Or, you can save a couple of clicks and RDP to your server directly from the Splunk dashboard in one click.

Here is what the end results looks like in a dashboard:

RDP from Splunk

Clicking the RDP icon generates a .rdp file on the fly.  Your system’s file type association picks up the .rdp file and launches the RDP client …

» Continue reading

What’s new in TA-windows 4.7.0?

If you are a Windows admin and use Splunk then you’ve likely deployed Splunk_TA_windows on your endpoints. It’s a central method for handling Windows data and has all the extractions you need to handle Windows event logs. We’ve just released version 4.7.0. So what’s new and should you upgrade?

The first thing we did was we organized the data. The well considered best practice is to not put data in the default index. Yet here we were putting data in the default index. That has now changed. By default, we create three indices for you:

  • perfmon is used for performance data
  • wineventlog is used for event logs
  • windows is used for everything else

This change will not affect you if …

» Continue reading

Monitoring Local Administrators on Windows Hosts

It is always gratifying when one of my readers comes to me with a problem. I love challenges. This one had to do with one of my old posts surrounding Local Administrators remotely. Of course, the way to do this is via WMI. However, it doesn’t quite work the same way locally. This is because the WMI call to Win32_Group.GetRelated() returns other stuff as well. So the question posed was “how do I get the list of Local Administrators locally.” More specifically, I want to monitor the local Administrators group.

I look at this two ways. Firstly, I want to get a regular list of names in the Administrators group and secondly, I want to monitor for changes to the …

» Continue reading