The effective security buyer

Sometimes I’m glad I keep around the mounds of free trade publications that tend to pile up on my desk.  About once a month I start going through the stack but I never quite finish.  I got through placing 4 or 5 publications into the recycling bin before I read How to be an effective security buyer by Andreas M. Antonopoulos in the May 2011 on-line edition of Network World. This article (more than others I’ve read) takes a basic and practical approach to the hard buying decisions (and trade-offs) we all have to make.  The buying decision criteria is crisp and fresh and discourages simply relying on vendors that would “draw you into a single-vendor closed integration package” of …

» Continue reading

Splunk for DST

Fellow Splunkers,

I hope everyone had a great International Caps Lock Day last Friday.  I KNOW I DID!!!1

As we approach that glorious time of the year when we all get an extra hour of sleep or drinking (I prefer to think of it as ‘time travel’), discussion around the topic of daylight savings time has centered on answering the following two questions:

  1. Are we (Splunk) testing for any DST-related bugs?
  2. Can we (Splunk) help detect machines that didn’t get the DST memo?
» Continue reading

Introducing “allowRemoteLogin”

Fellow Security-conscious Splunkers,

Beginning in Splunk 4.1.4, a new option, ‘allowRemoteLogin’, has been added to server.conf to better control access to Splunk’s management port (TCP port 8089 by default).…

» Continue reading

SQL Injections: The Splunk Method for Auditing Your Application Security Model

Unless you have had your head in the sand, SQL Injections have made a fierce comeback to the top of the threat vector charts this year. According to the WHID (Web Hacking Incidents Database), SQL injection is still king of the attack vectors, accounting for 19 percent of attacks, followed by authentication abuse (11 percent), content spoofing (10 percent), DDoS/brute force (10 percent), configuration/admin error (8 percent), cross-site scripting (8 percent), cross-site request forgery (5 percent), DNS highjacking (5 percent), and worms (3 percent).

Reflect on the recent increase in compliance legislation requiring businesses to provide dynamic data access to customers for banking, healthcare, or the influx simple purchases on the web, and the concern may be scarier for all …

» Continue reading

Be successful with Splunk in about an hour…

Here’s a document that can get you analyzing real data and making real charts, in about an hour or two…

Dive into Splunk

Feedback really, really appreciated.…

» Continue reading

Parsing the Splunk Timezone Format

Every once in a while, rarely, you may get a splunkd.log error that looks something like this:

12-07-2009 14:32:06.894 ERROR bucket - Failed to resurrect timezone ('
' delimited): '### SERIALIZED TIMEZONE FORMAT 1.0
Y0 NW 47 4D 54

This is splunk saying it can’t parse the timezone description it just got. This can be a problem when you’re in a distributed environment, and you’re asking for data to be bucketed (collected) into time-specific chunks. A typical example is when using timecharts.

The fix for this particular issue is called Splunk 4.0.7, but if you’re curious to know what timzeone it actually is, the digits of hex are the name, represented as ascii values.

A quick trip to …

» Continue reading

Having trouble finding Splunk for Free?

Although Splunk Free shipped with 4.0.5, we’re getting a bunch of questions to support asking “where’s the Free?” Turns out actually turning Splunk Trial into Free-as-in-Beer Splunk may not be as obvious as we hoped.

When the trial expires, Splunk will automatically prompt you to get a trial extension, or convert to Free. However, if you’re ready to go to Splunk Free right away:

Go to Manager (from any app) -License

Down in the text area of the license page, you’ll see text for “switch to a Free Splunk at any time” When you click that, you’ll go to the license switcher that will turn your Splunk into a Free Splunk.

click here for the free license

Note however, …

» Continue reading

Reverse DNS Lookups for Host Entries

When Splunk indexes, by default is going to take the hostname/ip that exists directly in the logfile entry…

Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called “Lookups“. Lookups allow for the enrichment of events in Splunk with data from external sources. Those sources can be a static CSV file (HTTP error codes is a good example), or a python script that is called at searchtime and grabs data from whereever you need it to. The python script must take in a CSV data structure and spit a CSV data structure back to Splunk.

Little did we know, Splunk included a file in …

» Continue reading

Indexing Events Delivered by Multicast

Although the title of this entry says indexing events delivered by multicast, the first thing I need to point out is not to do it. If you are indexing log type events, it is not a good idea to multicast this data to all machines on the LAN just to have one Splunk indexer that is listening for it to index it. Since most of the machines on the LAN won’t be interested in this data, It would be a waste of network resources, not to mention potentially unreliable.

Having said that, there may be cases where indexing events, such as control data, that are delivered via multicast may be useful. For instance, application servers in a cluster often are …

» Continue reading

Poke at our API

With this tool:

$ splunk _internal call <relative rest path>
[-get:<param> <value>] ... [-post:<param> <value>] ...
[-method <http action>] [-multival] [-auth <user>:<pass>]

As mentioned in my previous post, exploring our endpoints is pretty simple to do, by pointing your browser at the Splunk management port. Actually making use of the endpoints requires more work, but this utility makes it easy to get started.

Restarting an input component is a handy example, such as restarting monitoring after editing inputs.conf by hand:

splunk _internal call /data/inputs/monitor/_reload
This is supported by the other components in /data/inputs, as well – browse there and look for the _reload links.


  • get:foo bar – adds an HTTP GET parameter to the request, with name ‘foo’
» Continue reading