Web (http) Certificate for Splunk
I prefer to use a CA-signed web certificate rather than the self-signed one. I found a couple of different topics on the process, but most of them referred to the distributed search certificate. Here are the steps to generate the certificate and get it into the right place for Splunk to use it.
-----------------------------------------------------------------
## Generate the local key
openssl genrsa -out linux0001.key 4096
## Generate the csr
openssl req -new -key linux0001.key -out linux0001.csr
## Submit the .csr file to the CA
## Move the original certs for backup purposes
mv cert.pem cert.pem.bak
mv privkey.pem privkey.pem.bak
## Convert the DER (binary) cert returned by the CA to PEM
openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM
## Copy the new files into the Splunk certs folder
cp linux0001.key /opt/splunk/share/splunk/certs/privkey.pem
cp cert.pem /opt/splunk/share/splunk/certs/cert.pem
## Restart Splunk
/opt/splunk/bin/splunk restart
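The same six steps as shell functions, with one check the walk-through above skips: before the new files go into place, confirm that the certificate the CA handed back actually carries the public key of the key you generated and is inside its validity window. A certificate issued for a different CSR (or the wrong file grabbed from the CA's download page) is the usual reason Splunk Web fails to come back after a restart. This is an added example, not code from the original post; the host name `linux0001` and the `/opt/splunk/share/splunk/certs` path are taken from the post, the `example.com` CN and the environment-variable names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: the six steps above as shell
# functions, plus a check that the certificate the CA returned belongs to
# the key we generated and is currently valid. CERT_HOST (linux0001, from
# the post) and SPLUNK_CERT_DIR (the post's path) are assumptions; adjust.
set -eu

CERT_HOST="${CERT_HOST:-linux0001}"
SPLUNK_CERT_DIR="${SPLUNK_CERT_DIR:-/opt/splunk/share/splunk/certs}"

# 1. Private key. Left unencrypted on purpose: splunkd must read it unattended,
#    so the file permissions are the only thing protecting it.
gen_key() {            # gen_key KEYFILE [BITS]   (default 4096, as in the post)
    openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null
    chmod 600 "$1"
}

# 2. CSR, non-interactive; verify its self-signature before sending it off.
gen_csr() {            # gen_csr KEYFILE CSRFILE COMMON_NAME
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
    openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# 3. (Submit the CSR to the CA by hand, as in the post.)

# 4. The CA hands back a DER-encoded .cer; Splunk wants PEM.
der_to_pem() {         # der_to_pem CERFILE PEMFILE
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Sanity check before anything is installed:
#   returns 1 if the cert's public key is not the one derived from our key
#             (wrong download, or a cert issued for somebody else's CSR),
#   returns 2 if the cert is expired or not yet valid.
check_pair() {         # check_pair KEYFILE PEMCERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 2
    return 0
}

# 5. + 6. Back up the old pair and install the new one (restart is left to
#    the caller so the check above can abort before anything changes).
install_pair() {       # install_pair KEYFILE PEMCERT [CERT_DIR]
    dir="${3:-$SPLUNK_CERT_DIR}"
    check_pair "$1" "$2"
    for f in cert.pem privkey.pem; do
        if [ -f "$dir/$f" ]; then mv "$dir/$f" "$dir/$f.bak"; fi
    done
    cp "$2" "$dir/cert.pem"
    cp "$1" "$dir/privkey.pem"
    chmod 600 "$dir/privkey.pem"
}

# Typical run on the Splunk host; the CA submission happens between the two lines:
#   gen_key "$CERT_HOST.key" && gen_csr "$CERT_HOST.key" "$CERT_HOST.csr" "$CERT_HOST.example.com"
#   der_to_pem certnew.cer cert.pem && install_pair "$CERT_HOST.key" cert.pem && /opt/splunk/bin/splunk restart
```

`check_pair` compares the SPKI public keys rather than RSA moduli so it also works if you later move to an EC key; a non-zero return from `install_pair` means nothing was touched and the `.bak` files are still the live pair.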
Splunk Dashboards
I have begun building my own dashboards in Splunk. Once I have the custom views built, I will post them here. So far everything I have been working on is with a systems administrator in mind, because that is what I have been doing for the past 12 years (wow, that's a long time). Currently I am building a view for searching failed logins and the source of lockouts; the two tie into one another. Our technicians want to be more involved in systems administration, and hopefully this will help them respond more quickly to our customers. Everything comes from Splunk being installed on all our domain controllers. From there we get all the logs into our central logging system (Splunk). Due to the amount of data we are now pushing every day, we might have to build a backup environment just for our Splunk data. How awesome is this!
Another good report
This will help to track down failed logins. One cause is someone changing their password while still being logged in to a server with the old account information. The other possibility is that someone is trying to brute-force an account.
Type="Failure Audit" sourcetype="WinEventLog:Security" | chart count by User_Name | sort - count
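The search above tells you who is failing, but not which of the two causes you are looking at. Adding the number of distinct source addresses per account helps separate them: one host retrying the same stale credential looks very different from one account being hit from several places. Below is an added example, not from the original post, that runs that roll-up offline over a few constructed events so the logic can be checked without a Splunk instance. The events are a simplified one-line form of what Splunk extracts from a Windows Security event; `User_Name` is the field the post uses, `Source_Network_Address` is assumed (the field name the Windows add-on extracts for the client address on a logon failure), and the triage thresholds are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post: "failed logins per account"
# plus distinct-source count, run over constructed sample events.
# Field names User_Name (from the post) and Source_Network_Address (assumed).
set -eu

# Constructed sample: jdoe fails repeatedly from one host (old password still
# in use somewhere), admin fails from several hosts, bsmith once, one success.
SAMPLE_EVENTS='Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=admin Source_Network_Address=10.0.0.7
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=admin Source_Network_Address=10.0.0.8
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=bsmith Source_Network_Address=10.0.0.20
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=admin Source_Network_Address=10.0.0.9
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Success Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=admin Source_Network_Address=10.0.0.7
Type="Failure Audit" sourcetype="WinEventLog:Security" User_Name=jdoe Source_Network_Address=10.0.0.5'

# Offline equivalent of:
#   Type="Failure Audit" | stats count dc(Source_Network_Address) by User_Name | sort - count
# Reads events on stdin, prints "<failures> <distinct sources> <user>", most failures first.
top_failed() {
    awk '
        $0 !~ /Type="Failure Audit"/ { next }          # only failure audits count
        {
            u = ""; s = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^User_Name=/)              u = substr($i, 11)
                if ($i ~ /^Source_Network_Address=/) s = substr($i, 24)
            }
            if (u == "") next
            n[u]++
            if (!((u, s) in seen)) { seen[u, s] = 1; d[u]++ }
        }
        END { for (u in n) printf "%d %d %s\n", n[u], d[u], u }
    ' | sort -k1,1nr -k3,3
}

# Triage tag for each top_failed line. Thresholds are illustrative, not tuned:
# one source hammering one account reads as a stale credential; the same
# account failing from several sources, or a large count, deserves a look.
triage() {             # triage [MIN_SOURCES] [MIN_COUNT]
    awk -v ms="${1:-3}" -v mc="${2:-10}" '
        { tag = ($2 >= ms || $1 >= mc) ? "investigate" : "likely-stale-credential"
          print $0, tag }'
}

# Usage: printf '%s\n' "$SAMPLE_EVENTS" | top_failed | triage
```

In Splunk itself the same view is one search, `Type="Failure Audit" sourcetype="WinEventLog:Security" | stats count dc(Source_Network_Address) as sources by User_Name | sort - count`, which keeps the post's ordering and adds the `sources` column the triage step keys on.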
