Ryan Faircloth ryanfaircloth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #This will get used for anything that for some reason skips transforms like hec event such data is cooked and should lb well enough | |
| [tcpout] | |
| defaultGroup = target-0 | |
| #only used by default | |
| [target-0] | |
| server= idx1, idx2, idx3, idx4 | |
| autoLBVolume=20MB | |
| #Only used by randomizer | |
| [target-1] | |
| server= idx1, idx2, idx3, idx4 |
ryanfaircloth
/ condfigmap.yaml
Last active
March 4, 2021 20:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: uf-config | |
| data: | |
| deploymentclient.conf: | | |
| [deployment-client] | |
| clientName=foo | |
| [target-broker:deploymentServer] | |
| targetUri=deploymentserver.splunk.mycompany.com:8089 |
ryanfaircloth
/ socksd.conf
Created
February 19, 2021 15:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logoutput: stdout | |
| #debug: 2 | |
| internal: eth0 port = 2020 | |
| external: eth0 | |
| #external.rotation: same-same | |
| clientmethod: none | |
| socksmethod: none |
ryanfaircloth
/ splunk cluster
Created
March 30, 2020 11:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: enterprise.splunk.com/v1alpha2 | |
| kind: LicenseMaster | |
| metadata: | |
| name: tail000 | |
| namespace: a380 | |
| finalizers: | |
| - enterprise.splunk.com/delete-pvc | |
| spec: | |
| requests: | |
| memory: "2Gi" |
ryanfaircloth
/ splunkconfig perf
Created
March 12, 2020 20:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #server.conf | |
| parallelIngestionPipelines = 3 | |
| pipelineSetSelectionPolicy = weighted_random | |
| #indexes.conf.spec | |
| [default] | |
| rtRouterThreads = 0 | |
| enableRealtimeSearch = 0 | |
| maxHotSpanSecs = 86401 | |
| maxHotBuckets = 10 |
ryanfaircloth
/ test-juniper-port.sh
Last active
September 19, 2019 15:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Juniper Netscreen | |
| echo | |
| echo Sending Juniper Netscreen event: | |
| echo | |
| echo The event will show up in Splunk with a sourcetype of "syslog-ng:fallback" unless a | |
| echo "hostname wildcard or CIDR block is configured (see beta test SC4SB002)." | |
| echo |
ryanfaircloth
/ test-bluecoat
Created
September 7, 2019 23:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Bluecoat | |
| # <134> 2019-08-21T17:42:08.000z bluecoat-host bluecoat[0]:SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories="unavailable" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent="ocspd/1.0.3" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name="Explicit HTTP" service.group="Standard" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name="10.0.0.6-sample_logs" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url="http://randomserver:8000/en-US/app/examples/" | |
| echo | |
| echo Sending Bluecoat event: | |
| echo | |
| ech |
ryanfaircloth
/ test-fortigate
Created
September 7, 2019 23:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Fortigate | |
| # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:19:43 devname=fortigate-host devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1 | |
| echo | |
| echo Sending Fortigate event: | |
| echo | |
| echo -e "<111> Aug 17 00:00:00 fortigate date=`date +%Y-%m-%d` time=`date +%H:%M:%S` devname=fortigate-host devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstco |
ryanfaircloth
/ test-juniper
Created
September 7, 2019 23:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Juniper Netscreen | |
| echo | |
| echo Sending Juniper Netscreen event: | |
| echo | |
| echo The event will show up in Splunk with a sourcetype of "syslog-ng:fallback" unless a | |
| echo "hostname wildcard or CIDR block is configured (see beta test SC4SB002)." | |
| echo |
ryanfaircloth
/ test-pan
Created
September 7, 2019 23:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Palo Alto TRAFFIC | |
| # <190>Jan 28 01:28:35 panw-host 1,2014/01/28 01:28:35,007200001056,TRAFFIC,end,1,2014/01/28 01:28:34,192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0 | |
| echo | |
| echo Sending Palo Alto TRAFFIC event: | |
| echo | |
| echo -e "<190>`date +\"%b %d %H:%M:%S\"` panw-traffic-host 1,`date +\"%Y/%m/%d %H:%M:%S\"`,007200001056,TRAFFIC,end,1,`date +\"%Y/%m/%d %H:%M:%S\"`,192.168.41.30,192.168.41.255,10.193.16.193,192.168.4 1.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:2 8:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0 ,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0" |
NewerOlder