@@ -0,0 +1,19 @@
+# AFS Syslog Notes
+
+The AFS Customer has a different syslog setup than other customers. This document was created to track some of those differences.
+
+## Splunk Searches
+
+Is data not being tagged correctly and instead going into the junk index?
+
+`index=junk sourcetype="*syslog"`
+
+What index is the syslog data going into?
+
+See this file: https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-afs-pop/blob/master/deployment-apps/afs_hf_inputs/local/inputs.conf
+
+There are multiple indexes containing the syslog data. Here is a search to look through the data for specific missing hosts.
+
+`index=junk OR index=network_firewall OR index=network OR index=ids source="*syslog*" host=pic1-rwc-0101 OR host=pic1-rwc-0102 OR host=pic1-csw-0001 OR host=pic1-csw-0002 OR host=pic1-srt-0003 OR host=pic1-srt-0004 OR host=sat-ntp-0101 OR host=sat-ntp-0102`
+
+`| tstats count WHERE (host=10.55.255.140 OR host=pic1-rwc-0101 OR host=pic1-rwc-0102 OR host=pic1-csw-0001 OR host=pic1-csw-0002 OR host=pic1-srt-0003 OR host=pic1-srt-0004 OR host=sat-ntp-0101 OR host=sat-ntp-0102) (index=junk OR index=network_firewall OR index=network OR index=ids) by host, index | eval index=if(index="junk","staging",index)`
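Review bot: the per-host search (the line beginning `index=junk OR index=network_firewall ... host=pic1-rwc-0101 OR ...`) is missing parentheses around the index list and the host list, so it does not do what the sentence above it says. SPL binds an implicit AND tighter than OR, so as written only the `index=ids` term is constrained by `source="*syslog*"` and the first host, while every later `host=` term matches on its own across all indexes and sourcetypes. The `tstats` search below groups both lists correctly; the same grouping is needed here, e.g. `(index=junk OR index=network_firewall OR index=network OR index=ids) source="*syslog*" (host=pic1-rwc-0101 OR ... OR host=sat-ntp-0102)`. Since the stated purpose is to find missing hosts, consider also ending it with `| stats count by host, index`, so a host with no events shows up as an absent row instead of having to be spotted in raw events. Finally, the `eval index=if(index="junk","staging",index)` rename in the `tstats` search is unexplained; one sentence in the notes on why junk is reported as "staging" (and why the IP `10.55.255.140` is listed alongside hostnames) would save the next reader from guessing.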
|