AFS Syslog Notes

The AFS Customer has a different syslog setup than other customers. This document was created to track some of those differences.

Splunk Searches

Is data not being tagged correctly and instead going into the junk index?

index=junk sourcetype="*syslog"

What index is the syslog data going into?

See this file: https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-afs-pop/blob/master/deployment-apps/afs_hf_inputs/local/inputs.conf

There are multiple indexes containing the syslog data. Here is a search that looks across those indexes for specific hosts that may be missing. The index and host alternatives are grouped in parentheses; without the grouping, the implicit AND with source binds to only the last index term and the first host term, so the search does not filter the way it reads.

(index=junk OR index=network_firewall OR index=network OR index=ids) source="*syslog*" (host=pic1-rwc-0101 OR host=pic1-rwc-0102 OR host=pic1-csw-0001 OR host=pic1-csw-0002 OR host=pic1-srt-0003 OR host=pic1-srt-0004 OR host=sat-ntp-0101 OR host=sat-ntp-0102)

| tstats count WHERE (host=10.55.255.140 OR host=pic1-rwc-0101 OR host=pic1-rwc-0102 OR host=pic1-csw-0001 OR host=pic1-csw-0002 OR host=pic1-srt-0003 OR host=pic1-srt-0004 OR host=sat-ntp-0101 OR host=sat-ntp-0102) (index=junk OR index=network_firewall OR index=network OR index=ids) by host, index | eval index=if(index="junk","staging",index)
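The tstats search above answers both questions on this page at once: a host whose only rows are in the junk index is being mis-tagged, and an expected host with no rows at all is missing. The following script is an added example (not part of these notes) that triages an exported CSV of that search's results; the host list is the one from the searches above, and the CSV rows are constructed sample data, not real output.

```python
import csv
import io

# Hosts the searches in these notes expect to see reporting.
EXPECTED_HOSTS = [
    "pic1-rwc-0101", "pic1-rwc-0102", "pic1-csw-0001", "pic1-csw-0002",
    "pic1-srt-0003", "pic1-srt-0004", "sat-ntp-0101", "sat-ntp-0102",
]

# Constructed sample of what the tstats search exports (host, index, count).
# Not real data: pic1-csw-0002 only lands in junk, two hosts send nothing.
SAMPLE_TSTATS_CSV = """host,index,count
pic1-rwc-0101,network_firewall,1200
pic1-rwc-0102,network_firewall,1150
pic1-csw-0001,network,300
pic1-csw-0002,junk,295
pic1-srt-0003,ids,88
sat-ntp-0101,network,40
"""


def classify_hosts(tstats_csv, expected_hosts=EXPECTED_HOSTS, junk_index="junk"):
    """Return {host: status} for every expected host.

    'ok'        - events present in at least one real index
    'misrouted' - events present, but only in the junk index (tagging problem)
    'missing'   - no events in any searched index (host not sending / not routed)
    """
    seen = {}  # host -> set of indexes that hold events for it
    for row in csv.DictReader(io.StringIO(tstats_csv)):
        if int(row["count"]) > 0:
            seen.setdefault(row["host"], set()).add(row["index"])

    result = {}
    for host in expected_hosts:
        indexes = seen.get(host, set())
        if not indexes:
            result[host] = "missing"
        elif indexes <= {junk_index}:
            result[host] = "misrouted"
        else:
            result[host] = "ok"
    return result


if __name__ == "__main__":
    for host, status in classify_hosts(SAMPLE_TSTATS_CSV).items():
        print(f"{host:16} {status}")
```

If the search's eval has already renamed junk to staging in the export, pass junk_index="staging".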