Category: Splunk

Splunk_TA_Windows error: DsBind failed (1753)

I started seeing the error DsBind failed (1753) in Splunk’s _internal index shortly after a Domain Controller replacement project. The error was only occurring on two DCs: The first thing I checked was the configuration in inputs.conf. We are using the Splunk_TA_Windows add-on to collect Security Event Logs, with a separate inputs app to deploy to servers. I

Splunking Bash history

I’ve been doing a lot of work recently setting up auditing of Splunk. One of the components of this is ingesting bash history, as most Splunk config changes are made from the command line. I found this great blog post by Duanne Waddle that explains how to enhance and capture bash history, which saved me a

Splunk: ERR_CONNECTION_ABORTED on port 8089

After updating the SSL certificate on our Splunk servers, I needed to verify that the new SSL certificate was in place and working. I did this by browsing to each server on port 8089. I was able to connect to all of the servers except one: To check that Splunk was listening on the correct

Issue with EventID field extraction in Windows_TA app

Today’s very short post is about an issue I came across viewing Application event logs that were onboarded using the Windows_TA app. The EventID field wasn’t being populated for most events. When I looked closer at the events, I could see that EventID can be represented in two different ways in different events: <EventID>1530</EventID> <EventID Qualifiers='16384'>16384</EventID> The first

How to install the IMAPmailbox app on Windows

The IMAPmailbox app is a Splunk app that monitors a single mailbox using IMAP. More information about the app can be found on Splunkbase: https://splunkbase.splunk.com/app/1739/. WARNING: By default, the app will delete emails once they’ve been onboarded into Splunk. To avoid this, in imap.conf set the deleteWhenDone flag to false. I was asked to install

How to get a real-time view of Splunk file onboarding

Recently I was onboarding a large number of files into Splunk (nearly 2,800 files, with a total size of around 1 TB), and needed to view the progress in real time. I was pointed to this blog post, which has a neat python script to show real-time status of the Tailing Processor’s activities. This posed a problem as