wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Splunk integration guide missing clarifications #6478

Closed javimed closed 1 year ago

javimed commented 1 year ago

While following the Splunk integration guide, the following issues were found.

Forwarding events with Logstash

Splunk Cloud: Unable to find valid certification path to requested target

```
[ec2-user@ip-172-31-31-248 ~]$ sudo cat /etc/logstash/conf.d/wazuh-splunk.conf
input {
  opensearch {
    hosts => ["172.31.28.206:9200"]
    user => "${WAZUH_INDEXER_USERNAME}"
    password => "${WAZUH_INDEXER_PASSWORD}"
    index => "wazuh-alerts-4.x-*"
    ssl => true
    ca_file => "/etc/logstash/wazuh-indexer-certs/root-ca.pem"
    query => '{ "query": { "range": { "@timestamp": { "gt": "now-1m" } } } }'
    schedule => "* * * * *"
  }
}
output {
  http {
    format => "json"        # format of forwarded logs
    http_method => "post"   # HTTP method used to forward logs
    url => "https://pr....splunkcloud.com:8088/services/collector/raw"   # endpoint to forward logs to
    headers => ["Authorization", "Splunk ${SPLUNK_AUTH}"]
    cacert => "/etc/logstash/splunk-certs/pr...-splunkcloud-com.pem"
  }
}
[ec2-user@ip-172-31-31-248 ~]$
```

```
[ec2-user@ip-172-31-31-248 ~]$ sudo systemctl stop logstash
[ec2-user@ip-172-31-31-248 ~]$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-splunk.conf --path.settings /etc/logstash/
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2023-09-11T13:44:23,246][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2023-09-11T13:44:23,249][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.9.2", "jruby.version"=>"jruby 9.3.10.0 (2.6.8) 2023-02-01 107b2e6697 OpenJDK 64-Bit Server VM 17.0.8+7 on 17.0.8+7 +indy +jit [x86_64-linux]"}
[2023-09-11T13:44:23,254][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2023-09-11T13:44:23,526][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/sinatra-2.2.4/lib/sinatra/base.rb:938: warning: constant Tilt::Cache is deprecated
[2023-09-11T13:44:24,484][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-09-11T13:44:25,761][INFO ][org.reflections.Reflections] Reflections took 291 ms to scan 1 urls, producing 132 keys and 464 values
[2023-09-11T13:44:26,434][INFO ][logstash.javapipeline ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2023-09-11T13:44:26,498][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/wazuh-splunk.conf"], :thread=>"#"}
[2023-09-11T13:44:27,192][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.69}
[2023-09-11T13:44:28,121][INFO ][logstash.inputs.opensearch][main] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[2023-09-11T13:44:28,122][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2023-09-11T13:44:28,137][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
```

Upon generating alert...

```
[2023-09-11T13:48:00,382][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:00,381][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:00,385][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 0 seconds
[2023-09-11T13:48:00,389][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 0 seconds
[2023-09-11T13:48:00,518][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:00,519][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 2 seconds
[2023-09-11T13:48:00,528][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:00,530][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 4 seconds
[2023-09-11T13:48:02,651][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:02,652][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 8 seconds
[2023-09-11T13:48:04,661][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:04,662][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 8 seconds
[2023-09-11T13:48:10,783][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:10,784][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 10 seconds
[2023-09-11T13:48:12,794][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:12,796][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 9 seconds
[2023-09-11T13:48:20,918][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:20,918][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 23 seconds
[2023-09-11T13:48:21,927][ERROR][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Could not fetch URL {:url=>"https://pr....splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :class=>Manticore::ClientProtocolException, :will_retry=>true}
[2023-09-11T13:48:21,928][INFO ][logstash.outputs.http ][main][8308e111719aedef5afe946d51d035ebd5d00ac6dc3a27ceef6de2c3027fe8a6] Retrying http request, will sleep for 19 seconds
```
Splunk Enterprise: Connection reset

```
[ec2-user@ip-172-31-31-248 bin]$ sudo systemctl stop logstash
[ec2-user@ip-172-31-31-248 bin]$ sudo cat /etc/logstash/conf.d/wazuh-splunk.conf
input {
  opensearch {
    hosts => ["172.31.28.206:9200"]
    user => "${WAZUH_INDEXER_USERNAME}"
    password => "${WAZUH_INDEXER_PASSWORD}"
    index => "wazuh-alerts-4.x-*"
    ssl => true
    ca_file => "/etc/logstash/wazuh-indexer-certs/root-ca.pem"
    query => '{ "query": { "range": { "@timestamp": { "gt": "now-1m" } } } }'
    schedule => "* * * * *"
  }
}
output {
  http {
    format => "json"        # format of forwarded logs
    http_method => "post"   # HTTP method used to forward logs
    url => "http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw"   # endpoint to forward logs to
    headers => ["Authorization", "Splunk ${SPLUNK_AUTH}"]
  }
}
```

```
[ec2-user@ip-172-31-31-248 bin]$ sudo systemctl stop logstash
[ec2-user@ip-172-31-31-248 bin]$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-splunk.conf --path.settings /etc/logstash/
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2023-09-11T18:46:50,348][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2023-09-11T18:46:50,351][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.9.2", "jruby.version"=>"jruby 9.3.10.0 (2.6.8) 2023-02-01 107b2e6697 OpenJDK 64-Bit Server VM 17.0.8+7 on 17.0.8+7 +indy +jit [x86_64-linux]"}
[2023-09-11T18:46:50,353][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2023-09-11T18:46:50,654][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/sinatra-2.2.4/lib/sinatra/base.rb:938: warning: constant Tilt::Cache is deprecated
[2023-09-11T18:46:51,563][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-09-11T18:46:52,601][INFO ][org.reflections.Reflections] Reflections took 240 ms to scan 1 urls, producing 132 keys and 464 values
[2023-09-11T18:46:53,865][INFO ][logstash.javapipeline ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2023-09-11T18:46:54,007][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/wazuh-splunk.conf"], :thread=>"#"}
[2023-09-11T18:46:55,527][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>1.51}
[2023-09-11T18:46:56,717][INFO ][logstash.inputs.opensearch][main] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[2023-09-11T18:46:56,718][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2023-09-11T18:46:56,739][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
```

Upon generating an alert

```
[2023-09-11T20:55:00,742][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:00,770][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 0 seconds
[2023-09-11T20:55:00,771][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:00,776][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 0 seconds
[2023-09-11T20:55:00,803][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:00,803][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 2 seconds
[2023-09-11T20:55:00,800][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:00,815][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 2 seconds
[2023-09-11T20:55:02,826][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:02,832][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 5 seconds
[2023-09-11T20:55:02,831][ERROR][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Could not fetch URL {:url=>"http://ip-172-31-31-248.us-west-1.compute.internal:8088/services/collector/raw", :method=>:post, :message=>"Connection reset", :class=>Manticore::SocketException, :will_retry=>true}
[2023-09-11T20:55:02,833][INFO ][logstash.outputs.http ][main][ffdb9ac07d40d006bcf14e9675bcbdeae823aaec9dc353660e0f40b1be692f29] Retrying http request, will sleep for 5 seconds
```
Splunk Enterprise: Attempt with https

```
[ec2-user@ip-172-31-31-248 ~]$ sudo cat /etc/logstash/conf.d/wazuh-splunk.conf
input {
  opensearch {
    hosts => ["172.31.28.206:9200"]
    user => "${WAZUH_INDEXER_USERNAME}"
    password => "${WAZUH_INDEXER_PASSWORD}"
    index => "wazuh-alerts-4.x-*"
    ssl => true
    ca_file => "/etc/logstash/wazuh-indexer-certs/root-ca.pem"
    query => '{ "query": { "range": { "@timestamp": { "gt": "now-1m" } } } }'
    schedule => "* * * * *"
  }
}
output {
  http {
    format => "json"        # format of forwarded logs
    http_method => "post"   # HTTP method used to forward logs
    url => "https://172.31.31.248:8088/services/collector/raw"   # endpoint to forward logs to
    headers => ["Authorization", "Splunk ${SPLUNK_AUTH}"]
    cacert => "/etc/logstash/splunk-certs/ca.pem"
  }
}
```

```
[ec2-user@ip-172-31-31-248 ~]$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-splunk.conf --path.settings /etc/logstash/
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2023-09-12T19:20:28,997][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2023-09-12T19:20:28,999][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.9.2", "jruby.version"=>"jruby 9.3.10.0 (2.6.8) 2023-02-01 107b2e6697 OpenJDK 64-Bit Server VM 17.0.8+7 on 17.0.8+7 +indy +jit [x86_64-linux]"}
[2023-09-12T19:20:29,007][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2023-09-12T19:20:29,632][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/sinatra-2.2.4/lib/sinatra/base.rb:938: warning: constant Tilt::Cache is deprecated
[2023-09-12T19:20:31,934][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-09-12T19:20:33,306][INFO ][org.reflections.Reflections] Reflections took 248 ms to scan 1 urls, producing 132 keys and 464 values
[2023-09-12T19:20:34,469][INFO ][logstash.javapipeline ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2023-09-12T19:20:34,518][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/wazuh-splunk.conf"], :thread=>"#"}
[2023-09-12T19:20:35,392][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.87}
[2023-09-12T19:20:36,718][INFO ][logstash.inputs.opensearch][main] ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[2023-09-12T19:20:36,720][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2023-09-12T19:20:36,732][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
```

```
[2023-09-12T19:21:00,439][ERROR][logstash.outputs.http ][main][ef9f071a4d780b13fe0df8693cf86428224ed9570e7399627ab8334d0eaa49bd] Could not fetch URL {:url=>"https://172.31.31.248:8088/services/collector/raw", :method=>:post, :message=>"Unable to initialize, java.io.IOException: Too short", :class=>Java::JavaSecurityCert::CertificateException, :will_retry=>false}
```

```
[ec2-user@ip-172-31-31-248 ~]$ curl https://172.31.31.248:8088/services/collector/raw -k
{"text":"The requested URL was not found on this server.","code":404}[ec2-user@ip-172-31-31-248 ~]$
```

Configuring the receiving port in Splunk Cloud: Missing Forwarding and receiving option

https://user-images.githubusercontent.com/47069802/266863359-6447cc4e-defc-4a9a-918a-d7476ff7251a.png

Installing Splunk Forwarder: SSL certificate generation failed

```
[root@ip-172-31-25-10 ec2-user]# wget -O splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.1.1/linux/splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz"
--2023-09-11 19:35:05--  https://download.splunk.com/products/universalforwarder/releases/9.1.1/linux/splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz
Resolving download.splunk.com (download.splunk.com)... 18.238.192.32, 18.238.192.72, 18.238.192.2, ...
Connecting to download.splunk.com (download.splunk.com)|18.238.192.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46520222 (44M) [binary/octet-stream]
Saving to: ‘splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz’

splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_6 100%[===================================================================================================>]  44.36M  --.-KB/s    in 0.1s

2023-09-11 19:35:05 (321 MB/s) - ‘splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz’ saved [46520222/46520222]
```

```
[root@ip-172-31-25-10 ec2-user]# useradd -m splunk
[root@ip-172-31-25-10 ec2-user]# groupadd splunk
groupadd: group 'splunk' already exists
```

```
[root@ip-172-31-25-10 ec2-user]# pwd
/home/ec2-user
[root@ip-172-31-25-10 ec2-user]# ls
splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz  wazuh-install-files.tar  wazuh-install.sh
```

```
[root@ip-172-31-25-10 ec2-user]# export SPLUNK_HOME="./splunkforwarder"
[root@ip-172-31-25-10 ec2-user]# mkdir $SPLUNK_HOME
[root@ip-172-31-25-10 ec2-user]# tar xvzf splunkforwarder
splunkforwarder/
splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz
```

```
[root@ip-172-31-25-10 ec2-user]# tar xvzf splunkforwarder-9.1.1-64e843ea36b1-Linux-x86_64.tgz
```

```
splunkforwarder/
splunkforwarder/swidtag/
splunkforwarder/swidtag/splunk-UniversalForwarder-primary.swidtag
splunkforwarder/ftr
splunkforwarder/openssl/
splunkforwarder/openssl/misc/
splunkforwarder/openssl/misc/c_info
splunkforwarder/openssl/misc/tsget
splunkforwarder/openssl/misc/c_issuer
splunkforwarder/openssl/misc/CA.sh
splunkforwarder/openssl/misc/c_hash
splunkforwarder/openssl/misc/c_name
splunkforwarder/openssl/misc/CA.pl
splunkforwarder/openssl/openssl.cnf
splunkforwarder/openssl/copyright.txt
splunkforwarder/share/
splunkforwarder/share/mongo-c-driver/
splunkforwarder/share/mongo-c-driver/uninstall.sh
splunkforwarder/share/mongo-c-driver/NEWS
splunkforwarder/share/mongo-c-driver/COPYING
splunkforwarder/share/mongo-c-driver/README.rst
splunkforwarder/share/mongo-c-driver/THIRD_PARTY_NOTICES
splunkforwarder/share/copyright.txt
splunkforwarder/share/splunk/
splunkforwarder/share/splunk/3rdparty/
splunkforwarder/share/splunk/3rdparty/Copyright-for-zc.lockfile-2.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-bottle-0.12.19.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-pcre2-10.40.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-jemalloc-4.5.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-openssl-1.0.2zh.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-google-cloud-cpp-1.14.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-prometheus-cpp-0.9.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-setuptools_scm_git_archive-1.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-FormEncode-1.3.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-double-conversion-3.0.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-Babel-2.9.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-snappy-1.1.8.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-decorator-4.4.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-CherryPy-18.1.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-six-1.15.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-pcre2_wx-10.40.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-checksums-0.1.9.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-openldap-2.4.45.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-idna-2.8.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-portend-2.5.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-crc32c-1.1.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-tempora-1.14.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-certifi-2019.6.16.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-snappy-java-NOTICE-1.1.1.7.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-c-ares-1.15.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-defusedxml-0.5.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-cpp-TimSort-2.1.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-thrift-0.14.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-hive_3_1-3.1.3.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-sdk-cpp-1.8.95.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-h3-v3.4.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-setuptools_scm-3.3.3.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-future-0.17.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-apache-log4j-NOTICE-2.17.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-commons-io-NOTICE-2.4.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-opentracing-cpp-1.6.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-curl-8.0.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-protobuf-3.5.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-orc-1.6.3.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-libxml2-2.9.10.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-urllib3-1.26.6.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-c-common-0.4.52.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-re2-2018-12-01.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-s3transfer-0.1.13.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-jaraco.functools-2.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-jaeger-client-cpp-0.7.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-xxHash-0.6.5.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-typing_extensions-3.7.4.3.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-hive_3_1-NOTICE-3.1.3.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-sdk-1.10.8.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-commons-io-2.4.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-robin-map-v0.2.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-zstd-jni-1.4.0-1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-xmlsec1-1.2.24.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-beaker-1.10.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-sdk-NOTICE-1.10.8.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-jmespath-0.9.4.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-azure-sdk-for-cpp-12.0.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-apache-log4j-2.17.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-googletest-release-1.11.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-cheroot-6.5.5.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-commons-compress-1.21.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-commons-compress-NOTICE-1.21.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-abseil-cpp-20200225.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-funcsigs-1.0.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-chardet-3.0.4.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-semantic_version-2.6.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-boto3-1.17.98.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-wheel-0.34.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-snappy-java-1.1.1.7.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-lz4-1.9.4.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-libxslt-1.1.34.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-xml-name-validator-2.0.1.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-botocore-1.20.98.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-zstd-1.5.0.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-aws-c-event-stream-0.1.6.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-libarchive-3.6.2.txt
splunkforwarder/share/splunk/3rdparty/Copyright-for-libffi-3.2.1.txt
splunkforwarder/share/splunk/cli-command-completion.sh
splunkforwarder/lib/
splunkforwarder/lib/libz.so.1.2.11
splunkforwarder/lib/libpcre2-8.so.0.11.0
splunkforwarder/lib/libbson-1.0.so
splunkforwarder/lib/with_stats/
splunkforwarder/lib/with_stats/libjemalloc.so.2
splunkforwarder/lib/with_stats/libjemalloc.so
splunkforwarder/lib/libpcre2-posix.so
splunkforwarder/lib/libz.so.1
splunkforwarder/lib/libxmlsec1-gcrypt.so.1.2.24
splunkforwarder/lib/libdlwrapper.so.1
splunkforwarder/lib/libxmlsec1-openssl.so.1
splunkforwarder/lib/libxslt.so.1
splunkforwarder/lib/libdlwrapper.so
splunkforwarder/lib/libbz2.so.1
splunkforwarder/lib/libjemalloc.so.2
splunkforwarder/lib/libdlstub.so.1.0.0
splunkforwarder/lib/libxslt.so.1.1.34
splunkforwarder/lib/libbson-1.0.so.0.0.0
splunkforwarder/lib/libxmlsec1-gcrypt.so.1
splunkforwarder/lib/libmongoc-1.0.so.0.0.0
splunkforwarder/lib/libssl.so.1.0.0
splunkforwarder/lib/libxmlsec1-openssl.so
splunkforwarder/lib/libjemalloc.so
splunkforwarder/lib/libpcre2-8.so.0
splunkforwarder/lib/libxmlsec1.so.1.2.24
splunkforwarder/lib/libxml2.so.2
splunkforwarder/lib/copyright.txt
splunkforwarder/lib/libcrypto.so
splunkforwarder/lib/libarchive.so.13
splunkforwarder/lib/libxmlsec1-openssl.so.1.2.24
splunkforwarder/lib/libxslt.so
splunkforwarder/lib/engines/
splunkforwarder/lib/engines/libcapi.so
splunkforwarder/lib/engines/libgost.so
splunkforwarder/lib/engines/libcswift.so
splunkforwarder/lib/engines/lib4758cca.so
splunkforwarder/lib/engines/libpadlock.so
splunkforwarder/lib/engines/libubsec.so
splunkforwarder/lib/engines/libnuron.so
splunkforwarder/lib/engines/libatalla.so
splunkforwarder/lib/engines/libchil.so
splunkforwarder/lib/engines/libsureware.so
splunkforwarder/lib/engines/libaep.so
splunkforwarder/lib/engines/libgmp.so
splunkforwarder/lib/pcre2_wx_tmp/
splunkforwarder/lib/pcre2_wx_tmp/man/
splunkforwarder/lib/pcre2_wx_tmp/man/man1/
splunkforwarder/lib/pcre2_wx_tmp/man/man1/pcre2test.1
splunkforwarder/lib/pcre2_wx_tmp/man/man1/pcre2-config.1
splunkforwarder/lib/pcre2_wx_tmp/man/man1/pcre2grep.1
splunkforwarder/lib/pcre2_wx_tmp/man/man3/
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_serialize_decode.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_data_create.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_mark.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_context_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2serialize.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2convert.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_copy_bynumber.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_stack_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_recursion_memory_management.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_pattern_info.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_free_unused_memory.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_compile.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_converted_pattern_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_glob_separator.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_bsr.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_copy_byname.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_max_pattern_length.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_list_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2limits.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_code_copy_with_tables.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_compile_context_create.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_serialize_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2build.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_length_bynumber.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2perform.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substitute.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_code_copy.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_number_from_name.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_heap_limit.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_match_data_size.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_serialize_get_number_of_codes.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_compile_context_free.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_serialize_encode.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_dfa_match.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2callout.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2api.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_compile_recursion_guard.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_ovector_pointer.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_context_create.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2compat.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_callout_enumerate.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2syntax.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_recursion_limit.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_substitute_callout.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_stack_assign.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_startchar.3
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_parens_nest_limit.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_maketables_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_error_message.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_offset_limit.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_pattern_convert.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_character_tables.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2unicode.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2matching.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2sample.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_context_copy.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_convert_context_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_config.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_convert_context_copy.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_data_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_length_byname.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_newline.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_general_context_copy.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_compile.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_match.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_jit_stack_create.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_list_get.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2posix.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_convert_context_create.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_code_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_depth_limit.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match_data_create_from_pattern.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_maketables.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_callout.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_match_limit.3 
splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_get_bynumber.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_get_byname.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2pattern.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_compile_context_copy.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_compile_extra_options.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_match.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2jit.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_set_glob_escape.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2demo.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_general_context_create.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_substring_nametable_scan.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_general_context_free.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2partial.3 splunkforwarder/lib/pcre2_wx_tmp/man/man3/pcre2_get_ovector_count.3 splunkforwarder/lib/pcre2_wx_tmp/share/ splunkforwarder/lib/pcre2_wx_tmp/share/doc/ splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/ splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/ splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_bsr.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2jit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2serialize.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2compat.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_code_copy_with_tables.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2callout.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_converted_pattern_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_maketables.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_max_pattern_length.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_offset_limit.html 
splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_number_from_name.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2sample.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_copy_byname.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_list_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_compile_context_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_nametable_scan.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2convert.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2posix.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2api.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2test.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_convert_context_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2perform.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_pattern_convert.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_serialize_get_number_of_codes.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_ovector_pointer.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_glob_separator.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_data_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substitute.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_list_get.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_callout.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_compile.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_parens_nest_limit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_match_data_size.html 
splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_newline.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_substitute_callout.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_startchar.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_length_bynumber.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_code_copy.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_dfa_match.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_callout_enumerate.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_compile_recursion_guard.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2syntax.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_stack_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_stack_assign.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_stack_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_general_context_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_compile_context_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_context_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_serialize_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_config.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_general_context_copy.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_get_bynumber.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_compile_extra_options.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_recursion_limit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2matching.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_data_create_from_pattern.html 
splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_serialize_encode.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_depth_limit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2limits.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_convert_context_copy.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2-config.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_pattern_info.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_error_message.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_free_unused_memory.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2unicode.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_context_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_glob_escape.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2partial.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_heap_limit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_copy_bynumber.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2pattern.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2demo.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_ovector_count.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2build.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_get_mark.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_code_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_general_context_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_recursion_memory_management.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_compile_context_copy.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_match_limit.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_maketables_free.html 
splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_set_character_tables.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_get_byname.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_substring_length_byname.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_convert_context_create.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_compile.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_serialize_decode.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_jit_match.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_data_free.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2grep.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/pcre2_match_context_copy.html splunkforwarder/lib/pcre2_wx_tmp/share/doc/pcre2/html/index.html splunkforwarder/lib/pcre2_wx_tmp/lib/ splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-8.so.0.11.0 splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-posix.so splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-8.so.0 splunkforwarder/lib/pcre2_wx_tmp/lib/pkgconfig/ splunkforwarder/lib/pcre2_wx_tmp/lib/pkgconfig/libpcre2-8.pc splunkforwarder/lib/pcre2_wx_tmp/lib/pkgconfig/libpcre2-posix.pc splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-8.so splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-posix.so.3 splunkforwarder/lib/pcre2_wx_tmp/lib/libpcre2-posix.so.3.0.2 splunkforwarder/lib/pcre2_wx_tmp/bin/ splunkforwarder/lib/pcre2_wx_tmp/bin/pcre2grep splunkforwarder/lib/pcre2_wx_tmp/bin/pcre2test splunkforwarder/lib/pcre2_wx_tmp/bin/pcre2-config splunkforwarder/lib/pcre2_wx_tmp/bin/pcre2_jit_test splunkforwarder/lib/pcre2_wx_tmp/cmake/ splunkforwarder/lib/pcre2_wx_tmp/cmake/pcre2-config-version.cmake splunkforwarder/lib/pcre2_wx_tmp/cmake/pcre2-config.cmake splunkforwarder/lib/pcre2_wx_tmp/include/ splunkforwarder/lib/pcre2_wx_tmp/include/pcre2posix.h 
splunkforwarder/lib/pcre2_wx_tmp/include/pcre2.h splunkforwarder/lib/libarchive.so.13.6.2 splunkforwarder/lib/libxml2.so.2.9.10 splunkforwarder/lib/libxmlsec1.so splunkforwarder/lib/libmongoc-1.0.so splunkforwarder/lib/libdlwrapper.so.1.0.0 splunkforwarder/lib/libxml2.so splunkforwarder/lib/cmake/ splunkforwarder/lib/cmake/bson-1.0/ splunkforwarder/lib/cmake/bson-1.0/bson-1.0-config.cmake splunkforwarder/lib/cmake/bson-1.0/bson-targets.cmake splunkforwarder/lib/cmake/bson-1.0/bson-targets-release.cmake splunkforwarder/lib/cmake/bson-1.0/bson-1.0-config-version.cmake splunkforwarder/lib/cmake/libmongoc-static-1.0/ splunkforwarder/lib/cmake/libmongoc-static-1.0/libmongoc-static-1.0-config.cmake splunkforwarder/lib/cmake/libmongoc-static-1.0/libmongoc-static-1.0-config-version.cmake splunkforwarder/lib/cmake/libbson-static-1.0/ splunkforwarder/lib/cmake/libbson-static-1.0/libbson-static-1.0-config.cmake splunkforwarder/lib/cmake/libbson-static-1.0/libbson-static-1.0-config-version.cmake splunkforwarder/lib/cmake/libbson-1.0/ splunkforwarder/lib/cmake/libbson-1.0/libbson-1.0-config-version.cmake splunkforwarder/lib/cmake/libbson-1.0/libbson-1.0-config.cmake splunkforwarder/lib/cmake/mongoc-1.0/ splunkforwarder/lib/cmake/mongoc-1.0/mongoc-targets-release.cmake splunkforwarder/lib/cmake/mongoc-1.0/mongoc-1.0-config.cmake splunkforwarder/lib/cmake/mongoc-1.0/mongoc-targets.cmake splunkforwarder/lib/cmake/mongoc-1.0/mongoc-1.0-config-version.cmake splunkforwarder/lib/cmake/libmongoc-1.0/ splunkforwarder/lib/cmake/libmongoc-1.0/libmongoc-1.0-config-version.cmake splunkforwarder/lib/cmake/libmongoc-1.0/libmongoc-1.0-config.cmake splunkforwarder/lib/libssl.so splunkforwarder/lib/libz.so splunkforwarder/lib/libbz2.so.1.0.3 splunkforwarder/lib/libxmlsec1-gcrypt.so splunkforwarder/lib/libbz2.so splunkforwarder/lib/libsqlite3.so.0 splunkforwarder/lib/libexslt.so splunkforwarder/lib/libsqlite3.so splunkforwarder/lib/libsqlite3.so.0.8.6 splunkforwarder/lib/libdlstub.so.1 
splunkforwarder/lib/libdlstub.so splunkforwarder/lib/libmongoc-1.0.so.0 splunkforwarder/lib/libexslt.so.0 splunkforwarder/lib/libpcre2-8.so splunkforwarder/lib/libexslt.so.0.8.20 splunkforwarder/lib/libpcre2-posix.so.3 splunkforwarder/lib/libbson-1.0.so.0 splunkforwarder/lib/libpcre2-posix.so.3.0.2 splunkforwarder/lib/pcre2_wx/ splunkforwarder/lib/pcre2_wx/libpcre2-8.so.0.11.0 splunkforwarder/lib/pcre2_wx/libpcre2-8.so.0 splunkforwarder/lib/pcre2_wx/libpcre2-8.so splunkforwarder/lib/libxmlsec1.so.1 splunkforwarder/lib/libcrypto.so.1.0.0 splunkforwarder/lib/libarchive.so splunkforwarder/bin/ splunkforwarder/bin/slim splunkforwarder/bin/splunkd splunkforwarder/bin/classify splunkforwarder/bin/easy_install-3.7 splunkforwarder/bin/btprobe splunkforwarder/bin/scripts/ splunkforwarder/bin/scripts/readme.txt splunkforwarder/bin/genWebCert.sh splunkforwarder/bin/btool splunkforwarder/bin/idle3 splunkforwarder/bin/openssl splunkforwarder/bin/wheel splunkforwarder/bin/copyright.txt splunkforwarder/bin/bzip2 splunkforwarder/bin/pripalpng splunkforwarder/bin/priforgepng splunkforwarder/bin/genRootCA.sh splunkforwarder/bin/splunkmon splunkforwarder/bin/pripnglsch splunkforwarder/bin/pydoc3.7 splunkforwarder/bin/pydoc3 splunkforwarder/bin/prichunkpng splunkforwarder/bin/pripngtopam splunkforwarder/bin/genSignedServerCert.sh splunkforwarder/bin/pid_check.sh splunkforwarder/bin/pip3 splunkforwarder/bin/idle3.7 splunkforwarder/bin/2to3-3.7 splunkforwarder/bin/priweavepng splunkforwarder/bin/S3benchmark splunkforwarder/bin/pip3.7 splunkforwarder/bin/setSplunkEnv splunkforwarder/bin/pcre2-config splunkforwarder/bin/splunk splunkforwarder/bin/pripamtopng splunkforwarder/bin/prigreypng splunkforwarder/copyright.txt splunkforwarder/license-eula.txt splunkforwarder/splunkforwarder-9.1.1-64e843ea36b1-linux-2.6-x86_64-manifest splunkforwarder/cmake/ splunkforwarder/cmake/pcre2-config-version.cmake splunkforwarder/cmake/pcre2-config.cmake splunkforwarder/README-splunk.txt 
splunkforwarder/include/ splunkforwarder/include/copyright.txt splunkforwarder/uf splunkforwarder/etc/ splunkforwarder/etc/log.cfg splunkforwarder/etc/myinstall/ splunkforwarder/etc/myinstall/splunkd.xml.cfg-default splunkforwarder/etc/splunk.version splunkforwarder/etc/system/ splunkforwarder/etc/system/bin/ splunkforwarder/etc/system/bin/splunk-journald.path splunkforwarder/etc/system/bin/gnome_keyring.py splunkforwarder/etc/system/bin/journald.sh splunkforwarder/etc/system/bin/splunk-logd.path splunkforwarder/etc/system/bin/logd.sh splunkforwarder/etc/system/static/ splunkforwarder/etc/system/static/atom.xsl splunkforwarder/etc/system/static/splunkrc_cmds.xml splunkforwarder/etc/system/metadata/ splunkforwarder/etc/system/metadata/default.meta splunkforwarder/etc/system/local/ splunkforwarder/etc/system/local/README splunkforwarder/etc/system/README/ splunkforwarder/etc/system/README/outputs.conf.spec splunkforwarder/etc/system/README/workload_policy.conf.example splunkforwarder/etc/system/README/default.meta.spec splunkforwarder/etc/system/README/workload_pools.conf.spec splunkforwarder/etc/system/README/authentication.conf.example splunkforwarder/etc/system/README/restmap.conf.example splunkforwarder/etc/system/README/props.conf.example splunkforwarder/etc/system/README/web.conf.spec splunkforwarder/etc/system/README/workload_rules.conf.example splunkforwarder/etc/system/README/visualizations.conf.spec splunkforwarder/etc/system/README/default-mode.conf.spec splunkforwarder/etc/system/README/sourcetypes.conf.spec splunkforwarder/etc/system/README/passwords.conf.spec splunkforwarder/etc/system/README/deploymentclient.conf.example splunkforwarder/etc/system/README/livetail.conf.spec splunkforwarder/etc/system/README/limits.conf.spec splunkforwarder/etc/system/README/authorize.conf.spec splunkforwarder/etc/system/README/workload_rules.conf.spec splunkforwarder/etc/system/README/wmi.conf.spec splunkforwarder/etc/system/README/health.conf.example 
splunkforwarder/etc/system/README/bookmarks.conf.spec splunkforwarder/etc/system/README/metric_alerts.conf.example splunkforwarder/etc/system/README/source-classifier.conf.spec splunkforwarder/etc/system/README/authorize.conf.example splunkforwarder/etc/system/README/migration.conf.spec splunkforwarder/etc/system/README/collections.conf.spec splunkforwarder/etc/system/README/metric_rollups.conf.example splunkforwarder/etc/system/README/web-features.conf.example splunkforwarder/etc/system/README/federated.conf.spec splunkforwarder/etc/system/README/global-banner.conf.example splunkforwarder/etc/system/README/default-mode.conf.examples splunkforwarder/etc/system/README/web.conf.example splunkforwarder/etc/system/README/procmon-filters.conf.example splunkforwarder/etc/system/README/workload_policy.conf.spec splunkforwarder/etc/system/README/inputs.conf.example splunkforwarder/etc/system/README/literals.conf.spec splunkforwarder/etc/system/README/inputs.conf.spec splunkforwarder/etc/system/README/web-features.conf.spec splunkforwarder/etc/system/README/deploymentclient.conf.spec splunkforwarder/etc/system/README/transforms.conf.spec splunkforwarder/etc/system/README/messages.conf.spec splunkforwarder/etc/system/README/user-seed.conf.example splunkforwarder/etc/system/README/checklist.conf.spec splunkforwarder/etc/system/README/props.conf.spec splunkforwarder/etc/system/README/server.conf.example splunkforwarder/etc/system/README/conf_checker.rules splunkforwarder/etc/system/README/server.conf.spec splunkforwarder/etc/system/README/transforms.conf.example splunkforwarder/etc/system/README/user-seed.conf.spec splunkforwarder/etc/system/README/bookmarks.conf.example splunkforwarder/etc/system/README/source-classifier.conf.example splunkforwarder/etc/system/README/livetail.conf.examples splunkforwarder/etc/system/README/messages.conf.example splunkforwarder/etc/system/README/workload_pools.conf.example splunkforwarder/etc/system/README/restmap.conf.spec 
splunkforwarder/etc/system/README/default.meta.example splunkforwarder/etc/system/README/limits.conf.example splunkforwarder/etc/system/README/instance.cfg.example splunkforwarder/etc/system/README/federated.conf.example splunkforwarder/etc/system/README/authentication.conf.spec splunkforwarder/etc/system/README/wmi.conf.example splunkforwarder/etc/system/README/instance.cfg.spec splunkforwarder/etc/system/README/splunk-launch.conf.spec splunkforwarder/etc/system/README/serverclass.seed.xml.example splunkforwarder/etc/system/README/outputs.conf.example splunkforwarder/etc/system/README/metric_rollups.conf.spec splunkforwarder/etc/system/README/literals.conf.example splunkforwarder/etc/system/README/alert_actions.conf.example splunkforwarder/etc/system/README/audit.conf.spec splunkforwarder/etc/system/README/metric_alerts.conf.spec splunkforwarder/etc/system/README/procmon-filters.conf.spec splunkforwarder/etc/system/README/sourcetypes.conf.example splunkforwarder/etc/system/README/collections.conf.example splunkforwarder/etc/system/README/user-prefs.conf.example splunkforwarder/etc/system/README/passwords.conf.example splunkforwarder/etc/system/README/global-banner.conf.spec splunkforwarder/etc/system/README/user-prefs.conf.spec splunkforwarder/etc/system/README/alert_actions.conf.spec splunkforwarder/etc/system/README/audit.conf.example splunkforwarder/etc/system/README/health.conf.spec splunkforwarder/etc/system/default/ splunkforwarder/etc/system/default/literals.conf splunkforwarder/etc/system/default/server.conf splunkforwarder/etc/system/default/transforms.conf splunkforwarder/etc/system/default/default-mode.conf splunkforwarder/etc/system/default/inputs.conf splunkforwarder/etc/system/default/app.conf splunkforwarder/etc/system/default/alert_actions.conf splunkforwarder/etc/system/default/procmon-filters.conf splunkforwarder/etc/system/default/authorize.conf splunkforwarder/etc/system/default/outputs.conf 
splunkforwarder/etc/system/default/workload_rules.conf splunkforwarder/etc/system/default/sourcetypes.conf splunkforwarder/etc/system/default/messages.conf splunkforwarder/etc/system/default/props.conf splunkforwarder/etc/system/default/federated.conf splunkforwarder/etc/system/default/health.conf splunkforwarder/etc/system/default/visualizations.conf splunkforwarder/etc/system/default/metric_alerts.conf splunkforwarder/etc/system/default/limits.conf splunkforwarder/etc/system/default/workload_pools.conf splunkforwarder/etc/system/default/conf.conf splunkforwarder/etc/system/default/telemetry.conf splunkforwarder/etc/system/default/livetail.conf splunkforwarder/etc/system/default/metric_rollups.conf splunkforwarder/etc/system/default/authentication.conf splunkforwarder/etc/system/default/source-classifier.conf splunkforwarder/etc/system/default/global-banner.conf splunkforwarder/etc/system/default/restmap.conf splunkforwarder/etc/system/default/web.conf splunkforwarder/etc/system/default/audit.conf splunkforwarder/etc/system/default/web-features.conf splunkforwarder/etc/system/default/workload_policy.conf splunkforwarder/etc/log-btool.cfg splunkforwarder/etc/apps/ splunkforwarder/etc/apps/search/ splunkforwarder/etc/apps/search/metadata/ splunkforwarder/etc/apps/search/metadata/default.meta splunkforwarder/etc/apps/search/default/ splunkforwarder/etc/apps/search/default/transforms.conf splunkforwarder/etc/apps/search/default/app.conf splunkforwarder/etc/apps/search/default/props.conf splunkforwarder/etc/apps/search/default/restmap.conf splunkforwarder/etc/apps/introspection_generator_addon/ splunkforwarder/etc/apps/introspection_generator_addon/bin/ splunkforwarder/etc/apps/introspection_generator_addon/bin/collector.path splunkforwarder/etc/apps/introspection_generator_addon/default/ splunkforwarder/etc/apps/introspection_generator_addon/default/server.conf splunkforwarder/etc/apps/introspection_generator_addon/default/inputs.conf 
splunkforwarder/etc/apps/introspection_generator_addon/default/app.conf splunkforwarder/etc/apps/introspection_generator_addon/default/README splunkforwarder/etc/apps/splunk_internal_metrics/ splunkforwarder/etc/apps/splunk_internal_metrics/default/ splunkforwarder/etc/apps/splunk_internal_metrics/default/transforms.conf splunkforwarder/etc/apps/splunk_internal_metrics/default/app.conf splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf splunkforwarder/etc/apps/learned/ splunkforwarder/etc/apps/learned/metadata/ splunkforwarder/etc/apps/learned/metadata/default.meta splunkforwarder/etc/apps/learned/default/ splunkforwarder/etc/apps/learned/default/README splunkforwarder/etc/apps/SplunkUniversalForwarder/ splunkforwarder/etc/apps/SplunkUniversalForwarder/metadata/ splunkforwarder/etc/apps/SplunkUniversalForwarder/metadata/default.meta splunkforwarder/etc/apps/SplunkUniversalForwarder/default/ splunkforwarder/etc/apps/SplunkUniversalForwarder/default/server.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/default-mode.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/app.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/props.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/health.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/limits.conf splunkforwarder/etc/apps/SplunkUniversalForwarder/default/README splunkforwarder/etc/apps/SplunkUniversalForwarder/default/web.conf splunkforwarder/etc/apps/splunk_httpinput/ splunkforwarder/etc/apps/splunk_httpinput/default/ splunkforwarder/etc/apps/splunk_httpinput/default/inputs.conf splunkforwarder/etc/apps/journald_input/ splunkforwarder/etc/apps/journald_input/default/ splunkforwarder/etc/apps/journald_input/default/inputs.conf splunkforwarder/etc/apps/journald_input/default/authorize.conf 
splunkforwarder/etc/disabled-apps/ splunkforwarder/etc/disabled-apps/README splunkforwarder/etc/datetime.xml splunkforwarder/etc/copyright.txt splunkforwarder/etc/licenses/ splunkforwarder/etc/licenses/forwarder/ splunkforwarder/etc/licenses/forwarder/splunkforwarder.lic splunkforwarder/etc/auth/ splunkforwarder/etc/auth/ca.pem.default splunkforwarder/etc/auth/scripts/ splunkforwarder/etc/auth/cloudCA.pem splunkforwarder/etc/auth/appsCA.pem splunkforwarder/etc/auth/cacert.pem.default splunkforwarder/etc/auth/crl/ splunkforwarder/etc/auth/crl/README splunkforwarder/etc/auth/prev_release/ splunkforwarder/etc/auth/prev_release/ca.pem.default splunkforwarder/etc/auth/prev_release/cacert.pem.default splunkforwarder/etc/log-cmdline-debug.cfg splunkforwarder/etc/users/ splunkforwarder/etc/users/users.ini.default splunkforwarder/etc/manager-apps/ splunkforwarder/etc/manager-apps/_cluster/ splunkforwarder/etc/manager-apps/_cluster/local/ splunkforwarder/etc/manager-apps/_cluster/local/README splunkforwarder/etc/manager-apps/_cluster/default/ splunkforwarder/etc/manager-apps/_cluster/default/indexes.conf splunkforwarder/etc/log-btool-debug.cfg splunkforwarder/etc/modules/ splunkforwarder/etc/modules/parsing/ splunkforwarder/etc/modules/parsing/config.xml splunkforwarder/etc/modules/input/ splunkforwarder/etc/modules/input/FIFO/ splunkforwarder/etc/modules/input/FIFO/config.xml splunkforwarder/etc/modules/input/exec/ splunkforwarder/etc/modules/input/exec/config.xml splunkforwarder/etc/modules/input/RemoteQueue/ splunkforwarder/etc/modules/input/RemoteQueue/config.xml splunkforwarder/etc/modules/input/tailfile/ splunkforwarder/etc/modules/input/tailfile/config.xml splunkforwarder/etc/modules/input/UDP/ splunkforwarder/etc/modules/input/UDP/config.xml splunkforwarder/etc/modules/input/structuredparsing/ splunkforwarder/etc/modules/input/structuredparsing/config.xml splunkforwarder/etc/modules/input/TCP/ splunkforwarder/etc/modules/input/TCP/config.xml 
splunkforwarder/etc/modules/input/fschangemanager/ splunkforwarder/etc/modules/input/fschangemanager/config.xml splunkforwarder/etc/modules/output/ splunkforwarder/etc/modules/output/config.xml splunkforwarder/etc/modules/output/RemoteQueue/ splunkforwarder/etc/modules/output/RemoteQueue/config.xml splunkforwarder/etc/shcluster/ splunkforwarder/etc/shcluster/apps/ splunkforwarder/etc/shcluster/apps/README splunkforwarder/etc/shcluster/users/ splunkforwarder/etc/shcluster/users/README splunkforwarder/etc/log-utility.cfg splunkforwarder/etc/prettyprint.xsl splunkforwarder/etc/init.d/ splunkforwarder/etc/init.d/README splunkforwarder/etc/splunk-launch.conf.default splunkforwarder/etc/log-cmdline.cfg splunkforwarder/etc/deployment-apps/ splunkforwarder/etc/deployment-apps/README splunkforwarder/etc/log-debug.cfg [root@ip-172-31-25-10 ec2-user]# ```
```
[root@ip-172-31-25-10 ec2-user]# ls splunkforwarder/
README-splunk.txt  bin  cmake  copyright.txt  etc  ftr  include  lib  license-eula.txt  openssl  share  splunkforwarder-9.1.1-64e843ea36b1-linux-2.6-x86_64-manifest  swidtag  uf
[root@ip-172-31-25-10 ec2-user]# chown -R splunk:splunk $SPLUNK_HOME
[root@ip-172-31-25-10 ec2-user]#
```

```
[root@ip-172-31-25-10 ec2-user]# sudo $SPLUNK_HOME/bin/splunk start --accept-license
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk:splunk /home/ec2-user/splunkforwarder"

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: fwdadmin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Creating unit file...
Important: splunk will start under systemd as user: splunk
The unit file has been created.

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
	Checking mgmt port [8089]: open
	Creating: /home/ec2-user/splunkforwarder/var/lib/splunk
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk/appserver/i18n
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk/appserver/modules/static/css
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk/upload
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk/search_telemetry
	Creating: /home/ec2-user/splunkforwarder/var/run/splunk/search_log
	Creating: /home/ec2-user/splunkforwarder/var/spool/splunk
	Creating: /home/ec2-user/splunkforwarder/var/spool/dirmoncache
	Creating: /home/ec2-user/splunkforwarder/var/lib/splunk/authDb
	Creating: /home/ec2-user/splunkforwarder/var/lib/splunk/hashDb
The certificate generation script did not generate the expected certificate file:/home/ec2-user/splunkforwarder/etc/auth/server.pem.
Splunkd port communication will not work.
SSL certificate generation failed.
[root@ip-172-31-25-10 ec2-user]#
```
javimed commented 1 year ago

Edit: Added error when attempting https configuration

gdiazlo commented 1 year ago

The documentation related to the Splunk tools is in the Splunk documentation site, https://docs.splunk.com/Documentation. The documentation of the integrations we published assumes someone wanting to integrate Wazuh into Splunk knows how to deploy and operate Splunk.

I believe the cases you're describing are all related to the deployment, configuration and operation of Splunk.