Thursday, November 10, 2011 at 11:53 Just a small post with the instructions on upgrading Splunk on Ubuntu Linux.
First download the Splunk update. The Splunk website also gives you the wget command, which you can use directly on the Linux commandline.
Wednesday, June 29, 2011 at 15:59 My Mac Mini with OSX Server had this thing that the hostname (as displayed in the Terminal app) would change after a reboot. Something that annoyed me tremendously. Thankfully there are several (Terminal) commands to change the hostname (back) to its 'original name'.
Since I wanted to change my hostname PERMANENTLY, I used the following command:
sudo scutil –set HostName new_hostname
This worked perfectly. Or so I thought.
Friday, March 11, 2011 at 16:14 Now that I have a SRX running at home and a syslog server powered by Splunk (free version) it's time to be able to understand the logging. The raw logging is pretty unreadable for the average Joe. Thankfully, Splunk can be used to make more sense of it.
Downside is that I haven't found any add-ons / plugins etc. for Splunk to analyze the logging of a Juniper SRX firewall. There is a post on the Splunk forum which offers two regular expression which can be used to define the RT_FLOW fields.
Thursday, November 18, 2010 at 20:50 It's no surprise that a lot of cyberattacks originate from the the 'excellent' People's Republic of China. Some of these attacks are funded by or even originating from the Chinese government. Well, the latter is definitely true.
My (private) ssh server is a point of interest to the Chinese government, since they are trying to get in.
Every couple minutes a possible break-in entry is recorded in my logs. I guess that they decided not to hammer the front door, in order to evade automatic blacklisting of the originating IP.
reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
I checked the IP and it seems to host the web-mail for the Zhejang prov. Development Planning & Research Institute [1].
;)
I guess it's time to tighten the timers on blacklisting.....
B.t.w. The reporting on the IP was provided by Splunk. Excellent tool for digging in logfiles and reporting.
Splunk, blacklisting, chinese, government, sshd in Annoying, Security Tuesday, July 13, 2010 at 12:43 
My area of expertise in the professional world is Network Security. This includes protecting network from intrusions, but also delivering reports about the network status. For the latter we use SIEM(like) environments like the Cisco CS-MARS and the Juniper STRM.
The 'problem' with these devices is that they are great in reporting incidents and creating awesome reports about everything, but they lack the functionality to do some serious investigating.
I have several customers with a SIEM, and most of them still use (Linux) commandline tools like awk, grep, etc. these tools work, but you need to scrape everything together yourself, and building queries can be quite challenging. This is where Splunk> comes in.
