Thursday, March 31, 2011

Splunk - Map users to roles

1) Navigate to Manager > Access controls > Authentication method > LDAP Groups
2) Click on the group to select the roles desired. Ex: user
3) You can search for a user name from the top to identify the groups
4) If you do not see the required LDAP group, modify Group Base DN from Manager > Access controls > Authentication method > LDAP strategies > ActiveDirectory (or your LDAP)

Thursday, March 17, 2011

Setup X-Forwarded-Proto in Apache

RequestHeader comes from mod_headers, so make sure it is loaded (LoadModule headers_module modules/mod_headers.so). Use "set", not "append" or "merge": "set" replaces any X-Forwarded-Proto header the client sent, so an application behind this proxy that decides whether a request was HTTPS from this header cannot be fooled by a client sending X-Forwarded-Proto: https over a plain HTTP connection. The application should still only honour the header on requests that arrive from this proxy.

<VirtualHost *:80>
 RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

<VirtualHost *:443>
 RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

Apache SSL setup on Windows

Download the software and go through the default installation process. I downloaded the one with openssl -
Win32 Binary including OpenSSL 0.9.8o (MSI Installer)
Start the apache from programs menu.
By default, port 80 works.

To setup SSL, follow these instructions.
1) Uncomment the following lines from httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

2) Edit these lines from extra/httpd-ssl.conf file
 Add NameVirtualHost *:443 under Listen 443
 Change <VirtualHost _default_:443> to <VirtualHost *:443>

3) Create a self-signed certificate with openssl.
Launch openssl from the Apache bin folder.
a) OpenSSL> req -config c:\openssl.cnf -out c:\myserver.csr -new -newkey rsa:2048 -nodes -keyout c:\myserver-privkey.key
Fill out the required parameters.
b) openssl x509 -req -days 3000 -in c:\myserver.csr -signkey c:\myserver-privkey.key -out c:\myserver.crt
-nodes leaves the private key unencrypted (Apache started as a Windows service cannot answer a passphrase prompt), so restrict the NTFS permissions on myserver-privkey.key to the account Apache runs as. 3000 days is fine for a local test box; use a much shorter lifetime for anything other people connect to.

4) Update httpd-ssl.conf with the correct path for these attributes.
SSLCertificateFile "C:\apachessl\myserver.crt"
SSLCertificateKeyFile "C:\apachessl\myserver-privkey.key"

5) Restart server.

6) Access
http://localhost/ and https://localhost/
The browser will warn about the certificate because it is self-signed, i.e. not issued by a CA in the browser's trust store.
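The same key pair generation as step 3, with the checks worth running before pointing step 4's directives at the files, as an added example that is not part of the original post. It assumes POSIX sh and the openssl command line tool on PATH (on Windows, e.g. from Git Bash or the Apache bin folder); the hostname "localhost", the output directory and the 825-day lifetime are this example's choices, and the file names match step 4.

```shell
#!/bin/sh
# Added example, not from the original post: the key pair from step 3 generated and
# sanity-checked in one go, with a throwaway OpenSSL config so the "Unable to load config
# info" problem below cannot occur. Assumes POSIX sh and the openssl CLI on PATH; the
# hostname "localhost" and the output directory are parameters. File names match step 4.
set -u

# gen_selfsigned DIR HOST DAYS: writes DIR/myserver-privkey.key and DIR/myserver.crt.
# -nodes leaves the key unencrypted (Apache started as a service cannot answer a passphrase
# prompt), so the key file must be readable only by the account Apache runs as.
gen_selfsigned() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir" || return 1
  # prompt=no takes the subject from this file instead of stdin; the SAN entry is what
  # browsers actually compare the hostname against (CN alone is no longer enough).
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/myserver-privkey.key" -out "$dir/myserver.crt" -days "$days" 2>/dev/null \
    || return 1
  chmod 600 "$dir/myserver-privkey.key"
}

# cert_key_match CERT KEY: succeeds only if the public key inside CERT is the one derived
# from KEY, i.e. SSLCertificateFile and SSLCertificateKeyFile really belong together.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_subject CERT: subject in RFC 2253 form, e.g. CN=localhost.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# cert_self_verifies CERT: a self-signed cert validates against itself as trust anchor; the
# browser warning in step 6 only means the browser's own trust store does not contain it.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Run directly:  sh mkcert.sh C:/apachessl   (then point step 4's directives at the files)
if [ -n "${1:-}" ]; then
  gen_selfsigned "$1" localhost 825 \
    && cert_key_match "$1/myserver.crt" "$1/myserver-privkey.key" \
    && cert_self_verifies "$1/myserver.crt" \
    && echo "ok: $(cert_subject "$1/myserver.crt") written to $1"
fi
```

cert_key_match is the check to run whenever Apache refuses to start after a certificate renewal: a certificate copied over a key from a different run is the usual cause.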


Common Issues:

Problem
Syntax error on line 56 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a
module not included in the server configuration
Note the errors or messages above, and press the <ESC> key to exit. 

Solution
Uncomment this line in httpd.conf:
LoadModule ssl_module modules/mod_ssl.so

Problem
Unable to load config info from /usr/local/ssl/openssl.cnf
Solution
OpenSSL requires a config file. Refer to step 3a) above to specify "-config c:\apache-conf-folder\openssl.cnf"

Problem
Syntax error on line 63 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
SSLSessionCache: Invalid argument: size has to be >= 8192 bytes
Note the errors or messages above, and press the <ESC> key to exit. 

Solution
The cause is the "(x86)" in the default installation path. SSLSessionCache takes the cache size from the text inside the first parentheses of the shmcb: path, so with C:/Program Files (x86)/... in the path it reads "x86" as the size. Point the cache (and the other paths in httpd-ssl.conf) at a path without parentheses, for example a directory junction c:\apache2.2 created with
mklink /J c:\apache2.2 "C:\Program Files (x86)\Apache Software Foundation\Apache2.2"
and update the configuration accordingly. A .lnk shortcut will not do; Apache needs a real path.

Friday, March 11, 2011

Splunk Credit Card Search

You can use this search to list credit card number patterns in tabular form. Visa numbers start with 4 and are 13 or 16 digits, AMEX numbers start with 34 or 37 and are 15 digits, MasterCard numbers start with 51 to 55 and are 16 digits. The \b boundaries stop a 16-digit run inside a longer number from being reported, and searching "*" across every index is expensive, so scope the search to an index or sourcetype where possible. A match is only a candidate: order ids and timestamps glued together produce false positives, which a Luhn check weeds out.
* | rex field=_raw "(?<Visa>\b4[0-9]{12}(?:[0-9]{3})?\b)" | rex field=_raw "(?<AMEX>\b3[47][0-9]{13}\b)" | rex field=_raw "(?<MasterCard>\b5[1-5][0-9]{14}\b)" | table Visa, AMEX, MasterCard

Splunk Credit Card Masking

Create or update $SPLUNK_HOME/etc/apps/search/local/props.conf (here /opt/splunk) with the following content. SEDCMD runs in the parsing pipeline, so the file has to be on whatever instance parses the data: the indexer, or a heavy forwarder in front of it. A universal forwarder does not parse events and will ignore it. Masking happens before the event is written to the index; the raw log on the source host still contains the number, which only a fix in the application removes.

[source::.../*server.log]
SEDCMD-ccard = s/(4[0-9]{12}(?:[0-9]{3})?|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}|3(?:0[0-5]|[68][0-9])[0-9]{11}|5[1-5][0-9]{14})/xxxx-xxxx-xxxx-xxxx/g

The ... in the source stanza matches server.log in any directory.
SEDCMD takes a sed-style substitution, s/regex/replacement/flags, and works much like Unix sed.
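The same card pattern as the SEDCMD above, run over a few constructed log lines, first as a finder with a Luhn check (the part the rex search above lacks) and then as the masking rule, as an added example that is not part of the original post or of Splunk. It needs only POSIX sh, grep -E and sed -E; the log lines and the test card numbers are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Splunk: the SEDCMD card pattern as a
# finder with a Luhn check and as a masker, over constructed log lines. Needs POSIX sh,
# grep -E and sed -E only.

# Same alternation as the Splunk SEDCMD, rewritten for POSIX ERE: no (?:...) groups, \d -> [0-9].
PAN_RE='(4[0-9]{12}([0-9]{3})?|3[47][0-9]{13}|6(011|5[0-9]{2})[0-9]{12}|(2131|1800|35[0-9]{3})[0-9]{11}|3(0[0-5]|[68][0-9])[0-9]{11}|5[1-5][0-9]{14})'

# Constructed sample of a server.log (not real data); line 3 carries a 16-digit id that
# looks like a Visa number but fails the Luhn check.
SAMPLE_LOG='2011-03-11 10:01:02 INFO  order=78 card=4111111111111111 status=OK
2011-03-11 10:01:05 INFO  order=79 card=378282246310005 status=OK
2011-03-11 10:01:09 WARN  order=80 ref=4111111111111112 status=DECLINED
2011-03-11 10:01:12 INFO  order=81 card=5555555555554444 status=OK'

# luhn_ok DIGITS: Luhn mod-10 check. Every real card number passes it; most random digit
# runs do not, so it removes the bulk of the false positives a bare regex produces.
luhn_ok() {
  n=$1; sum=0; dbl=0; i=${#n}
  while [ "$i" -gt 0 ]; do
    d=$(printf '%s' "$n" | cut -c"$i")
    if [ "$dbl" -eq 1 ]; then
      d=$((d * 2))
      if [ "$d" -gt 9 ]; then d=$((d - 9)); fi
    fi
    sum=$((sum + d)); dbl=$((1 - dbl)); i=$((i - 1))
  done
  [ $((sum % 10)) -eq 0 ]
}

# find_pans: stdin -> one Luhn-valid candidate per line (what the rex search should report).
find_pans() {
  grep -oE "$PAN_RE" | while IFS= read -r cand; do
    if luhn_ok "$cand"; then printf '%s\n' "$cand"; fi
  done
}

# mask_pans: stdin -> the same lines with every pattern match replaced, as SEDCMD-ccard does.
# No Luhn check here on purpose: at index time it is safer to over-mask than to store a PAN.
mask_pans() {
  sed -E "s/$PAN_RE/xxxx-xxxx-xxxx-xxxx/g"
}

# Run directly:  sh ccscan.sh /var/log/app/server.log
if [ -n "${1:-}" ]; then
  echo "Luhn-valid card numbers in $1:"; find_pans < "$1"
fi
```

Running the sample through find_pans reports the three valid numbers and drops the look-alike on the DECLINED line; mask_pans replaces all four, which is the behaviour wanted at index time.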

Thursday, March 10, 2011

IBM ILOG Team Server Setup on JBOSS EAP 5.1

1) Download the software from IBM passport advantage website
a) IBM WebSphere ILOG BRMS JRules V7.1.1 for UNIX Multilingual(CZLX6ML) - JRules_V711_CZLX6ML.bin
b) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1 for UNIX Multilingual(CZM2UML) - RTS_V711_CZM2UML.bin
c) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1.1 for UNIX Multilingual(CZUW0ML) - RTS_V7111_CZUW0ML.bin
d) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1 for Multiplatform Multilingual(CZLY1ML) - JRules_JBoss_V711_CZLY1ML.jar
e) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1.1 for Multiplatform Multilingual(CZUW8ML) - JRules_JBoss_V7111_CZUW8ML.jar

2) Install JDK on the server and make sure Java runtime is set.

3) Install the ILOG software in the above order (a through e) and select the default install options
./JRules_V711_CZLX6ML.bin
./RTS_V711_CZM2UML.bin
./RTS_V7111_CZUW0ML.bin
java -jar JRules_JBoss_V711_CZLY1ML.jar
java -jar JRules_JBoss_V7111_CZUW8ML.jar
Note: These installers can be run on any machine; only the EAR file needs to be copied to the target Team Server host.

4) Install JBOSS EAP 5.1 on the server. I slimmed JBOSS down to the bare minimum, with no admin or JMX console, and deleted all additional packages. Follow the IBM ILOG infocenter instructions on cleaning up the environment under the JBOSS section.
Some of the directories I deleted include
cd /opt/jboss-eap-5.1
rm -Rf mod_cluster picketlink resteasy seam
cd /opt/jboss-eap-5.1/jboss-as/server
rm -Rf production minimal all standard web


5) Create a local transaction data source (jdbc_ilogDataSource-ds.xml) with <jndi-name>jdbc/ilogDataSource</jndi-name>

6) Copy the jrules-teamserver-JBOSS5.ear from the teamserver directory to the deploy folder.
Expand the EAR file

7) If you have any custom groups to be added, append security roles to files
a) jrules-teamserver-JBOSS5.ear/META-INF/application.xml.
b) jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/web.xml
I have added two custom groups ilog-readonly and ilog-readwrite
  <security-role>
    <role-name>ilog-readonly</role-name>
  </security-role>
  <security-role>
    <role-name>ilog-readwrite</role-name>
  </security-role>

8) Add the following application security policy to jboss-eap-5.1/jboss-as/server/default/conf/login-config.xml
<application-policy name="jldap">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.provider.url">ldap://servername:389</module-option>
<module-option name="bindDN">CN=ldapbindid,OU=_Service Accounts,dc=something,dc=com</module-option>
<module-option name="bindCredential">ldapbindid-password</module-option>
<module-option name="baseCtxDN">DC=something,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=ILOG,OU=_SECURITY GROUPS,OU=something,DC=something,DC=COM</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="trace">true</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/ilog-users.properties</module-option>
<module-option name="rolesProperties">props/ilog-roles.properties</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>

bindCredential sits in clear text in login-config.xml, so keep the file readable only by the JBoss user and use a dedicated bind account that can read user and group entries and nothing else. With java.naming.security.authentication=simple over ldap:// on port 389, the bind password and every user's password cross the network in clear text; outside a lab use ldaps:// (636) or the directory's StartTLS support. allowEmptyPasswords=false matters with Active Directory: a bind with an empty password succeeds as an anonymous bind, which would otherwise log in any valid user name without a password.

9) Create these files under jboss-eap-5.1/jboss-as/server/default/conf/props directory
ilog-users.properties is left empty because LDAP does the authentication; with password-stacking=useFirstPass the UsersRolesLoginModule accepts the identity already authenticated by the LDAP module and only adds the roles from ilog-roles.properties.

ilog-roles.properties
user1=rtsUser,ilog-readonly
user2=rtsUser,ilog-readwrite
rtsAdmin=rtsAdministrator,rtsInstaller,ilog-readwrite
rtsConfig=rtsConfigManager,ilog-readwrite
ilogadminuser1=rtsAdministrator,rtsConfigManager,rtsInstaller,rtsUser

10) Update jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/jboss-web.xml to use the above application policy.
<jboss-web>
         <security-domain>java:/jaas/jldap</security-domain>
         <context-root>teamserver</context-root>
        <resource-ref>
                <res-ref-name>jdbc/ilogDataSource</res-ref-name>
                <jndi-name>java:/jdbc/ilogDataSource</jndi-name>
        </resource-ref>
</jboss-web>

11) Delete *jsf* JARs from jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

12) Place any Dynamic Domain jar under jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

13) Start the jboss ilog server

14) If login is slow or you see messages about IBM URLs in the logs, the server is trying to fetch XML schemas from publib.boulder.ibm.com at startup. On a host without outbound Internet access, point that name at loopback in /etc/hosts so the attempt fails immediately instead of waiting for a timeout:
127.0.0.1  publib.boulder.ibm.com

15) Access the team server
http://ip_addr:8080/teamserver
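The two searches LdapExtLoginModule performs for the "jldap" policy in step 8, done by hand with ldapsearch so the bind account, baseFilter and roleFilter can be checked before JBoss is involved, as an added example that is not part of the original post, of IBM's product or of JBoss. It assumes the OpenLDAP client tools (ldapsearch) and keeps the placeholder server name, DNs and account names from step 8; the bind password is read from a file named by BIND_PW_FILE rather than passed on the command line, where ps would show it. The LDIF sample at the top is constructed, so the parsing and escaping helpers can be exercised without a directory.

```shell
#!/bin/sh
# Added example, not from the original post, IBM or JBoss: the two LDAP searches the
# LdapExtLoginModule "jldap" policy runs, reproduced with ldapsearch so bindDN,
# baseFilter and roleFilter can be checked before JBoss is in the loop. Server, DNs and
# names are the placeholders from the post; the bind password comes from a file.
LDAP_URL='ldap://servername:389'
BIND_DN='CN=ldapbindid,OU=_Service Accounts,dc=something,dc=com'
BIND_PW_FILE="${BIND_PW_FILE:-$HOME/.ldapbind.pw}"
BASE_CTX_DN='DC=something,DC=com'
ROLES_CTX_DN='OU=ILOG,OU=_SECURITY GROUPS,OU=something,DC=something,DC=COM'

# Constructed ldapsearch output (not from a real directory) for the offline checks:
# a folded DN across two lines and a base64 ("::") value, both of which ldapsearch emits.
SAMPLE_USER_LDIF='dn: CN=user1,OU=People,DC=something,DC=com
sAMAccountName: user1
memberOf: CN=ilog-readonly,OU=ILOG,OU=_SECURITY GROUPS,OU=something,DC=something,DC=C
 OM
memberOf:: Q049bm9uLWFzY2lpLGRjPXNvbWV0aGluZyxkYz1jb20=
'

# ldap_escape STRING: RFC 4515 filter escaping, so a user name such as "a*(b)" cannot
# change the meaning of (sAMAccountName={0}) or (member={1}). Backslash goes first.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# ldif_attr ATTR: read LDIF on stdin, join folded continuation lines (ldapsearch wraps at
# 76 columns and group DNs are long), print every value of ATTR. Base64 values ("attr:: ...",
# used for non-ASCII DNs) are skipped rather than printed raw.
ldif_attr() {
  awk -v attr="$1" '
    function flush() {
      if (index(buf, attr ":") == 1 && substr(buf, length(attr) + 2, 1) != ":")
        print substr(buf, length(attr) + 3)
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END { flush() }
  '
}

# ldap_query BASE FILTER ATTR: one authenticated subtree search, the same bind the login
# module performs (searchScope=SUBTREE_SCOPE).
ldap_query() {
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$1" -s sub "$2" "$3"
}

# user_dn USERNAME: step 1 of the module, baseFilter under baseCtxDN -> the user's DN ({1}).
user_dn() {
  ldap_query "$BASE_CTX_DN" "(sAMAccountName=$(ldap_escape "$1"))" dn | ldif_attr dn
}

# user_roles USER_DN: step 2, roleFilter under rolesCtxDN -> cn of each matching group,
# which is the role name JBoss grants (roleNameAttributeID=cn).
user_roles() {
  ldap_query "$ROLES_CTX_DN" "(member=$(ldap_escape "$1"))" cn | ldif_attr cn
}

# Run directly:  BIND_PW_FILE=/etc/jboss/ldapbind.pw sh ldapcheck.sh user1
if [ -n "${1:-}" ]; then
  dn=$(user_dn "$1")
  if [ -z "$dn" ]; then echo "no user matched (sAMAccountName=$1)" >&2; exit 1; fi
  echo "dn: $dn"; echo "roles granted by jldap:"; user_roles "$dn"
fi
```

If user_roles prints nothing for a user who is in an ILOG group, the group lives outside rolesCtxDN or the bind account cannot read its member attribute; fix that before changing anything in login-config.xml. Roles from ilog-roles.properties are added on top of what this prints.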

Splunk - Purge Data

http://www.splunk.com/base/Documentation/4.1.7/Admin/RemovedatafromSplunk
- To purge all indexed data
1. Stop splunk
$SPLUNK_HOME/bin/splunk stop
2. Purge all data
$SPLUNK_HOME/bin/splunk clean eventdata -f
(The -f option skips the confirmation prompt.)
This deletes everything under $SPLUNK_HOME/var/lib/splunk/ and cannot be undone; take a backup first if the data might still be needed.
3. Start splunk
$SPLUNK_HOME/bin/splunk start

- If you want to purge a specific index, for example, "main" index
$SPLUNK_HOME/bin/splunk clean eventdata main -f
