Splunk 7.1.0 and DMA acceleration backfill.

Splunk version 7.1.0 Datamodel backfill casue heavy load on indexer peers.

SPL-155560, SPL-155219

DMA accelerating too much data when acceleration.backfill_time unset, resulting in heavy indexer load.

Workaround:

acceleration.backfill_time needs to be set for all DMA searches in datamodels.conf. Otherwise the DMA will attempt to accelerate for "all time"

# list all apps using acceleration datamodel on your SH or deployment server (/etc/deployment-apps) run this:

grep --include="datamodels.conf" -R /opt/splunk/etc/apps/ -e "acceleration = true" -e "acceleration = 1"

Then create your changes in /local to prevent that it will be overwritten by upgrades. Also consider to lower the max concurrent from default 3 if your indexer is very busy. For every stanza with acceleration =1 create your config:

/local/datamodels.conf

[stanza]

acceleration.backfill_time = -5d

acceleration.max_concurrent = 2

How many days back you chose to backfill depends on your environments performance, but it can never be more than  “acceleration.earliest_time”

# verify datamodel

https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Acceleratedatamodels

At the SH under Settings – Data Model

List all apps and expand the the Data model that is active and check the status.

 

Splunk - Tips & trix

Search macro

In a query you often tend do refer to indexes like this "index=main sourcetype=syslog" and then you build this into a dashboard. When your creations grow and you need to change to another index this will be many places to edit your code.

Instead go to Settings > Advanced search > Search macro - edit/create your macro, place your index code there "index=main".

Now in your querys in any code refer to this macro instead like this:
`my_macro` sourcetype=syslog
Whenever you need to change index or add more index you only have this one place to edit the macro.

Blue Coat Proxy SG shortcuts

Under 'Statistics - Advanced' you'll find more then you need, here are a short sumary.

sysinfo & sysinfo-stat

https://proxy:8082/Diagnostics/Snapshot

# Sysinfo

https://proxy:8082/sysinfo

# Core Images

https://proxy:8082/CM/core_images

# Access Logs

https://proxy:8082/Accesslog/directory

Check Point Cli Commands

Cli commands

Some good cli commands that are useful, I always forget the syntax so it's good to have them in one place.

 

### Cluster XL Debug

# Expert

clish -c "show routed cluster-state detailed"

# clish

show routed cluster-state detailed

##### VPN

### VPN encryption domain overlap

vpn overlap_encdom > temp.txt

### list tunnels

vpn tu tlist -p peer_ip

##### FW

### proxy arp and active local.arp

fw ctl arp -n

### CCC (good script (dangerous))

curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

I WannaCry - Don't get ransomware

Backup process to avoid Ransomware.

This process will off course not protect me from getting my disk encrypted, but at least it will prevent my backups from also getting encrypted. I fear many people at home or at work don't have a good process to verify their data status and backup as well. 

How do I know If I got a ransomware on my NAS?
How do I prevent my backup from running if I got a ransomware?

For me I found myself a handy solution, my NAS rarely change a lot of files, most of them are static so a script that will check the number of changed files during the last 24h is sufficient.

The script will update Domoticz via json and set a Dummy Switch to 'Off' if there are too many files and also set a Dummy Alert with log. The Dummy Switch has a notification that will send me an email about the situation. The script will then bail out and no rsync between primary and secondary disk will occur.

The next day when the script starts again, by crontab, it will first check the status from Domoticz for the Dummy Switch, if that still is set to 'Off' no backup will occur and a new Log entry will be set for the utility Dummy Alert.

I then need to manually verify why I got more changed files than I expected on my NAS and then set my Dummy switch 'NAS_Backup_Script' to 'On' again.

Additional security to this script is to have a honeypot folder with documents of type that most ransomware will attack, and monitor any change in there, this method is a very good indication that you have some kind of intrusion in your network.

Other solutions could be if you got version based incremental backups to monitor the growth of the backup and have limits with alerts.


Find my process, and scripts at my GitHub

Check for malicious sites

Here is a good start by a collection with tools.

https://zeltser.com/lookup-malicious-websites/

Check Point Endpoint protection - SandBlast Agent

Check out the new features from Check Point with their new SandBlast Agent.

https://youtu.be/rXwCqrDcZJ4

https://www.checkpoint.com/products/endpoint-sandblast-agent/

Also take notice of that with the new firmware for the SMB series SandBlast is also available even on all embedded devices from the 700 to 1400 series.