

DOWNLOAD AND INSTALL TCPDUMP FULL
This TA enables a direct tcpdump input on a Linux system running Splunk Universal Forwarder.

Install TA-tcpdump on the UF and configure forwarding.

Method 1: run tcpdump as a scripted input
Copy default/nf to local/nf and enable the script input in local/nf.
Modify bin/tcpdump.path if needed (interface).
Check that the splunk user (by default "splunk") belongs to its own group: id splunk.
setcap cap_net_raw,cap_net_admin=ep /usr/sbin/tcpdump

Method 2: run tcpdump as a service and write output to a log
Copy default/nf to local/nf and enable the monitor input in local/nf.
Copy the provided service file to /etc/systemd/system and modify it (interface name, port) if needed.
Copy the provided tcpdump file to /etc/logrotate.d.

splunkd.log: ERROR ExecProcessor - message from "/usr/sbin/tcpdump -pnns0 -i eth0 -tttt port 53" tcpdump: eth0: No such device exists - check "ip a" output and change the interface name in nf.
splunkd.log: ERROR ExecProcessor - message from "/usr/sbin/tcpdump -pnns0 -i eth0 -tttt port 53" (SIOCGIFHWADDR: No such device) - check "ip a" output and change the interface name in nf.
splunkd.log: ERROR ExecProcessor - message from "/usr/sbin/tcpdump -pnns0 -i ens32 -tttt port 53" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode - not an error, but STDOUT from tcpdump, can be ignored.
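The following script is an added example and is not part of TA-tcpdump. It turns the setup steps of both methods (setcap on tcpdump, the splunk user's primary group, the capture interface) into checks that can be run before enabling the input, and it classifies the splunkd.log ExecProcessor messages listed above so the harmless tcpdump banner is separated from a real wrong-interface error. Assumptions: the interface is ens32, tcpdump is at /usr/sbin/tcpdump (as in the messages above), and the forwarder lives under /opt/splunkforwarder; the sample "ip -o link show" output and the log lines fed to the functions are constructed.

```shell
#!/bin/sh
# Added example, not part of TA-tcpdump: preflight checks for the steps above and a
# triage helper for the splunkd.log ExecProcessor messages. Assumptions: interface
# ens32, tcpdump at /usr/sbin/tcpdump, UF installed under /opt/splunkforwarder.

TCPDUMP_BIN=/usr/sbin/tcpdump
IFACE=${IFACE:-ens32}
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunkforwarder}

# Constructed sample of "ip -o link show" output, used for an offline self-check.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Classify one ExecProcessor message from splunkd.log; prints benign, bad-interface or other.
classify_execprocessor_msg() {
    case "$1" in
        *"verbose output suppressed"*) echo benign ;;        # tcpdump banner, safe to ignore
        *"No such device"*)            echo bad-interface ;; # wrong -i value, fix the interface name
        *)                             echo other ;;
    esac
}

# Succeed if one line of getcap output grants cap_net_raw and cap_net_admin as effective+permitted.
# Accepts both libcap formats: "path = caps+ep" and "path caps=ep".
caps_ok() {
    caps=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')
    case "$caps" in *cap_net_raw*)   ;; *) return 1 ;; esac
    case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$caps" in *[+=]ep)         return 0 ;; *) return 1 ;; esac
}

# Succeed if interface $1 appears in the "ip -o link show" output passed as $2.
iface_listed() {
    printf '%s\n' "$2" | awk -F': ' -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# Succeed if the "id" output in $1 shows user $2 with a primary group of the same name.
primary_group_is_own() {
    printf '%s\n' "$1" | grep -q "gid=[0-9]*($2)"
}

# Live mode runs the real commands; without --live the file only defines the functions.
if [ "${1:-}" = "--live" ]; then
    caps_ok "$(getcap "$TCPDUMP_BIN")" \
        || echo "missing: setcap cap_net_raw,cap_net_admin=ep $TCPDUMP_BIN"
    iface_listed "$IFACE" "$(ip -o link show)" \
        || echo "interface $IFACE not found; check \"ip a\" and fix the interface name"
    primary_group_is_own "$(id splunk)" splunk \
        || echo "splunk user's primary group is not splunk"
    grep 'ExecProcessor.*tcpdump' "$SPLUNK_HOME/var/log/splunk/splunkd.log" 2>/dev/null \
        | while IFS= read -r line; do
            echo "$(classify_execprocessor_msg "$line") | $line"
          done
fi
```

Run it as `sh check-tcpdump-input.sh --live` on the forwarder host (as root, since getcap and reading splunkd.log may need it); without the flag it only defines the functions, so each check can also be exercised against captured output from another machine. The log classifier deliberately matches only the message text, not the interface name, so it still flags an unknown interface after the name in the config has been changed.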
