FAQ » History » Version 7
Luke Murphey, 09/19/2018 09:29 PM
| 1 | 1 | Luke Murphey | h1. FAQ |
|---|---|---|---|
| 2 | 1 | Luke Murphey | |
| 3 | 1 | Luke Murphey | h2. How do I audit changes to the lookup files? |
| 4 | 1 | Luke Murphey | |
| 5 | 1 | Luke Murphey | The lookup editor keeps a log that is indexed into the _internal index. You can view that logs like this: |
| 6 | 1 | Luke Murphey | |
| 7 | 1 | Luke Murphey | <pre> |
| 8 | 1 | Luke Murphey | index=_internal "Lookup edited successfully" | table _time user namespace lookup_file |
| 9 | 1 | Luke Murphey | </pre> |
| 10 | 2 | Luke Murphey | |
| 11 | 2 | Luke Murphey | h2. My lookup file cannot be opened, why not? |
| 12 | 2 | Luke Murphey | |
| 13 | 2 | Luke Murphey | Look into the logs to see if there is a reason given why the files are not loading: |
| 14 | 2 | Luke Murphey | |
| 15 | 2 | Luke Murphey | <pre> |
| 16 | 2 | Luke Murphey | index=_internal source=*lookup_editor_controller.log |
| 17 | 2 | Luke Murphey | </pre> |
| 18 | 3 | Luke Murphey | |
| 19 | 7 | Luke Murphey | h2. What do I need to know about running the app on Search Head Cluster? |
| 20 | 7 | Luke Murphey | |
| 21 | 7 | Luke Murphey | Here are several things to keep in mind: |
| 22 | 7 | Luke Murphey | |
| 23 | 7 | Luke Murphey | # Backup lookup files will not replicate unless you specifically enable it |
| 24 | 7 | Luke Murphey | # CSV and KV store lookups will be replicated automatically by default |
| 25 | 7 | Luke Murphey | # Make doubly sure that the app has properly been distributed to all of the search heads before going too far down troubleshooting issues with the app. I have seen several cases where issues had been caused the app not being distributed correctly yet. |
| 26 | 7 | Luke Murphey | # Make sure the web-browsers are not caching old versions of the app. |
| 27 | 7 | Luke Murphey | |
| 28 | 3 | Luke Murphey | h2. How do I enable replicating of the lookup file backups to other search heads when using a Search Head Cluster? |
| 29 | 3 | Luke Murphey | |
| 30 | 3 | Luke Murphey | You can enable replication of the lookup backups by using the REST replay feature. To enable this, add the following in restmap.conf (in $SPLUNK_HOME/etc/shcluster/lookup_editor/default/restmap.conf): |
| 31 | 3 | Luke Murphey | |
| 32 | 3 | Luke Murphey | <pre> |
| 33 | 3 | Luke Murphey | [global] |
| 34 | 3 | Luke Murphey | allowRestReplay = true |
| 35 | 3 | Luke Murphey | </pre> |
| 36 | 3 | Luke Murphey | |
| 37 | 3 | Luke Murphey | This will work on Splunk 6 from (6.3+) and on Splunk 7.1+. +*However, do not enable*+ this on Splunk 7.0 (7.0 to 7.0.3) because there is a bug in Splunk 7.0 that causes REST replay to crash splunkd. |
| 38 | 4 | Luke Murphey | |
| 39 | 6 | Luke Murphey | h2. What does the lookup editor app do to prevent security issues (such as directory traversal attacks, cross site scripting)? |
| 40 | 4 | Luke Murphey | |
| 41 | 4 | Luke Murphey | Directory traversal attacks are prevented by stripping path information from the lookup names. The app also relies on asking Splunk for the canonical path of the lookup file and thus doesn't assume that the user's input is valid. See https://lukemurphey.net/projects/splunk-lookup-editor/repository/entry/trunk/src/bin/lookup_editor/__init__.py#L185 |
| 42 | 4 | Luke Murphey | |
| 43 | 4 | Luke Murphey | XSS attacks are specifically tested for too. See the test-case here: https://github.com/LukeMurphey/splunk-lookup-test/tree/master/test/Katalon%20Test%20Cases/Lookup%20Editor/Test%20Cases/Lookup%20Edit |
| 44 | 4 | Luke Murphey | |
| 45 | 6 | Luke Murphey | The app uses Splunk's APIs to edit the lookup files. Splunk sets the file permissions to read & write to the owning user and allows no other access (equivalent to "chmod 600"). The app keeps copies of lookup files (for CSV lookups) which it writes out directly. These are also written with the same permissions (equivalent to "chmod 600"). These files are never written to again. |