December 24, 2013: 6:45 am: Splunk

You get a good bit of license usage trends when you install the Deployment Monitor and Splunk on Splunk applications. Or if you don\’t use those apps, data in the _internal index ages out over time and you lose your trends beyond approximately 30 days.

I prefer to setup my own index and collect the summarized usage data into it so I can keep it indefinitely and do easy graphs on the data in my daily admin dashboard. This is also handy on a Splunk instance where you do not have the CPU cores to spare for Deployment Monitor to be running a lot of scheduled searches. Such as your admin laptop instance.

Lastly, you may need this data over the long term so you can justify more Splunk license in your next budget as you get close to averaging at your license limit.


December 23, 2013: 7:00 am: Audio Production

Back in 2005 our podcasting group Friends in Tech made this wonderful adaptation of Christmas Carol. We retired the FiT site this year. So I wanted to share our 2005 Christmas special with you. I hope you enjoy it.The scary thing is that parts of it are still applicable to information technology today. [download link]

December 22, 2013: 9:26 am: Splunk

Getting Started

I am often asked how to start looking at Splunk when someone gets interested. This is the same thing I do for myself.

  1. Get the latest build of Splunk and install it on a machine you can test with. Usually this is your daily use laptop or desktop.
  2. Consider your license options. Splunk licensing is based on how much data per day you index into Splunk for searching. The free license will let you index up to 500MB per day. One thing many Splunk administrators do is to get a development license for their personal workstation. This will let you index up to 10GB per day and unlock all the enterprise features. This is great for prototyping and testing your parsing, apps etc on your workstation before moving it to your production system.
  3. Change your default admin password on Splunk once you login for the first time. The last thing you want is to be in a coffee shop and have someone poking into data you have indexed into Splunk that you might not want to share.
  4. Change the web interface to use https. Sure it is the default Splunk SSL certificate but it is better than no encryption at all. Just enable it under Settings->System Settings->General Settings

If you do not end up using a development license or your demo license runs out be sure to firewall Splunk from being accessed outside your local machine. Reference back to my someone in a coffee shop digging through your data comment.


August 10, 2013: 8:09 am: Data Security, Splunk

I was pointed at a great blog post on Hardening SSL Settings by Hyneck Schlawack to mitigate a number of attacks against SSL and then to evaluate it against the Qualys SSL Labs.

So I set out to figure out how much of the advice I could incorporate into Splunk SSL settings. I found that because Splunk uses CherryPy for the web server. That meant disabling server side SSL compression was problematic and I still have not solved that part. We need this to help mitigate the recently covered “Breach” and the old “Crime SSL” attack. Still I was able to adjust things to mitigate Beast and greatly improve the score given by the Qualys tool. Granted there are blog posts out there on setting up apache as the web front end and relaying traffic through to Splunk’s CherryPy. That would give us the controls we need. However, I like to write stuff up for now as Splunk vanilla doing it just with what is available in their install.

We will need to edit the web.conf file for Splunk. We can just take the recommended cipher list from Hyneck’s post. It addresses the Beast attack by eliminating CBC based ciphers from the available list to spunkWeb. We force SSLv3 only. And of course we have SSL enabled on the web interface.

One thing to note is that although we include the better newer ciphers in the list they will do nothing for us until openssl in Splunk is upgraded in a patch to support TLS 1.2. Right now it still only supports TLS 1.0. We put the list in and when the update covers it the newer ciphers should just start working.

Add the following stanza then bounce your Splunk service:

enableSplunkWebSSL = 1
supportSSLV3Only = true

March 6, 2013: 5:03 pm: Backup, General

I love the Magpi Magazine for Raspberry Pi owners. It has the feel of the old computer magazines from the 80s when I was a kid. In the last two issues there is a two part series on backing up your Raspberry Pi by Norman Dunbar. You can get the magazine for free though I encourage you to buy a subscription if you like it to support their efforts. You can start with the first part on page 12 of Issue #9 for Feb 2013. I will touch on the basics below but leave the details for Norman\’s articles.

In my case having just made the mount over to the transporter worked out great. Let\’s walk through the steps of making the image backup to the transporter folder. That will not only give you a backup but an offsite one too as the transporter syncs it off to another location.

Determine the device name of the sd card

First we need to get the device name of the sd memory card our Raspberry Pi is running on. Log into the Pi and run the following command.

sudo fdisk -l

Disk /dev/mmcblk0: 8010 MB, 8010072064 bytes

4 heads, 16 sectors/track, 244448 cylinders, total 15644672 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk identifier: 0×00016187

Device Boot Start End Blocks Id System

/dev/mmcblk0p1 8192 122879 57344 c W95 FAT32 (LBA)

/dev/mmcblk0p2 122880 15644671 7760896 83 Linux

We can see that the partitions on the card start with \”mmcblk0\” and that is the part we need.

Run the backup to our mounted transporter drive

The backup will take a while to write especiallly if you have an 8GB or more card. You will not get a progress indicator. You will know it is done when you see records output lines.

sudo dd if=/dev/mmcblk0 of=/home/pi/transporter/raspi/Rpi-Backup.img bs=2M

3819+1 records in

3819+1 records out

8010072064 bytes (8.0 GB) copied, 1054.02 s, 7.6 MB/s

Confirm the backup is over on the transporter

ls -lh /home/pi/transporter/raspi

total 7.5G

drwxrwxrwx 0 root root 0 Sep 26 00:06 Python

-rwxrwxrwx 0 root root 7.5G Mar 5 23:18 Rpi-Backup.img

That is all there is to it. You have an image backup of your active sd card running your Raspberry Pi.
Check out Norman\’s two part series on all the other neat tricks such as mounting the image to pull out files.

March 5, 2013: 9:41 pm: General

I wanted to mount some external storage on my Raspi. I had thought about a USB drive etc. Then it occurred to me I had a better solution.

I have a FileTransporter on the same network as my Raspi. Here is how I hooked it up.

Preparing the Transporter

First log into your Transporter admin site. And go to your transporters.

Choose the desired unit if you have more than one.
Choose Advanced on the right side and go into the SMF/CIFS section.

If SMB/CIFS is not enabled. Check that box to turn it on.
Then I chose to enable the \”second login\” option and name the user raspi.
I entered a reasonable password and that has the Transporter ready for the Raspi to connect.

Configuring the Raspi

Log into the Raspi.
Create a folder in your home directory:

mkdir transporter

Set the folder permissions:

chmod 777 transporter

We need to setup a credentials file:

sudo su -

While escalated to root:

vi smbcreds

Edit the file to be as follows, substituting in the password and username you setup as the second smb login on the raspi


Save the file and exit.
Exit again to return to the pi user account from root.

Next we need to edit fstab to mount the drive to the transporter folder:

sudo vi /etc/fstab

Add the following line to your fstab. You will need to substitute the ipaddress, Name of the transporter, username and password from the transporter.

//ipaddress/nameoftransporter /home/pi/transporter cifs auto,credentials=/root/smbcreds,iocharset=utf8,file_mode=0777,dir_mode=0777

Finishing up

Now just execute the command:

sudo mount -a

You should be able to change into the transporter directory and find all the folders you have existing on your transporter. From now on if you restart your raspi it will auto mount the transporter.

If you set your rapsi to write any files to one of those folders it will now be automatically distributed to all other transporters sharing that folder. If you have other remote raspis and they have access to a transporter you now wide large distributed storage across them. Maybe one pi grabs photos and another elsewhere displays them.


February 18, 2013: 6:30 am: General

I have been thinking for some time just how much my iPhone is the central processor of my digital life. In some ways my real world life too. I do not carry a personal laptop. In fact, despite being in information security I rarely carry around a work laptop. I tend to just leave it at home for when I need it. My iphone even serves as my car\’s central brain for user functions. Sure Apple Maps gets a bad rap but it works well for me. Bluetooth hands free for both Siri and Phone calls. I rarely even turn on my XMRadio in my car because I just stream content from my phone to my car audio system using my TuneLink bluetooth adapter.

Using just my iPhone I do 90% of what I need. I download podcasts and audiobooks on a daily basis. I check email, twitter with Tweetbot, etc all using my phone. It was a little difficult to manage at times due to power. Even with having two Mophie Air iPhone cases. I airplay content such as my audio books to an appleTV while gives plenty of volume for whole room audio via a TV. It could be inconvenient if I needed check a message, pause playback etc when the phone was on the charger. Now enter my Pebble watch. I put in a few minutes and cleaned up what types of notifications get sent to the Pebble. Now I can actually leave my iPhone plugged in on my Kensington Night Stand, with the iHandy Alarm Clock up and still stream my content and check messages all with the iPhone as the central management point.

It just amazes me to live in the future. I grew up with the Vic20 and Commodore64 and recall when modems went from acoustic couplers to plug in modular cables. Now, I even write full blog posts using my iPad with a bluetooth keyboard. Sometimes I even edit those posts via my iPhone prior to posting. Got to love it.

February 17, 2013: 1:11 pm: Review


I was excited to find my Pebble waiting for me this weekend. Reviews by other backers have generally been good. You can find several others listed below so I will not rehash all of the common details. Instead, I want to touch on a couple of issues specific to my experience.

I wore my Pebble to dinner on Friday night. The $spouse\’s comment was that it looked like something out of a cereal box due to the black plastic. My reply was: I was just as excited to get it as when digging the prize out of said cereal box. Granted, it is not formal wear like a Rolex. It does handle the things that I wanted it for. Viewing information and controlling music on my iPhone when walking to and from the office or working out. Even the black rubber band it comes with works best for my immediate needs. I won\’t mess it up with water or sweat.

Issues – Siri and Bluetooth

I have run into a couple of the reported issues. The Siri blocking issue frustrates me most. This occurs most of the time when the Pebble is active with my iPhone and I try and trigger Siri. You will see the bluetooth selector next to Siri\’s microphone icon. If the pebble is selected then it dead ends the audio and Siri cannot hear you. Sometimes you can select the iPhone to get Siri working again. Often it will flip back to the Pebble if you have lost Bluetooth connectivity. Such as leaving the watch on your desk and carrying your iPhone around the house.

I did find that I never have the Siri issue when I am in my car. My iPhone is set to automatically pair with my car handsfree system. The non phone audio of my iPhone also automatically associates with my TuneLink bluetooth adapter that goes to the line in of my car audio system. Siri functions every time normally without hooking into the Pebble by accident.

There is another issue I have noticed that no one else seems to have mentioned. If I open an app that consumes a lot of iPhone memory and other resources I think the iPhone is killing the Pebble app. It comes back when the Pebble communicates with the iPhone. That triggers the popup to request approval for allowing the Pebble to talk to the phone again. This is something I hope Pebble can fix in a software update to better hook approved status and not keep prompting going forward.

Issues – Notifications

I have had a mixed experience on notifications. I had some sporadic issues with even normal notifications working such as iMessages. A reboot of my iPhone seemed to clear that up.

Email notifications gave me a brief headache. I did not want every single email showing up on my Pebble. So I killed display in lock screen on the main settings for my two primary mail accounts in the iPhone. However I left it active on my VIP list which is supposed to override the settings. I had hoped this would mean that I only saw email on the Pebble from that list of people. Unfortunately that temporarily broke email notifications.

I did a run through to reset all notification styles and got it working again. Then moved it back to VIP list only and that seems to have cleared it up for me. I am now just seeing email notifications on my Pebble from those on my VIP list.

I strongly suspect the reset notification hook dance has a tie to the Bluetooth reconnection after the iPhone and Pebble gets back into range of each other.

Update 2/17/13 7PM I have found I definitely have to do the trick of changing notification type to none and back to the desired type like banner after I have gotten the pop up requesting permission to give the Pebble permission to connect to my phone. It is consistent.

Summary Opinion

I love the watch so far despite the odd bluetooth and Siri issues. I think it will fit the need exactly as I intended. Future software updates should keep the experience improving. It is not going to be a purchase for everyone for a while yet. But perfect for my walking and exercising needs. One other scenario I look forward to with the Pebble. I listen to a lot of audio books. Now I can leave my iPhone plugged in and charging on the night stand with airplay of my books to speakers. I get to see important messages and pause the book if needed all without having to take the phone from it\’s charger.


« Previous PageNext Page »