topic Re: How do you build a search that gets a list of forwarders using SSL with successful connections? in Security

How do you build a search that gets a list of forwarders using SSL with successful connections?

guheal — Sun, 25 Nov 2018 20:48:32 GMT

Can you help me make a search/query so I can get a list of forwarders using SSL with successful connections?

Re: How do you build a search that gets a list of forwarders using SSL with successful connections?

inventsekar — Mon, 26 Nov 2018 07:01:27 GMT

This works fine on my Splunk 7.0.3
index=_internal source=*metrics.log group=tcpin_connections ssl=true

To have the forwarder and the connect time as a table -
index=_internal source=*metrics.log group=tcpin_connections ssl=true | table sourceHost _time

Re: How do you build a search that gets a list of forwarders using SSL with successful connections?

mstjohn_splunk — Mon, 26 Nov 2018 21:29:16 GMT

Hi @guheal,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: How do you build a search that gets a list of forwarders using SSL with successful connections?

zrxcrasher — Wed, 30 Sep 2020 02:29:44 GMT

I am working on the following which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, ForwarderType, Version, lastIndexer communicated with, etc.

index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname