LDAP all Hosts and are they Connected?

c_stossek — Wed, 09 Jun 2021 12:16:40 GMT

Hi,

I need a query that gives me the following:

All servers in my domain that have not connected to Splunk.

with someting like this:
where domain="*" AND Type="*" AND dNSHostName="SEWI*" | rex field=distinguishedName "CN=(?<hostname>[^\,]+).+"

Hope u can help me.

Thank you in advice,
Thomas

Re: LDAP all Hosts and are they Connected?

c_stossek — Wed, 09 Jun 2021 12:17:53 GMT

edit:
need to see if the Service is not running or the agent isnt even installed on Servers.

Re: LDAP all Hosts and are they Connected?

splunk219783 — Thu, 10 Jun 2021 13:03:25 GMT

Surprisingly when we had professional services out initially, this was a long and convoluted search.

Ours essentially works like this:

A scheduled search writes all ldap assets to a lookup table. Something like this:

| localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy" | rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)" | eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")) | eval priority=case( match(category, "domain_controller|exchange|citrix"), "critical", match(category, "server|disabled"), "high", match(category, "workstation|desktop|mobile|laptop"), "medium", match(category, "staging|test"), "low", 1==1, "unknown" ) | eval is_expected=if(priority=="high" OR priority=="critical", "true", "false") | eval nt_host=replace(sAMAccountName, "\$", "") | rename dNSHostName AS dns managedBy AS owner | eval val2lookup = coalesce(dns, nt_host) | lookup dnslookup clienthost as val2lookup output clientip as ip | fillnull value="unknown" category, priority, bunit | table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av | dedup nt_host | outputlookup ldap_assets

Another search then looks for all hosts in splunk and compares it to the lookup table above.

| tstats count where index=* OR index=_* NOT host=127.0.0.1 by host index | eval host=lower(host) | eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.".mydomain.com")) | append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host.".mydomain.com",1==1,dns)) | lookup dnslookup clientip as ip outputnew clienthost as dns | stats count by dns | fields - count | rename dns as host] | eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null()) | append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"] | stats values(*) as * by host | where isnull(in_host_list) OR isnull(in_splunk) | search in_host_list=true | eval splunk_data="No Data" | table host splunk_data

To me this is a pretty nasty solution to something that should be relatively simple. I've honestly never spent the time to try and fully understand these searches. They work for us, and they're a mess so i'll leave it be.

Re: LDAP all Hosts and are they Connected?

c_stossek — Fri, 11 Jun 2021 09:41:44 GMT

Hi,

Many thanks for the answer,

Unfortunately, the querys doesn't work for me:

Error in 'outputlookup' command: The lookup table 'ldap_assets' is invalid

Is it a Versionproblem? We use Splunk v. 7.3.1

Kind regars,
Thomas

topic Re: LDAP all Hosts and are they Connected? in Deployment Architecture

LDAP all Hosts and are they Connected?

Re: LDAP all Hosts and are they Connected?

Re: LDAP all Hosts and are they Connected?

Re: LDAP all Hosts and are they Connected?