topic Re: Protect Splunk Forwarder from deleting in Installation

Protect Splunk Forwarder from deleting

Chiko — Fri, 27 Aug 2021 05:54:31 GMT

Hi all,

We use Splunk and Splunk Forwarder for our project. Splunk is installed on EC2 and Forwarder is part of our installation package. So when clients install our app, it's installed with Splunk Forwarder.

So, our question how can we protect Splunk Forwarder from uninstalling by user in this case? For our app, we use uninstall password, a user needs to enter password for removing it.

Or, maybe does exist someway to say to a user, this Splunk Forwarder is a part of our app, when he will try to remove it?

Or, maybe in our situation we need to use an another way for forwarding logs to Splunk (w/o Splunk Forwarder)?

Re: Protect Splunk Forwarder from deleting

gcusello — Fri, 27 Aug 2021 07:20:03 GMT

Hi @Chiko,

no, sorry, it's not possible to block the unistall of Universal Forwarder for a machine administrator.

The only way is to limit the rights of your users.

You can only be informed when this happens putting an alert on your Splunk.

Ciao.

Giuseppe

Re: Protect Splunk Forwarder from deleting

Chiko — Fri, 27 Aug 2021 10:14:59 GMT

Hi @gcusello ,

Thanks for your answer.

What about custom logs forwarding? Is it possible? Does exist some recommended way?

Because if our app forwards logs to Splunk, it will be protected from uninstall.

Re: Protect Splunk Forwarder from deleting

gcusello — Fri, 27 Aug 2021 10:31:03 GMT

Hi @Chiko,

you can be informed that the Forwarder is unactive in this way:

create a lookup containing all the systems to monitor (called e.g. perimeter.csv) with only one field (e.g. host)

then you can run a simple search on Splunk:

In this way you have noticed that there's some Forwarder that isn't sending logs.

I hint to use this control on all the systems of your infrastructure to monitor them and to be sure that they are sending, otherwise Splunk is blind!

Ciao.

Giuseppe

Re: Protect Splunk Forwarder from deleting

Chiko — Fri, 27 Aug 2021 12:58:45 GMT

@gcusello Thanks for the detailed answer.

But what about custom forwarding? Let's say in my code I'll send logs to Splunk instead of Splunk Forwarder. Is it not recommended? So, in this way my app won't depend on Splunk Forwarder, if user removes it from his computer

Re: Protect Splunk Forwarder from deleting

gcusello — Fri, 27 Aug 2021 13:06:41 GMT

Hi @Chiko,

please, better describe what you mean with custom forwarding:

are you sleaking of forwarding custom logs using the Universal Forwarding,
or you're meaning to find an alternative way to send logs to Splunk from a windows system?

If the first, you can send all kind of logs from a Univerasal Forwarder to Splunk, also custom logs.

If the second, to take logs from a Windows system, you could use WMI, but I use this method only as the last choice because it requires a Domain administrative account and it isn't a security good idea.

In addition Forwarder gives many feature very useful: local chaching in case of network or server fault, compression, bandwdth optimization, etc...

Ciao.

Giuseppe

Re: Protect Splunk Forwarder from deleting

Chiko — Fri, 27 Aug 2021 13:22:19 GMT

@gcusello Thanks a lot. Your answers are very helpful for me