topic Re: How To Determine When a Host Stops Sending particular type of Logs to Splunk in Splunk Search

How To Determine When a Host Stops Sending particular type of Logs to Splunk

AL3Z — Fri, 17 Nov 2023 02:00:48 GMT

Hi all,

I have facing an issue where exactly we can troubleshoot when a Host Stops Sending cmd Logs to Splunk.

Thanks

Re: How To Determine When a Host Stops Sending particular type of Logs to Splunk

bowesmana — Fri, 17 Nov 2023 02:58:47 GMT

Do a search in this community and you will find many many examples of the same question being answered.

Re: How To Determine When a Host Stops Sending particular type of Logs to Splunk

gcusello — Fri, 17 Nov 2023 06:21:03 GMT

Hi @AL3Z ,

as @bowesmana said, this is a very frequesnt question in this Community and you'll find many resolutive answers to it (also from me and him!) that analyzed many different situations and Use Cases.

Anyway, in few words, you have to create a lookup (called e.g. perimeter.csv), with at list one column (host) and containing the list of hosts to monitor and then run a search like the following:

Ciao.

Giuseppe

Re: How To Determine When a Host Stops Sending particular type of Logs to Splunk

AL3Z — Fri, 17 Nov 2023 07:47:58 GMT

@gcusello Hi,

I'd like to investigate which hosts aren't forwarding the specific events with the ParentProcessName="C:\Windows\System32\cmd.exe" to Splunk. How can we troubleshoot if a host isn't sending its logs to Splunk?

Thanks

Re: How To Determine When a Host Stops Sending particular type of Logs to Splunk

gcusello — Fri, 17 Nov 2023 07:52:32 GMT

Hi @AL3Z,

in this case you cannot use tstats but the norma search, anyway the logic is the same:

Ciao.

Giuseppe