Solved: How do you detect when a host stops sending logs t...

test_qweqwe · ‎11-13-2017

I created correlation search by this guide:
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/use-cases/detect-when-criti...

So, I tested it by lookup critical_systems where was working machines and machines that not sending logs near 2-3 days.
Was success trigger. But after a while the critical machine stopped sending logs - the correlation search did not work.

What can be problem?

gcusello · ‎11-14-2017

Hi test_qweqwe,
why you don't use a different search:

| metasearch index=your_index
| eval host=upper(host)
| stats count by host
| append [ | inputlookup critical_systems | eval host=upper(Host_name), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0

So hosts where Total>0 are OK hosts where Total=0 are missed.

Bye.
Giuseppe

View solution in original post

gcusello · ‎11-14-2017

Hi test_qweqwe,
why you don't use a different search:

| metasearch index=your_index
| eval host=upper(host)
| stats count by host
| append [ | inputlookup critical_systems | eval host=upper(Host_name), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0

So hosts where Total>0 are OK hosts where Total=0 are missed.

Bye.
Giuseppe

HiroshiSatoh · ‎11-13-2017

The fact that it was not detected means that the log was being sent.

How about adding conditions to target only the necessary logs?

ex.
| metadata type=hosts index=your_index

How do you detect when a host stops sending logs to Splunk?

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!