Alerting

How to pull a file from the host that triggered an alert

batuhankutluca
Explorer

I've been searching for a way to pull a file from a host with the Splunk universal forwarder installed, but couldn't find anything useful.

What I need is this: after my specific alert is triggered, I need to pull a file from the host that triggered the alarm.

I've created one or two custom alert actions, so I'm somewhat familiar with that side of things.
Maybe running some Python code on the host could help me upload that file to my server, but I'm not sure about that.

Is there anything else that could help me with this problem?
Thanks in advance.

0 Karma

batuhankutluca
Explorer

Still looking for a way.

0 Karma

gcusello
Esteemed Legend

Hi @batuhankutluca,
have you already tried executing a script that pulls the file from the host when the alert is fired?

Ciao.
Giuseppe

0 Karma

batuhankutluca
Explorer

Hi @gcusello

Actually, I didn't try to do that because I don't know how to do it. Maybe setting up an FTP listener on my deployment server and running Python code that connects to my server via FTP would work. Just a thought, though; I don't even know if it is reasonable or not.

0 Karma

gcusello
Esteemed Legend

Hi @batuhankutluca,
to my knowledge (I'm not an expert in scripting!) the only way is to execute a script that accesses the remote server and copies the file: I don't like this solution because it's a hole in security!

A workaround: if the file to pull is a text file, you could index it in Splunk and put it in a separate index, possibly with a low retention (so as not to use too much storage), so that you have it when an alert is fired.

Ciao.
Giuseppe

0 Karma
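The two approaches discussed above (the original poster's custom alert action and Giuseppe's "execute a script that accesses the remote host and copies the file") both come down to the same skeleton, shown here as an added example that is not code from the thread or from Splunk. Splunk invokes a custom alert action as `python <script> --execute` and writes a JSON payload to stdin; the fields of the triggering event sit under `result`, so `result.host` identifies the machine. The security point Giuseppe raises is real, and the example makes it concrete: the host name comes from indexed event data, which an attacker can often influence, so it must be validated before it is used to build any command, and the file to fetch must come from a fixed allow-list rather than from the payload. The retrieval mechanism (scp under a dedicated low-privilege account, ideally with a forced-command SSH key), the account name, the drop directory and the file paths are all assumptions for illustration.

```python
"""Skeleton of a Splunk custom alert action that fetches a file from the alerting host.

Added example, not from the original thread or from Splunk's own code.
Splunk runs the script as `python <script> --execute` and writes a JSON
payload to stdin; the triggering event's fields are under payload["result"].
Everything in that payload originates from log data, so the host name is
validated before it is used to build a command.  scp, the collector account,
the drop directory and the file paths are assumptions for illustration.
"""
import json
import re
import subprocess
import sys

# Host name per RFC 1123 labels: letters, digits, hyphens; dot-separated;
# no label may start or end with a hyphen; 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)

# Only these files may be fetched; a path taken from the alert payload is
# never used directly.  Hypothetical paths.
FETCHABLE_FILES = {
    "auth_log": "/var/log/auth.log",
    "sudoers": "/etc/sudoers",
}

# Hypothetical low-privilege account on the monitored hosts and the
# destination directory on the Splunk server.
COLLECTOR_USER = "splunk-collector"
LOCAL_DROP_DIR = "/opt/splunk/var/collected"


def parse_payload(raw):
    """Parse the alert-action JSON payload and return (host, sid, search_name)."""
    payload = json.loads(raw)
    result = payload.get("result", {})
    host = result.get("host")
    if not host:
        raise ValueError("payload has no result.host field")
    return host, payload.get("sid", ""), payload.get("search_name", "")


def validate_hostname(host):
    """Reject anything that is not a plain DNS host name.

    Alert fields are attacker-influenceable (they come from indexed events),
    so '$(...)', ';', spaces, '@' or a leading '-' (which scp would read as
    an option) are all refused.
    """
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("refusing suspicious host value: %r" % host)
    return host


def build_scp_command(host, file_key, sid):
    """Build the argv list for scp; no shell is involved, so no quoting games."""
    remote_path = FETCHABLE_FILES[file_key]  # KeyError if not allow-listed
    local_name = "%s_%s_%s" % (sid or "nosid", validate_hostname(host), file_key)
    local_name = re.sub(r"[^A-Za-z0-9._-]", "_", local_name)  # safe file name
    return [
        "scp",
        "-o", "BatchMode=yes",              # never prompt for a password
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown host keys
        "--",                               # end of options, belt and braces
        "%s@%s:%s" % (COLLECTOR_USER, host, remote_path),
        "%s/%s" % (LOCAL_DROP_DIR, local_name),
    ]


def run_alert_action(raw_payload, file_key="auth_log", runner=subprocess.run):
    """Entry point: parse, validate, fetch.  Returns the argv that was run."""
    host, sid, _search_name = parse_payload(raw_payload)
    argv = build_scp_command(host, file_key, sid)
    runner(argv, check=True, timeout=60)
    return argv


# Constructed sample payload in the shape Splunk hands to --execute.
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__RMD5abc_at_1700000000_1",
    "search_name": "Suspicious sudo usage",
    "result": {"host": "web-01.example.internal", "user": "mallory", "count": "7"},
})

if __name__ == "__main__":
    if "--execute" in sys.argv:
        run_alert_action(sys.stdin.read())
    else:
        # Dry run: print the command that would run, without contacting any host.
        print(" ".join(run_alert_action(SAMPLE_PAYLOAD, runner=lambda *a, **k: None)))
```

Run without `--execute` to see the scp command built from the constructed payload; installed as an alert action, the script reads the real payload from stdin. Note the three defensive choices: the host is matched against a strict host-name pattern, the remote file is selected by key from an allow-list, and scp is called with an argv list rather than through a shell, so a hostile value in an event field cannot turn into an extra command or an extra option.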

batuhankutluca
Explorer

Hi @gcusello,
Thanks for your answer. It may be a txt file, but not for all events. I was looking for a Splunk feature to do that, but I guess there isn't one. I mean, since we can run scripts on the host via the forwarder, I thought we could do more, like fetching a file instead of monitoring it. As you mentioned, it would be a security problem for an enterprise 🙂

0 Karma