Alerting

How to pull a file from a host that triggered an alert

Explorer

I've been searching for a way to pull a file from a host with the Splunk universal forwarder installed, but couldn't find anything useful.

What I need is: after my specific alert is triggered, I need to pull a file from the host that triggered the alarm.

I created 1-2 custom alert actions, so I'm basically familiar with that stuff.
Maybe running some Python code on the host could help me upload that file to my server, but I'm not sure about that.

Is there anything else that could help me with this problem?
Thanks in advance.

0 Karma

Explorer

Still looking for a way.

0 Karma

Legend

Hi @batuhankutluca,
did you already try to execute a script that pulls the file from the host when the alert is fired?

Ciao.
Giuseppe

0 Karma

Explorer

Hi @gcusello

Actually I didn't try to do that because I don't know how to do it. Maybe setting up an FTP listener on my deployment server and running a Python script that connects to my server via FTP would work. Just a thought though, I don't even know if it is reasonable or not.

0 Karma

Legend

Hi @batuhankutluca,
to my knowledge (I'm not an expert in scripting!) the only way is to execute a script that accesses the remote server and copies the file: I don't like this solution because it's a breach of security!

A workaround: if the file to pull is a text file, you could index it in Splunk and put it in a separate index, possibly with a low retention (so as not to use too much storage), so you have it when an alert is fired.

Ciao.
Giuseppe

0 Karma
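The workaround above (index the file into its own low-retention index instead of pulling it from the host), as an added configuration example that is not part of the thread; the file path, index name and retention values are assumptions:

```ini
# inputs.conf -- on the universal forwarder (push it from the deployment server).
# Assumed: the file of interest is /var/log/myapp/app.log and the dedicated
# index is named "app_artifacts".
[monitor:///var/log/myapp/app.log]
index = app_artifacts
sourcetype = myapp:log
disabled = 0

# indexes.conf -- on the indexer(s).
[app_artifacts]
homePath   = $SPLUNK_DB/app_artifacts/db
coldPath   = $SPLUNK_DB/app_artifacts/colddb
thawedPath = $SPLUNK_DB/app_artifacts/thaweddb
# Low retention so the copy does not eat storage: buckets are frozen
# (deleted, since no coldToFrozenDir is set) after 7 days or once the
# index exceeds 2 GB, whichever comes first.
frozenTimePeriodInSecs = 604800
maxTotalDataSizeMB = 2048

# When the alert fires, the file content is already searchable, e.g.:
#   index=app_artifacts host=<host from the alert result>
# No script has to log in to the forwarder host, which is the security
# concern raised above.
```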

Explorer

Hi @gcusello,
Thanks for your answer. It may be a txt file, but not for all events. I was looking for a Splunk feature to do that, but I guess there isn't one. I mean, since we can run scripts on the host via the forwarder, I thought we could do more, like fetching a file instead of monitoring it. As you mentioned, it would be a security problem for an enterprise 🙂

0 Karma