Alerting

Is there a way to create a baseline of installed applications and alert if one is removed or a new application is installed?

skparkj
New Member

Is there a way to create a baseline of installed applications and have Splunk trigger a warning/alert to notify others that a baseline application was removed or an application not within the baseline was installed? Thanks!

0 Karma

lguinn2
Legend

There is nothing built-in that will do this easily. However, you could write a scripted input that simply does a directory listing of $SPLUNK_HOME/etc/apps and indexes that listing. Then you could write a search that looks for changes between events.

Details:

Scripted input example (listdir.sh)

#!/bin/sh
# Script to generate a directory listing    
ls -l $SPLUNK_HOME/etc/apps

inputs.conf (collects the listing approximately every 10 minutes)

[../bin/listdir.sh]
index=tracking
sourcetype=listdir
interval = 600

props.conf

[listdir]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))

Also, remember to create the index named tracking - you can easily do that via the Splunk GUI. Once all of this is set up, you can easily set an alert based on a scheduled search to run every 10 minutes (hopefully between the run times of the script). Here is what the search would look like:

index=tracking earliest=-10m | head 2 
| stats earliest(_raw) as previousList latest(_raw) as latestList 
| where previousList!=latestList

The alert trigger should be "number of results > zero."

Now you have set up so that you will be alerted within 10 minutes of any change to the Splunk apps directory - this could be as simple as an app was updated, or that an app was added or removed. You can use this trick to monitor any directory, not just the Splunk apps directory. And of course you could do more sophisticated tracking.

0 Karma

skparkj
New Member

Hi Iguinn,

Thanks for the thorough reply. When I asked about Baseline of Applications, I shouldve specified that I meant applications/software installed on our endpoints i.e. skype, vpn, etc. We want to create create a baseline of apps that should be installed and send a warning when the baseline does not match with the endpoint's current configuration.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...