We're running the asset discovery app on a Linux indexer, and it returns data just fine for hosts, but for some reason nothing is showing up in the OS signatures field. I ran $SPLUNK_HOME/etc/apps/asset_discovery/bin/nmap.sh -A -O just as in the scripted input, and it returns just fine, greppable output and all. Takes fifteen minutes to run in a /24 network which is somewhat worrying and maybe the proximate cause of failure on the Splunk side. Thoughts?
Any thoughts?
Relevant field extractions can be found (roughly) here: http://localhost:8000/en-US/manager/launcher/data/props/extractions?ns=asset_discovery&pwnr=-&search...
Do we know which job contains the field extraction for this, e.g., the file that needs to get fixed?
If you look at the raw scan results in splunk and they contain proper OS signatures, then the field extraction isn't catching it. You can modify the extraction in that case. If the raw results don't contain signatures it's an issue with nmap itself.
It has to be running as root: when I tried to run nmap.sh as splunk user the output was: "./nmap.sh: line 96: ifconfig: command not found" and I know it's working better than that. I should have mentioned having set the setuid bit on nmap but apparently that was not needed.
Here's an example output from running ./nmap.sh -A -O as root:
Host: 192.168.1.32 (hostname.example.com) Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/, 515/open/tcp//printer//Microsoft lpd/, 1025/open/tcp//msrpc//Microsoft Windows RPC/, 3389/open/tcp//microsoft-rdp//Microsoft Terminal Service/, 8080/open/tcp//http-proxy?/// OS: Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server Seq Index: 9999999 IPID Seq: Incremental
That's accurate to the given host. It looks like it's returning good data.
What user is the scan running as?
What does the raw data look like? Is the OS string included? A single result should look something like this sample (notice the "OS: Linux ..." portion at the end).
Host: 192.168.1.2 () Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 443/open/tcp//ssl|http//Apache httpd/, 8089/open/tcp//ssl|http//Splunkd httpd/, 9001/open/tcp//vnc//VNC (protocol 3.8)/, 9002/open/tcp//vnc//VNC (protocol 3.8)/ Ignored State: closed (993) OS: Linux 2.6.17 - 2.6.31 Seq Index: 205 IP ID Seq: All zeros
Finally, nmap isn't always successful in matching a fingerprint to the OS. In those cases, please consult nmap.org: http://nmap.org/book/osdetect-unidentified.html#osdetect-contrib
Regarding the scan time, 15 minutes for a subnet sounds fairly reasonable to me. The scan time will really depend on the characteristics of the network itself -- how many hosts are online, for instance. Fortunately, with this app you can distribute scanners out to multiple subnets and scan many subnets in roughly that same amount of time.
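To make the "raw results contain the OS string, but the extraction isn't catching it" diagnosis concrete, here is an added example parser for nmap's greppable (-oG) host lines, written for this thread and not taken from the asset_discovery app. The two regexes for the OS field are hypothetical, not the app's own props.conf extraction; the sample lines are constructed to mirror the two posted above, plus a host for which nmap produced no fingerprint match. It shows why a pattern that stops at the first space or "|" would leave the OS field empty for strings like "Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server", while anchoring on the "Seq Index:" field that follows captures the whole string.

```python
import re

# Constructed sample lines in nmap greppable (-oG) format, modelled on the two
# results posted in this thread; they are not captured from a real scan.
SAMPLE_LINES = [
    "Host: 192.168.1.32 (hostname.example.com) Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/ "
    "OS: Microsoft Windows 98SE + IE5.5sp1|Microsoft Windows XP SP2 or 2003 Server "
    "Seq Index: 9999999 IPID Seq: Incremental",
    "Host: 192.168.1.2 () Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, "
    "8089/open/tcp//ssl|http//Splunkd httpd/ Ignored State: closed (993) "
    "OS: Linux 2.6.17 - 2.6.31 Seq Index: 205 IP ID Seq: All zeros",
    # Host where nmap could not match a fingerprint: no "OS:" section at all.
    "Host: 192.168.1.7 () Ports: 80/open/tcp//http//nginx/ Ignored State: closed (999) "
    "Seq Index: 42 IP ID Seq: Incremental",
]

# Hypothetical extraction patterns (assumptions for this example, not the app's props.conf).
# The naive pattern stops at the first space or "|", both of which occur inside OS strings.
NAIVE_OS_RE = re.compile(r"OS: (?P<os>[^\s|]+)")
# Anchoring on the "Seq Index:" field that always follows the OS string captures it whole.
OS_RE = re.compile(r"OS: (?P<os>.+?) Seq Index:")
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<hostname>[^)]*)\)")
# -oG port entries: port/state/proto/owner/service/rpcinfo/version/ (owner and rpcinfo empty here)
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)//(?P<service>[^/]*)//(?P<version>[^/]*)/"
)


def extract_os(line, pattern=OS_RE):
    """Return the OS string a given extraction pattern would produce, or None."""
    m = pattern.search(line)
    return m.group("os") if m else None


def parse_greppable_line(line):
    """Parse one -oG host line into a dict; 'os' is None when nmap gave no match."""
    m = HOST_RE.match(line)
    if not m:
        return None
    record = {"ip": m.group("ip"), "hostname": m.group("hostname") or None}
    record["ports"] = [
        {
            "port": int(p.group("port")),
            "state": p.group("state"),
            "proto": p.group("proto"),
            "service": p.group("service"),
            "version": p.group("version"),
        }
        for p in PORT_RE.finditer(line)
    ]
    record["os"] = extract_os(line, OS_RE)
    return record


def parse_all(lines):
    """Parse every host line, skipping anything that is not a 'Host:' record."""
    return [r for r in (parse_greppable_line(l) for l in lines) if r]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec["ip"], "|", rec["os"] or "<no fingerprint match>", "|", len(rec["ports"]), "ports")
    # Side-by-side view of what the two extraction patterns would put in the OS field.
    for line in SAMPLE_LINES:
        print("naive:", extract_os(line, NAIVE_OS_RE), "anchored:", extract_os(line, OS_RE))
```

Running the block prints the parsed hosts and, for each sample, the value each pattern would extract. A host with no "OS:" section (the third sample) is the nmap-side case from the unidentified-fingerprint link above, and a parser should report it as missing rather than failing on the whole line.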
Hi MW,
I see that Asset Discovery on my Splunk is scanning only the hosts on the same subnet where the Splunk server is.
Do I have to make any configuration?
Thanks