I would like to get the IP address of my Windows universal forwarders.
[WinHostMon://NetworkAdapter] doesn't give an IP, just MAC address.
[WinNetMon://inbound] and [WinNetMon://outbound] give an IP address, but it is also very noisy.
Does the Splunk Add-on for Microsoft Windows have a way to poll the UF IP using an interval?
I'm looking for something similar to this, but the solution given won't work. I need to know the IP address list associated with each MAC address on my servers. For Unix, the interfaces type provides a nice table that works. Anything with this capability in Windows?
I think you could write and deploy a simple scripted input to just run "ipconfig /all" and index the results. May take some scripting to get it into a nicer format, but I honestly don't think this capability already exists in the Windows TA.
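One way to do the scripted-input approach described above without parsing `ipconfig /all` text, as an added example that is not from the thread or the Windows TA: the script uses the `NetAdapter` and `NetTCPIP` cmdlets (assumed present, i.e. Windows 8 / Server 2012 or later) and emits one key=value event per physical adapter with its MAC and address list, in a form the UF can index from a scripted or PowerShell modular input on whatever interval the inputs stanza gives it.

```powershell
# Emit one key=value event per physical network adapter: MAC plus the
# IPv4 and IPv6 unicast addresses bound to it. Intended to be launched
# by a Splunk scripted input on the universal forwarder (interval set in
# inputs.conf); the event format below is this example's own choice.
$hostName  = $env:COMPUTERNAME
$timestamp = (Get-Date).ToString("yyyy-MM-ddTHH:mm:sszzz")

Get-NetAdapter -Physical | ForEach-Object {
    $adapter = $_

    # All addresses currently bound to this interface index.
    $addrs = Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -ErrorAction SilentlyContinue

    # Comma-join so an adapter with several addresses still yields one event.
    $ipv4 = ($addrs | Where-Object AddressFamily -eq 'IPv4' | ForEach-Object { $_.IPAddress }) -join ','
    $ipv6 = ($addrs | Where-Object AddressFamily -eq 'IPv6' | ForEach-Object { $_.IPAddress }) -join ','

    # Normalise the MAC to lower-case colon form so it joins cleanly with
    # the MAC reported by WinHostMon://NetworkAdapter after the same normalisation.
    $mac = ($adapter.MacAddress -replace '-', ':').ToLower()

    "{0} host=`"{1}`" adapter=`"{2}`" mac={3} status={4} ipv4=`"{5}`" ipv6=`"{6}`"" -f `
        $timestamp, $hostName, $adapter.Name, $mac, $adapter.Status, $ipv4, $ipv6
}
```

Because each event carries both mac and the address fields, a search can join it to the WinHostMon adapter data on the MAC to get the per-server MAC-to-IP table the question asks for.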
I don't think the answer you are after is where you are looking. However, this information IS in Splunk:
index=_internal source=*metrics.log group=tcpin_connections | stats count(_time) AS checkins, latest(_time) AS last_checkin by sourceHost, sourceIp
Obviously, that's just a sample or example - I don't know the purpose you want to put it to or how you want to use it, so I just guessed at some small but reasonable search to show. Hopefully this will help you get started. Also, if you search for something like "splunk list forwarders" you'll get more answers, questions and blog entries on this topic.
Sorry, I think I distracted myself with the "app for windows" portion. 😞
There should be both in the events themselves. Check, for instance, src_ip. src_ip, src_domain and src_nt_host are all available, which tells you a lot.
Field names may vary - do the "show more fields" (because there's probably a LOT more available than are showing) and in there you can search for "ip" and it should tell you what fields are available for use.
Hmm, I'm not seeing src_ip and src_nt_host.
These are the inputs that I have enabled:
###### OS Logs ######
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

###### Host monitoring ######
[WinHostMon://NetworkAdapter]
disabled = 0

###### Network monitoring ######
[WinNetMon://inbound]
disabled = 0

[WinNetMon://outbound]
disabled = 0