
How do I use Splunk for NERC baseline compliance?

huangc
New Member

Hi!

I am trying to leverage Splunk for NERC Compliance, but more than just logging. I want to get baseline configuration which captures OS, Patches, Software, and Port and Services.

My idea was to have the system generate the information and write it to a file and have the splunk universal forwarder monitor the file daily.

There would be a cronjob that would run daily to execute the commands like:

1) netstat -ano
2) uname -r
3) rpm -qa

This would then get ingested into Splunk. How has the community been using Splunk for NERC Baseline compliance? Are there any add-ons that could help?

It would need to be able to track changes to the baseline of allowable port and services, change records of the change, and run reports on a baseline of a particular day. This last part I was thinking of using a dashboard or creating a table.

Thoughts or suggestions?

0 Karma

nickhills
Ultra Champion

The Splunk Add-on for Unix and Linux collects all of these for you:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

But if you want to roll your own specifically to collect data with the flags you specify I would deploy them as scripted inputs (like TA-nix) and have Splunk run the job and index the data rather than an external Cron job.

Take a look at the app and see if it works for you - long term it would be far simpler than managing your own, as all of the field extractions are provided for you.
https://splunkbase.splunk.com/app/833

If my comment helps, please give it a thumbs up!
0 Karma
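As an added illustration of the scripted-input approach nickhills suggests (this is example code written for this thread, not part of TA-nix or the Splunk Add-on for Unix and Linux), the script below collects the three baseline items from the question and emits one key=value event per item, so Splunk auto-extracts the fields and a later search can diff one day's baseline against another. The formatting functions read from stdin so they can be exercised on captured output; the field names (`type`, `proto`, `port`, `process`, `pid`, `kernel`, `name`, `version`, `arch`) are my own choice, and the script assumes `ss` (with `-H`) and either `rpm` or `dpkg-query` are on the host.

```shell
#!/bin/sh
# collect_baseline.sh - hypothetical Splunk scripted input for a NERC CIP-010 style
# baseline: kernel version, listening ports/services, installed packages.
# One event per line, key=value pairs, ISO-8601 UTC timestamp, so Splunk can
# extract fields automatically and compare snapshots across days.

HOST=${HOSTNAME:-$(uname -n)}
TS=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Input: `ss -Hltnup` lines, e.g.
#   tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
# Output: ... type=port proto=tcp state=LISTEN local_addr=0.0.0.0 port=22 process="sshd" pid=812
format_ports() {
  awk -v ts="$TS" -v host="$HOST" '
    NF >= 5 {
      n = split($5, a, ":"); port = a[n]              # port is the text after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)   # keeps [::] and * intact
      proc = "unknown"; pid = "unknown"
      if (match($7, /"[^"]*"/))   proc = substr($7, RSTART + 1, RLENGTH - 2)
      if (match($7, /pid=[0-9]+/)) pid  = substr($7, RSTART + 4, RLENGTH - 4)
      printf "%s host=%s type=port proto=%s state=%s local_addr=%s port=%s process=\"%s\" pid=%s\n",
             ts, host, $1, $2, addr, port, proc, pid
    }'
}

# Input: name|version|arch lines (as produced by the rpm/dpkg-query formats in collect()).
format_packages() {
  awk -F'|' -v ts="$TS" -v host="$HOST" '
    NF >= 3 { printf "%s host=%s type=package name=%s version=%s arch=%s\n", ts, host, $1, $2, $3 }'
}

# Input: the single line printed by `uname -r`.
format_kernel() {
  awk -v ts="$TS" -v host="$HOST" '
    NF >= 1 { printf "%s host=%s type=kernel kernel=%s\n", ts, host, $1 }'
}

# Gather live data; each source is optional so the script degrades gracefully
# on hosts that lack a tool. ss -p only names processes the running user may
# inspect, so the forwarder must run with sufficient privilege for full coverage.
collect() {
  uname -r | format_kernel
  if command -v ss >/dev/null 2>&1; then
    ss -Hltnup 2>/dev/null | format_ports
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME}|%{VERSION}-%{RELEASE}|%{ARCH}\n' | format_packages
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${binary:Package}|${Version}|${Architecture}\n' | format_packages
  fi
}

collect
```

Deploy it under an app's `bin/` directory with an `inputs.conf` stanza such as `[script://./bin/collect_baseline.sh]` and `interval = 86400` (one run per day), with its own `sourcetype` and `index`. To see what changed between two days, a search along the lines of `index=baseline type=port | stats min(_time) AS first_seen max(_time) AS last_seen BY host proto port process` surfaces ports that appeared or disappeared, and scheduling that search as an alert gives the change record the question asks for.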