Hi!
I am trying to leverage splunk for NERC Compliance, but more than just logging. I want to get baseline configuration which captures OS, Patches, Software, and Port and Services.
My idea was to have the system generate the information and write it to a file and have the splunk universal forwarder monitor the file daily.
There would be a cronjob that would run daily to execute the commands like:
1) netstat -ano
2) uname -r
3) rpm -qa
This would then get ingested into Splunk. How has the community been using Splunk for NERC Baseline compliance? Are there any add-ons that could help?
It would need to be able to track changes to the baseline of allowable ports and services, change records of the change, and run reports on a baseline of a particular day. This last part I was thinking of using a dashboard or creating a table.
Thoughts or suggestions?
The Splunk Add-on for Unix and Linux collects all of these for you:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes
But if you want to roll your own specifically to collect data with the flags you specify, I would deploy them as scripted inputs (like TA-nix) and have Splunk run the job and index the data rather than an external cron job.
Take a look at the app and see if it works for you - long term it would be far simpler than managing your own, as all of the field extractions are provided for you.
https://splunkbase.splunk.com/app/833
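Added example (not code from either poster, nor from the Splunk Add-on for Unix and Linux): a baseline collector in the shape the answer recommends, a scripted input whose stdout Splunk indexes directly, covering the three commands from the question plus a change record between two days' snapshots. Every output line is one key=value event tagged with the snapshot date, so field extraction is trivial and a search can be scoped to the baseline of a given day. It assumes the Linux net-tools layout of `netstat -ano` (Proto Recv-Q Send-Q Local Foreign State Timer) and an RPM-based host; the sample netstat output embedded below is constructed, not captured from a real system, so the parsing and diff logic can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the original thread or of TA-nix.
# Run as a Splunk scripted input (or from cron, writing to a monitored file):
#   baseline.sh collect
# Each line is a self-describing key=value event.

# One event for the kernel release; $1 = snapshot date, $2 = `uname -r` text.
kernel_event() {
    printf 'snapshot=%s type=kernel release=%s\n' "$1" "$2"
}

# One event per installed package; $1 = snapshot date, stdin = `rpm -qa` output.
package_events() {
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        printf 'snapshot=%s type=package name=%s\n' "$1" "$pkg"
    done
}

# One event per listening socket; $1 = snapshot date, stdin = `netstat -ano`.
# TCP sockets count only in LISTEN state (established sessions are not part of
# the baseline); UDP sockets have no state column and every bound one counts.
# The port is the text after the last ':' so IPv6 local addresses parse too.
listener_events() {
    awk -v snap="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); printf "snapshot=%s type=listener proto=%s port=%s\n", snap, $1, a[n] }
        $1 ~ /^udp/                   { n = split($4, a, ":"); printf "snapshot=%s type=listener proto=%s port=%s\n", snap, $1, a[n] }
    ' | sort -u
}

# Change record between two baseline files ($1 = earlier day, $2 = later day).
# The snapshot field is stripped so only the proto/port identity is compared;
# output is one "change=added|removed proto=... port=..." line per difference.
listener_changes() {
    old=$(mktemp); new=$(mktemp)
    sed -n 's/^snapshot=[^ ]* type=listener //p' "$1" | sort -u > "$old"
    sed -n 's/^snapshot=[^ ]* type=listener //p' "$2" | sort -u > "$new"
    comm -13 "$old" "$new" | sed 's/^/change=added /'
    comm -23 "$old" "$new" | sed 's/^/change=removed /'
    rm -f "$old" "$new"
}

# Live collection for today; needs uname, rpm and netstat on the host.
collect_baseline() {
    snap=$(date +%Y-%m-%d)
    kernel_event "$snap" "$(uname -r)"
    rpm -qa | sort | package_events "$snap"
    netstat -ano 2>/dev/null | listener_events "$snap"
}

# Constructed sample of `netstat -ano` output (not from a real host): two days,
# where day 2 drops the local SMTP listener and gains a MySQL listener.
SAMPLE_NETSTAT_DAY1='Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED keepalive (6000.00/0/0)
tcp6       0      0 :::8089                 :::*                    LISTEN      off (0.00/0/0)
udp        0      0 0.0.0.0:123             0.0.0.0:*                           off (0.00/0/0)'

SAMPLE_NETSTAT_DAY2='Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::8089                 :::*                    LISTEN      off (0.00/0/0)
udp        0      0 0.0.0.0:123             0.0.0.0:*                           off (0.00/0/0)'

# Only collect when invoked with "collect"; sourcing the file just defines the functions.
if [ "${1:-}" = collect ]; then
    collect_baseline
fi
```

With a daily snapshot indexed this way, the "baseline of a particular day" the question asks for is a search filtered on `snapshot=<date>`, and the change record comes from comparing two days' `type=listener` events, either with `listener_changes` at collection time or with a search over the indexed events.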