Solved: Re: How does the SA_Syslog_collection app gather s...

rpquinlan · ‎12-14-2017

The app says that it needs to be installed on the indexers and the search heads, but how is the app to gather information (and perform the ' netstat -stu ' command mentioned in the docu) from the UF's without it being installed there as well?

I must be missing something simple.

nickhills · ‎12-15-2017

Having a quick look at the inputs, its been designed to run netstat on the indexers, not the forwarders.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎12-15-2017

Having a quick look at the inputs, its been designed to run netstat on the indexers, not the forwarders.

If my comment helps, please give it a thumbs up!

rpquinlan · ‎12-15-2017

That's how it appears to me as well, though the app's documentation talks about using syslog-ng on UF's and how it can gather additional metrics on the UF's.. Bummer.

nickhills · ‎12-20-2017

I guess you cold configure the UF app to run the same script on the forwarders too?

If my comment helps, please give it a thumbs up!

rpquinlan · ‎12-20-2017

Hmmm.. have a CRON job run the script and output it to a file that the UF watches... That is an idea!

nickhills · ‎12-20-2017

I meant as a scripted input - then you can manage it from your deployment server, without having to resort to cron.

If my comment helps, please give it a thumbs up!

rpquinlan · ‎12-20-2017

Got it! That's a better idea, working on that now.

rpquinlan · ‎12-20-2017

Brilliant. That's working, thank you for the suggestion!
Note for anyone else who may have a Windows deployment server and a *nix UF - you'll have to check/change the file permissions / owner on the .sh file after deployment,

How does the SA_Syslog_collection app gather stats from UF's?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?