- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to configure Splunk to check for unauthorized ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure Splunk to check for unauthorized software installations and also, for unauthorized baseline configuration changes?
For the AWS environment, I need to create alerts notifying sys admins of the following: unauthorized software installation and unauthorized configuration changes. Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I did a bit of research, since I could not find an out-of-the-box solution and as always there are multiple approaches:
In my opinion the prefereable way would be to use the already existing system monitoring apps for Windows (https://splunkbase.splunk.com/app/1680/) and Linux (https://splunkbase.splunk.com/app/273/). Although I'm not sure on what level they can be used directly, I think they'll give you a fair starting point. At worst you would need to write your own alerts and maybe add a software installation monitoring system (https://www.raymond.cc/blog/monitor-software-installs-remove-leftovers-install-monitor/) which log files can be indexed into Splunk.
However you could also try it from scratch. On Windows, Splunk is able to monitor the registry and you could check any changes for new software installation (https://answers.splunk.com/answers/8005/how-do-i-monitor-only-the-changes-to-windows-registry.html). For Linux there are many more solutions, since there are many more ways to install software on it. For example if you'd like to monitor installation over the APT package manager you should look into https://askubuntu.com/questions/425809/where-are-the-logs-for-apt-get and add it as an input to Splunk.
I'm sorry that I can't give you a pinpoint solution, but depending on the vast amount of variables I think that you need to invest some time adapting it to your parameters.
Best regards,
Bojan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jonasm1 can you provide some more information, like on what systems are you planning to log your software installation and maybe the tools you are planning to use for this? The information analyzed by Splunk needs still somewhere to be generated, e.g. using a script or some professional tools.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The environment is mixed: Windows and Linux. We're planning to use a scripts however I was just asking if Splunk has built-in dashboards or add-ons where I could use out-of-the-box? On my research, for Change Management, Splunk has dashboards with over 40 reports built-in to it. What I'm trying to understand is if Splunk has this "out-of-the-box" capability to monitor unauthorized software installs. Would there be something written in the Splunk docs - so far have not found what I'm looking for.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
