
How to configure Splunk to check for unauthorized software installations and also, for unauthorized baseline configuration changes?

jonasm1
Explorer

For the AWS environment, I need to create alerts notifying sys admins of the following: unauthorized software installation and unauthorized configuration changes. Thanks for the help!

0 Karma

bojanisch
Path Finder

So I did a bit of research, since I could not find an out-of-the-box solution and as always there are multiple approaches:

In my opinion the preferable way would be to use the already existing system monitoring apps for Windows (https://splunkbase.splunk.com/app/1680/) and Linux (https://splunkbase.splunk.com/app/273/). Although I'm not sure on what level they can be used directly, I think they'll give you a fair starting point. At worst you would need to write your own alerts and maybe add a software installation monitoring system (https://www.raymond.cc/blog/monitor-software-installs-remove-leftovers-install-monitor/) whose log files can be indexed into Splunk.

However, you could also try it from scratch. On Windows, Splunk is able to monitor the registry, and you could check any changes for new software installations (https://answers.splunk.com/answers/8005/how-do-i-monitor-only-the-changes-to-windows-registry.html). For Linux there are many more solutions, since there are many more ways to install software on it. For example, if you'd like to monitor installations via the APT package manager, you should look into https://askubuntu.com/questions/425809/where-are-the-logs-for-apt-get and add it as an input to Splunk.

I'm sorry that I can't give you a pinpoint solution, but given the vast number of variables I think that you need to invest some time adapting it to your parameters.

Best regards,
Bojan

0 Karma
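To make the Linux branch of the answer above concrete, here is an added example (not code from the thread or from Splunk) that parses the Debian/Ubuntu APT transaction log format found in /var/log/apt/history.log and flags every newly installed package that is not on an approved-software list. The log content below is constructed for the example; the approved list and the field names of the findings are assumptions chosen for illustration. It runs offline on the embedded sample.

```python
"""Flag unauthorized package installs from APT's history.log.

Added example for the thread above, not Splunk code. The sample log is
constructed; APPROVED_PACKAGES is an assumed baseline for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of /var/log/apt/history.log (not real host data).
# Blocks are separated by blank lines; unattended runs (e.g. cron) carry
# no Requested-By line.
SAMPLE_HISTORY_LOG = """\
Start-Date: 2024-05-01  10:12:33
Commandline: apt-get install htop
Requested-By: alice (1000)
Install: htop:amd64 (3.2.2-2)
End-Date: 2024-05-01  10:12:35

Start-Date: 2024-05-02  22:41:07
Commandline: apt-get install nmap
Requested-By: bob (1001)
Install: nmap:amd64 (7.93+dfsg1-1), libpcap0.8:amd64 (1.10.3-1, automatic)
End-Date: 2024-05-02  22:41:19

Start-Date: 2024-05-03  08:00:01
Commandline: apt-get dist-upgrade -y
Upgrade: openssl:amd64 (3.0.11-1, 3.0.13-1)
End-Date: 2024-05-03  08:00:40
"""

# Assumed software baseline: packages an admin is allowed to install.
APPROVED_PACKAGES: Set[str] = {"htop", "openssl"}

# One "name:arch (version[, automatic])" item in an Install:/Upgrade: line.
PKG_RE = re.compile(r"([^\s,]+) \(([^)]*)\)")


@dataclass
class AptEntry:
    start: str
    commandline: str
    requested_by: str
    installed: List[Dict[str, object]]  # name, version, automatic flag


def parse_history_log(text: str) -> List[AptEntry]:
    """Split history.log into transactions and extract the Install: packages."""
    entries: List[AptEntry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only
            fields[key.strip()] = value.strip()
        installed = []
        for name, detail in PKG_RE.findall(fields.get("Install", "")):
            parts = [p.strip() for p in detail.split(",")]
            installed.append({
                "name": name.split(":")[0],        # drop the architecture suffix
                "version": parts[0],
                "automatic": "automatic" in parts[1:],  # pulled in as a dependency
            })
        entries.append(AptEntry(
            start=fields.get("Start-Date", "?"),
            commandline=fields.get("Commandline", "?"),
            requested_by=fields.get("Requested-By", "unattended"),
            installed=installed,
        ))
    return entries


def find_unauthorized(entries: List[AptEntry], approved: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per installed package not on the approved list.

    Automatically pulled dependencies are reported too (with automatic=True)
    so that an unapproved library does not slip in under an approved parent.
    """
    findings = []
    for entry in entries:
        for pkg in entry.installed:
            if pkg["name"] not in approved:
                findings.append({
                    "package": pkg["name"],
                    "version": pkg["version"],
                    "automatic": pkg["automatic"],
                    "requested_by": entry.requested_by,
                    "start": entry.start,
                    "commandline": entry.commandline,
                })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(parse_history_log(SAMPLE_HISTORY_LOG), APPROVED_PACKAGES):
        print(f"UNAUTHORIZED INSTALL {f['package']} {f['version']} "
              f"by {f['requested_by']} at {f['start']} via '{f['commandline']}'")
```

On the sample this reports nmap (installed by bob) and libpcap0.8 (pulled in automatically by that install); the openssl upgrade is not a new installation and is left alone. In Splunk the same file would be ingested with a `[monitor:///var/log/apt/history.log]` stanza in inputs.conf on the forwarder, and the approved list would live in a lookup so the search can flag the same mismatches and drive the alert.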

bojanisch
Path Finder

@jonasm1 can you provide some more information, such as on what systems you are planning to log your software installations and maybe the tools you are planning to use for this? The information analyzed by Splunk still needs to be generated somewhere, e.g. using a script or some professional tools.

0 Karma

jonasm1
Explorer

The environment is mixed: Windows and Linux. We're planning to use scripts; however, I was just asking if Splunk has built-in dashboards or add-ons that I could use out-of-the-box. In my research, for Change Management, Splunk has dashboards with over 40 reports built into it. What I'm trying to understand is if Splunk has this "out-of-the-box" capability to monitor unauthorized software installs. Would there be something written in the Splunk docs? So far I have not found what I'm looking for.

0 Karma