
SCCM App will not index Installed_Software and Malware DB Tails

asofo
Path Finder

Hello,

I've recently installed the SCCM app and cannot get any of the dashboards to display info. The only data I see is from the 2 out of the box reports. In an attempt to troubleshoot this issue, I ran a query to see what (if anything) was being indexed, and while there is a good amount of data, it looks as though all DB Tails are being indexed except dbmon-tail://sccm/ta_sccm_malware_dbinput and dbmon-tail://sccm/sccm_installed_software_dbinput. Is there any setting I'm missing? I thought it may be disabled somewhere but can't find anything in the config files.

0 Karma

Richfez
SplunkTrust

I vaguely remember a problem when I set this up as well. Check that you have both the sccm and a sccm_status indexes in existence - some inputs go to one, some go to the other and I think one wasn't set up by default.

If you find nothing wrong there, compare your working inputs with the non-working inputs. One that should be working (given what you didn't say above) would be [dbmon-tail://sccm/sccm_status_message_dbinput]. Double-check that you pasted all of them into dbx/local/inputs.conf, and that they match for everything they should match on and that differences are reasonable.

Have you had any malware incidents since you set this up? Maybe there's just no data yet? (I thought it grabbed history, but if, for instance, you tested the inputs once but something went wrong, you might have to reset the rising column's stored value in Splunk to make it read all the records again).

If those aren't it, check your $splunkhome/var/log/splunk/dbx.log file for more information. That may tell you pretty much exactly what's wrong or at least give you hints as to where to look. If you still can't get it, reply in here with what you've tried as best you can, reporting any errors you found or warnings that seem relevant and we can take a further look.

Good luck, and let us know what you find!

0 Karma

asofo
Path Finder

Thanks for the info. I do have the sccm and sccm_status indexes and they are being written to. I also verified the inputs I pasted in the dbx/local/inputs.conf. Then I checked the log and it looks as though there aren't any errors. All the database monitors are executing fine with no failures.

I did notice that by default, the sccm and sccm_status are not being searched when I open the Query String in the panels. I confirmed that in the sccm_user role, both were listed in the Indexes searched by default.

I've never run into this before. I don't think I have anything set to override this setting.

0 Karma

Richfez
SplunkTrust

Is the user you are checking with assigned the sccm_user role?

You could try adding searching of those indexes by default to your main user role temporarily just to confirm.

Beyond that - a random panel in my SCCM App (now that I'm back at work) says the root search for it is

tag=malware vendor_product=SystemCenterEndpointProtection action_result=false

So, each of those pieces can be tested in a search -

  • Are your tags working and being applied to what it should be applied to (the screen you are looking at which has data it ought to be showing will have the tag required in one of the search strings)?
  • Is "vendor_product" defined and set to SystemCenterEndpointProtection?
  • Is action_result defined properly?

My guess is one of those isn't set right. Chasing it down can be a bit of work some times, but let us know what you do find.

0 Karma
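The three checks listed in the reply above, as an added example (not from the original thread or the SCCM app): one search that reports, per index and sourcetype, whether the malware tag is applied and what values vendor_product and action_result actually carry, followed by two REST lookups that show the current user's roles and the sccm_user role's default indexes. The index names, role name and field names are the ones named in this thread; the 7-day window is an assumption and should be widened if malware events are rare.

```spl
(index=sccm OR index=sccm_status) earliest=-7d
| eval malware_tag=if(isnotnull(mvfind(tag, "^malware$")), "yes", "no")
| eval vendor_product=coalesce(vendor_product, "<missing>")
| eval action_result=coalesce(action_result, "<missing>")
| stats count max(_time) as latest by index sourcetype malware_tag vendor_product action_result
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
| sort - count

| rest /services/authentication/current-context
| fields username roles

| rest /services/authorization/roles/sccm_user
| fields title srchIndexesDefault imported_srchIndexesDefault
```

Rows with malware_tag=no or a <missing> value show which piece of the root search fails for that sourcetype; an empty result from the last search means the sccm_user role itself is not defined on this instance.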

asofo
Path Finder

Ugh, that was one of the missing pieces. It was on a rebuilt system that blew away the sccm_user role. So now I have data in the dashboards, but still missing the sccm:installed_software and eventtype="sccm_change_audit" data. I'll keep digging and let you know what I find. Thank you for your help.

0 Karma

jeffriesa
Path Finder

I also do not have any data for installed software.

All other dashboards and search are working. I have confirmed the user role and the two indexes.

I have also double checked DB Connect for dbmon-tail://sccm/sccm_installed_software_dbinput. Changed that to 5 minutes. But still no information?

Here is what is in the sql query:

with software as (
  -- Current inventory (active=1) from the categorized view.
  select
    [timestamp],
    resourceid,
    active=1,
    softwarepropertieshash0,
    softwarepropertieshashex0,
    normalizedname as product_name,
    normalizedversion as product_version,
    normalizedpublisher as product_publisher,
    InstallDate0 as installation_date,
    categoryname as category,
    familyname as family
  from v_gs_installed_software_categorized
  UNION ALL
  -- Historical rows (active=0). UNION ALL aligns columns by position, not by
  -- name, so this branch must list them in the same order as the first one
  -- (the original had product_version/product_publisher and category/family
  -- swapped, which silently put publisher values into product_version).
  select
    s.[timestamp],
    s.resourceid,
    active=0,
    s.softwarepropertieshash0,
    s.softwarepropertieshashex0,
    coalesce(sl.commonname, s.productname0) as product_name,
    coalesce(sl.commonversion, s.productversion0) as product_version,
    coalesce(sl.commonpublisher, s.publisher0) as product_publisher,
    s.installdate0 as installation_date,
    cat.categoryname as category,
    fam.familyname as family
  from v_hs_installed_software s
  left outer join v_lu_softwarehash sh
    on sh.softwarepropertieshash = s.softwarepropertieshash0
  left outer join v_lu_softwarelist sl
    on sl.softwareid = sh.softwareid
  inner join v_lu_category as cat
    on cat.categoryid = coalesce(sl.categoryid, 4892)
  inner join v_lu_family as fam
    on fam.familyid = coalesce(sl.familyid, 4891)
  where s.softwarepropertieshash0 is not null
)
select *
from software
-- DB Connect rising-column template: only rows past the stored checkpoint are returned.
{{WHERE $rising_column$ > ?}}

0 Karma