All Apps and Add-ons

Splunk Add-on for Unix and Linux: Scripts parsing strange information

test_qweqwe
Builder

Hi.
Unix:ListeningPorts and Unix:SSHDConfig shows in logs not valid information.
What should I do to fix it? Because, I have no idea.

For example — http://prntscr.com/i79m55

0 Karma
1 Solution

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

View solution in original post

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

test_qweqwe
Builder

Yes, it's root.
I can't use, [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh], coz it's not a same. I need something like this — http://prntscr.com/i942vd

And as I said Unix:SSHDConfig have the same problem (what u can see from screenshot).

What can affect to this?

0 Karma

Yunagi
Communicator

Try to run the script directly and see what happens: Change into the directory etc/apps/Splunk_TA_nix/bin and execute the script via ./openPortsEnhanced.sh

The output should be something like this:
[root@myhost bin]# ./openPortsEnhanced.sh
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=16u ip_version=4 dvc_id=15331 transport=UDP
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=17u ip_version=6 dvc_id=15332 transport=UDP
...

Having a look at the script, it runs the following command to get a list of the open ports:
lsof -i -P -n

What happens when you execute this command? Perhaps you need to install lsof.

0 Karma

test_qweqwe
Builder

@Yunagi
Hello.
So, if script run manually it's works, it's show correct information. Okay, how me fix this problem now? :S

0 Karma

Yunagi
Communicator

What I find confusing is that the openPortsEnhanced script produces an output line for each open port plus one output line in the form of "... file_hash=(stdin)=...". This last line (whatever its purpose) is correctly visible in the screenshot of your original post. However, the other lines (the open port lines) are missing.
Maybe your search is wrong. Try a Splunk search like: index=* sourcetype="Unix:ListeningPorts".
Perhaps you can find error information in the internals logs. Search for something like: index=_* openPortsEnhanced.sh.

0 Karma

test_qweqwe
Builder

I have no direct access to PC and my client has not given me correct information.
The problem was in not installed isof.
Tnx for helping!

0 Karma

test_qweqwe
Builder

Bump! Up! 🙂

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...