All Apps and Add-ons

Splunk Add-on for Unix and Linux: Scripts parsing strange information

test_qweqwe
Builder

Hi.
Unix:ListeningPorts and Unix:SSHDConfig shows in logs not valid information.
What should I do to fix it? Because, I have no idea.

For example — http://prntscr.com/i79m55

0 Karma
1 Solution

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

View solution in original post

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

test_qweqwe
Builder

Yes, it's root.
I can't use, [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh], coz it's not a same. I need something like this — http://prntscr.com/i942vd

And as I said Unix:SSHDConfig have the same problem (what u can see from screenshot).

What can affect to this?

0 Karma

Yunagi
Communicator

Try to run the script directly and see what happens: Change into the directory etc/apps/Splunk_TA_nix/bin and execute the script via ./openPortsEnhanced.sh

The output should be something like this:
[root@myhost bin]# ./openPortsEnhanced.sh
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=16u ip_version=4 dvc_id=15331 transport=UDP
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=17u ip_version=6 dvc_id=15332 transport=UDP
...

Having a look at the script, it runs the following command to get a list of the open ports:
lsof -i -P -n

What happens when you execute this command? Perhaps you need to install lsof.

0 Karma

test_qweqwe
Builder

@Yunagi
Hello.
So, if script run manually it's works, it's show correct information. Okay, how me fix this problem now? :S

0 Karma

Yunagi
Communicator

What I find confusing is that the openPortsEnhanced script produces an output line for each open port plus one output line in the form of "... file_hash=(stdin)=...". This last line (whatever its purpose) is correctly visible in the screenshot of your original post. However, the other lines (the open port lines) are missing.
Maybe your search is wrong. Try a Splunk search like: index=* sourcetype="Unix:ListeningPorts".
Perhaps you can find error information in the internals logs. Search for something like: index=_* openPortsEnhanced.sh.

0 Karma

test_qweqwe
Builder

I have no direct access to PC and my client has not given me correct information.
The problem was in not installed isof.
Tnx for helping!

0 Karma

test_qweqwe
Builder

Bump! Up! 🙂

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...