All Apps and Add-ons

Splunk Add-on for Unix and Linux: Scripts parsing strange information

test_qweqwe
Builder

Hi.
Unix:ListeningPorts and Unix:SSHDConfig shows in logs not valid information.
What should I do to fix it? Because, I have no idea.

For example — http://prntscr.com/i79m55

0 Karma
1 Solution

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

View solution in original post

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

test_qweqwe
Builder

Yes, it's root.
I can't use, [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh], coz it's not a same. I need something like this — http://prntscr.com/i942vd

And as I said Unix:SSHDConfig have the same problem (what u can see from screenshot).

What can affect to this?

0 Karma

Yunagi
Communicator

Try to run the script directly and see what happens: Change into the directory etc/apps/Splunk_TA_nix/bin and execute the script via ./openPortsEnhanced.sh

The output should be something like this:
[root@myhost bin]# ./openPortsEnhanced.sh
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=16u ip_version=4 dvc_id=15331 transport=UDP
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=17u ip_version=6 dvc_id=15332 transport=UDP
...

Having a look at the script, it runs the following command to get a list of the open ports:
lsof -i -P -n

What happens when you execute this command? Perhaps you need to install lsof.

0 Karma

test_qweqwe
Builder

@Yunagi
Hello.
So, if script run manually it's works, it's show correct information. Okay, how me fix this problem now? :S

0 Karma

Yunagi
Communicator

What I find confusing is that the openPortsEnhanced script produces an output line for each open port plus one output line in the form of "... file_hash=(stdin)=...". This last line (whatever its purpose) is correctly visible in the screenshot of your original post. However, the other lines (the open port lines) are missing.
Maybe your search is wrong. Try a Splunk search like: index=* sourcetype="Unix:ListeningPorts".
Perhaps you can find error information in the internals logs. Search for something like: index=_* openPortsEnhanced.sh.

0 Karma

test_qweqwe
Builder

I have no direct access to PC and my client has not given me correct information.
The problem was in not installed isof.
Tnx for helping!

0 Karma

test_qweqwe
Builder

Bump! Up! 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...