After trying several NMAP command line options, including "nmap -A", it appears that the Asset Discovery script does not capture the MAC address of scanned machines on the network. How can I get it using this Splunk App?
Thanks!
The app scripted input injects a -oG argument in order to force greppable output format. Unfortunately, that output format doesn't support outputting MAC addresses (for whatever reason). So, you'd need to modify the script and then create the necessary configs to deal with the other format. Certainly all possible, but at that point there's not a ton of use for this particular app.
I've been struggling with this too, so here's the sludgy way of solving this that worked for me 🙂
cron job: LOL
*/5 * * * * /usr/bin/snmpbulkwalk -v 2c -c public@1 -OXsq 192.168.248.5 .1.3.6.1.2.1.17.4.3.1.2 >> /home/splunk/vlan1.txt
Then monitor the log via the universal Splunk forwarder and that's how the data gets into Splunk. Sad I know ...
I used XtremeNmapParser to convert the XML to JSON and then used HEC to send it all to Splunk!
https://github.com/xtormin/XtremeNmapParser/issues/1
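As an added example (not code from the Asset Discovery app or from XtremeNmapParser), this shows the approach the answers above describe: read nmap's XML output instead of the greppable format, pull the MAC and vendor of each live host, and shape the records as Splunk HEC JSON events. The sample XML, its hosts, MACs, hostname and the `nmap:assets` sourcetype are constructed for the example.

```python
# Extract MAC addresses from nmap XML (-oX) output; greppable (-oG) output omits them.
import json
import time
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX - 192.168.248.0/24` (trimmed); hosts/MACs are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.248.0/24" start="1700000000">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.248.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <hostnames><hostname name="switch01.example.local" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.248.20" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.248.21" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_hosts(xml_text):
    """Return one dict per host that is up: ip, mac (None if absent), vendor, hostname."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that never answered has no MAC to report
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr").lower()  # normalise case for lookups
                rec["vendor"] = addr.get("vendor")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        hosts.append(rec)
    return hosts

def to_hec_events(hosts, sourcetype="nmap:assets", scan_time=None):
    """Wrap each record in the JSON envelope Splunk's HTTP Event Collector accepts."""
    scan_time = scan_time or time.time()
    return [{"time": scan_time, "sourcetype": sourcetype, "event": h} for h in hosts]

if __name__ == "__main__":
    for ev in to_hec_events(parse_hosts(SAMPLE_XML), scan_time=1700000000):
        print(json.dumps(ev))
```

Shipping the events is a POST of each JSON object to the HEC endpoint with an `Authorization: Splunk <token>` header; that step is left out so the script runs offline.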