Windows netstat

raysonjoberts
Explorer

Has anyone ever set up a script to monitor ESTABLISHED sessions for Windows using a netstat command?
I was looking to copy/modify the win_listening_ports.bat script that is part of the Splunk for Windows app but am not having much luck. I want to gather local address:local port and foreign address:foreign port, can anyone help?

BTW - I am aware of the WinNetMon inbound;outbound monitors that are part of the same Windows app. I don't want to capture all connections, rather see a snapshot at specified intervals, like once hourly.

Thanks in advance!

gcusello
SplunkTrust

Hi @raysonjoberts,

did you explore the possibility of using the perfmon://Network input in Splunk TA Windows?

Maybe it can solve your need.

Otherwise you can create a script containing the netstat command and, without saving the output to a txt file, launch it from inputs.conf, so the script output is sent to Splunk automatically.

Ciao.

Giuseppe

raysonjoberts
Explorer

Thank you @gcusello 

The perfmon for network monitor does not get the data I am looking for, I am really just looking for the outputs of a netstat -nao command for established connections.

As to the second part of your answer, I agree, a script would be what I am looking for here but I do not know how to script this and was wondering if anyone had already done it and could provide some direction. The script (win_listening_ports.bat) that is in the Windows app is 'close' to what I need but I don't know how to modify it to get what I want. I want to filter by ESTABLISHED, instead of LISTENING, but also, I want to see the local address and port as well as the foreign address and port. The listening ports script only looks for the local address and port and calls them dest_ip and dest_port; I don't know how to modify that script to also capture the foreign address/ports.

gcusello
SplunkTrust

Hi @raysonjoberts,

using a script is very easy in Splunk, you have to:

  • create a script (e.g. netstat.bat) containing the command you want to execute with all the options, without redirecting to a file (e.g. netstat -nao);
  • then put this file in the bin folder of the TA to deploy;
  • then define the following information to insert in the inputs.conf file:
    • index: the index to store events,
    • sourcetype: the sourcetype to parse the events,
    • interval: the interval of script execution,
  • then add to the inputs.conf of that TA the following stanza:

    [script://.\bin\netstat.bat]
    disabled = 0
    interval = 300
    sourcetype = win_netstat
    index = your_index

  • and deploy the TA to the servers.

In this way you'll have the output of the netstat command in Splunk.

Ciao.

Giuseppe

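A worked version of the script the thread is asking for (an added example, not code from the Splunk Windows app or from either poster): it runs netstat -nao, keeps only ESTABLISHED TCP sessions, and prints each one as key=value pairs that Splunk extracts automatically, with both the local and the foreign address and port. PowerShell is used instead of batch so the address can be split at its last colon (IPv6 endpoints such as [::1]:443 would break a batch `for /f "delims=:"` split); it assumes the file is saved as bin\netstat_established.ps1 and launched by a script:// stanza like the one above (directly, or through a one-line .bat wrapper calling powershell.exe -File).

```powershell
# Added example (not from the Splunk Windows app): snapshot of ESTABLISHED TCP sessions
# from `netstat -nao`, one event per line as key=value pairs for Splunk auto-extraction.
# Assumed deployment: bin\netstat_established.ps1 run by a [script://...] scripted input.

$snapshotTime = Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'
$hostName     = $env:COMPUTERNAME

# Split "addr:port" at the LAST colon so IPv6 literals such as [::1]:443 stay intact.
function Split-Endpoint([string]$endpoint) {
    $i = $endpoint.LastIndexOf(':')
    if ($i -lt 0) { return @($endpoint, '') }
    return @($endpoint.Substring(0, $i).Trim('[', ']'), $endpoint.Substring($i + 1))
}

# netstat -nao columns: Proto, Local Address, Foreign Address, State, PID.
# The regex keeps only TCP rows in state ESTABLISHED (UDP rows have no state column).
netstat -nao |
    Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+ESTABLISHED\s+\d+\s*$' } |
    ForEach-Object {
        $cols    = $_.Trim() -split '\s+'
        $local   = Split-Endpoint $cols[1]
        $foreign = Split-Endpoint $cols[2]
        $procId  = [int]$cols[4]

        # Resolve the owning process name; the process may have exited since netstat ran.
        $procName = try { (Get-Process -Id $procId -ErrorAction Stop).ProcessName } catch { 'unknown' }

        "time=$snapshotTime host=$hostName transport=tcp " +
        "local_ip=$($local[0]) local_port=$($local[1]) " +
        "foreign_ip=$($foreign[0]) foreign_port=$($foreign[1]) " +
        "state=ESTABLISHED pid=$procId process=`"$procName`""
    }
```

The interval in the inputs.conf stanza (for example 3600 for the hourly snapshot the question asks for) decides how often the snapshot is taken, and it can be set per server by deploying different stanzas to different server classes.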
raysonjoberts
Explorer

Thank you @gcusello, I appreciate the response.

My question was whether or not anyone has made a script like this and if so, if they could share the script. I understand how to deploy it, I was just having a hard time getting the correct syntax in the script itself. Through some trial and error, I was able to figure out the syntax of the script so I am gathering the data I was looking for.

Thanks again!

gcusello
SplunkTrust

Hi @raysonjoberts,

I'm not an expert in scripting, but, to my knowledge, it should be sufficient to put the command with all the needed options in a text file and launch it from inputs.conf as I described.

Ciao.

Giuseppe

deastman
SplunkTrust

The easiest way to handle this is to create a scheduled task to run this once an hour. Then set a file monitor on your forwarder that will read the file and ingest it into Splunk at some point after the scheduled task.

netstat -nao | FIND "ESTABLISHED" > myestablishedconn.txt

So for example, set the scheduled task with the above command to run every hour at the top of the hour. Then, to allow time for latency and such, set the Splunk configuration to monitor that file for ingestion. I'll let you decide how to handle the file: either delete it if it exists at the beginning of each run (by adding a del filename at the beginning of the scheduled task), or otherwise ensure when you create the input that you salt the file.

Here is the page from documentation discussing file monitoring in greater detail.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

I hope this helps! Happy Splunking!!

Dustin

raysonjoberts
Explorer

Thanks for this, and I assume it would work. However, I am looking to gather this information on thousands of servers and may, at times, want to modify the intervals at which I gather this data on a server-by-server basis. In my mind, the best way to do this is through a script, similar to the listening ports script in the Splunk for Windows App, I just don't know how to modify that script to get what I want.
