How do I use Splunk for NERC baseline compliance?

huangc · ‎02-06-2020

Hi!

I am trying to leverage splunk for NERC Compliance, but more than just logging. I want to get baseline configuration which captures OS, Patches, Software, and Port and Services.

My idea was to have the system generate the information and write it to a file and have the splunk universal forwarder monitor the file daily.

There would be a cronjob that would run daily to execute the commands like:

1) netstat -ano
2) uname -r
3) rpm -qa

This would then get ingested into Splunk. How has the community been using Splunk for NERC Baseline compliance? Are there any add-ons that could help?

It would need to be able to track changes to the baseline of allowable port and services, change records of the change, and run reports on a baseline of a particular day. This last part I was thinking of using a dash board or creating a table.

Thoughts or suggestion?

nickhills · ‎02-11-2020

The Splunk Add-on for Unix and Linux collects all of these for you:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

But if you want to roll your own specifically to collect data with the flags you specify I would deploy them as scripted inputs (like TA-nix) and have Splunk run the job and index the data rather than an external Cron job.

Take a look at the app and see if it works for you - long term it would be far simpler than managing your own, as all of the field extractions are provided for you.
https://splunkbase.splunk.com/app/833

If my comment helps, please give it a thumbs up!

How do I use Splunk for NERC baseline compliance?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms