How do I use Splunk for NERC baseline compliance?

New Member


I am trying to leverage splunk for NERC Compliance, but more than just logging. I want to get baseline configuration which captures OS, Patches, Software, and Port and Services.

My idea was to have the system generate the information and write it to a file and have the splunk universal forwarder monitor the file daily.

There would be a cronjob that would run daily to execute the commands like:

1) netstat -ano
2) uname -r
3) rpm -qa

This would then get ingested into Splunk. How has the community been using Splunk for NERC Baseline compliance? Are there any add-ons that could help?

It would need to be able to track changes to the baseline of allowable port and services, change records of the change, and run reports on a baseline of a particular day. This last part I was thinking of using a dash board or creating a table.

Thoughts or suggestion?

0 Karma

Ultra Champion

The Splunk Add-on for Unix and Linux collects all of these for you:

But if you want to roll your own specifically to collect data with the flags you specify I would deploy them as scripted inputs (like TA-nix) and have Splunk run the job and index the data rather than an external Cron job.

Take a look at the app and see if it works for you - long term it would be far simpler than managing your own, as all of the field extractions are provided for you.

If my comment helps, please give it a thumbs up!
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.