How do you get a report of machines that are VMs?

ShaunBaker · ‎10-11-2018

I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?

FrankVl · ‎10-12-2018

I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).

Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?

ShaunBaker · ‎10-16-2018

I think pretty basic/standard sourcetypes for windows, application, system and security. There are a lot of different eventtype though, so I will dig around.

I do have a UF on the VMs in question.

Hoping to use Splunk to help with generating my CMDB haha.

FrankVl · ‎10-17-2018

Right, ok 🙂

Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).

Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the windows TA even already contains some scripted / wmi inputs that enable you to find out.

ShaunBaker · ‎10-26-2018

So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seems to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventype nix-all-logs- so hopefully I can whip something up that is accurate and clean.

How do you get a report of machines that are VMs?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...