
Is there a way to show which applications and/or services are running

Path Finder

Hello guys,

Is there a way to show which applications and/or services are running on my server so that I can whitelist them and generate an alert when something else runs?

greetings,

Nick


SplunkTrust

Hi nickbijmoer,
the best way to proceed is to build a lookup with all your services or applications (only one lookup or two, depending on whether services and applications are in the same field in your logs).
Then you have to run a search like this:

| inputlookup applications.csv | eval count=0 | append [ search your_search | stats count by application ] | stats sum(count) AS Total by application | where Total=0

In this way you can build an alert for applications that don't log.
By slightly modifying the above search you can build a dashboard that shows the status of all your services:

| inputlookup applications.csv | eval count=0 | append [ search your_search | stats count by application ] | stats sum(count) AS Total by application | rangemap field=Total elevated=0-0 low=1-1000000000 default=severe | table application range

You can also show this situation in graphic form by adding the following files to your app (in $SPLUNK_HOME/etc/apps/your_app/appserver/static):

  • table_icons_rangemap.js
  • table_decorations.css

and the following information in the first row of your app

Bye.
Giuseppe
To better understand the graphic mode download and install the Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/)
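The following is an added example, not part of Giuseppe's answer or of any Splunk app: a small Python script that reproduces the logic of the lookup-based search above on constructed data, so the behaviour can be checked offline before it is turned into an alert. The whitelist text stands in for applications.csv, the key=value lines stand in for the output of `your_search` (the field name `application` and the event layout are assumptions), and the functions mirror the search stages: `stats count by application`, the `inputlookup | eval count=0 | append [...] | stats sum(count)` merge, `where Total=0`, and the `rangemap` thresholds. It also adds the reverse check the original question asks for: applications that logged but are not in the whitelist.

```python
import csv
import io
from collections import Counter

# Constructed whitelist, standing in for the applications.csv lookup from the answer.
APPLICATIONS_CSV = """application
sshd
nginx
postgres
splunkd
"""

# Constructed events, standing in for the results of `your_search`.
# One event per line; the field name `application` is an assumption that
# matches the lookup column. Real field names depend on your input.
EVENTS = """\
host=web01 application=nginx pid=1203
host=web01 application=sshd pid=998
host=db01 application=postgres pid=4410
host=db01 application=sshd pid=1001
host=web01 application=unknownsvc pid=5512
host=web01 application=nginx pid=1204
"""


def load_whitelist(csv_text):
    """Equivalent of `| inputlookup applications.csv`: the set of expected applications."""
    return {row["application"] for row in csv.DictReader(io.StringIO(csv_text))}


def parse_events(text):
    """Equivalent of `| stats count by application` over key=value events."""
    counts = Counter()
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        app = fields.get("application")
        if app:
            counts[app] += 1
    return counts


def merged_totals(whitelist, counts):
    """Equivalent of `eval count=0 | append [...] | stats sum(count) AS Total by application`.

    Every whitelisted application gets a row (Total 0 if it never logged) and
    applications that were observed but are not in the lookup are kept as well.
    """
    totals = {app: 0 for app in whitelist}
    for app, n in counts.items():
        totals[app] = totals.get(app, 0) + n
    return totals


def silent_applications(totals, whitelist):
    """Equivalent of `| where Total=0`: whitelisted applications that produced no events."""
    return sorted(app for app in whitelist if totals.get(app, 0) == 0)


def unexpected_applications(totals, whitelist):
    """The original question's case: applications that logged but are not whitelisted."""
    return sorted(app for app, n in totals.items() if n > 0 and app not in whitelist)


def rangemap(total):
    """Same thresholds as the dashboard search: 0 -> elevated, 1..1e9 -> low, otherwise severe."""
    if total == 0:
        return "elevated"
    if 1 <= total <= 1_000_000_000:
        return "low"
    return "severe"


def status_table(totals):
    """Equivalent of `| rangemap ... | table application range`."""
    return {app: rangemap(n) for app, n in sorted(totals.items())}


if __name__ == "__main__":
    wl = load_whitelist(APPLICATIONS_CSV)
    totals = merged_totals(wl, parse_events(EVENTS))
    print("silent (whitelisted, no events):", silent_applications(totals, wl))
    print("unexpected (logged, not whitelisted):", unexpected_applications(totals, wl))
    for app, level in status_table(totals).items():
        print(f"{app:12s} {totals[app]:4d} {level}")
```

Running the script on the constructed data reports `splunkd` as silent (in the whitelist, zero events) and `unknownsvc` as unexpected (events, but not in the whitelist); in Splunk the first list is what `where Total=0` returns, and the second is what you get by filtering the merged results for applications absent from the lookup.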

SplunkTrust

If you need to ingest service and application status you could build your own scripts or take the ones you can find in the Windows (https://splunkbase.splunk.com/app/742/) and *nix (https://splunkbase.splunk.com/app/833/) TAs.
I usually use them; there was only one situation in which I built my own script: to monitor which sessions are active on Windows.
Bye.
Giuseppe


Contributor

Hi Nick,

Yes, this is possible. The way you can do this depends on your OS.
What OS are you using?

greetings
Patrick

Path Finder

Linux and Windows, but mostly Windows 🙂


Contributor

The answer from @cusello is really a good one when you want to visualize it.
But as I understand you, your question is about how to get the data in.

For Windows you could make an input stanza like this:

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

This will give you all processes and services running on your Windows machine.
They are both included in the Splunk Add-on for Microsoft Windows.

Does this fit your needs?


Path Finder

I use OSSEC as forwarder, do you know if it will be possible on that?


Contributor

It should be possible.
Can you pastebin an example of your data?


Path Finder

At the moment I don't get data about applications or services in Splunk yet; I'm figuring out how I can get the data into Splunk with OSSEC.
