Splunk and Compliance

Hello fellow Splunkers - I have a quick question. We have a few platforms in our environment that are reporting different counts on which machines have AV installed on them. I'd like to incorporate Splunk in the mix and search all three platforms so that I can run side-by-side analysis on the counts of these platforms. What would be the best way to do this?

SplunkTrust

Hi @itsmevic,
in Splunk, 70% of the work is knowing what to do and the other 30% is doing it in Splunk.

In other words, the first thing is to write clear requirements in a file that you maintain for the whole life of the application:

  • the list of the servers to monitor (the perimeter),
  • the list of logs to take and where they are stored (e.g. Kaspersky stores its logs in a special wineventlog, other antiviruses use files, etc.),
  • the list of interesting fields in the logs (e.g. ComputerName, AV_Version, patch_level, etc.),
  • the information to display in dashboards (the interesting fields),
  • the conditions to trigger alerts (frequency, time period, thresholds, etc.),
  • the specifics of the compliance reports needed.

When you have a clear idea of above, then the job in Splunk is easy:

  • I assume you already have Splunk Enterprise or Splunk Cloud installed and only need to take in the data (if not, start from this point!),
  • you have to install a Universal Forwarder on each server to monitor (probably you already did),
  • then create a Technical Add-On (TA) containing the inputs.conf that takes the logs you need for monitoring (see requirements),
  • when you have these logs in Splunk, you have to create a search that finds what you need (see requirements),
  • using the same search you can create a dashboard to display the status of your AV, an alert and eventually (for compliance) a report to send by email (see requirements).

I found that Splunk is one of the most fantastic solutions for compliance and I use it daily for this!

Ciao.
Giuseppe
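As an added example of the "create a search" step in the answer above (this is not part of Giuseppe's reply), the two SPL searches below assume the three AV platforms are already onboarded into an `av` index under three placeholder sourcetypes (`av:platform_a`, `av:platform_b`, `av:platform_c`) and that each event carries the ComputerName and AV_Version fields mentioned in the requirements. The first search gives the side-by-side count of distinct hosts each platform reports; the second lists the hosts that at least one platform does not report, which is usually where the differing counts come from.

```spl
index=av earliest=-7d
    (sourcetype="av:platform_a" OR sourcetype="av:platform_b" OR sourcetype="av:platform_c")
| eval platform=case(sourcetype=="av:platform_a", "platform_a",
                     sourcetype=="av:platform_b", "platform_b",
                     sourcetype=="av:platform_c", "platform_c")
| eval host_norm=lower(replace(coalesce(ComputerName, host), "\..*$", ""))
| stats dc(host_norm) AS hosts_reporting_av, latest(AV_Version) AS latest_av_version BY platform

index=av earliest=-7d
    (sourcetype="av:platform_a" OR sourcetype="av:platform_b" OR sourcetype="av:platform_c")
| eval platform=case(sourcetype=="av:platform_a", "platform_a",
                     sourcetype=="av:platform_b", "platform_b",
                     sourcetype=="av:platform_c", "platform_c")
| eval host_norm=lower(replace(coalesce(ComputerName, host), "\..*$", ""))
| chart count OVER host_norm BY platform
| where platform_a=0 OR platform_b=0 OR platform_c=0
| sort host_norm
```

The `host_norm` line lowercases the host name and strips any domain suffix so that a platform reporting `SRV01.corp.example` and one reporting `srv01` count as the same machine; without that step the per-platform counts cannot be compared. The second search works as the body of an alert or scheduled compliance report, since any row in its result is a host whose AV coverage the platforms disagree on.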

SplunkTrust

Hi @itsmevic,
did the above answer solve your need?
If yes, please accept and/or upvote it; if not, give me additional info so I can continue to help you.

Ciao.
Giuseppe

SplunkTrust

It is very easy to understand. Thank you.
