Deployment Architecture

LDAP all Hosts and are they Connected?

c_stossek
Explorer

Hi, 

I need a query that gives me the following:

All servers in my domain that have not connected to Splunk. 

with something like this: 
where domain="*" AND Type="*" AND dNSHostName="SEWI*" | rex field=distinguishedName "CN=(?<hostname>[^\,]+).+"

Hope you can help me. 

Thank you in advance,
Thomas


splunk219783
Path Finder

Surprisingly, when we had professional services out initially, this was a long and convoluted search.

Ours essentially works like this:

A scheduled search writes all LDAP assets to a lookup table. Something like this:

| localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy"

| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)" 
| eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
| eval priority=case(
   match(category, "domain_controller|exchange|citrix"), "critical", 
   match(category, "server|disabled"), "high", 
   match(category, "workstation|desktop|mobile|laptop"), "medium", 
   match(category, "staging|test"), "low", 
   1==1, "unknown"
)

| eval is_expected=if(priority=="high" OR priority=="critical", "true", "false")
| eval nt_host=replace(sAMAccountName, "\$", "")
| rename dNSHostName AS dns managedBy AS owner

| eval val2lookup = coalesce(dns, nt_host)
| lookup dnslookup clienthost as val2lookup output clientip as ip

| fillnull value="unknown" category, priority, bunit
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

| dedup nt_host
| outputlookup ldap_assets

Another search then looks for all hosts in splunk and compares it to the lookup table above. 

| tstats count where index=* OR index=_* NOT host=127.0.0.1 by host index | eval host=lower(host)
| eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.".mydomain.com"))
| append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host.".mydomain.com",1==1,dns))
| lookup dnslookup clientip as ip outputnew clienthost as dns
| stats count by dns
| fields - count
| rename dns as host]
| eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null())
| append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"]
| stats values(*) as * by host
| where isnull(in_host_list) OR isnull(in_splunk)
| search in_host_list=true
| eval splunk_data="No Data"
| table host splunk_data

To me this is a pretty nasty solution to something that should be relatively simple. I've honestly never spent the time to try and fully understand these searches. They work for us, and they're a mess, so I'll leave it be.

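The two searches above reduce to set logic once host names are normalised the same way on both sides: strip the trailing `$` from `sAMAccountName`, lower-case everything, and qualify short names with the domain suffix so that `SEWI-DC01`, `sewi-dc01` and `sewi-dc01.mydomain.com` collapse to one key. The Python below is an added example, not code from this thread or from Splunk, that mirrors that logic on constructed sample data so it runs offline; the domain `mydomain.com`, the LDAP records in `LDAP_ASSETS` and the host rows in `SPLUNK_HOSTS` are all made up. It goes one step beyond the searches by carrying a last-seen timestamp per host, which separates servers that never reported (no agent) from servers that stopped reporting (agent installed but not running), the distinction raised in the later edit.

```python
import re
from datetime import datetime, timedelta, timezone

DOMAIN = "mydomain.com"  # assumption: the AD DNS suffix used in the thread's searches
IPV4_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
OU_RE = re.compile(r"OU=([^,]+)")

# Same first-match ordering as the SPL case(): "servers|test" lands on "high", not "low".
PRIORITY_RULES = [
    (re.compile(r"domain_controller|exchange|citrix"), "critical"),
    (re.compile(r"server|disabled"), "high"),
    (re.compile(r"workstation|desktop|mobile|laptop"), "medium"),
    (re.compile(r"staging|test"), "low"),
]


def parse_category(distinguished_name):
    """Mirror `rex max_match=5 "OU=(?<dn_parsed>[^,]+)"` plus the eval that builds `category`."""
    ous = OU_RE.findall(distinguished_name)[:5]
    return "|".join(ous).lower().replace(" ", "_")


def priority_for(category):
    for pattern, label in PRIORITY_RULES:
        if pattern.search(category):
            return label
    return "unknown"


def normalize_host(host, domain=DOMAIN):
    """Lower-case and qualify a host name as the second search does: IPv4 literals and
    names already under the domain are kept, anything else gets the suffix appended."""
    host = host.lower().strip()
    if IPV4_RE.match(host) or host.endswith("." + domain):
        return host
    return f"{host}.{domain}"


def build_expected_assets(ldap_rows, domain=DOMAIN):
    """Return {fqdn: asset} for the objects the first search would mark is_expected=true."""
    expected = {}
    for row in ldap_rows:
        nt_host = row["sAMAccountName"].rstrip("$")        # eval nt_host=replace(..., "\$", "")
        category = parse_category(row["distinguishedName"])
        priority = priority_for(category)
        if priority not in ("high", "critical"):
            continue
        fqdn = normalize_host(row.get("dNSHostName") or nt_host, domain)  # coalesce(dns, nt_host)
        expected[fqdn] = {"nt_host": nt_host, "category": category, "priority": priority}
    return expected


def find_missing(expected, splunk_rows, now, stale_after=timedelta(hours=24), domain=DOMAIN):
    """Compare expected assets with hosts Splunk has seen. Absent hosts are 'never reported';
    hosts seen, but not within `stale_after`, are 'stopped reporting'."""
    last_seen = {}
    for host, seen in splunk_rows:
        key = normalize_host(host, domain)
        if key not in last_seen or seen > last_seen[key]:
            last_seen[key] = seen
    findings = []
    for fqdn, asset in sorted(expected.items()):
        seen = last_seen.get(fqdn)
        if seen is None:
            status = "never reported"
        elif now - seen > stale_after:
            status = "stopped reporting"
        else:
            continue
        findings.append({"host": fqdn, "priority": asset["priority"],
                         "status": status, "last_seen": seen})
    return findings


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed stand-in for the ldapsearch output (hypothetical hosts, not a real domain).
LDAP_ASSETS = [
    {"sAMAccountName": "SEWI-DC01$", "dNSHostName": "sewi-dc01.mydomain.com",
     "distinguishedName": "CN=SEWI-DC01,OU=Domain Controllers,DC=mydomain,DC=com"},
    {"sAMAccountName": "SEWI-APP02$", "dNSHostName": "sewi-app02.mydomain.com",
     "distinguishedName": "CN=SEWI-APP02,OU=Servers,OU=Prod,DC=mydomain,DC=com"},
    {"sAMAccountName": "SEWI-FS03$", "dNSHostName": None,   # no dNSHostName: fall back to nt_host
     "distinguishedName": "CN=SEWI-FS03,OU=Servers,DC=mydomain,DC=com"},
    {"sAMAccountName": "SEWI-WS11$", "dNSHostName": "sewi-ws11.mydomain.com",
     "distinguishedName": "CN=SEWI-WS11,OU=Workstations,DC=mydomain,DC=com"},
    {"sAMAccountName": "SEWI-TST01$", "dNSHostName": "sewi-tst01.mydomain.com",
     "distinguishedName": "CN=SEWI-TST01,OU=Servers,OU=Test,DC=mydomain,DC=com"},
]

# Constructed stand-in for `| tstats latest(_time) as last_seen where index=* by host`.
SPLUNK_HOSTS = [
    ("SEWI-DC01", NOW - timedelta(minutes=5)),              # short name, reporting normally
    ("sewi-app02.mydomain.com", NOW - timedelta(days=3)),   # FQDN, went quiet three days ago
    ("sewi-ws11", NOW - timedelta(minutes=1)),              # workstation, not an expected server
    ("10.0.0.5", NOW - timedelta(minutes=2)),               # IP-only host, kept as-is
]


def report(ldap_rows=LDAP_ASSETS, splunk_rows=SPLUNK_HOSTS, now=NOW):
    return find_missing(build_expected_assets(ldap_rows), splunk_rows, now)


if __name__ == "__main__":
    for f in report():
        print(f"{f['host']:28} {f['priority']:9} {f['status']}")
```

Run as-is it lists `sewi-app02` as stopped reporting and `sewi-fs03` and `sewi-tst01` as never reported, while the workstation is filtered out by the same high/critical rule the first search uses for `is_expected`. Note that `sewi-tst01` is rated `high` rather than `low` because the `case()` in the original search checks `server` before `test`; if test servers should not page anyone, the `staging|test` rule has to move ahead of `server|disabled`. A threshold such as `stale_after` is what turns "not in the host list" into "agent present but not forwarding", which the two-search version cannot tell apart.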

c_stossek
Explorer

Hi,

Many thanks for the answer,

Unfortunately, the queries don't work for me:

Error in 'outputlookup' command: The lookup table 'ldap_assets' is invalid

Is it a version problem? We use Splunk v. 7.3.1 

Kind regards,
Thomas


c_stossek
Explorer

Edit:
I need to see if the service is not running or the agent isn't even installed on servers. 
