LDAP all Hosts and are they Connected?

c_stossek
Explorer

Hi, 

I need a query that gives me the following:

All servers in my domain that have not connected to Splunk. 

with something like this:
where domain="*" AND Type="*" AND dNSHostName="SEWI*" | rex field=distinguishedName "CN=(?<hostname>[^\,]+).+"

Hope you can help me.

Thank you in advance,
Thomas

0 Karma

splunk219783
Path Finder

Surprisingly, when we had professional services out initially, this was a long and convoluted search.

Ours essentially works like this:

A scheduled search writes all LDAP assets to a lookup table. Something like this:

| localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy"
| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
| eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
| eval priority=case(
   match(category, "domain_controller|exchange|citrix"), "critical",
   match(category, "server|disabled"), "high",
   match(category, "workstation|desktop|mobile|laptop"), "medium",
   match(category, "staging|test"), "low",
   1==1, "unknown"
)
| eval is_expected=if(priority=="high" OR priority=="critical", "true", "false")
| eval nt_host=replace(sAMAccountName, "\$", "")
| rename dNSHostName AS dns managedBy AS owner
| eval val2lookup=coalesce(dns, nt_host)
| lookup dnslookup clienthost AS val2lookup OUTPUT clientip AS ip
| fillnull value="unknown" category, priority, bunit
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
| dedup nt_host
| outputlookup ldap_assets

Another search then looks for all hosts in Splunk and compares them to the lookup table above.

| tstats count where index=* OR index=_* NOT host=127.0.0.1 by host index
| eval host=lower(host)
| eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.".mydomain.com"))
| append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host.".mydomain.com",1==1,dns))
    | lookup dnslookup clientip as ip outputnew clienthost as dns
    | stats count by dns
    | fields - count
    | rename dns as host]
| eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null())
| append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"]
| stats values(*) as * by host
| where isnull(in_host_list) OR isnull(in_splunk)
| search in_host_list=true
| eval splunk_data="No Data"
| table host splunk_data

To me this is a pretty nasty solution to something that should be relatively simple. I've honestly never spent the time to try and fully understand these searches. They work for us, and they're a mess, so I'll leave it be.

 

0 Karma

c_stossek
Explorer

Hi,

Many thanks for the answer,

Unfortunately, the queries don't work for me:

Error in 'outputlookup' command: The lookup table 'ldap_assets' is invalid

Is it a version problem? We use Splunk v. 7.3.1.

Kind regards,
Thomas

0 Karma

c_stossek
Explorer

Edit:
I need to see whether the service is not running or the agent isn't even installed on servers.

0 Karma
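The following is an added example, not code from either poster, that folds the two-search approach above into one comparison search and answers the two follow-ups in this thread: the "lookup table 'ldap_assets' is invalid" error, and telling a stopped forwarder apart from a server that never had one. The error comes from outputlookup requiring either a lookup definition in transforms.conf or a file name ending in .csv; the example therefore assumes the scheduled LDAP search ends with `| outputlookup ldap_assets.csv` instead of `| outputlookup ldap_assets`, so that the file is created without any definition. It further assumes that ldap_assets.csv carries the nt_host, dns, owner, priority and is_expected fields produced by that search, that every installed forwarder ships its own splunkd log to index=_internal (the default forwarder behaviour, independent of whether any data inputs are configured), and that `mydomain.com` is a placeholder for your AD DNS suffix.

```spl
| tstats latest(_time) AS last_seen
    WHERE index=_internal sourcetype=splunkd earliest=-30d
    BY host
| inputlookup append=true ldap_assets.csv WHERE is_expected="true"
| eval host=lower(coalesce(host, dns, nt_host))
| eval host=if(match(host, "\."), host, host.".mydomain.com")
| stats max(last_seen) AS last_seen,
        values(is_expected) AS in_ldap,
        values(priority) AS priority,
        values(owner) AS owner
    BY host
| search in_ldap="true"
| eval state=case(
      isnull(last_seen), "never reported: agent probably not installed",
      last_seen < relative_time(now(), "-24h"), "silent for more than 24h: service stopped?",
      1==1, "reporting")
| where state!="reporting"
| eval last_seen=if(isnull(last_seen), "never", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host priority owner last_seen state
```

The tstats call collects, per host, the last time its forwarder wrote to _internal within the 30-day window; `inputlookup append=true` then adds one row per expected LDAP server underneath those results, which avoids the `append [...]` subsearches of the original and with them the subsearch result limit (10,000 rows by default) that silently truncates large domains. After normalising both sides to a lowercase FQDN, `stats ... BY host` merges the two row sets: a server that only came from the lookup has no last_seen at all and is the "probably not installed" case, while one that was seen earlier in the window but not in the last 24 hours is where the splunkd service has most likely stopped. Keep the `earliest=` window inside your _internal retention, otherwise every host older than the retention period looks like it was never installed, and expect hosts whose forwarder reports a name other than the AD dNSHostName (for example a short name with a different suffix) to show up as "never reported" until the normalisation step is adjusted for them.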