LDAP all Hosts and are they Connected?

c_stossek · ‎06-09-2021

Hi,

I need a query that gives me the following:

All servers in my domain that have not connected to Splunk.

with someting like this:
where domain="*" AND Type="*" AND dNSHostName="SEWI*" | rex field=distinguishedName "CN=(?<hostname>[^\,]+).+"

Hope u can help me.

Thank you in advice,
Thomas

splunk219783 · ‎06-10-2021

Surprisingly when we had professional services out initially, this was a long and convoluted search.

Ours essentially works like this:

A scheduled search writes all ldap assets to a lookup table. Something like this:

| localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy"

| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)" 
| eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
| eval priority=case(
   match(category, "domain_controller|exchange|citrix"), "critical", 
   match(category, "server|disabled"), "high", 
   match(category, "workstation|desktop|mobile|laptop"), "medium", 
   match(category, "staging|test"), "low", 
   1==1, "unknown"
)

| eval is_expected=if(priority=="high" OR priority=="critical", "true", "false")
| eval nt_host=replace(sAMAccountName, "\$", "")
| rename dNSHostName AS dns managedBy AS owner

| eval val2lookup = coalesce(dns, nt_host)
| lookup dnslookup clienthost as val2lookup output clientip as ip

| fillnull value="unknown" category, priority, bunit
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

| dedup nt_host
| outputlookup ldap_assets

Another search then looks for all hosts in splunk and compares it to the lookup table above.

| tstats count  where index=* OR index=_* NOT host=127.0.0.1 by host index | eval host=lower(host)
| eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.".mydomain.com"))
| append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host.".mydomain.com",1==1,dns))
| lookup dnslookup clientip as ip outputnew clienthost as dns
| stats count by dns
| fields - count
| rename dns as host]
| eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null())
| append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"]
| stats values(*) as * by host
| where isnull(in_host_list) OR isnull(in_splunk)
| search in_host_list=true
| eval splunk_data="No Data"
| table host splunk_data

To me this is a pretty nasty solution to something that should be relatively simple. I've honestly never spent the time to try and fully understand these searches. They work for us, and they're a mess so i'll leave it be.

c_stossek · ‎06-11-2021

Hi,

Many thanks for the answer,

Unfortunately, the querys doesn't work for me:

Error in 'outputlookup' command: The lookup table 'ldap_assets' is invalid

Is it a Versionproblem? We use Splunk v. 7.3.1

Kind regars,
Thomas

c_stossek · ‎06-09-2021

edit:
need to see if the Service is not running or the agent isnt even installed on Servers.

LDAP all Hosts and are they Connected?

distributed search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!