I tried to raise a case but the support portal wouldn't play ball.
We've found several problems with SoS on Windows, specifically the Security Health Check dashboard.
splunk_server_cache.csv
so has a wrong idea of what the splunk servers are anyway. It is now supported to customise splunk_server_cache.csv
but the python script doesn't look at it. What this code should do is use the drop-down you select in the XML as a parameter to the script, to get the security info from just one server. However, we weren't able to fix this because the code is pretty obfuscated, and it isn't really clear how it does anything at all. For instance, having set sos_server
(incorrectly) it doesn't seem to do anything with it.
There must be some implicit or hidden stuff going on.
PS: if anyone knows what the 'Raise Case' support page will accept as a valid phone number, this would be good to know. I tried around a dozen variations, including Support's own number as given on the page, and it didn't like any of them, nor would it give me a hint.
Thank you for reporting these issues! I'll do my best to answer point by point:
splunk_server
can be passed to only distribute the search and execute the command on a given host. The best you can do would be some introspective logic where the command is given a target hostname as an argument, runs on every search peer and first checks if the local hostname matches what has been given as an argument. The command would then exit immediately except on peers for whom both peer values match. So, you're still running some Python everywhere, really. Given that securityinfo.py is fairly lightweight, that optimization didn't seem worth the trouble. Anyway, as long as all of SoS is aware of splunk_server_cache it should work fine.
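The host-gated pattern the answer above describes, written out as an added example. This is not code from SoS, from securityinfo.py, or from the answer's author. It assumes a legacy-style custom search command that receives the target host as its first argument and emits CSV on stdout; the OS name from socket.getfqdn() stands in for the search peer's Splunk server name, and the two rows it collects are placeholders for whatever the real script gathers. The match logic tolerates the usual mismatch between a short hostname in the drop-down and an FQDN on the peer, which is what makes a naive string compare silently skip every peer.

```python
#!/usr/bin/env python
"""Run a per-host collection only on the search peer whose name matches.

Added example (not SoS code). Every peer executes this, but only the one
named by the first argument produces rows; the rest emit an empty result.
"""
import csv
import getpass
import platform
import socket
import sys


def normalize_host(name):
    """Lowercase, trim whitespace and a trailing dot so FQDN forms compare equal."""
    return name.strip().lower().rstrip(".")


def host_matches(target, local_fqdn):
    """True if `target` names this host.

    Exact match after normalisation, or a short name matching the first
    label of the other side (idx1 vs idx1.corp.example.com). Two different
    FQDNs sharing only a first label do NOT match.
    """
    t = normalize_host(target)
    l = normalize_host(local_fqdn)
    if not t or not l:
        return False
    if t == l:
        return True
    short_t, short_l = t.split(".")[0], l.split(".")[0]
    one_side_is_short = "." not in t or "." not in l
    return short_t == short_l and one_side_is_short


def collect_local_info(local_name):
    """Placeholder for the real per-host collection (assumption: two simple facts)."""
    return [
        {"host": local_name, "check": "os", "value": platform.system()},
        {"host": local_name, "check": "splunk_user", "value": getpass.getuser()},
    ]


def gated_rows(target, local_name=None):
    """Return collected rows when this host is the target, else an empty list."""
    local_name = local_name or socket.getfqdn()  # assumption: OS name == peer name
    if not host_matches(target, local_name):
        return []
    return collect_local_info(local_name)


def main(argv):
    target = argv[1] if len(argv) > 1 else ""
    rows = gated_rows(target)
    writer = csv.DictWriter(sys.stdout, fieldnames=["host", "check", "value"])
    writer.writeheader()
    writer.writerows(rows)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As the answer notes, this still executes Python on every peer; it only avoids the collection work on the ones that do not match, and it only helps if the name in the drop-down and the name each peer reports for itself are compared with the same normalisation.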
The PCI and ES search heads are on different machines. As far as we can tell it's not best practice to peer PCI and ES heads. We've offloaded the data to a single indexer; each of the search heads is peered with that.
There's a third search head running SOS and general searches. We have the two other SHs forwarding internal logs to the indexer; SOS on its own SH can therefore see everything it needs to, in theory!
In practice our rather arcane setup was probably not visualised in the design of SOS, despite the fact that each individual configuration step we made is supported and legal.