Anyone setup a netstat like input for Windows?

Lowell
Super Champion

Has anyone setup the windows "netstat" command as an input?

I like the "netstat" source provided in the unix app, and it seems like it should be possible to capture most of the same information using the built-in "netstat.exe" that comes with windows. I did notice that some of the columns are too wide (long host names or port names).

Is there a way to get the same information with a WMI source?

hazekamp
Builder

ESS currently does this in python. We will be looking to use something else now that the Universal Forwarder doesn't have python. The following python can be saved and run by Splunk as a scripted input:

'''
Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.
'''
from __future__ import print_function
from time import strftime
import subprocess
import re
import hashlib

# set blank event
event = ''
netstat = None
ports = []
netstat_hash = ''
tempPorts = []
tempPort = ''

event = strftime('%b %d %Y %H:%M:%S') + ' '

try:
    netstat = subprocess.Popen(['netstat', '-nao'], stdout=subprocess.PIPE)
except OSError:
    pass

if netstat:
    # run netstat and split its output into a list of lines
    ports = netstat.communicate()[0].decode('utf-8', 'replace')
    ports = ports.split('\n')
    # remove header
    ports = ports[1:]

    # only listening TCP sockets and UDP sockets are reported
    validRE = re.compile('LISTENING|UDP', re.I)
    # split "address:port"; the greedy match keeps bracketed IPv6 addresses intact
    hostRE = re.compile(r'(.*):(\d+)')

    for port in ports:

        tempEvent = event
        tempPort = ''
        validMatch = validRE.search(port)

        if validMatch:

            port = port.strip()
            port = port.split()

            hostMatch = hostRE.match(port[1])

            tempEvent += ' transport=' + port[0].strip()
            tempPort += port[0].strip()

            if hostMatch:
                tempEvent += ' dest_ip=' + hostMatch.group(1).strip()
                tempPort += hostMatch.group(1).strip()
                tempEvent += ' dest_port=' + hostMatch.group(2).strip()
                tempPort += hostMatch.group(2).strip()

                # TCP rows carry a State column (5 fields); UDP rows do not (4 fields)
                if len(port) == 5:
                    tempEvent += ' pid=' + port[4]
                elif len(port) == 4:
                    tempEvent += ' pid=' + port[3]

                print(tempEvent)
                tempPorts.append(tempPort)

if tempPorts:
    # hash the set of listeners so a change in open ports is visible as a changed file_hash
    netstat = ''.join(tempPorts)
    netstat_hash = hashlib.sha1(netstat.encode('utf-8')).hexdigest()

    print(event + 'file_hash=' + netstat_hash)
0 Karma

gkanapathy
Splunk Employee

I do not believe there is any standard way to get netstat (I'm assuming you mean process/port info, not interface stats) using WMI.

0 Karma

Lowell
Super Champion

That is correct. I'm looking for connected ports and listening ports, and seeing the PIDs is nice too. I think netstat -a -o will give me a good place to start.

0 Karma
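The parsing that hazekamp's script does, and the connected-plus-listening coverage Lowell asks for, as an added example that is not part of the thread or of ESS: it handles TCP rows (five columns) and UDP rows (four columns) separately, keeps bracketed IPv6 addresses whole, and hashes the sorted listener set so the hash only moves when a listener appears or disappears. SAMPLE is constructed netstat output; the `--live` flag is an assumption for running the real command.

```python
"""Parse Windows `netstat -nao` output into Splunk key=value events (added example,
not from the thread). SAMPLE is constructed output; `--live` runs netstat instead."""
import hashlib
import re
import subprocess
import sys
from time import strftime

SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1236
  UDP    [::1]:1900             *:*                                    3380
"""
# Greedy host part keeps IPv6 brackets: "[::1]:135" -> ("[::1]", "135"); "*:*" -> ("*", "*").
ADDR_RE = re.compile(r"^(.*):(\d+|\*)$")

def split_addr(addr):
    m = ADDR_RE.match(addr)
    return (m.group(1), m.group(2)) if m else (addr, "")

def parse_netstat(text):
    """Yield one dict per TCP (5 columns) or UDP (4 columns) row; everything else is skipped."""
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "TCP" and len(f) == 5:
            local, remote, state, pid = f[1], f[2], f[3], f[4]
        elif f and f[0] == "UDP" and len(f) == 4:
            local, remote, state, pid = f[1], f[2], "", f[3]
        else:
            continue  # header, blank, or unexpected column count: do not guess the PID column
        (lip, lport), (rip, rport) = split_addr(local), split_addr(remote)
        yield {"transport": f[0].lower(), "local_ip": lip, "local_port": lport,
               "remote_ip": rip, "remote_port": rport, "state": state, "pid": pid}

def format_events(rows, ts):
    """One event per row; empty values (UDP rows have no state) are omitted."""
    return [ts + " " + " ".join("%s=%s" % (k, v) for k, v in r.items() if v) for r in rows]

def listening_hash(rows):
    """SHA-256 over the sorted listeners, so row order and transient connections do not change it."""
    keys = sorted("%s:%s:%s" % (r["transport"], r["local_ip"], r["local_port"])
                  for r in rows if r["state"] == "LISTENING" or r["transport"] == "udp")
    return hashlib.sha256("".join(keys).encode("utf-8")).hexdigest()

if __name__ == "__main__":
    text = subprocess.check_output(["netstat", "-nao"]).decode("utf-8", "replace") if "--live" in sys.argv else SAMPLE
    rows = list(parse_netstat(text))
    ts = strftime("%b %d %Y %H:%M:%S")
    print("\n".join(format_events(rows, ts)))
    print(ts + " file_hash=" + listening_hash(rows))
```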