Getting Data In

Anyone setup a netstat like input for Windows?

Super Champion

Has anyone setup the windows "netstat" command as an input?

I like the "netstat" source provided in the unix app, and it seems like it should be possible to capture most of the same information using the built-in "netstat.exe" that comes with windows. I did notice that some of the columns are too wide (long host names or port names).

Is there a way to get the same information with a WMI source?

Builder

ESS currently does this in python. We will be loooking to use something else now that the Universal Forwarder doesn't have python. The following python can be saved and run by Splunk as a scripted input:

'''
Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.
'''
from time import gmtime, strftime
import subprocess
import re
import string
import hashlib

# set blank event
event = ''
netstat = False
ports = []
netstat_hash = ''
tempPorts = []
tempPort = ''

event = strftime('%b %d %Y %H:%M:%S') + ' '

try:
    netstat = subprocess.Popen(['netstat', '-nao'], stdout=subprocess.PIPE)

except:
        pass

if netstat:
    # run chkconfig command and split the output into a list
    ports = netstat.communicate()[0]
    ports = ports.split('\n')
    # remove header
    ports = ports[1:len(ports)]

    validRE = re.compile('LISTENING|UDP', re.I)
    hostRE = re.compile('(.*)\:(\d+)')

    for port in ports:

        tempEvent = event
        tempPort = ''
        validMatch = validRE.search(port)

        if validMatch:

            port = port.strip()
            port = port.split()
            # trim port array for lines with (LISTEN)

            hostMatch = hostRE.match(port[1])

            tempEvent += ' transport=' + port[0].strip()
            tempPort += port[0].strip()

            if hostMatch:
                tempEvent += ' dest_ip=' + hostMatch.group(1).strip()
                tempPort += hostMatch.group(1).strip()
                tempEvent += ' dest_port=' + hostMatch.group(2).strip()
                tempPort += hostMatch.group(2).strip()


                if len(port) == 5:
                    tempEvent += ' pid=' + port[4]
                elif len(port) == 4:
                    tempEvent += ' pid=' + port[3]

                print tempEvent
                tempPorts.append(tempPort)

if tempPorts:
    netstat = string.join(tempPorts, '')
    netstat_hash = hashlib.sha1(netstat).hexdigest()

    print event + 'file_hash=' + netstat_hash
0 Karma

Splunk Employee
Splunk Employee

I do not believe there is any standard way to get netstat (I'm assuming you mean process/port info, not interface stats) using WMI.

0 Karma

Super Champion

That is correct. I'm looking for connected ports and listening ports, and seeing the PIDs is nice too. I think netstat -a -o will give me a good place to start.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!