How to edit inputs.conf to search a log file for a specific thread on all servers?

Explorer

I need help with adding this to my inputs.conf file on Splunk forwarder servers. I need Splunk to search this specific log file every 60 seconds and, if a specific thread is found, to notify ASAP.

Location of Log File = C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

specific thread = ActionTaken=ARW_ACTION_KILL_THREAD

0 Karma

SplunkTrust

First you have to create an inputs app for this... maybe call it "MyOrg_MBAM_Inputs".

Then you have to put an inputs.conf in the default directory:

    [monitor://C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG]
    index=mbam
    sourcetype=mbamservicelog

Next you need to create the "mbam" index on your indexer(s)

After that, you need to deploy the MyOrg_MBAM_Inputs app to your hosts via deployment server or other means.

Finally, you can create a search that runs every minute which looks like this:

    index=mbam sourcetype=mbamservicelog _index_earliest=-1m@m ActionTaken=ARW_ACTION_KILL_THREAD

However, searching for this every minute is not recommended, as there is usually a lag between when the event happens and when it makes it to your indexers. Therefore I would advise running the search with a "trailing" 5-minute window like this:

    index=mbam sourcetype=mbamservicelog earliest=-10m@m latest=-5m@m ActionTaken=ARW_ACTION_KILL_THREAD

and then run this search every 5 minutes.

Even better for your performance as a whole would be to run this every 15 minutes and modify the search as follows:

    index=mbam sourcetype=mbamservicelog earliest=-15m@m ActionTaken=ARW_ACTION_KILL_THREAD

Cheers and good luck!

Here are some links you might be interested in:

inputs.conf <- input settings
savedsearches.conf <- saved searches and alerting settings
serverclass.conf <- deployment server settings
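As an added example (not part of the answer above or of any Splunk app), here is a savedsearches.conf stanza that turns the 15-minute search into a scheduled, emailed alert; the app name, stanza name, recipient address and the one-hour per-host throttle are assumptions.

```ini
# Assumed path: etc/apps/MyOrg_MBAM_Alerts/local/savedsearches.conf on the search head.
# The stanza name is the alert's display name.
[MBAM - ARW_ACTION_KILL_THREAD detected]
# Same search as the 15-minute variant above; the time window is set via dispatch.*
# instead of earliest= in the search string, and results are grouped per host.
search = index=mbam sourcetype=mbamservicelog ActionTaken=ARW_ACTION_KILL_THREAD \
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY host
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Run every 15 minutes (cron syntax).
enableSched = 1
cron_schedule = */15 * * * *

# Trigger when the search returns at least one result row.
counttype = number of events
relation = greater than
quantity = 0

# Record the firing in Triggered Alerts and notify by email.
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc-oncall@example.com
action.email.subject = MBAM ARW_ACTION_KILL_THREAD on $result.host$
action.email.include.results_link = 1

# Throttle to one notification per host per hour so a noisy host does not
# flood the inbox; the triggered alert is still recorded on every run.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
```

After deploying the app, restart the search head or reload the config (Settings > Searches, reports, and alerts) and confirm the alert appears as enabled and scheduled.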

Explorer

This is how I placed it in my PC inputs.conf file:

    [default]
    host = NPC25

    [monitor://C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG]
    index=mbam
    sourcetype=mbamservicelog
    # The two search strings below are not inputs.conf settings: inputs.conf only
    # tells the forwarder what to collect. Searches belong in savedsearches.conf
    # on the search head, so they are commented out here.
    # index=mbam sourcetype=mbamservicelog _index_earliest=-5m@m ActionTaken=ARW_ACTION_KILL_THREAD
    # index=mbam sourcetype=mbamservicelog earliest=-10m@m latest=-5m@m ActionTaken=ARW_ACTION_KILL_THREAD
0 Karma

Explorer

Thanks jkat54. I am not using a deployment server; Splunk is a new setup, so once I configure the correct inputs.conf file I will use something like xcopy to push it to the local servers.

0 Karma

SplunkTrust

OK, but you will need to restart the forwarder too, which requires WinRM or WMI queries to be able to restart the SplunkForwarder service via scripting.

0 Karma

Explorer

OK, got it, thanks.

0 Karma