Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

Champion

Hi,

Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

0 Karma

New Member

Not going that route seems like the right approach. There is usually a good reason that certain scenarios are not covered in the security guide:
https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Hardeningstandards

0 Karma

SplunkTrust

I agree with all three comments above.

The answer is no, you can't do it on a universal forwarder. You could do it on a heavy forwarder, and be careful that you do it with security in mind. Bmacias84 gave some great info on settings you should consider if you do this with a heavy forwarder.

What you could do is execute scripts via scripted inputs and deploy those via the deployment server.

0 Karma

Champion

If you want to do this, I would suggest using a HF and extending the Splunk REST endpoints with restmap.conf. restmap.conf supports requireAuthentication settings.

0 Karma
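An added example, not part of the thread or of Splunk's own code: a small audit that reads a restmap.conf from a heavy forwarder app and flags custom `script:` endpoints that disable `requireAuthentication` or lack a `capability` or `acceptFrom` restriction. The sample stanzas, endpoint paths and handler names are constructed for illustration, and the parser assumes simple `key = value` lines without backslash continuations.

```python
import configparser

# Constructed sample restmap.conf (hypothetical endpoints and handlers).
SAMPLE_RESTMAP = """
[script:run_job]
match = /custom/run_job
scripttype = python
handler = run_job_handler.RunJob
requireAuthentication = false

[script:job_status]
match = /custom/job_status
scripttype = python
handler = job_status_handler.JobStatus
requireAuthentication = true
capability = admin_all_objects
acceptFrom = 127.0.0.1
"""

FALSY = {"false", "0", "f", "no", "n"}


def audit_restmap(text):
    """Return {stanza: [findings]} for every script: stanza in the conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # setting names are case-sensitive, keep them as written
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("script:"):
            continue  # only endpoints that execute a script handler
        stanza = cp[section]
        issues = []
        # requireAuthentication defaults to true when the setting is absent.
        auth = stanza.get("requireAuthentication", "true").strip().lower()
        if auth in FALSY:
            issues.append("requireAuthentication is disabled")
        # capability or capability.<method> limits which roles may call it.
        if not any(k == "capability" or k.startswith("capability.")
                   for k in stanza):
            issues.append("no capability restriction")
        # acceptFrom is the per-endpoint network ACL.
        if "acceptFrom" not in stanza:
            issues.append("no acceptFrom network ACL")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_restmap(SAMPLE_RESTMAP).items():
        print(name, "->", issues or "ok")
```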

Motivator

I am wondering the same. Since the handling seems to be done by $SPLUNK_HOME/bin/rest_handler.py, I think it will not work since there is no Python on a universal forwarder.
I have a script that I would like to expose as a custom REST endpoint, but I get a 400/bad request as a reply.

0 Karma

New Member

If there is any, I'd be very careful about exposing it. Properly securing that endpoint would be an interesting challenge.

0 Karma