Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitoring services and process and which port using

test_qweqwe
Builder
‎12-18-2017 08:05 AM

HI.
I know how to monitoring process and services in Windows, but I don't know how to see port which use process/service.
All logs that I have right now and including process/services not have any fields with ports.
For example, I wanna make one table which will include service/process and port. How can I realize it?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adigrio
Path Finder
‎12-18-2017 08:58 AM

On Splunk Windows 64-bit installations you can configure a Splunk network monitoring data input to collect this type of information:

alt text

This will collect quite a lot of details about each TCP/IP connection on that system. Here is a sample list:

alt text

View solution in original post

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution
Solution

adigrio
Path Finder
‎12-18-2017 08:58 AM

On Splunk Windows 64-bit installations you can configure a Splunk network monitoring data input to collect this type of information:

alt text

This will collect quite a lot of details about each TCP/IP connection on that system. Here is a sample list:

alt text

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution

ttovarzoll
Path Finder
‎04-30-2020 03:22 PM

This looks great but I don't see an input-type, "Splunk network monitoring" when I try to add it to my Splunk Enterprise 7.3 environment. Is that a particular add-on or app?

0 Karma
Reply
Solved! Jump to solution

jacobpevans
Motivator
‎06-11-2020 05:22 AM

Splunk Add-on for Microsoft Windows

https://splunkbase.splunk.com/app/742/

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Tags (1)
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-18-2017 08:49 AM

Preempting your reply.

If your universal forwarders are *nix based, the splunk_TA_nix TAcomes with an input called openPortsEnhanced.sh which you can enable.
Add the following to your inputs.conf in the TA.

[script://./bin/openPortsEnhanced.sh]
disabled = false

It will yield results as follows:

Mon Dec 18 16:43:54 GMT 2017 app=splunkd dest_ip=* dest_port=8089 pid=34624 user=splunk fd=5u ip_version=4 dvc_id=46637453 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=splunkd dest_ip=* dest_port=8000 pid=34624 user=splunk fd=53u ip_version=4 dvc_id=46655525 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=mongod dest_ip=* dest_port=8191 pid=36671 user=splunk fd=5u ip_version=4 dvc_id=46645516 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=python dest_ip=127.0.0.1 dest_port=8065 pid=36831 user=splunk fd=15u ip_version=4 dvc_id=46655518 transport=TCP
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

test_qweqwe
Builder
‎12-18-2017 01:16 PM

Thank you for answer!

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-18-2017 08:40 AM

Is this on a universal forwarder - and which OS?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...