Getting Data In

Monitoring services and process and which port using

test_qweqwe
Builder

HI.
I know how to monitoring process and services in Windows, but I don't know how to see port which use process/service.
All logs that I have right now and including process/services not have any fields with ports.
For example, I wanna make one table which will include service/process and port. How can I realize it?

Labels (2)
0 Karma
1 Solution

adigrio
Path Finder

On Splunk Windows 64-bit installations you can configure a Splunk network monitoring data input to collect this type of information:

alt text

This will collect quite a lot of details about each TCP/IP connection on that system. Here is a sample list:

alt text

View solution in original post

adigrio
Path Finder

On Splunk Windows 64-bit installations you can configure a Splunk network monitoring data input to collect this type of information:

alt text

This will collect quite a lot of details about each TCP/IP connection on that system. Here is a sample list:

alt text

ttovarzoll
Path Finder

This looks great but I don't see an input-type, "Splunk network monitoring" when I try to add it to my Splunk Enterprise 7.3 environment. Is that a particular add-on or app?

0 Karma

jacobpevans
Motivator

Splunk Add-on for Microsoft Windows

https://splunkbase.splunk.com/app/742/

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Tags (1)
0 Karma

nickhills
Ultra Champion

Preempting your reply.

If your universal forwarders are *nix based, the splunk_TA_nix TAcomes with an input called openPortsEnhanced.sh which you can enable.
Add the following to your inputs.conf in the TA.

[script://./bin/openPortsEnhanced.sh]
disabled = false

It will yield results as follows:

Mon Dec 18 16:43:54 GMT 2017 app=splunkd dest_ip=* dest_port=8089 pid=34624 user=splunk fd=5u ip_version=4 dvc_id=46637453 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=splunkd dest_ip=* dest_port=8000 pid=34624 user=splunk fd=53u ip_version=4 dvc_id=46655525 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=mongod dest_ip=* dest_port=8191 pid=36671 user=splunk fd=5u ip_version=4 dvc_id=46645516 transport=TCP
Mon Dec 18 16:43:54 GMT 2017 app=python dest_ip=127.0.0.1 dest_port=8065 pid=36831 user=splunk fd=15u ip_version=4 dvc_id=46655518 transport=TCP
If my comment helps, please give it a thumbs up!

test_qweqwe
Builder

Thank you for answer!

0 Karma

nickhills
Ultra Champion

Is this on a universal forwarder - and which OS?

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...