Getting Data In

host (PC) linux on my Network

numeroinconnu12
Path Finder

Good morning, everyone,

As the title says, I would like to know which Linux hosts have access to my network, not the servers but the hosts.

Thank you.

0 Karma

ololdach
Builder

Hi,

Let's assume you'd like to know all machines that run Linux within your network. First, you have to find any active clients, and you could use two approaches: active scans or passive listening in on the traffic. For active scanning, nmap is a good starting point: https://en.wikipedia.org/wiki/Nmap

It will deliver some findings and can be configured to give you a probability for the OS that a client runs, based on open ports and probes that the tool uses to discover the version of OS. Whatever nmap delivers, you could index into splunk and do further analysis.

For passive scanning, you could always use the stream app (https://splunkbase.splunk.com/app/1809/), have it listen to your network, and do some forensics on the data. For example, you could look for ARP packets, disclosing the MAC to IP translations. If you wait long enough, a rogue Linux system will likely contact an NTP time source outside of your own NTP setup. Luckily, Linux clients don't use any microsoft.com domains for time resolution, but rather something like ntp.ubuntu.com. Unless you distribute NTP through DHCP... but hey, there are other ways... like testing port 22, as Linux usually has ssh running, or 5900 for VNC.

hih
Oliver

0 Karma

jpolvino
Builder

Are you asking if Splunk can detect when someone walks into your workplace with a PC running linux, and connects to your network?

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
Your request is rather generic; could you share some additional information?
Are you talking about servers that have the Universal Forwarder installed?
Are you talking about network traffic or access to a certain system?
Are these servers already sending their logs to Splunk or not?

Ciao.
Giuseppe

0 Karma

numeroinconnu12
Path Finder

Hi @gcusello ,
The servers send their logs to splunk.
I would like to know if there are Linux PCs that connect to the network. With which Splunk search can I find out?
Thanks

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
If you are already receiving logs from those servers, you have to run a simple search:

index=_internal
| stats count BY host

In this way you have all the servers that are sending logs to Splunk.
To get the Linux servers you have two ways:
If in the hostname there's something to recognize them by (e.g. the hostname is something like srvx-0001), you can add a filter to your search:

index=_internal host=srvx*
| stats count BY host

If you cannot recognize them from the naming convention, you should have a list of all your servers in a lookup and use it to filter your search: e.g. if you have a lookup called perimeter.csv with two fields, host and type, you could run something like this:

index=_internal [ | inputlookup perimeter.csv where type=unix | fields host ]
| stats count BY host

Ciao.
Giuseppe

0 Karma

numeroinconnu12
Path Finder

Hello @gcusello

thank you for your answer.

The problem is not the linux servers.

I would like to know if there are linux OS connecting to my network not the linux servers.

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
The questions are the same:

  • Are you talking about systems that have the Universal Forwarder installed?
  • Are these servers already sending their logs to Splunk or not?

Anyway, if you have a list of your known systems, you could exclude the known ones and list the remaining:

index=_internal NOT [ | inputlookup perimeter.csv | fields host ]
| stats count BY host

Ciao.
Giuseppe

0 Karma
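As an added example that is not from this thread or from Splunk, the Python below parses the XML that nmap writes with -oX (the scan data ololdach suggests indexing into Splunk) and applies gcusello's idea of excluding every host listed in perimeter.csv, leaving the Linux-classified hosts that are not known servers. The nmap XML and the lookup are constructed sample data, and the 85% accuracy threshold is an assumed cut-off, not something the thread states.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output, trimmed to the tags the parser reads.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="srvx-0001" type="PTR"/></hostnames>
  <os><osmatch name="Linux 5.4" accuracy="96"><osclass osfamily="Linux"/></osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.77" addrtype="ipv4"/>
  <hostnames><hostname name="laptop-x1" type="PTR"/></hostnames>
  <os><osmatch name="Linux 5.10 - 6.1" accuracy="91"><osclass osfamily="Linux"/></osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
  <hostnames><hostname name="win-desk" type="PTR"/></hostnames>
  <os><osmatch name="Microsoft Windows 10" accuracy="94"><osclass osfamily="Windows"/></osmatch></os></host>
 <host><status state="down"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed lookup in the shape of the thread's perimeter.csv (fields: host, type).
PERIMETER_CSV = "host,type\nsrvx-0001,unix\nwin-desk,windows\n"


def parse_nmap(xml_text):
    """One record per host that is up: hostname (or IP), IP, OS family, accuracy."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no OS data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name = host.find("hostnames/hostname")
        # nmap may list several osmatch candidates; keep the most confident one
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy", 0)), default=None)
        osclass = best.find("osclass") if best is not None else None
        records.append({"host": name.get("name") if name is not None else addr, "ip": addr,
                        "osfamily": osclass.get("osfamily") if osclass is not None else "unknown",
                        "accuracy": int(best.get("accuracy")) if best is not None else 0})
    return records


def unknown_linux_hosts(xml_text, lookup_csv, min_accuracy=85):
    """Linux-classified hosts absent from the lookup: the NOT [ | inputlookup ... ] idea in code."""
    known = {row["host"] for row in csv.DictReader(io.StringIO(lookup_csv))}
    return sorted(r["host"] for r in parse_nmap(xml_text)
                  if r["osfamily"] == "Linux" and r["accuracy"] >= min_accuracy
                  and r["host"] not in known)


if __name__ == "__main__":
    print(unknown_linux_hosts(NMAP_XML, PERIMETER_CSV))  # prints ['laptop-x1']
```

Keep in mind that index=_internal only contains hosts that run Splunk software themselves, so an unmanaged laptop never shows up there; scan or passive traffic data like the above has to be the input for that question.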