Installation

Protect Splunk Forwarder from deleting

Chiko
Explorer

Hi all,

We use Splunk and Splunk Forwarder for our project. Splunk is installed on EC2 and Forwarder is part of our installation package. So when clients install our app, it's installed with Splunk Forwarder.

So, our question how can we protect Splunk Forwarder from uninstalling by user in this case? For our app, we use uninstall password, a user needs to enter password for removing it.

Or, maybe does exist someway to say to a user, this Splunk Forwarder is a part of our app, when he will try to remove it?

Or, maybe in our situation we need to use an another way for forwarding logs to Splunk (w/o Splunk Forwarder)?

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Chiko,

no, sorry, it's not possible to block the unistall of Universal Forwarder for a machine administrator.

The only way is to limit the rights of your users.

You can only be informed when this happens putting an alert on your Splunk.

Ciao.

Giuseppe

View solution in original post

Chiko
Explorer

@gcusello Thanks a lot. Your answers are very helpful for me

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Chiko,

no, sorry, it's not possible to block the unistall of Universal Forwarder for a machine administrator.

The only way is to limit the rights of your users.

You can only be informed when this happens putting an alert on your Splunk.

Ciao.

Giuseppe

Chiko
Explorer

Hi @gcusello ,

Thanks for your answer.

What about custom logs forwarding? Is it possible? Does exist some recommended way?

Because if our app forwards logs to Splunk, it will be protected from uninstall. 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Chiko,

you can be informed that the Forwarder is unactive in this way:

create a lookup containing all the systems to monitor (called e.g. perimeter.csv) with only one field (e.g. host)

then you can run a simple search on Splunk:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you have noticed that there's some Forwarder that isn't sending logs.

I hint to use this control on all the systems of your infrastructure to monitor them and to be sure that they are sending, otherwise Splunk is blind!

Ciao.

Giuseppe

Chiko
Explorer

@gcusello Thanks for the detailed answer. 

But what about custom forwarding? Let's say in my code I'll send logs to Splunk instead of Splunk Forwarder. Is it not recommended? So, in this way my app won't depend on Splunk Forwarder, if user removes it from his computer

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Chiko,

please, better describe what you mean with custom forwarding:

  • are you sleaking of forwarding custom logs using the Universal Forwarding,
  • or you're meaning to find an alternative way to send logs to Splunk from a windows system?

If the first, you can send all kind of logs from a Univerasal Forwarder to Splunk, also custom logs.

If the second, to take logs from a Windows system, you could use WMI, but I use this method only as the last choice because it requires a Domain administrative account and it isn't a security good idea.

In addition Forwarder gives many feature very useful: local chaching in case of network or server fault, compression, bandwdth optimization, etc...

Ciao.

Giuseppe

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...