Hi all,
We use Splunk and the Splunk Forwarder for our project. Splunk is installed on EC2 and the Forwarder is part of our installation package, so when clients install our app, it is installed together with the Splunk Forwarder.
So, our question is: how can we protect the Splunk Forwarder from being uninstalled by the user in this case? For our app we use an uninstall password; a user needs to enter the password to remove it.
Or, maybe there is some way to tell the user that this Splunk Forwarder is part of our app when he tries to remove it?
Or, maybe in our situation we need to use another way of forwarding logs to Splunk (without the Splunk Forwarder)?
Hi @Chiko,
no, sorry, it's not possible to block the uninstall of the Universal Forwarder for a machine administrator.
The only way is to limit the rights of your users.
You can only be informed when this happens by putting an alert on your Splunk.
Ciao.
Giuseppe
@gcusello Thanks a lot. Your answers are very helpful for me
Hi @gcusello ,
Thanks for your answer.
What about custom log forwarding? Is it possible? Is there a recommended way?
Because if our app forwards the logs to Splunk itself, it will be protected from uninstall.
Hi @Chiko,
you can be informed that a Forwarder is inactive in this way:
create a lookup containing all the systems to monitor (called e.g. perimeter.csv) with only one field (e.g. host)
then you can run a simple search on Splunk:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
In this way you will notice that there is some Forwarder that isn't sending logs.
I suggest using this check on all the systems of your infrastructure, to monitor them and to be sure that they are sending; otherwise Splunk is blind!
Ciao.
Giuseppe
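The same "silent forwarder" check as the SPL search above, expressed in Python so it can be run offline and studied step by step. This is an added example, not code from the thread or from Splunk: the perimeter.csv content, the _internal-style log lines, the `host=` field layout, the reference time and the one-hour window are all constructed assumptions. Each function maps to one stage of the search (inputlookup + lower, stats count BY host within the time range, append + sum + where total=0).

```python
"""Added example: the 'silent forwarder' SPL check re-implemented in plain Python.

Assumptions (hypothetical, not from the thread): perimeter.csv has a single
'host' column, and _internal events are represented as text lines that start
with a timestamp followed by a host=<name> field.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what perimeter.csv might contain (mixed case on purpose,
# which is why the SPL applies lower() on both sides).
PERIMETER_CSV = """host
WEB01
web02
db01
app03
"""

# Constructed sample lines in the style of index=_internal (metrics.log / splunkd.log).
# Only the timestamp and the host= field matter for this check.
SAMPLE_INTERNAL = """\
2024-05-01 10:00:01 host=web01 source=/opt/splunkforwarder/var/log/splunk/metrics.log group=tcpout_connections
2024-05-01 10:00:05 host=WEB02 source=/opt/splunkforwarder/var/log/splunk/splunkd.log component=TcpOutputProc
2024-05-01 10:00:09 host=web01 source=/opt/splunkforwarder/var/log/splunk/metrics.log group=thruput
2024-05-01 06:30:00 host=app03 source=/opt/splunkforwarder/var/log/splunk/metrics.log group=tcpout_connections
"""

# Assumed search time range: "last hour" relative to a fixed reference time.
DEFAULT_NOW = datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc)
DEFAULT_WINDOW = timedelta(hours=1)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+)")


def load_perimeter(csv_text):
    """Equivalent of `| inputlookup perimeter.csv | eval host=lower(host)`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"].strip().lower() for row in reader if row.get("host")}


def count_by_host(log_text, now, window):
    """Equivalent of `| metasearch index=_internal | eval host=lower(host)
    | stats count BY host`, restricted to the search time range [now - window, now]."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event line we understand; skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if ts < now - window or ts > now:
            continue  # outside the search window, just like events outside the SPL time picker
        host = m["host"].lower()
        counts[host] = counts.get(host, 0) + 1
    return counts


def silent_hosts(perimeter, counts):
    """Equivalent of the append + `| stats sum(count) AS total BY host | where total=0` step:
    every perimeter host starts at count 0, observed counts are added on top, and the
    hosts whose total is still 0 are the forwarders that sent nothing."""
    totals = {h: 0 for h in perimeter}
    for host, n in counts.items():
        totals[host] = totals.get(host, 0) + n
    return sorted(h for h, t in totals.items() if t == 0)


def check(perimeter_csv=PERIMETER_CSV, log_text=SAMPLE_INTERNAL,
          now=DEFAULT_NOW, window=DEFAULT_WINDOW):
    """Run the whole pipeline and return the list of silent perimeter hosts."""
    return silent_hosts(load_perimeter(perimeter_csv), count_by_host(log_text, now, window))


if __name__ == "__main__":
    for h in check():
        print(f"ALERT: no _internal events from {h} in the last hour")
```

With the constructed data, web01 and web02 are seen inside the window, app03 only reported outside it, and db01 never reported at all, so app03 and db01 are flagged. Note that, exactly like the SPL, a host that sends events but is not in perimeter.csv is never flagged: the lookup is the only source of "hosts that should exist", which is why the lookup has to be kept complete.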
@gcusello Thanks for the detailed answer.
But what about custom forwarding? Let's say that in my code I send logs to Splunk directly instead of through the Splunk Forwarder. Is that not recommended? In this way my app won't depend on the Splunk Forwarder if the user removes it from his computer.
Hi @Chiko,
please, better describe what you mean with custom forwarding:
If the first, you can send all kinds of logs from a Universal Forwarder to Splunk, also custom logs.
If the second, to take logs from a Windows system you could use WMI, but I use this method only as a last choice because it requires a Domain administrative account and it isn't a good security idea.
In addition, the Forwarder gives many very useful features: local caching in case of a network or server fault, compression, bandwidth optimization, etc.
Ciao.
Giuseppe