How to verify the Splunk on local systems?

AL3Z
Builder

Hi,

I am attempting to determine if Splunk is installed on all of our local systems within our environment. Is there a way to check this through Tags, the Windows Registry (regedit), or ParentProcessname or a PowerShell script? If so, could you please provide guidance on the process?

Thanks


AL3Z
Builder

@gcusello 

What is the validation criteria for Splunk UniversalForwarder ?


gcusello
SplunkTrust

hi @AL3Z,

the validation criterion is the presence of each host both in the lookup and in the search results.

ciao.

Giuseppe


AL3Z
Builder

Hi @gcusello, I need something like the table below:

Name   Common Check            Tool Specific
       Running Service Name    Application Name in Control Panel
UF     Splunk Forwarder        UF

How can we check the presence of the UF, like the path etc.?


gcusello
SplunkTrust

Hi @AL3Z ,

let me understand: you can check the activity of a Universal Forwarder by searching on Splunk whether it sends internal logs.

If it's down it doesn't send logs, but it's still installed:

what do you want to check?

Then, how do you want to merge Splunk data with other data, like the one in the first row of your table?

It isn't clear to me how you take the data.

ciao.

Giuseppe


AL3Z
Builder

Hello @gcusello,
We are currently working on a script to verify the existence of various tools, including Tanium, Forescout, Akamai, and Splunk Forwarder, on all the machines.


gcusello
SplunkTrust

Hi @AL3Z,

if you need a script outside Splunk to check the presence of a Splunk installation, you have to check for the splunk folder (for Splunk server) or the splunkforwarder folder (for Universal Forwarders).

If you want to check the Splunk activity, you have to search for the splunkd process, which is present both on Windows and on Linux.

On Linux it is:

ps -eafd | grep splunkd

On Windows there's the tasklist command, but I'm not a Windows specialist.

Ciao.

Giuseppe

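An added PowerShell example (not from this thread or from Splunk) that puts the checks discussed above into one local script: the Windows service, the install folder, the Add/Remove Programs entry shown in Control Panel, and the running splunkd process. It assumes the default service name SplunkForwarder, the default install path C:\Program Files\SplunkUniversalForwarder, and a Control Panel display name containing "UniversalForwarder"; adjust these for custom installs.

```powershell
# Added example: detect a Splunk Universal Forwarder on the local Windows host.
# Assumptions (adjust for custom installs): service "SplunkForwarder",
# install path "C:\Program Files\SplunkUniversalForwarder",
# Control Panel display name containing "UniversalForwarder".
function Test-SplunkForwarder {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'SplunkForwarder',
        [string]$InstallPath = 'C:\Program Files\SplunkUniversalForwarder'
    )

    # 1. Windows service registered by the UF installer
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # 2. Install folder (the "splunkforwarder folder" from the thread)
    $folderExists = Test-Path -Path (Join-Path $InstallPath 'bin\splunkd.exe')

    # 3. Add/Remove Programs entry, read from both Uninstall registry hives
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*UniversalForwarder*' } |
        Select-Object -First 1

    # 4. Running splunkd process (Windows equivalent of "ps -eaf | grep splunkd")
    $proc = Get-Process -Name splunkd -ErrorAction SilentlyContinue

    # Installed = any static evidence; Running = the process is actually up,
    # so a host can be "Installed but not Running" (UF down, not missing).
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = [bool]($svc -or $folderExists -or $app)
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        InstallFolder = $folderExists
        ControlPanel  = if ($app) { $app.DisplayName } else { $null }
        Version       = if ($app) { $app.DisplayVersion } else { $null }
        Running       = [bool]$proc
    }
}

# Run locally; wrap in Invoke-Command -ComputerName to query many hosts.
Test-SplunkForwarder | Format-List
```

The Installed/Running split matches the distinction made in this thread: a forwarder that is installed but stopped will not appear in index=_internal, so the two signals should be kept separate in any fleet report.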

AL3Z
Builder

For UF, can you please provide the search to find all the hosts that contain a Forwarder?


gcusello
SplunkTrust

Hi @AL3Z,

for forwarders, you should have a list of all the UFs to monitor in a lookup called e.g. perimeter.csv, containing at least one field (host).

Then you can run a search like the following:

| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you have the list of UFs not sending logs.

If you want a table with all hosts with their status, you could run something like this:

| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Missing","Present")

Ciao.

Giuseppe

AL3Z
Builder

For SE, it's not possible to access the interface or check if the Splunk process is active on all the other machines from my machine.


gcusello
SplunkTrust

Hi @AL3Z,

can you run a script to check the process?

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @AL3Z,

are you speaking of Splunk Enterprise or Splunk Universal Forwarder?

If SE, you can try to access the interface or check if the Splunk process is active.

If UF, you can see in Splunk if you have internal logs (index=_internal host=<your_host>), or check if the Splunk process is active.

Ciao.

Giuseppe
