Solved: Is there a way to create an alert if splunkd on an...

bishtk · ‎11-30-2020

Hi Guys,

In my project environment, every splunkd is installed using splunk user. So I need to create an alert if any splunkd on any splunk server (enterprise or UF) gets started with root or any other user post boot or if anyone starts it with any other user than splunk.

Please suggest.

-Thanks

gcusello · ‎11-30-2020

Hi @bishtk,

you could create a script that runs the ps command (e.g. in Linux) on the system to monitor, then Forwarder send results to Splunk and you can analyze the result.

If you want, you can also use the script in Splunk_TA-nix.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-30-2020

Hi @bishtk,

you could create a script that runs the ps command (e.g. in Linux) on the system to monitor, then Forwarder send results to Splunk and you can analyze the result.

If you want, you can also use the script in Splunk_TA-nix.

Ciao.

Giuseppe

bishtk · ‎12-01-2020

Thank you @gcusello . I will go for Splunk_TA_nix option

gcusello · ‎12-01-2020

Hi @bishtk,

good for yu.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

bishtk · ‎12-01-2020

@gcusello thank you and happy splunking 🙂

Is there a way to create an alert if splunkd on any Splunk instance is started by any user except "splunk user"?

forwarder

indexer clustering

splunkd

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?