Solved: Is there a way to create an alert if splunkd on an...

bishtk · ‎11-30-2020

Hi Guys,

In my project environment, every splunkd is installed using splunk user. So I need to create an alert if any splunkd on any splunk server (enterprise or UF) gets started with root or any other user post boot or if anyone starts it with any other user than splunk.

Please suggest.

-Thanks

gcusello · ‎11-30-2020

Hi @bishtk,

you could create a script that runs the ps command (e.g. in Linux) on the system to monitor, then Forwarder send results to Splunk and you can analyze the result.

If you want, you can also use the script in Splunk_TA-nix.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-30-2020

Hi @bishtk,

you could create a script that runs the ps command (e.g. in Linux) on the system to monitor, then Forwarder send results to Splunk and you can analyze the result.

If you want, you can also use the script in Splunk_TA-nix.

Ciao.

Giuseppe

bishtk · ‎12-01-2020

Thank you @gcusello . I will go for Splunk_TA_nix option

gcusello · ‎12-01-2020

Hi @bishtk,

good for yu.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

bishtk · ‎12-01-2020

@gcusello thank you and happy splunking 🙂

Is there a way to create an alert if splunkd on any Splunk instance is started by any user except "splunk user"?

forwarder

indexer clustering

splunkd

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application