I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?
I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).
Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?
I think pretty basic/standard sourcetypes for windows, application, system and security. There are a lot of different eventtypes though, so I will dig around.
I do have a UF on the VMs in question.
Hoping to use Splunk to help with generating my CMDB haha.
Right, ok 🙂
Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).
Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the windows TA even already contains some scripted / wmi inputs that enable you to find out.
So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seem to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventtype nix-all-logs- so hopefully I can whip something up that is accurate and clean.
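An added example of the kind of Linux scripted input discussed above (my own code, not from this thread or from any Splunk TA): it classifies the host as physical or VM from the DMI strings the kernel exposes, notes whether VMware Tools is installed, and emits one key=value event for the UF to forward. The field names, the hypervisor patterns and the DMI/VMware Tools paths are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Splunk TA: a scripted input
# for Linux UFs that classifies the host as physical or VM and emits one
# key=value event per run. Field names and patterns below are assumptions.

# classify_dmi VENDOR PRODUCT: prints "vm:<hypervisor>" or "physical"
classify_dmi() {
  s=$(printf '%s %s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
  case "$s" in
    *vmware*)                       echo "vm:vmware" ;;
    *virtualbox*|*innotek*)         echo "vm:virtualbox" ;;
    *microsoft*virtual*|*hyper-v*)  echo "vm:hyperv" ;;
    *amazon*)                       echo "vm:aws" ;;
    *google*compute*)               echo "vm:gce" ;;
    *xen*)                          echo "vm:xen" ;;
    *qemu*|*kvm*|*bochs*)           echo "vm:kvm" ;;
    *)                              echo "physical" ;;
  esac
}

# read_dmi FIELD: DMI string from /sys/class/dmi/id, "unknown" if absent/unreadable
read_dmi() {
  f="/sys/class/dmi/id/$1"
  if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo unknown; fi
}

# vmware_tools_state: "yes" if the open-vm-tools / VMware Tools daemon is present
vmware_tools_state() {
  if command -v vmtoolsd >/dev/null 2>&1 || [ -x /usr/bin/vmware-toolbox-cmd ]; then
    echo yes
  else
    echo no
  fi
}

# build_event: one Splunk-friendly key=value line (fields are assumed names)
build_event() {
  vendor=$(read_dmi sys_vendor)
  product=$(read_dmi product_name)
  verdict=$(classify_dmi "$vendor" "$product")
  virt=${verdict%%:*}                       # "vm" or "physical"
  if [ "$virt" = "vm" ]; then hv=${verdict#*:}; else hv=none; fi
  # systemd-detect-virt, where present, is an independent cross-check
  sdv=$(systemd-detect-virt 2>/dev/null || true)
  [ -n "$sdv" ] || sdv=unavailable
  printf 'time=%s host=%s virt=%s hypervisor=%s systemd_detect_virt=%s vmware_tools=%s dmi_vendor="%s" dmi_product="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$virt" "$hv" "$sdv" \
    "$(vmware_tools_state)" "$vendor" "$product"
}

build_event
```

Configure it as a scripted input with an interval of a day or so; the resulting virt/hypervisor fields can then feed a lookup or the asset list.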