Splunk Enterprise Security

How to search when firewall disabled on servers

syed_star357
New Member

Dear Team,

How to search when the firewall is disabled on servers? The below search is able to see the firewall status and the server's last logon. We want to know when the firewall option has been disabled.

| dbquery "" "SELECT * FROM tb_EntityInfo"
| rename EI_OS_MachineName as Host
| fillnull value="-"
| search PFWSetting!=1
| rename EI_OS_MachineName as Host EI_IPAddressList as IPAddress EI_UserDomain as Domain EI_UserAccount as LoggedInUser EI_LastLogonTime as LastLogonTime LastScheduleScanUTC as LastScheduleScan EI_DomainName as Group EI_MACAddressList as MAC
| search Host!=*
| search EI_State=* Host=*
| eval AVEngine_Version=EI_ProductVersion+" "+EI_ProductBuildNumber
| eval Operating_System=EI_OS_Name+" "+EI_OS_Version+" "+EI_OS_SPVersion
| eval LastLogonTime=strftime(LastLogonTime,"%c")
| eval LastScheduleScan=strftime(LastScheduleScan,"%c")
| eval Firewall=if(PFWSetting="1","Enabled","Disabled")
| eval State=if(EI_State="100","Online",if(EI_State="101","Offline","Roaming"))
| fields - ID EI_*
| table Host IPAddress MAC Operating_System Firewall State LastLogonTime


inventsekar
SplunkTrust
SplunkTrust

This one finds out the firewall status as Enabled or Disabled:
| eval Firewall=if(PFWSetting="1","Enabled","Disabled")

And you are printing a table output which includes "Firewall", which was calculated above, as well:
| table Host IPAddress MAC Operating_System Firewall State LastLogonTime

So, the disabled firewall status is already printed by this query.
Please update us more.


syed_star357
New Member

Dear Inventsekar,

We want to know when the firewall status has been disabled on servers. What is the search to get the date and time the firewall was disabled?

Regards,
Syed


inventsekar
SplunkTrust
SplunkTrust

Hi Syed,
The query has got two timestamps:
LastLogonTime
and
LastScheduleScan

So, the disabled time is not picked up by the query, I guess.

Maybe you need to check the output of this and see if there is any field for the disabled time, and include that in the later part of the query.
| dbquery "" "SELECT * FROM tb_EntityInfo"
| rename EI_OS_MachineName as Host
| fillnull value="-"
| search PFWSetting!=1

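As an added example that is not part of this thread or of any Splunk app: tb_EntityInfo is a snapshot of the current state, so a single dbquery can only tell you that a firewall is disabled now, not when it changed. One way to get the change time is to take the snapshot on a schedule and compare consecutive snapshots per host. The first search below is meant to run as a scheduled search (for example every 15 minutes) and writes each host's current firewall state into a summary index; the second search reads those snapshots and reports the first time each host went from Enabled to Disabled. The DB connection name YOUR_DB_CONNECTION, the index fw_snapshots and the sourcetype fw_snapshot are placeholders I chose; the column names and the PFWSetting logic come from the question's own query.

```spl
| dbquery "YOUR_DB_CONNECTION" "SELECT EI_OS_MachineName, PFWSetting FROM tb_EntityInfo"
| rename EI_OS_MachineName AS Host
| eval Firewall=if(PFWSetting="1","Enabled","Disabled"), _time=now()
| fields _time Host Firewall
| collect index=fw_snapshots sourcetype=fw_snapshot

index=fw_snapshots sourcetype=fw_snapshot earliest=-30d
| sort 0 Host _time
| streamstats current=f last(Firewall) AS PrevFirewall by Host
| where PrevFirewall="Enabled" AND Firewall="Disabled"
| eval DisabledAt=strftime(_time,"%c")
| stats min(DisabledAt) AS FirstDisabled, count AS TimesDisabled by Host
```

The sort by Host and _time plus streamstats with current=f makes PrevFirewall the state seen in the previous snapshot for the same host, so the where clause keeps only the Enabled-to-Disabled transitions. The resolution is the schedule interval of the first search: a firewall disabled and re-enabled between two snapshots will not be seen. If the servers are Windows hosts and their event logs are already forwarded to Splunk, the Security log event 4950 ("A Windows Firewall setting has changed", which requires the MPSSVC rule-level policy change audit subcategory) and event 2003 in the Windows Firewall With Advanced Security/Firewall operational log record the exact change time without any polling.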