Splunk Enterprise Security

How to troubleshoot the Adaptive Response script not running?

b_chris21
Communicator

Hello everyone,

I have set an Adaptive Response Action (custom bash script) along with a Notable event on a simple correlation search. The Notable triggers but the script not.

The script is used to initiate a tcpdump capture on an indexer. The script is placed under:

- /opt/splunk/etc/apps/SplunkEnterpriseSecurity/bin/tcpdump.sh

- /opt/splunk/bin/scripts/tcpdump.sh

Owner: splunk  Permissions: 755

tcpdump.sh

 

#!/bin/bash
#Initiate tcpdump (3 dumps for 5mins each)
tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S

 

I tried to create an app with an Adaptive Response Action with Addon-Builder but my coding skills are not good.

How can I troubleshoot why the script is not running at all?

Thanks

Chris

Labels (1)
0 Karma

venky1544
Contributor

Hi @b_chris21 

try to add the full path and give it a try 

/usr/sbin/tcpdump

 

 

b_chris21
Communicator

Hello,

this works when manually triggering the script as splunk user (on the indexer directly). I know try to get the adaptive response action work.

Question: the script should reside on Splunk ES or on remote indexer? Or normally it should replicated via the replication bundle?

Thanks

0 Karma

b_chris21
Communicator

I managed to have the script run after the Notable was triggered, but the script actually run on the machine where ES is installed.

How can I get it run on the Indexer?

Thanks

0 Karma