- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to troubleshoot the Adaptive Response script not running?
Hello everyone,
I have set an Adaptive Response Action (custom bash script) along with a Notable event on a simple correlation search. The Notable triggers but the script not.
The script is used to initiate a tcpdump capture on an indexer. The script is placed under:
- /opt/splunk/etc/apps/SplunkEnterpriseSecurity/bin/tcpdump.sh
- /opt/splunk/bin/scripts/tcpdump.sh
Owner: splunk Permissions: 755
tcpdump.sh
#!/bin/bash
#Initiate tcpdump (3 dumps for 5mins each)
tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S
I tried to create an app with an Adaptive Response Action with Addon-Builder but my coding skills are not good.
How can I troubleshoot why the script is not running at all?
Thanks
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
this works when manually triggering the script as splunk user (on the indexer directly). I know try to get the adaptive response action work.
Question: the script should reside on Splunk ES or on remote indexer? Or normally it should replicated via the replication bundle?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to have the script run after the Notable was triggered, but the script actually run on the machine where ES is installed.
How can I get it run on the Indexer?
Thanks
