How to troubleshoot the Adaptive Response script n...

b_chris21 · ‎03-11-2022

Hello everyone,

I have set an Adaptive Response Action (custom bash script) along with a Notable event on a simple correlation search. The Notable triggers but the script not.

The script is used to initiate a tcpdump capture on an indexer. The script is placed under:

- /opt/splunk/etc/apps/SplunkEnterpriseSecurity/bin/tcpdump.sh

- /opt/splunk/bin/scripts/tcpdump.sh

Owner: splunk Permissions: 755

tcpdump.sh

#!/bin/bash
#Initiate tcpdump (3 dumps for 5mins each)
tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S

I tried to create an app with an Adaptive Response Action with Addon-Builder but my coding skills are not good.

How can I troubleshoot why the script is not running at all?

Thanks

Chris

venky1544 · ‎03-11-2022

Hi @b_chris21

try to add the full path and give it a try

/usr/sbin/tcpdump

b_chris21 · ‎03-11-2022

Hello,

this works when manually triggering the script as splunk user (on the indexer directly). I know try to get the adaptive response action work.

Question: the script should reside on Splunk ES or on remote indexer? Or normally it should replicated via the replication bundle?

Thanks

b_chris21 · ‎03-11-2022

I managed to have the script run after the Notable was triggered, but the script actually run on the machine where ES is installed.

How can I get it run on the Indexer?

Thanks

How to troubleshoot the Adaptive Response script not running?

troubleshooting

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!