Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

oagtexas
Explorer

We are running Enterprise Security and I'm trying to schedule and automate the population of assets.csv, which ES uses as an Identity Management lookup file. I figured I could use DB Connect to connect to our SQL-based CMDB and pull the required information. This connection works fine, and I'm able to access a stored report in the CMDB to use for creating the exact format of the assets.csv file.

I see 3 options to save anything in DB Connect:

DB Inputs
DB Outputs
DB Lookups

I don't see any of these options doing what I want to do above, which is just to call the query and output it as a lookup CSV file. I'm thinking there's a sloppy workaround to be found here, but I was wondering how others are automating their asset inventory in ES?

0 Karma

maciep
Champion

We connect to our CMDB to get our assets and identities as well. We have a scheduled search that runs the dbquery, massages the data as needed, formats the data as needed, and then at the very end of the search we pipe to the outputlookup command to create the csv itself.

For the lookups themselves, we have them configured in a custom SA of ours. And then we configure ES to include those lookups for its asset/identities lists.

Also, our ES env is clustered and we haven't got around to feeling comfortable with dbconnect in that ES cluster. So we actually run the above search on our heavy forwarder and rsync the custom app with our lookups over to the ES boxes a couple of times a day.

Not sure if that's the best approach, but that's how we're doing it. Oh, and we're still on ES 3.3.2.

0 Karma
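The push step described in the reply above (scheduled search writes the lookup on the heavy forwarder, rsync copies the custom app's lookups to the ES search heads) benefits from one check the reply does not mention: a failed or empty CMDB query should not silently overwrite a good assets.csv. The script below is an added example, not code from the thread or from Splunk. It assumes a hypothetical custom app named SA-cmdb-assets under $SPLUNK_HOME/etc/apps on both the forwarder and the ES search heads, SSH key access as the splunk user, and a placeholder list of required header columns that you should replace with the header of the asset lookup shipped with your ES version. If the ES search heads form a search head cluster, push the app through the deployer instead of writing to members directly.

```shell
#!/bin/sh
# Added example (not from the thread): validate a CMDB-generated assets.csv
# before pushing the app's lookups directory to the ES search heads.
# Assumptions (hypothetical names): app SA-cmdb-assets exists at the same
# path on the forwarder and on every ES search head, the splunk user can
# rsync over SSH, and REQUIRED_COLS matches your ES version's asset header.
set -eu

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
APP_DIR="$SPLUNK_HOME/etc/apps/SA-cmdb-assets"
LOOKUP="$APP_DIR/lookups/assets.csv"
REQUIRED_COLS="ip mac nt_host dns owner priority"   # placeholder list
MIN_ROWS=100                                        # refuse near-empty output

# Return 0 if $1 carries every required column in its header row and at
# least $2 data rows; otherwise print the reason to stderr and return 1.
validate_assets_csv() {
    file=$1
    min_rows=$2
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    header=$(head -n 1 "$file" | tr -d '\r')
    for col in $REQUIRED_COLS; do
        case ",$header," in
            *",$col,"*) ;;
            *) echo "missing column '$col' in $file" >&2; return 1 ;;
        esac
    done
    # awk counts the last line even when the file lacks a trailing newline
    rows=$(awk 'END { print NR - 1 }' "$file")
    if [ "$rows" -lt "$min_rows" ]; then
        echo "only $rows data rows (minimum $min_rows) in $file" >&2
        return 1
    fi
    return 0
}

# Push the lookups directory to each ES search head named on the command
# line. -a keeps permissions and timestamps, --delete removes stale files.
sync_lookups() {
    for host in "$@"; do
        rsync -az --delete "$APP_DIR/lookups/" "splunk@$host:$APP_DIR/lookups/"
    done
}

# Constructed sample (not real CMDB data) for exercising the validator.
write_sample_csv() {
    cat > "$1" <<'EOF'
ip,mac,nt_host,dns,owner,priority
10.0.0.1,00:11:22:33:44:55,host1,host1.example.com,it,high
10.0.0.2,00:11:22:33:44:66,host2,host2.example.com,it,low
EOF
}

# Only push when search heads are given, e.g. from cron on the forwarder:
#   sh sync_assets.sh es-sh1.example.com es-sh2.example.com
# A validation failure aborts before rsync runs, so the previous good
# assets.csv on the search heads is left untouched.
if [ "$#" -gt 0 ]; then
    validate_assets_csv "$LOOKUP" "$MIN_ROWS"
    sync_lookups "$@"
fi
```

Run it from cron on the heavy forwarder a few minutes after the scheduled outputlookup search, and set MIN_ROWS to a bit below your real asset count so a CMDB outage (which tends to produce a header-only file) is caught rather than shipped.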

rishrai
New Member

I am looking to continuously update the asset list from CMDB. DB Connect is installed on the heavy forwarder. I got the part of running dbquery in DB Connect to generate the lookup file. Now how do I get the lookup file to the ES search head and place it in SA-IdentityManagement? I am not familiar with rsync. Can you please explain more?

0 Karma