Splunk Enterprise Security

Splunk enterprise security-is there a way to execute the following process of the OS?

human96
Communicator

is there a way to execute the following process of the OS? ??

 

-Cluster master server (Splunk Enterprise installed)

/ Usr / bin / eu-stack

/ Usr / bin / iostat

/ Usr / bin / netstat

/ Usr / bin / ps

/ Usr / bin / strace

/ Usr / sbin / lsof

/ Usr / sbin / tcpdump ・

Search head server (Splunk Enterprise and Splunk Enterprise Security installed)

/ Usr / bin / eu-stack

/ Usr / bin / iostat

/ Usr / bin / netstat

/ Usr / bin / ps

/ Usr / bin / strace

/ Usr / bin / uname

/ Usr / sbin / lsof

/ Usr / sbin / tcpdump

-Deployment server (Splunk Enterprise installed)

/ Usr / bin / eu-stack

/ Usr / bin / iostat

/ Usr / bin / netstat

/ Usr / bin / ps

/ Usr / bin / strace

/ Usr / sbin / lsof

/ Usr / sbin / tcpdump

Labels (3)
0 Karma
1 Solution

tshah-splunk
Splunk Employee
Splunk Employee

Hi @human96,

You can definitely run the above commands on the instances. An easy approach to this would be to install Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833/) and enable the scripted inputs present in it based on your requirement. Those commands can be run on the instance and the output of those scripts can be ingested to Splunk indexers. Just be sure of placing the add-on at appropriate installation paths. 

PS. You will also need to define outputs.conf to forward the data to indexers on all the servers you enable the inputs.

---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

tshah-splunk
Splunk Employee
Splunk Employee

Hi @human96,

You can definitely run the above commands on the instances. An easy approach to this would be to install Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833/) and enable the scripted inputs present in it based on your requirement. Those commands can be run on the instance and the output of those scripts can be ingested to Splunk indexers. Just be sure of placing the add-on at appropriate installation paths. 

PS. You will also need to define outputs.conf to forward the data to indexers on all the servers you enable the inputs.

---
If you find the answer helpful, an upvote/karma is appreciated
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques

Hello! We are excited to kick off a new series of blogs from SplunkTrust member ITWhisperer, who demonstrates ...

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...