
How to create a weekly report comparing changes in Domain Controllers' Operating System Type and Version?

DanAlexander
Communicator

Hello All,

I would like to be able to track down any and every configuration change on our monitored DCs, AD, etc.

I need to be able to see those changes in comparison fashion - week to week.

I aim to create an automated report that would run every Monday, for instance, and let us know of any changes introduced on the monitored assets (focusing on OS type, Linux or Windows, and their previous and current versions).

Thank you All in advance!


gcusello
SplunkTrust

Hi @DanAlexander,

you can install a Universal Forwarder on your DCs and deploy Splunk_TA_windows (https://splunkbase.splunk.com/app/742/).

In this TA you can enable the acquisition of all configuration information and then check whether anything has changed.

Ciao.

Giuseppe


DanAlexander
Communicator

Morning @gcusello 

I should have mentioned that we do have UFs installed on the assets and we have logs coming into Splunk.

I need a search query, please.

Thank you!


gcusello
SplunkTrust

Hi @DanAlexander,

if you have enabled the input stanzas in TA-Windows, you should be able to see all the panels of this dashboard, which displays all the server information:

<form>
  <label>Hardware and Software Details: Windows Servers</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="host">
      <label>Server</label>
      <prefix>host="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=windows sourcetype=WinHostMon Type=Computer | eval host=upper(host) | dedup host | sort host | table host</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>HostName</title>
      <html>
      <h3 align="center">
        <strong> <font size="10">Server<img src="/static/app/infrastructure_monitoring/Windows_logo.png" style="height:100px;border:0;"/>
            </font>
          </strong>
        </h3>
    </html>
      <single>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Computer $host$
            | eval host=upper(host)
            | dedup host 
            | sort host
            | table host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Model</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Computer $host$ 
            | eval host=upper(host)
            | dedup host 
            | lookup Server host OUTPUT IP Tipologia
            | table Manufacturer Model IP Tipologia</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
    <panel>
      <title>Operating System</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=OperatingSystem $host$
            | eval host=upper(host)
            | dedup host 
            | sort host 
            | table OS Version ServicePack BuildNumber SerialNumber InstallDate LastBootUpTime
            | eval 
               InstallDate=strftime(strptime(InstallDate,"%Y%m%d%H%M%S"),"%d/%m/%Y %H.%M.%S"),
               LastBootUpTime=strftime(strptime(LastBootUpTime,"%Y%m%d%H%M%S"),"%d/%m/%Y %H.%M.%S")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h3 align="center">
        <strong> <font size="6">Hardware</font>
          </strong>
        </h3>
    </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>CPU</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Processor $host$ 
            | eval host=upper(host)
            | dedup host 
            | sort host
            | table Name NumberOfCores Architecture ClockSpeedMHz Manufacturer
            | rename Name AS CPU Manufacturer AS "CPU Manufacturer"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
    <panel>
      <title>RAM</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=OperatingSystem $host$
            | eval host=upper(host)
            | dedup host 
            | sort host 
            | eval 
              FreePhysicalMemoryGB=FreePhysicalMemoryKB/1024/1024,
              FreeVirtualMemoryGB=FreeVirtualMemoryKB/1024/1024,
              TotalPhysicalMemoryGB=TotalPhysicalMemoryKB/1024/1024,
              TotalVirtualMemoryGB=TotalVirtualMemoryKB/1024/1024,
              mem_free_percent=FreePhysicalMemoryKB/TotalPhysicalMemoryKB*100,
              Virtual_mem_free_percent=FreeVirtualMemoryKB/TotalVirtualMemoryKB*100
            | table FreePhysicalMemoryGB TotalPhysicalMemoryGB mem_free_percent FreeVirtualMemoryGB TotalVirtualMemoryGB Virtual_mem_free_percent  
            | rename FreePhysicalMemoryGB AS "Free Physical Memory" TotalPhysicalMemoryGB AS "Total Physical Memory" mem_free_percent AS "Free Physical Memory%" FreeVirtualMemoryGB AS "Free Virtual Memory" TotalVirtualMemoryGB AS "Total Virtual Memory" Virtual_mem_free_percent AS "Free Virtual Memory%"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <format type="number" field="Free Physical Memory">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Total Physical Memory">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Free Physical Memory%">
          <option name="unit">%</option>
        </format>
        <format type="number" field="Free Virtual Memory">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Total Virtual Memory">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Free Virtual Memory%">
          <option name="unit">%</option>
        </format>
      </table>
    </panel>
    <panel>
      <title>Disks</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Disk $host$
            | eval host=upper(host)
            | dedup Name 
            | sort Name 
            | eval 
              storage=storage/1024,
              storage_free=storage_free/1024,
              storage_used=storage_used/1024,
              storage_free_perc=storage_free/storage*100
            | table Name DriveType FileSystem storage storage_free storage_used storage_free_perc
            | rename storage AS "Disk Space" storage_free AS "Free Disk Space" storage_used AS "Used Disk Space" storage_free_perc AS "Free Disk Space %"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="number" field="Disk Space">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Free Disk Space">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Used Disk Space">
          <option name="unit">GB</option>
        </format>
        <format type="number" field="Free Disk Space %">
          <option name="unit">%</option>
        </format>
      </table>
    </panel>
    <panel>
      <title>Network Adapters</title>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=NetworkAdapter $host$
            | eval host=upper(host)
            | dedup Name 
            | sort Name 
            | table Name Manufacturer ProductName</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h3 align="center">
        <strong> <font size="6">Software</font>
          </strong>
        </h3>
    </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Applications</title>
      <input type="text" token="appname">
        <label>Name</label>
        <default>*</default>
        <prefix>Name="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Application $host$ $appname$
            | eval host=upper(host)
            | dedup Name 
            | sort Name 
            | eval InstallDate=strftime(strptime(InstallDate,"%Y%m%d"),"%d/%m/%Y")
            | table Name Vendor Version SerialNumber InstallDate InstallLocation</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Drivers</title>
      <input type="text" token="drivname">
        <label>Name</label>
        <default>*</default>
        <prefix>DeviceID="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Driver $host$ $drivname$
            | eval host=upper(host)
            | dedup DeviceID 
            | sort DeviceID 
            | table DeviceID DriverVersion</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
      <h3 align="center">
        <strong> <font size="6">Run</font>
          </strong>
        </h3>
    </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes</title>
      <input type="text" token="procname">
        <label>Name</label>
        <default>*</default>
        <prefix>Name="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Process $host$ $procname$
            | eval host=upper(host)
            | dedup Name
            | sort Name
            | eval StartTime=strftime(strptime(StartTime,"%Y%m%d%H%M%S"),"%d/%m/%Y %H.%M.%S")
            | table Name Path ProcessId StartTime</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Services</title>
      <input type="text" token="servname">
        <label>Name</label>
        <default>*</default>
        <prefix>Name="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=windows sourcetype=WinHostMon Type=Service $host$ $servname$
            | eval host=upper(host)
            | dedup Name 
            | sort Name
            | table Name DisplayName Description Path Started StartMode State</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Then, to map differences, you should run a stats dc for each piece of information, e.g.

index=windows sourcetype=WinHostMon Type=OperatingSystem
| stats 
   dc(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB_count 
   values(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB_values 
   dc(TotalVirtualMemoryKB) AS TotalVirtualMemoryKB_count
   values(TotalVirtualMemoryKB) AS TotalVirtualMemoryKB_values
   BY host
| where TotalPhysicalMemoryKB_count>1 OR TotalVirtualMemoryKB_count>1

Ciao.

Giuseppe

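A week-over-week comparison of OS type and version per host, as an added example that is not from the original post and not part of Splunk_TA_windows. It assumes what the dashboard above assumes: the WinHostMon OperatingSystem input is enabled and writes to index=windows, and the fields OS, Version and BuildNumber are present. The week label, the fingerprint string and the change classification are constructed here; the time bounds assume the report is scheduled on Mondays, so both windows are complete Monday-to-Monday weeks (@w1 snaps to Monday).

```spl
index=windows sourcetype=WinHostMon Type=OperatingSystem earliest=-14d@w1 latest=@w1
| eval week=if(_time < relative_time(now(), "-7d@w1"), "previous", "current")
| stats latest(OS) AS OS latest(Version) AS Version latest(BuildNumber) AS BuildNumber BY host week
| eval fingerprint=OS." ".Version." (build ".BuildNumber.")"
| stats values(eval(if(week="previous", fingerprint, null()))) AS previous
        values(eval(if(week="current", fingerprint, null()))) AS current
        dc(fingerprint) AS fingerprints
        BY host
| where fingerprints > 1 OR isnull(previous) OR isnull(current)
| eval change=case(isnull(previous), "new host (no data in previous week)",
                   isnull(current), "no data in current week (host silent or decommissioned)",
                   true(), "OS type or version changed")
| table host previous current change
| sort host
```

The first stats keeps one fingerprint per host and week (the last value reported in that week), the second pivots the two weeks side by side and counts distinct fingerprints per host; hosts whose fingerprint is identical in both weeks are dropped by the where clause, so an empty result means nothing changed. Save it as a report with a cron schedule such as 0 6 * * 1 and the same 14-day range; to watch the hardware fields from the stats dc search above instead, swap them into the fingerprint. A host that stops reporting is listed deliberately, since a silent DC is itself a change worth reviewing.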

DanAlexander
Communicator

Hi @gcusello 

Thank you for the feedback. All that makes lots of sense.

However, I wanted to know if we can do simple stats without the add-on. We have restricted ability to install add-ons on our ES instance. Are there any Windows Event Logs that can generate those figures, by any chance?

D


gcusello
SplunkTrust (accepted solution)

Hi @DanAlexander,

usually this add-on is present in ES installations, so you shouldn't have problems: you should already have it.

At the same time, usually no apps other than ES and its add-ons (among them TA-Windows) are installed on ES machines, but if your custom app isn't too heavy, it shouldn't add too much load.

Without the data ingested by this add-on, it isn't possible to have the data to use for this check.

Answering your last question: this information isn't extracted from WinEventLog but by some scripts in the TA, so it's very difficult to get it without the TA.

Ciao.

Giuseppe

DanAlexander
Communicator

Hi,

Thanks for the advice, @gcusello. Much appreciated!

Ciao
