Splunk Search

Search for Universal Forwarder getting dropped by the firewall?

max_ruas
Explorer

Hi Splunkers,

I am trying to do a search that gives me a list of forwarders that cannot contact the Deployment Server due to being dropped by the firewall. I have the search below, but it gives me too many false positives.

Is there a way I can have a search that only triggers if I have results with action!=allowed and 0 events for action=allowed? My search is below:

index=firewall dest=deployment_server dest_port=8089 action!=allowed sourcetype=ops
| stats count by srcIP action _date

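One way to express the "deny events but zero allow events" condition in a single search, as an added example that is not part of the original question or any reply: count allows and denies per source per day and keep only the sources whose allow count is zero. It assumes the field names from the question (srcIP, action, dest, dest_port, sourcetype=ops) and that action is either "allowed" or a deny/drop value; the one-day bucket is an assumption chosen so that a single missed heartbeat does not trigger.

```spl
index=firewall dest=deployment_server dest_port=8089 sourcetype=ops
| eval allowed=if(action=="allowed", 1, 0), denied=if(action!="allowed", 1, 0)
| bin _time span=1d
| stats sum(allowed) AS allowed_count, sum(denied) AS denied_count BY srcIP _time
| where allowed_count=0 AND denied_count>0
| sort - denied_count
```

Because both counters come from the same stats pass, a source that was denied once but then allowed later the same day drops out (allowed_count>0), which is what removes the false positives the original action!=allowed filter produces. Sources that never appear in the firewall log at all (no allow, no deny) are not reported by this search; that case is the one gcusello's lookup-based search below covers.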

max_ruas
Explorer

Hi @gcusello, thanks for this solution, it does work, I've checked, and I do have something similar, but what I am trying to get here is a way for us to know when there is a network impact: let's say a user is onboarding but didn't request the right firewall rule, or when there is a network change, and we can use this search to verify the impact to our clients (forwarders).

By the way, in your search,

where total=0 should be total=1


gcusello
SplunkTrust

Hi @max_ruas,

sorry, but I don't know a search to have this, also because you cannot run a search without having logs in Splunk.

You could run a search like the one I hinted and then, if there are results, use telnet to check if there's some block.

Probably the best approach is that in your installation procedure (you surely have one!) you could add as first step a connection check using telnet.

If you don't have one, create a new one!

Remember to check both connections with:

  • the Deployment Server on port 8089,
  • the Indexers on port 9997.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @max_ruas,

do you have a list of installed Forwarders?

If yes, the solution is easy:

you have to put your list in a lookup called e.g. perimeter.csv, containing at least one field (host) and run a simple search on Splunk:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

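The lookup search above tells you which expected forwarders are silent, but not why. As an added example (not gcusello's search and not from the original thread), the following extends it by joining the silent hosts against the firewall denies from the question, so each silent forwarder is labelled either as blocked at the firewall or as silent with no deny seen (host down, agent stopped, or a different path). It assumes perimeter.csv carries an ip column alongside host (an assumption; the original only requires host), that the firewall srcIP matches that ip, and the field names from the question.

```spl
| metasearch index=_internal earliest=-24h
| eval host=lower(host)
| stats count AS seen BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), seen=0 | fields host ip seen ]
| stats sum(seen) AS seen, values(ip) AS ip BY host
| where seen=0
| join type=left ip [ search index=firewall dest=deployment_server dest_port=8089 action!=allowed sourcetype=ops earliest=-24h
    | rename srcIP AS ip
    | stats count AS firewall_denies BY ip ]
| fillnull value=0 firewall_denies
| eval status=if(firewall_denies>0, "blocked by firewall", "silent, no deny seen: check host")
| table host ip seen firewall_denies status
```

The two time windows (earliest=-24h in both the metasearch and the firewall subsearch) should be kept equal, otherwise a host can be marked silent in one window and judged on denies from another. A host that is in perimeter.csv but whose ip column is empty will never match the join and always lands in the "no deny seen" bucket, so the lookup's ip values are worth validating when this is turned into an alert.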