Hi Splunkers,
I am trying to do a search that gives me a list of forwarders that cannot contact the Deployment server due to being dropped by the firewall. I have the search below, but it gives me too many false positives.
Is there a way I can have a search that only triggers if I have results with action!=allowed and 0 events for action=allowed? My search is below:
index=firewall dest=deployment_server dest_port=8089 action!=allowed sourcetype=ops
| stats count by srcIP action _date
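One way to express the condition asked for above (deny events present and no allow events for the same source) is to count both outcomes per source in a single stats pass and filter on the two counters. This is an added example, not part of the original post; it reuses the index, sourcetype, dest, dest_port and srcIP field names from the search above and assumes the firewall action field carries the literal value "allowed" for permitted connections.

```spl
index=firewall dest=deployment_server dest_port=8089 sourcetype=ops
| eval allowed_flag=if(action="allowed",1,0),
       denied_flag=if(action!="allowed",1,0)
| stats sum(allowed_flag) AS allowed_count,
        sum(denied_flag)  AS denied_count,
        values(action)    AS actions,
        min(_time)        AS first_seen,
        max(_time)        AS last_seen
        BY srcIP
| where denied_count>0 AND allowed_count=0
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| sort - denied_count
```

Because the allow/deny split happens inside one stats command, a source that was denied once and then allowed after a rule change drops out of the result automatically, which is what removes most of the false positives from the original search. Scheduling this as an alert with the time range set to the window you care about (for example the last 24 hours) and the trigger condition "number of results > 0" gives one row per forwarder IP that is being consistently blocked.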
Hi @gcusello, thanks for this solution, it does work. I've checked and I do have something similar, but what I am trying to get here is a way for us to know when there is a network impact, let's say a user is onboarding but didn't request the right firewall rule, or when there is a network change, and we can use this search to verify the impact to our clients (forwarders).
By the way, in your search,
where total=0 should be total=1
Hi @max_ruas,
sorry, but I don't know a search to have this, also because you cannot run a search without having logs in Splunk.
You could run a search like the one I hinted and then, if there are results, use telnet to check if there's some block.
Probably the best approach is that in your installation procedure (you surely have one!) you could add as first step a connection check using telnet.
If you don't have one, create a new one!
Remember to check both connections with:
Ciao.
Giuseppe
Hi @max_ruas,
do you have a list of installed Forwarders?
If yes, the solution is easy:
you have to put your list in a lookup called e.g. perimeter.csv, containing at least one field (host), and run a simple search on Splunk:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Ciao.
Giuseppe
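The lookup approach above tells you which expected forwarders are silent, and the firewall search in the question tells you which source IPs are being denied. Combining the two answers the "network impact" question from the follow-up: a forwarder that is both missing from _internal and present in the firewall deny logs is almost certainly blocked by a rule, while one that is silent with no denies needs a different explanation (host down, agent stopped). This is an added example, not Giuseppe's or Splunk's code; it assumes perimeter.csv has an ip column next to host (so firewall srcIP values can be mapped back to a hostname), and reuses the index, sourcetype and field names from the question.

```spl
| inputlookup perimeter.csv
| eval host=lower(host), internal_events=0, denied_events=0
| fields host internal_events denied_events
| append [ | metasearch index=_internal
    | eval host=lower(host)
    | stats count AS internal_events BY host
    | eval denied_events=0 ]
| append [ search index=firewall dest=deployment_server dest_port=8089 sourcetype=ops action!=allowed
    | lookup perimeter.csv ip AS srcIP OUTPUT host
    | where isnotnull(host)
    | eval host=lower(host)
    | stats count AS denied_events BY host
    | eval internal_events=0 ]
| stats sum(internal_events) AS internal_events, sum(denied_events) AS denied_events BY host
| eval status=case(internal_events=0 AND denied_events>0, "blocked by firewall",
                   internal_events=0, "silent, no firewall denies",
                   denied_events>0, "reporting but also denied",
                   true(), "ok")
| where status!="ok"
| sort status, host
```

The three inputs are unioned with append and then summed per host, the same pattern as the original answer: every expected host starts with both counters at zero, so anything that never appears in _internal keeps internal_events=0 and anything that never appears in the deny logs keeps denied_events=0. The lookup command inside the firewall subsearch only matches rows whose srcIP is listed in perimeter.csv, so denies from unrelated sources are discarded before the counts are merged. Run it over the same time range as your deployment server check-in interval (or longer) so that a healthy forwarder has had a chance to write at least one _internal event.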