What is the best way to determine if a UFW is running without CLI access?

a212830
Champion

Hi,

I'm looking for options to validate that a UFW is running on servers, without actually logging into the server (we are losing ssh access to all servers). Any recommendations?


harsmarvania57
Ultra Champion

Hi

You can schedule the query below on your search head. I am assuming that the Splunk UF is sending Splunk internal logs to your indexers; in this case the query below will search hosts from the Splunk internal indexes and will produce output if a Splunk UF hasn't sent data for more than 15 minutes.

| metadata type=hosts index=_*
| eval Lag=(now()-recentTime)
| eval LastTime=strftime(lastTime,"%d/%m/%y %H:%M")
| eval RecentTime=strftime(recentTime,"%d/%m/%y %H:%M")
| rename host AS Hostname
| fields Hostname RecentTime LastTime Lag
| where Lag > 900
| rename Lag AS "Lag(Seconds)"

I am running this query once a day, searching the last 7 days of data, but you can schedule it based on your requirements.

I hope this helps.

Thanks,
Harshil


sloshburch
Ultra Champion

I am a fan of this one since the metadata command does what you want without the load required for pulling events like a traditional search to _internal. I would tweak the search a little so it's a little easier to read/manage (in my opinion):

| metadata type=hosts index=_* index=*
| eval Lag = ( now() - recentTime )
| where Lag > 900
| fields host recentTime lastTime Lag
| convert ctime(*Time)
| rename host AS Hostname, recentTime AS RecentTime, lastTime AS LastTime, Lag AS "Lag(Seconds)"

The differences I made are:

  • The search goes against all indexes, not just internal. That's just in case for some reason the instance is not sending its _internal
  • Do the filtering with the where command earlier to reduce the result set we have to work on
  • The convert command simplifies the string formatting of the epoch times
  • Moved all the renames and the convert (pretty print) to the end

Essentially, the same brilliant idea that @harsmarvania57 proposed. Just tweaked with my OCD.
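The same check as the two metadata searches above, as an added Python example that is not from either poster: it replays the Lag computation over constructed metadata rows, computing the lag from recentTime (index time) rather than lastTime (event time), and additionally reports inventory hosts that have no metadata row at all, since a host that never sent anything cannot show up in the metadata output. The sample rows and the expected-host inventory are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of what "| metadata type=hosts index=_*" returns (epoch seconds).
# recentTime = when the host's data was last indexed; lastTime = latest event _time.
NOW = 1700000000
METADATA_ROWS = [
    {"host": "web01", "recentTime": NOW - 120,  "lastTime": NOW - 125},    # healthy
    {"host": "web02", "recentTime": NOW - 3600, "lastTime": NOW - 3600},   # silent for an hour
    {"host": "db01",  "recentTime": NOW - 2000, "lastTime": NOW + 86400},  # stale, but an event
                                                                           # carried a future timestamp
]
# Constructed inventory (assumption: you keep one, e.g. as a lookup); app07 never reported.
EXPECTED_HOSTS = {"web01", "web02", "db01", "app07"}


def fmt(epoch):
    """Same layout as strftime(..., "%d/%m/%y %H:%M") in the SPL above, rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%m/%y %H:%M")


def stale_forwarders(rows, expected_hosts, now=NOW, max_lag=900):
    """Return (stale, never_seen).

    stale: rows whose index-time lag exceeds max_lag, shaped like the SPL output.
    never_seen: inventory hosts with no metadata row at all (the SPL alone cannot list these).
    Lag uses recentTime on purpose: lastTime follows event timestamps, so db01 would
    compute a negative lag and be missed if lastTime were used.
    """
    stale, seen = [], set()
    for r in rows:
        seen.add(r["host"])
        lag = now - r["recentTime"]
        if lag > max_lag:
            stale.append({
                "Hostname": r["host"],
                "RecentTime": fmt(r["recentTime"]),
                "LastTime": fmt(r["lastTime"]),
                "Lag(Seconds)": lag,
            })
    never_seen = sorted(expected_hosts - seen)
    return stale, never_seen


if __name__ == "__main__":
    stale, missing = stale_forwarders(METADATA_ROWS, EXPECTED_HOSTS)
    for row in stale:
        print(row)
    print("never reported:", missing)
```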

gcusello
SplunkTrust

Hi a212830,
On the search head, run the following search:

index=_internal host=your_host

If you have results, the Forwarder is active and alive.
If not, there are two possibilities: a stopped forwarder or connection problems; either way there's a problem to debug.

Bye.
Giuseppe
