Protect Splunk Forwarder from deleting

Chiko
Explorer

Hi all,

We use Splunk and Splunk Forwarder for our project. Splunk is installed on EC2 and Forwarder is part of our installation package. So when clients install our app, it's installed with Splunk Forwarder.

So, our question is: how can we protect Splunk Forwarder from being uninstalled by the user in this case? For our app, we use an uninstall password; a user needs to enter the password to remove it.

Or, maybe there is some way to tell a user that this Splunk Forwarder is part of our app when he tries to remove it?

Or, maybe in our situation we need to use another way of forwarding logs to Splunk (without Splunk Forwarder)?

1 Solution

gcusello
Legend

Hi @Chiko,

No, sorry, it's not possible to block the uninstall of the Universal Forwarder by a machine administrator.

The only way is to limit the rights of your users.

You can only be informed when this happens by putting an alert on your Splunk.

Ciao.

Giuseppe


Chiko
Explorer

@gcusello Thanks a lot. Your answers are very helpful for me.

Chiko
Explorer

Hi @gcusello ,

Thanks for your answer.

What about custom log forwarding? Is it possible? Is there some recommended way?

Because if our app forwards logs to Splunk itself, it will be protected from uninstall.

gcusello
Legend

Hi @Chiko,

you can be informed that the Forwarder is inactive in this way:

create a lookup containing all the systems to monitor (called e.g. perimeter.csv) with only one field (e.g. host);

then you can run a simple search on Splunk:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you will notice that there's some Forwarder that isn't sending logs.

I suggest using this control on all the systems of your infrastructure to monitor them and to be sure that they are sending; otherwise Splunk is blind!

Ciao.

Giuseppe
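The perimeter check described in the answer above, re-implemented as an added Python example (not code from the original post or from Splunk): it lowercases hosts, flags lookup hosts with no _internal events inside the window exactly like the search's `where total=0`, and additionally reports how long ago each silent host was last seen, so a Forwarder that just went quiet can be told apart from one that never reported. The perimeter.csv content and the _internal records are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the perimeter.csv lookup (one field: host).
PERIMETER_CSV = """host
WS-Finance-01
ws-sales-02
SRV-APP-01
ws-hr-03
"""

# Constructed stand-in for index=_internal events: (host, event time).
# A running Universal Forwarder keeps writing its own logs to _internal.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
INTERNAL_EVENTS = [
    ("WS-FINANCE-01", NOW - timedelta(minutes=2)),
    ("ws-sales-02", NOW - timedelta(hours=5)),    # went quiet 5 hours ago
    ("srv-app-01", NOW - timedelta(minutes=1)),
    ("srv-db-99", NOW - timedelta(minutes=1)),    # sends, but is not in the lookup
]


def load_perimeter(csv_text):
    """Read the one-field lookup, normalising like `eval host=lower(host)`."""
    return {row["host"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}


def silent_forwarders(perimeter, events, now, window_seconds):
    """Return {host: seconds_since_last_event or None} for every lookup host
    with zero _internal events inside the window (the search's `where total=0`).
    None means the host has never been seen at all."""
    last_seen = {}
    for host, ts in events:
        host = host.lower()
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    silent = {}
    for host in perimeter:
        age = None if host not in last_seen else (now - last_seen[host]).total_seconds()
        if age is None or age > window_seconds:
            silent[host] = age
    return silent


if __name__ == "__main__":
    for host, age in sorted(silent_forwarders(load_perimeter(PERIMETER_CSV), INTERNAL_EVENTS, NOW, 3600).items()):
        print(f"{host}: {'never seen' if age is None else f'last event {age / 3600:.1f} h ago'}")
```

Hosts that send but are missing from the lookup (srv-db-99 here) are ignored, so the lookup must be kept current when new systems are rolled out.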

Chiko
Explorer

@gcusello Thanks for the detailed answer.

But what about custom forwarding? Let's say in my code I send logs to Splunk directly instead of through Splunk Forwarder. Is it not recommended? In this way my app won't depend on Splunk Forwarder if the user removes it from his computer.

gcusello
Legend

Hi @Chiko,

please describe better what you mean by custom forwarding:

  • are you speaking of forwarding custom logs using the Universal Forwarder,
  • or do you mean finding an alternative way to send logs to Splunk from a Windows system?

If the first, you can send all kinds of logs from a Universal Forwarder to Splunk, custom logs included.

If the second, to take logs from a Windows system you could use WMI, but I use this method only as the last choice because it requires a Domain administrative account and it isn't a good security idea.

In addition, the Forwarder gives many very useful features: local caching in case of network or server fault, compression, bandwidth optimization, etc.

Ciao.

Giuseppe