Hello guys,
Is there a way to show which applications and/or services are running on my server so that I can whitelist them and generate an alert when something else runs?
greetings,
Nick
Hi nickbijmoer,
The best way to proceed is to build a lookup with all your services or applications (only one or two lookups, depending on whether services and applications are in the same field in your logs).
Then you have to run a search like this:
| inputlookup applications.csv | eval count=0 | append [ search your_search | stats count by application ] | stats sum(count) AS Total by application | where Total=0
In this way you can build an alert for applications that don't log.
By modifying the above search a little, you can build a dashboard that shows the status of all your services:
| inputlookup applications.csv | eval count=0 | append [ search your_search | stats count by application ] | stats sum(count) AS Total by application | rangemap field=Total elevated=0-0 low=1-1000000000 default=severe | table application range
You can also show this situation in graphic form by adding the following files to your app (in $SPLUNK_HOME/etc/apps/your_app/appserver/static):
Bye.
Giuseppe
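The comparison the searches above perform (lookup of expected applications, counts from the logs, Total=0 means silent, rangemap for a status colour) can be modelled outside Splunk so the logic can be checked offline. The following is an added example, not code from this thread; it assumes a whitelist with a single "application" column like applications.csv and constructed process events with an "application" field, and it also covers the original question by listing processes that are not on the whitelist at all (something the Total=0 search does not do).

```python
import csv
import io
from collections import Counter

# Constructed stand-in for applications.csv (one column named "application").
WHITELIST_CSV = """application
svchost.exe
splunkd.exe
sqlservr.exe
"""

# Constructed stand-in for process events; "application" is assumed to be the
# extracted process-name field.
EVENTS = [
    {"host": "srv01", "application": "svchost.exe"},
    {"host": "srv01", "application": "splunkd.exe"},
    {"host": "srv01", "application": "svchost.exe"},
    {"host": "srv02", "application": "updater.exe"},  # not on the whitelist
]


def load_whitelist(csv_text):
    """| inputlookup applications.csv  -> set of expected application names."""
    return {row["application"].strip() for row in csv.DictReader(io.StringIO(csv_text))}


def totals_by_application(whitelist, events):
    """eval count=0 on the lookup, append stats count by application, then
    stats sum(count) AS Total by application."""
    totals = Counter({app: 0 for app in whitelist})
    totals.update(e["application"] for e in events)
    return dict(totals)


def silent_applications(whitelist, events):
    """| where Total=0 : whitelisted applications with no events (the alert)."""
    return sorted(app for app, n in totals_by_application(whitelist, events).items() if n == 0)


def unexpected_applications(whitelist, events):
    """Processes seen in the logs that are missing from the whitelist."""
    return sorted({e["application"] for e in events} - whitelist)


def rangemap(total):
    """rangemap field=Total elevated=0-0 low=1-1000000000 default=severe"""
    if total == 0:
        return "elevated"
    return "low" if 1 <= total <= 1_000_000_000 else "severe"


def status_table(whitelist, events):
    """The dashboard table: application -> range."""
    return {app: rangemap(n) for app, n in totals_by_application(whitelist, events).items()}
```

Note that the Total=0 search alone reports updater.exe as "low" rather than raising an alert; unexpected_applications is the extra check needed for "alert when something else runs".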
To better understand the graphic mode download and install the Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/)
If you need to ingest service and application status, you could build your own scripts or take the ones you can find in the Windows (https://splunkbase.splunk.com/app/742/) and *nix (https://splunkbase.splunk.com/app/833/) TAs.
I usually use them; there was only one situation in which I built my own script: to monitor which sessions are active on Windows.
Bye.
Giuseppe
Hi Nick,
Yes, this is possible. The way you can do this depends on your OS.
What OS are you using?
greetings
Patrick
Linux and Windows, but mostly Windows 🙂
The answer from @cusello is really a good one when you want to visualize it.
But as I understand you, your question is about how to get the data in.
For Windows you could make an input stanza like this:
[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows
[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows
This will give you all processes and services running on your Windows machine.
They are both included in the Splunk Add-on for Microsoft Windows.
Does this fit your needs?
I use OSSEC as a forwarder; do you know if it will be possible with that?
It should be possible.
Can you pastebin an example of your data?
At the moment I don't get data about applications or services into Splunk yet; I'm figuring out how I can get the data into Splunk with OSSEC.