What is the best way to determine if a UFW is running without CLI access?

a212830
Champion

Hi,

I'm looking for options to validate that a UFW is running on servers, without actually logging into the server (we are losing ssh access to all servers). Any recommendations?

harsmarvania57
SplunkTrust

Hi

You can schedule the query below on your search head. I am assuming that the Splunk UF is sending Splunk internal logs to your indexers; in this case the query below will search hosts from the Splunk internal indexes and will produce output if a Splunk UF hasn't sent data for more than 15 minutes.

| metadata type=hosts index=_* | eval Lag=(now()-recentTime) | eval LastTime=strftime(lastTime,"%d/%m/%y %H:%M") | eval RecentTime=strftime(recentTime,"%d/%m/%y %H:%M") | rename host AS Hostname | fields Hostname RecentTime LastTime Lag | where Lag > 900 | rename Lag AS "Lag(Seconds)"

I am running this query once a day and searching the last 7 days of data, but you can schedule it based on your requirements.

I hope this helps.

Thanks,
Harshil


sloshburch
Splunk Employee

I am a fan of this one since the metadata command does what you want without the load required for pulling events like a traditional search to _internal. I would tweak the search a little so it's a little easier to read/manage (in my opinion):

| metadata type=hosts index=* index=_*
| eval Lag = ( now() - recentTime )
| where Lag > 900
| fields host recentTime lastTime Lag
| convert ctime(*Time)
| rename host AS Hostname, Lag AS "Lag(Seconds)"

The differences I made are:

  • The search goes against all indexes, not just internal. That's just in case, for some reason, the instance is not sending its _internal
  • Do the filtering with the where command earlier to reduce the result set we have to work on
  • The convert command simplifies the string formatting of the epoch times
  • Moved all the renames and convert (pretty print) to the end

Essentially, the same brilliant idea that @harsmarvania57 proposed. Just tweaked with my OCD.
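One gap both searches above share: the metadata command only returns hosts that have indexed at least one event, so a forwarder that was never installed, or that never managed to connect, is simply absent from the results rather than flagged. The search below is an added example, not code from either poster; it assumes a hypothetical lookup file named expected_forwarders.csv with a single column, host, listing every server that should be running a UF. Hosts in that list with no data at all are reported as "never reported", and hosts whose most recent event is older than 15 minutes as "stale".

```spl
| metadata type=hosts index=* index=_*
| fields host recentTime
| append
    [| inputlookup expected_forwarders.csv
     | fields host
     | eval expected = 1]
| stats max(recentTime) AS recentTime, max(expected) AS expected BY host
| where expected = 1
| eval Lag = now() - recentTime
| eval Status = case(isnull(recentTime), "never reported",
                     Lag > 900, "stale",
                     true(), "ok")
| where Status != "ok"
| convert ctime(recentTime) AS RecentTime
| rename host AS Hostname, Lag AS "Lag(Seconds)"
| table Hostname Status RecentTime "Lag(Seconds)"
```

The append/stats pattern is used instead of join so the search stays within the usual subsearch limits and so a host appearing only in the lookup survives with a null recentTime, which is exactly the condition that identifies a forwarder that has never checked in. Scheduling this as an alert that triggers when results are returned gives the same daily check as above, with the never-seen case covered.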

gcusello
SplunkTrust

Hi a212830,
On the search head, run the following search:

index=_internal host=your_host

If you have results, the Forwarder is active and alive.
If not, there are two possibilities: a stopped forwarder or connection problems; in any case there's a problem to debug.

Bye.
Giuseppe
