All Apps and Add-ons

Splunk Add-on for Unix and Linux: Scripts parsing strange information

test_qweqwe
Builder

Hi.
Unix:ListeningPorts and Unix:SSHDConfig shows in logs not valid information.
What should I do to fix it? Because, I have no idea.

For example — http://prntscr.com/i79m55

0 Karma
1 Solution

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

View solution in original post

Yunagi
Communicator

Having a look at inputs.conf, there are comments which specify that these two inputs "may require Splunk forwarder to run as root on some platforms."

So which user is running Splunk on your system? Is it root? You can check via "ps aux | grep splunkd"

Alternatively, you can use the input [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh].

test_qweqwe
Builder

Yes, it's root.
I can't use, [script://./bin/openPorts.sh] instead of [script://./bin/openPortsEnhanced.sh], coz it's not a same. I need something like this — http://prntscr.com/i942vd

And as I said Unix:SSHDConfig have the same problem (what u can see from screenshot).

What can affect to this?

0 Karma

Yunagi
Communicator

Try to run the script directly and see what happens: Change into the directory etc/apps/Splunk_TA_nix/bin and execute the script via ./openPortsEnhanced.sh

The output should be something like this:
[root@myhost bin]# ./openPortsEnhanced.sh
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=16u ip_version=4 dvc_id=15331 transport=UDP
Fri Feb 2 13:33:15 CET 2018 app=ntpd dest_ip=* dest_port=123 pid=634 user=ntp fd=17u ip_version=6 dvc_id=15332 transport=UDP
...

Having a look at the script, it runs the following command to get a list of the open ports:
lsof -i -P -n

What happens when you execute this command? Perhaps you need to install lsof.

0 Karma

test_qweqwe
Builder

@Yunagi
Hello.
So, if script run manually it's works, it's show correct information. Okay, how me fix this problem now? :S

0 Karma

Yunagi
Communicator

What I find confusing is that the openPortsEnhanced script produces an output line for each open port plus one output line in the form of "... file_hash=(stdin)=...". This last line (whatever its purpose) is correctly visible in the screenshot of your original post. However, the other lines (the open port lines) are missing.
Maybe your search is wrong. Try a Splunk search like: index=* sourcetype="Unix:ListeningPorts".
Perhaps you can find error information in the internals logs. Search for something like: index=_* openPortsEnhanced.sh.

0 Karma

test_qweqwe
Builder

I have no direct access to PC and my client has not given me correct information.
The problem was in not installed isof.
Tnx for helping!

0 Karma

test_qweqwe
Builder

Bump! Up! 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...