There are serveral linux/unix/suse servers where antivirus solution is not installed.
what is the query to get the list of unix servers where antivirus solution is not installed.
In that case, you can install Splunk Add on for linux and use a scripted input [look at default/inputs.conf] to monitor all the processes [ e.g. AV] . You can then write a search to find out which host has AV process or not.
Do you store the AV logs in any splunk index, that can show on which hosts it has installed AV solution? If yes, we can look at that and compare against your list of all servers.
thats good idea, but I am thinking in different direction. we have the logs that which services are running on unix servers. so if AV service is running
OR if there is some script to check AV status on servers and write the logs in messages. from messages we can get the 100% authentic logs.
because you know asset modeling is always dynamic specially where most of the machines are VM.