
Splunk and Compliance

itsmevic
Communicator

Hello fellow Splunkers - I have a quick question. We have a few platforms in our environment that are reporting different counts on which machines have AV installed on them. I'd like to incorporate Splunk in the mix and search all three platforms so that I can run side-by-side analysis on the counts of these platforms. What would be the best way to do this?

0 Karma

gcusello
SplunkTrust

Hi @itsmevic,
in Splunk, 70% of the work is knowing what to do and 30% is doing it in Splunk.

In other words, the first thing is to write clear requirements in a file that you maintain during the life of the application:

  • the list of servers to monitor (perimeter),
  • the list of logs to take and where they are stored (e.g. Kaspersky stores its logs in a special wineventlog, other antiviruses use files, etc.),
  • the list of interesting fields in logs (e.g. ComputerName, AV_Version, patch_level, etc.),
  • the information to display in dashboards (interesting fields),
  • the conditions to trigger alerts (frequency, time period, thresholds, etc.),
  • the specifics of the reports needed for compliance.

When you have a clear idea of the above, then the job in Splunk is easy:

  • in my mind you already have an installed Splunk Enterprise or Splunk Cloud and you only have to take in data (if not, start from this point!),
  • you have to install a Universal Forwarder on each server to monitor (probably you already did),
  • then create a Technical Add-On (TA) containing the inputs.conf to take the logs you need for monitoring (see requirements),
  • when you have these logs in Splunk you have to create a search to find what you need (see requirements),
  • using the same search you can create a dashboard to display the status of your AV, an alert and eventually (for compliance) a report to send by email (see requirements).

I found that Splunk is one of the most fantastic solutions for compliance and I use it daily for this!

Ciao.
Giuseppe
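As an added example (not part of Giuseppe's answer or of any Splunk add-on), here is what the "create a search" step can look like for the original question: three AV platforms reporting their own list of protected machines, compared side by side in Splunk. It assumes the TA's inputs.conf has landed each platform's inventory log in an index named `av_inventory` with the sourcetypes `av_platform_a`, `av_platform_b` and `av_platform_c`, and that each event carries the machine name in the `host` field; all of those names are assumptions. The first search gives the side-by-side count per platform; the second lists the hosts on which the platforms disagree, which is usually the more useful compliance output.

```spl
index=av_inventory sourcetype IN (av_platform_a, av_platform_b, av_platform_c) earliest=-24h@h
| eval host=lower(mvindex(split(host, "."), 0))
| chart dc(host) AS hosts_with_av BY sourcetype

index=av_inventory sourcetype IN (av_platform_a, av_platform_b, av_platform_c) earliest=-24h@h
| eval host=lower(mvindex(split(host, "."), 0))
| chart count OVER host BY sourcetype
| fillnull value=0
| eval platforms_reporting = if(av_platform_a>0,1,0) + if(av_platform_b>0,1,0) + if(av_platform_c>0,1,0)
| where platforms_reporting < 3
| sort platforms_reporting host
```

The `eval host=lower(mvindex(split(host, "."), 0))` line is the important caveat: platforms commonly differ on case and on short name versus FQDN (`SRV01` vs `srv01.corp.example`), and without normalising the key the distinct counts disagree even when every machine is covered. In the second search `chart count OVER host BY sourcetype` produces one column per platform, `fillnull` turns absent platforms into 0, and `platforms_reporting < 3` keeps only hosts at least one platform does not know about; that result set is the natural basis for the alert and the scheduled compliance report mentioned in the answer, with the 24-hour window adjusted to how often each platform actually reports.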

gcusello
SplunkTrust

Hi @itsmevic,
did the above answer solve your need?
If yes, please accept and/or upvote it; if not, give me additional info to continue to help you.

Ciao.
Giuseppe

0 Karma

to4kawa
Ultra Champion

It is very easy to understand. Thank you.

0 Karma