Alerting

How to pull a file from the host that triggered an alert

batuhankutluca
Explorer

I've been searching for a way to pull a file from a host with the Splunk universal forwarder installed, but couldn't find anything useful.

What I need is this: after a specific alert is triggered, I need to pull a file from the host that triggered the alarm.

I've created one or two custom alert actions, so I'm reasonably familiar with that side of things.
Maybe running some Python code on the host could upload that file to my server, but I'm not sure about that.

Is there anything else that could help me with this?
Thanks in advance.

0 Karma

batuhankutluca
Explorer

Still looking for a way.

0 Karma

gcusello
SplunkTrust

Hi @batuhankutluca,
have you already tried executing a script that pulls the file from the host when the alert is fired?

Ciao.
Giuseppe

0 Karma

batuhankutluca
Explorer

Hi @gcusello

Actually, I didn't try that because I don't know how to do it. Maybe setting up an FTP listener on my deployment server and running Python code that connects to my server via FTP would work. Just a thought, though; I don't even know whether it is reasonable or not.

0 Karma

gcusello
SplunkTrust

Hi @batuhankutluca,
to my knowledge (I'm not an expert in scripting!) the only way is to execute a script that accesses the remote server and copies the file: I don't like this solution because it's a hole in security!

A workaround: if the file to pull is a text file, you could index it in Splunk into a separate index, possibly with a low retention (so as not to use too much storage), so that you already have it when an alert is fired.

Ciao.
Giuseppe

0 Karma
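The workaround above, written out as the two forwarder/indexer configuration fragments it implies. This is an added example, not configuration posted by anyone in the thread or shipped by Splunk: the path /var/log/myapp/report.txt, the index name pulled_files and the sourcetype myapp_report are placeholders, and the retention values are illustrative. The monitor stanza goes in inputs.conf on the universal forwarder (typically via a deployment app); the index stanza goes in indexes.conf on the indexers. The forwarder only ever reads the file and ships it, so no inbound connection to the endpoint and no file-pull capability is created, which is the point of the workaround.

```ini
# --- inputs.conf (on the universal forwarder) ---
# Continuously tail the file the analyst would otherwise want to pull.
# Placeholder path: replace with the real file on the monitored host.
[monitor:///var/log/myapp/report.txt]
index = pulled_files
sourcetype = myapp_report
# Ensures the file is re-read if it is rotated/replaced with a same-sized file.
crcSalt = <SOURCE>
# Leave disabled = false so the input is active once deployed.
disabled = false

# --- indexes.conf (on the indexers) ---
# Separate, low-retention index so the copied file content does not
# inflate long-term storage. 604800 s = 7 days; default would be ~6 years.
[pulled_files]
homePath   = $SPLUNK_DB/pulled_files/db
coldPath   = $SPLUNK_DB/pulled_files/colddb
thawedPath = $SPLUNK_DB/pulled_files/thaweddb
frozenTimePeriodInSecs = 604800
# Hard cap on the index size (MB) as a second safety valve against a
# chatty file filling the disk.
maxTotalDataSizeMB = 1024
```

When the alert fires, the investigating search simply scopes to the triggering host, e.g. `index=pulled_files host=<alerting_host> source="/var/log/myapp/report.txt"`, optionally bounded to the alert's time window. Restrict the pulled_files index to the roles that need it: the file content is now searchable data, and anyone with read access to the index can see it.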

batuhankutluca
Explorer

Hi @gcusello,
Thanks for your answer. It may be a txt file, but not for all events. I was looking for a Splunk feature to do that, but I guess there isn't one. I mean, since we can run scripts on the host via the forwarder, I thought we could do more, like fetching a file instead of monitoring it. As you mentioned, it would be a security problem for an enterprise 🙂

0 Karma