
How do I use Splunk for NERC baseline compliance?

huangc
New Member

Hi!

I am trying to leverage Splunk for NERC Compliance, but more than just logging. I want to get baseline configuration which captures OS, Patches, Software, and Port and Services.

My idea was to have the system generate the information and write it to a file and have the splunk universal forwarder monitor the file daily.

There would be a cronjob that would run daily to execute the commands like:

1) netstat -ano
2) uname -r
3) rpm -qa

This would then get ingested into Splunk. How has the community been using Splunk for NERC Baseline compliance? Are there any add-ons that could help?

It would need to be able to track changes to the baseline of allowable port and services, change records of the change, and run reports on a baseline of a particular day. This last part I was thinking of using a dashboard or creating a table.

Thoughts or suggestions?

0 Karma

nickhills
Ultra Champion

The Splunk Add-on for Unix and Linux collects all of these for you:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

But if you want to roll your own specifically to collect data with the flags you specify I would deploy them as scripted inputs (like TA-nix) and have Splunk run the job and index the data rather than an external Cron job.

Take a look at the app and see if it works for you - long term it would be far simpler than managing your own, as all of the field extractions are provided for you.
https://splunkbase.splunk.com/app/833

If my comment helps, please give it a thumbs up!
0 Karma
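Worked example, added here and not part of either post above: a collector in the shape nickhills suggests (a scripted input rather than an external cron job) that runs the three commands from the question and emits one `key=value` event per fact, plus a helper that reports drift between two day's snapshots. The field names (`baseline_type`, `local`, `state`, `change`) are my own choice, and the awk parsing assumes the standard Linux column layout of `netstat -ano` and `rpm -qa`; adapt both to your hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Splunk Add-on for Unix and Linux.
# Emits one key=value event per fact so Splunk's automatic field extraction picks it up.
# Field names (baseline_type, proto, local, state, release, name, change) are assumptions.
export LC_ALL=C

# format_ports: read `netstat -ano` output on stdin and emit one event per
# listening TCP socket and every bound UDP socket (ESTABLISHED flows are not baseline).
# Column layout assumed: Proto Recv-Q Send-Q Local Foreign State Timer (Linux net-tools).
format_ports() {
    ts="$1"; host="$2"
    awk -v ts="$ts" -v host="$host" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            printf "%s host=%s baseline_type=port proto=%s local=%s state=LISTEN\n", ts, host, $1, $4
        }
        $1 ~ /^udp/ {
            printf "%s host=%s baseline_type=port proto=%s local=%s state=BOUND\n", ts, host, $1, $4
        }'
}

# format_packages: read `rpm -qa` output on stdin, one event per installed package.
format_packages() {
    ts="$1"; host="$2"
    awk -v ts="$ts" -v host="$host" 'NF { printf "%s host=%s baseline_type=package name=%s\n", ts, host, $1 }'
}

# format_kernel: one event for the `uname -r` release string.
format_kernel() {
    printf '%s host=%s baseline_type=kernel release=%s\n' "$1" "$2" "$3"
}

# diff_baseline OLD NEW: compare two snapshot files written by collect, ignoring the
# leading timestamp, and print facts that appeared (change=added) or vanished (change=removed).
diff_baseline() {
    old="$1"; new="$2"
    cut -d' ' -f2- "$old" | sort -u > "$old.keys"
    cut -d' ' -f2- "$new" | sort -u > "$new.keys"
    comm -13 "$old.keys" "$new.keys" | sed 's/^/change=added /'
    comm -23 "$old.keys" "$new.keys" | sed 's/^/change=removed /'
    rm -f "$old.keys" "$new.keys"
}

# collect: the live scripted-input entry point; runs the commands from the question
# and writes the baseline events to stdout for Splunk to index.
collect() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    host=$(hostname)
    netstat -ano 2>/dev/null | format_ports "$ts" "$host"
    format_kernel "$ts" "$host" "$(uname -r)"
    rpm -qa 2>/dev/null | format_packages "$ts" "$host"
}

# Only run the live collector when invoked as `baseline.sh collect`, so the
# functions can also be sourced and exercised on captured command output.
if [ "${1:-}" = "collect" ]; then
    collect
fi
```

To run it from Splunk rather than cron, place the script in an app's `bin/` directory and reference it from `inputs.conf` as a `[script://./bin/baseline.sh collect]` stanza with `interval = 86400`; each daily run is then a timestamped set of events, and `diff_baseline` (or an equivalent `stats` search comparing `local` values across two days) gives the change record the question asks for.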