Security

unused Vms/PCs

pawelsh
New Member

Hello,

If I wanted to find certain machines (virtual or not) that have not been logged into BY ANYONE in, let's say, the past 30 days, could you assist with a query/statement?

Or the easiest method to use for finding workstations or VMs we can remove based on no logins in the past X amount of days...

thanks in advance,

Patrick

0 Karma

kristian_kolb
Ultra Champion

So you want to search the logs for something that is not there. That is inherently problematic.
In essence you'll have to search through your logs for the last 30 days, and identify the systems that were used. Then you'll have to search through all the rest of your logs and make note of any system that is not part of the result set from the first search. Those would be the systems you really want to find.

One way to do that is through a subsearch:

sourcetype=your_sourcetype latest=-30@d NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

Another, far more efficient way is if you have a trustworthy asset list that can be used as a lookup, since that would eliminate the outer part of the search above:

| inputlookup your_asset_file.csv | search NOT [sourcetype=your_sourcetype earliest=-30@d | dedup field_identifying_VM_or_PC | fields + field_identifying_VM_or_PC]

If you don't have an asset list, it might be useful to build one, with Splunk that is, especially if you are going to run this search on a regular basis. A good description of how to build state tables (which a list of currently active servers can be seen as) can be found here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

The idea is to:

  • read the list from disk as search results
  • search for new data (hostnames) and append them to the results
  • dedup the results
  • write out the new file to disk

Once you have this going, you could have a scheduled daily search that only has to go through a single day's worth of data.

What sort of data DO you have?

/k

0 Karma
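The state-table idea from the answer above, spelled out as two scheduled searches; this is an added example, not code from the original post. It assumes the identifying field is `host` (in both the events and the asset list), keeps the post's `your_sourcetype` and `your_asset_file.csv` placeholders, and uses an assumed lookup file named `host_last_seen.csv` that has been created once beforehand (for example by running the first search a single time without the `inputlookup append=t` line). The first search is meant to run daily just after midnight and merges the previous day's most recent logon time per host into the file; the second reads the asset list and reports hosts that have never been seen or have been idle for more than 30 days.

```spl
sourcetype=your_sourcetype earliest=-1d@d latest=@d
| stats max(_time) AS last_seen BY host
| inputlookup append=t host_last_seen.csv
| stats max(last_seen) AS last_seen BY host
| outputlookup host_last_seen.csv

| inputlookup your_asset_file.csv
| lookup host_last_seen.csv host OUTPUT last_seen
| eval days_idle=round((now()-last_seen)/86400)
| where isnull(last_seen) OR days_idle>30
| fillnull value="never seen" days_idle
| table host last_seen days_idle
```

Because the second search compares against a lookup rather than a subsearch, it is not subject to the default subsearch result limit of 10,000 rows, which the `NOT [...]` form above can silently hit on a large fleet.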