Re: Is it possible to have a custom REST endpoint ...

a212830 · ‎05-25-2016

Hi,

Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

m_zimmermann · ‎11-13-2016

Not going that route seems like the right approach. There is usually a good reason that certain scenarios are not covered in the security guide
https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Hardeningstandards

jkat54 · ‎11-13-2016

I agree with all three comments above.

The answer is no you can't do it on a universal forwarder, you could do it on a heavy forwarder, and be careful that you do it with security in mind. Bmacias84 gave some great info on settings you should consider if you do this with a heavy forwarder.

What you could do is execute scripts via scripted inputs and deploy those via the deployment server.

bmacias84 · ‎11-01-2016

If you want to do this I would suggest using a HF and extend the Splunk Rest endpoints with restmap.conf. restmap.conf supports requireAuthentication settings.

dominiquevocat · ‎11-01-2016

I am wondering the same. Since the handling seems to be done by $SPLUNK_HOME/bin/rest_handler.py i think it will n ot work since there is no python on a universal forwarder.
I have a script that i would like to expose as a custom rest endpoint but i get a 400/bad request as a reply.

m_zimmermann · ‎11-01-2016

If there is any, I'd be very careful about exposing it. Properly securing that endpoint would be an interesting challenge.

Is it possible to have a custom REST endpoint that executes scripts on a universal forwarder?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?