Splunk Enterprise Security

Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

oagtexas
Explorer

We are running Enterprise Security and I'm trying to schedule and automate the population of assets.csv that ES uses as an Identity Management lookup file. I figured I could use DB Connect to connect to our SQL-based CMDB and pull the required information. This connection works fine and I'm able to access a stored report in the CMDB to use to create the exact format of the assets.csv file.

I see 3 options to save anything in DB Connect:

DB Inputs
DB Outputs
DB Lookups

I don't see any of these options doing what I want to do above which is just call the query and output it as a lookup csv file. I'm thinking there's a sloppy workaround to be found here but I was wondering how others are automating their asset inventory in ES?

0 Karma

maciep
Champion

We connect to our CMDB to get our assets and identities as well. We have a scheduled search that runs the dbquery, massages the data as needed, formats the data as needed, and then at the very end of the search we pipe to the outputlookup command to create the csv itself.

For the lookups themselves, we have them configured in a custom SA of ours. And then we configure ES to include those lookups for its asset/identities lists.

Also, our ES env is clustered and we haven't got around to feeling comfortable with dbconnect in that ES cluster. So we actually run the above search on our heavy forwarder and rsync the custom app with our lookups over to the ES boxes a couple times a day.

Not sure if that's the best approach, but that's how we're doing it. Oh, and we're still on ES 3.3.2.

0 Karma
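One concrete form of the scheduled-search-plus-outputlookup approach described above, as an added example rather than the poster's own configuration. It assumes DB Connect's dbxquery command, a DB Connect connection named cmdb_prod, a CMDB table asset_inventory with the columns shown, and a custom supporting add-on that owns the lookup; all of those names are constructed.

```ini
# savedsearches.conf in the custom add-on (constructed name: SA-cmdb_assets)
[CMDB - Asset Lookup Gen]
# Refresh every 4 hours; the search pulls rows via DB Connect, shapes them
# to the ES asset lookup schema and writes the CSV with outputlookup.
enableSched = 1
cron_schedule = 0 */4 * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
# override_if_empty=false keeps the previous CSV if the CMDB query returns
# nothing (for example a DB outage), so ES is not left with an empty asset list.
search = | dbxquery connection="cmdb_prod" query="SELECT hostname, ip_address, mac_address, fqdn, owner_email, business_unit, device_category, is_pci FROM asset_inventory WHERE status = 'active'" \
| rename hostname AS nt_host, ip_address AS ip, mac_address AS mac, fqdn AS dns, owner_email AS owner, business_unit AS bunit, device_category AS category \
| where isnotnull(nt_host) OR isnotnull(ip) OR isnotnull(dns) OR isnotnull(mac) \
| eval pci_domain = if(is_pci=="1", "cardholder", "untrust") \
| eval priority = case(category=="server", "high", category=="workstation", "low", true(), "medium") \
| eval is_expected="true", should_timesync="false", should_update="false", requires_av="true" \
| eval lat="", long="", city="", country="" \
| dedup nt_host ip dns mac \
| fields ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av \
| outputlookup override_if_empty=false cmdb_assets.csv

# transforms.conf in the same add-on: the lookup definition ES is pointed at
[cmdb_assets_lookup]
filename = cmdb_assets.csv
case_sensitive_match = false
```

The lookup definition is then added as an asset source in ES's asset and identity configuration; the where clause drops rows that carry none of the key fields ES correlates on, and dedup prevents one host from being emitted twice when the CMDB holds duplicate records.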

rishrai
New Member

I am looking to continuously update the asset list from CMDB. DB Connect is installed on the heavy forwarder. I got the part of running dbquery in DB Connect to generate the lookup file. Now how do I get the lookup file to the ES search head and place it in SA-IdentityManagement? I am not familiar with rsync. Can you please explain more?

0 Karma