Splunk Universal Forwarder Audit - Windows - superseded


Versioning - This is an older version.

1. Splunk Universal Forwarder Audit - Windows (7/22/2016 1:40:59 PM)
2. Splunk Universal Forwarder Audit - Windows (7/22/2016 3:17:26 PM)
3. Splunk Universal Forwarder Audit - Windows (7/22/2016 3:39:32 PM)

Description

This is based upon @JasonWalker's analysis: https://bigfix.me/analysis/details/2994522

Property Details

ID 2998315
Status Alpha - Code that was just developed
Title Splunk Universal Forwarder Audit - Windows
Domain BESC
Added by on 7/22/2016 1:40:59 PM
Last Modified by on 7/22/2016 1:40:59 PM

Properties

SPLUNK_HOME path
Period 6 hours
Results in a true/false
Relevance:
unique values of pathnames of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

Splunk Version
Period 6 hours
Results in a "string"/number
Relevance:
unique values of (it as string as trimmed string) of values "DisplayVersion" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

Splunk Service State
Period 1 hour
Results in a "string"/number
Relevance:
unique values of states of services "SplunkForwarder"

Splunk Connection Status
Period 1 hour
Results in a "string"/number
Relevance:
exists sockets whose(remote port of it = 9997 AND established of tcp state of it) of networks

Splunk Active Server IP Address
Period 1 hour
Results in a "string"/number
Relevance:
unique values of remote addresses of sockets whose(remote port of it = 9997 AND established of tcp state of it) of networks

Relevance

isWindows (Relevance 1172)
Used in 1146 fixlets and 539 analyses. Results in a true/false
Relevance:
windows of operating system

Used in 1 fixlet and 3 analyses. Results in a true/false
Relevance:
( exists (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries) ) OR ( exists services "SplunkForwarder" )
