Hi,
I am developing a plugin for my organisation's security configuration compliance auditing system, and some Windows Server-based devices have come into scope which are using the Splunk Universal Forwarder to monitor privileged access events. As part of the auditing process for these devices, I will need to verify that Splunk is collecting the correct events and sending them to the correct destination. So far I have come to the conclusion that the audit criteria should be:
1) that inputs.conf includes all necessary logfiles and that disable = 0 for each,
2) that outputs.conf is sending the log digests to the right destination, and
3) the SplunkForwarder service is running and configured to start automatically.
Checking the service is easily done using the svSvc table in the lmmib2 (LanMgr MIB). But I'm struggling to find a way to retrieve the contents of inputs.conf and outputs.conf without literally retrieving the files themselves, something I'm reluctant to do in a production environment on a regular basis.
It doesn't help that I'm not especially familiar with the Windows server platforms, but I would like to know whether there is an alternative way I can retrieve the inputs and outputs remotely. Is there a Universal Forwarder SNMP MIB, for example? Or does this configuration get stored in the registry somewhere?
I'd also like to know if there's anything else I should be checking to give a reliable confirmation that the Universal Forwarder is operating as expected.
Thanks for your help.
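Added example, not from the original post: a parser for the INI-style stanza format Splunk uses in inputs.conf and outputs.conf, with an `audit` function that evaluates the first two criteria above (required inputs present and enabled; tcpout destinations match an expected list). Splunk's actual key is `disabled` (0/false means enabled), and tcpout groups list their indexers under `server` in a `[tcpout:<group>]` stanza; the sample configuration text and hostnames are constructed for the example.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf, stanza = {}, "default"   # keys before any [stanza] -> 'default'
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):     # blank or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1)
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, _, val = line.partition("=")
            conf.setdefault(stanza, {})[key.strip()] = val.strip()
    return conf

def is_enabled(stanza):
    """Splunk's key is 'disabled'; absent or 0/false means enabled."""
    return stanza.get("disabled", "0").lower() not in ("1", "true")

def audit(inputs_text, outputs_text, required_inputs, expected_servers):
    """Return findings; every value is empty when the criterion is met."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    missing = {n for n in required_inputs
               if n not in inputs or not is_enabled(inputs[n])}
    servers = set()   # host:port targets of every enabled tcpout group
    for name, st in outputs.items():
        if name.startswith("tcpout:") and is_enabled(st) and "server" in st:
            servers.update(s.strip() for s in st["server"].split(","))
    return {"inputs_missing_or_disabled": missing,
            "unexpected_destinations": servers - set(expected_servers),
            "expected_destinations_absent": set(expected_servers) - servers}

# Constructed sample files with placeholder hostnames (not a real host).
SAMPLE_INPUTS = """\
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 1
"""
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = primary
[tcpout:primary]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""
```

Calling `audit(SAMPLE_INPUTS, SAMPLE_OUTPUTS, {"WinEventLog://Security", "WinEventLog://System"}, {"idx1.example.internal:9997"})` flags the disabled System channel and the second indexer as findings; feeding it the real files read from the host (or from a copy fetched by whatever transport the auditing system already trusts) gives the same checks in production.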