Downloading Splunk for Asset Discovery
SHA256 checksum (splunk-for-asset-discovery_60.tgz) 30f362e6b821e483a1a998e87e52bb8e8ae3315f458bf021918e3ea7fa297d75

Splunk for Asset Discovery

This app is NOT supported by Splunk.

The asset discovery application provides ping scans, port scans, operating system and port fingerprinting through the use of nmap in order to gain visibility into asset availability, port statistics, and even rogue device detection. The app can be deployed on a per-subnet basis in order to provide distributed scanning capabilities.

Splunk for Asset Discovery

Version: 6.0

Developed by: Mike Wilson (mwilson at splunk.com)

Noteworthy


The latest version of Splunk seems to have changed something in the way LD_LIBRARY_PATH is handled. If you are not receiving scan data and you're sure that everything is enabled and set up properly, it's quite possible that you're just being affected by this. More information and a fix can be found here: http://answers.splunk.com/answers/105439/no-port_scan-data. Please let me know if you encounter this issue.

Notes on the Windows scripted input, nmap.cmd (which calls nmap.vbs): You must create the file bin\nmap.path containing the full path to your nmap.exe (e.g. C:\Program Files\Nmap\nmap.exe). There is an example_nmap.path in the bin directory. If you do not do this, the input will fail. The Windows scripts are lightly tested; please report bugs.

General


This app utilizes its own "asset_discovery" index. All searches have been created to use eventtypes which reference index=asset_discovery, so the index can easily be overridden depending on your needs.

This app utilizes the nmap command, but does not provide it. It assumes that the command is available and in the path. Additionally, the nmap binary works best if it is run as root. Running as a standard user will most likely yield unexpected results.

This app utilizes a scripted input, nmap.sh or nmap.cmd, to execute nmap scans of (hopefully) any type. The included scripted input will automatically include the necessary argument for "Grepable" output format as defined by nmap.org.

The scripted input will attempt to find the current host's IP address and, if no other target is given, use that IP to perform a scan of the local subnet. In this way, the app can be deployed to remote forwarders to regularly scan the forwarder's subnet, without having to configure the target for each individual forwarder. This behavior can be overridden by passing a "-t target_spec" argument to the script.

With no arguments given, the scripted input will perform a ping scan of the local subnet of the current system:
nmap -oG - -v -R -sP -PE 192.168.1.158/24

You may pass standard nmap arguments through in order to perform a port scan. An input of "nmap.sh -A -O" will yield:
nmap -oG - -A -O 192.168.1.158/24

In order to set a target, use the "-t" option (not a standard nmap option). "nmap.cmd -t 10.159.1.100-150" will yield:
nmap -oG - -v -R -sP -PE 10.158.1.100-150
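The argument handling described above, reconstructed as an added example (this is not the app's own nmap.sh or nmap.cmd): "-t" switches are collected as targets, every other argument is passed through to nmap, "-oG -" is always inserted, the default ping-scan arguments apply when no nmap arguments are given, and the host's /24 is the fallback target. The host IP is taken as a parameter, which is an assumption standing in for the script's own IP lookup; the command line is printed rather than executed, so the logic can be checked without nmap or root. A second function parses constructed sample lines in the "Grepable" format that the app indexes (tab-separated fields, "Ports:" entries of the form port/state/proto/owner/service/rpc/version/).

```shell
#!/bin/sh
# Added example, not the app's own scripted input. Reconstructs the documented
# argument handling and parses grepable output; no scan is run.

# build_nmap_cmd HOST_IP [nmap args...] [-t target]...
# HOST_IP stands in for the script's own host-IP lookup (an assumption here).
build_nmap_cmd() {
    host_ip="$1"; shift
    targets=""
    nmap_args=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)
                # App-specific switch: collect the target, do not pass -t to nmap
                shift
                if [ $# -eq 0 ]; then
                    echo "build_nmap_cmd: -t requires a target specification" >&2
                    return 1
                fi
                targets="$targets $1"
                ;;
            *)
                # Everything else is passed through to nmap unchanged
                nmap_args="$nmap_args $1"
                ;;
        esac
        shift
    done
    # No nmap arguments: default to the ping scan shown in the description
    [ -z "$nmap_args" ] && nmap_args=" -v -R -sP -PE"
    # No -t target: fall back to the host's local /24
    [ -z "$targets" ] && targets=" $host_ip/24"
    # "-oG -" is always inserted so grepable output goes to stdout
    echo "nmap -oG -${nmap_args}${targets}"
}

# parse_open_ports < grepable-output
# Prints one "ip port proto service" line per open port and ignores
# closed/filtered entries and "Status:" lines.
parse_open_ports() {
    tab="$(printf '\t')"
    awk -F "$tab" '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, /, /)
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open") print ip, f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# Constructed sample of grepable output (not real scan data)
SAMPLE_GREPABLE="$(printf 'Host: 192.168.1.10 (printer.local)\tStatus: Up\nHost: 192.168.1.10 (printer.local)\tPorts: 80/open/tcp//http///, 631/open/tcp//ipp///, 23/closed/tcp//telnet///\tIgnored State: closed (997)\n')"

# Demonstration when run directly
build_nmap_cmd 192.168.1.158
build_nmap_cmd 192.168.1.158 -A -O -t 10.159.26.0/24 -t 10.59.27.0/24
printf '%s\n' "$SAMPLE_GREPABLE" | parse_open_ports
```

Because "-t" is consumed by the wrapper and never reaches nmap, a bare "-t" with no target is an error rather than being silently forwarded; the parser keys on the "open" state field, which is the value the app's port statistics depend on.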

Customizing scan targets


In the event that you'd prefer to have a small number of scan points which will scan multiple networks, you'll need to create some custom data inputs. There are 2 types of inputs for this app: ping scans and port scans. From your Splunk instance (i.e. the scan point), head to Manager -> Data Inputs -> Scripts and search for "nmap". There should be 4 results: a ping scan and a port scan for *nix, and the same for Windows. Find the appropriate input and "Clone" it. Enter the proper command for your situation (e.g. for a port scan of 2 subnets, something like: /opt/splunk/demo/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 10.159.26.0/24 -t 10.59.27.0/24), leave the remaining fields alone, and click "Save".

You can have a single scan which has many targets, per the previous example, or you may create new inputs for each in the event that you'd like to stagger their execution, etc. You should be able to pass in any standard nmap arguments. A "-oG" option will be automatically inserted in order to force the "Grepable" format. Targets should be prefixed with a "-t" switch per the example.

Connections


Internal:
Only those network connections which are initiated by nmap for the purpose of scanning.

External:
None

Troubleshooting


The nmap.sh or nmap.cmd scripted input can be run directly from the command line for testing. However, nmap's stderr is redirected to null, so you may want to comment that out when testing (e.g., change 2>/dev/null to #2>/dev/null).

Known Issues


Port Signature chart will be empty when drilling down from an "OS Signature" chart to the port overview. This is because of quoting issues in a match operation which I don't have an elegant fix for currently.

Credits


Nmap and its open source goodness: nmap.org

Release Notes

Version 6.0
Oct. 3, 2013

Update for Splunk 6.0
