We are defaulting the provision of virtual machines with Splunk Forwarder as part of the baseline. By default, each VM will get a set of apps, but I don't have any inputs defined for them yet (intentionally). I do see them in the Forwarder Management view as a client, as expected.
One of our test users is checking the event logs on his virtual desktop and sees that \splunk\etc\system\bin\admon.cmd (and a handful of other cmd files) are being run. I'm trying to determine why these are run and when. Admittedly I don't know Windows scripting well so I may be wrong, but it looks like these cmd files aren't executing a script, but echoing out scheme (perhaps there's some functionality behind that). Again, I don't know Windows scripting well, so I'm struggling to understand the utility.
My concern is twofold:
1. If these should be run, I need to let him know so that they will be allowed to run in prod. Right now we're in a test environment, so it's wide open; however, in prod it would be denied based on current rules.
2. My customer is trying to tie some other PowerShell scripts' execution to these commands temporally. In other words, if he sees \splunk\etc\system\bin\admon.cmd as one event and 10 seconds later a PowerShell script is being executed, he's surmising that it was spawned from the preceding cmd. I don't know that he's right or wrong; I just want to be able to help him determine whether that's the case definitively.
Any assistance would be appreciated.
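For the second concern, the definitive check is process lineage (the parent process ID recorded in a Windows 4688 or Sysmon Event ID 1 record), not how close the timestamps are. The following is an added example, not code from the post or from Splunk, that walks constructed process-creation events and contrasts the timing heuristic with an ancestry walk; the only value taken from the question is the admon.cmd path, and the process names, PIDs and script paths are invented.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a 4688 or Sysmon 1 event carries)."""
    ts: float      # start time in seconds (constructed)
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events; only the admon.cmd path comes from the question.
SAMPLE_EVENTS = [
    ProcEvent(10.0, 3000, 800, "explorer.exe", "explorer.exe"),
    ProcEvent(90.0, 2000, 800, "splunkd.exe", "splunkd.exe service"),   # assumed parent
    ProcEvent(100.0, 4100, 2000, "cmd.exe",
              r"cmd.exe /c C:\splunk\etc\system\bin\admon.cmd"),
    ProcEvent(101.0, 4300, 4100, "powershell.exe",
              r"powershell.exe -File C:\scripts\collect.ps1"),   # hypothetical child of cmd
    ProcEvent(110.0, 4200, 3000, "powershell.exe",
              r"powershell.exe -File C:\scripts\user.ps1"),      # user-launched, 10 s later
]

def find_parent(events, child):
    """Latest creation event for child.ppid that started no later than the child.
    Picking the latest one guards against PID reuse after an earlier parent exited."""
    cands = [e for e in events if e.pid == child.ppid and e.ts <= child.ts]
    return max(cands, key=lambda e: e.ts) if cands else None

def lineage(events, pid):
    """Ancestor chain for pid, child first; stops at the root or on a cycle."""
    own = [e for e in events if e.pid == pid]
    if not own:
        return []
    cur = max(own, key=lambda e: e.ts)
    chain, seen = [cur], {cur.pid}
    while (cur := find_parent(events, cur)) is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
    return chain

def spawned_by(events, child_pid, marker):
    """True when some ancestor's command line mentions marker (case-insensitive)."""
    marker = marker.lower()
    return any(marker in e.cmdline.lower() for e in lineage(events, child_pid)[1:])

def temporal_matches(events, cmd_pid, window_s):
    """The timing heuristic from the question: PowerShell started within window_s
    after the cmd event. It flags both PowerShell processes in the sample."""
    cmd = max((e for e in events if e.pid == cmd_pid), key=lambda e: e.ts)
    hits = [e for e in events if e.image.lower() == "powershell.exe"
            and cmd.ts <= e.ts <= cmd.ts + window_s]
    return [e.pid for e in sorted(hits, key=lambda e: e.ts)]
```

On a real host the same walk can be run over the events the forwarder already collects, provided command-line logging is enabled so the script path appears in the record.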