From 07122cafadcc61b3e38e5367d2531c5859a68f68 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Wed, 8 Jan 2025 18:21:51 -0500 Subject: [PATCH] Use ip command to determine IP address ('hostname -I' does not work on all Linux systems) Filter out multiple listing of the same btrfs volume Use mktemp for temp files (for times when the TA may be run outside of Splunk) If running rlog.sh outside of Splunk, use $HOME to store seek file Debian also uses apt Arch Linux uses pacman Add use of sudo -n for 'apt update' and 'pacman -Syy' vmstat uses "K paged out" Replace the use of 'sar' with netstat and vm_stat for MacOS --- VERSION | 4 ++-- app.manifest | 18 +++++++++--------- bin/bandwidth.sh | 6 +++--- bin/cpu_metric.sh | 4 ++-- bin/df.sh | 2 ++ bin/df_metric.sh | 6 ++++-- bin/hardware.sh | 2 +- bin/interfaces_metric.sh | 4 ++-- bin/iostat_metric.sh | 4 ++-- bin/ps_metric.sh | 4 ++-- bin/rlog.sh | 12 +++++++++--- bin/selinuxChecker.sh | 2 +- bin/update.sh | 21 ++++++++++++++++++--- bin/vmstat.sh | 23 +++++++++-------------- bin/vmstat_metric.sh | 27 +++++++++++---------------- default/app.conf | 14 +++++++------- docs/ReleaseNotes.md | 18 ++++++++++++++++++ splunkbase.manifest | 38 ++++++++++++++++++++------------------ 18 files changed, 122 insertions(+), 87 deletions(-) create mode 100644 docs/ReleaseNotes.md diff --git a/VERSION b/VERSION index 3267917..1d43a4b 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0 -9.2.0 \ No newline at end of file +9.2.0.1 +9.2.0.1 diff --git a/app.manifest b/app.manifest index 05b18b7..184ab32 100644 --- a/app.manifest +++ b/app.manifest @@ -4,9 +4,9 @@ "info": { "author": [ { - "company": "Splunk, Inc.", - "email": "support@splunk.com", - "name": "Splunk, Inc." + "company": "erdelynet.com", + "email": "mike@erdelynet.com", + "name": "erdelynet.com" } ], "classification": { 
@@ -25,11 +25,11 @@ "Network Sessions": "=4.20.2", "Performance": "=4.20.2" }, - "description": "Splunk Add-on for Unix and Linux", + "description": "Technical Add-on for Unix and Linux", "id": { "group": null, - "name": "Splunk_TA_nix", - "version": "9.2.0" + "name": "TA-nix", + "version": "9.2.0.1" }, "license": { "name": "Splunk Software License Agreement", @@ -45,9 +45,9 @@ "releaseNotes": { "name": "README", "text": "./README.txt", - "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes" + "uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md" }, - "title": "Splunk Add-on for Unix and Linux" + "title": "Technical Add-on for Unix and Linux" }, "inputGroups": null, "platformRequirements": null, @@ -63,4 +63,4 @@ "_indexers" ], "tasks": null -} \ No newline at end of file +} diff --git a/bin/bandwidth.sh b/bin/bandwidth.sh index e5a1364..da3ee0f 100755 --- a/bin/bandwidth.sh +++ b/bin/bandwidth.sh @@ -66,11 +66,11 @@ elif [ "$KERNEL" = "AIX" ] ; then # shellcheck disable=SC2016 FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}' elif [ "$KERNEL" = "Darwin" ] ; then - CMD='sar -n DEV 1 2' + CMD='eval ifconfig -a -u | awk "/^[^ \t]/{i=substr(\$1,1,length(\$1)-1)}/status: active/{print i}" | while read -r int; do netstat -bnI $int -w 1 | head -n3 | sed "s/^/$int/"; done' # shellcheck disable=SC2016 - FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}' + FILTER='$2~/^(input|packets)$/{next}' # shellcheck disable=SC2016 - FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}' + FORMAT='{Name=$1; rxPackets_PS=$2; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$7/1024}' elif [ "$KERNEL" = "HP-UX" ] ; then # Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324 CMD='netstat -i 1 2' diff --git a/bin/cpu_metric.sh b/bin/cpu_metric.sh index 04d73df..3f12dd6 100755 --- a/bin/cpu_metric.sh +++ b/bin/cpu_metric.sh 
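Review bot: The manifest's `"name": "TA-nix"` does not agree with `default/app.conf`, which this same commit changes to `id = TA-unix` and `[id] name = TA-unix`; Splunk packaging and AppInspect expect the manifest id, the app.conf id and the install directory to be one and the same, so one of the two files is wrong and the package will either fail validation or install under a name its manifest does not claim. The author and title are rebranded but `"license": {"name": "Splunk Software License Agreement"` is left as-is, which is worth confirming actually permits redistributing a fork under a new author before this ships. `releaseNotes` now points `"uri"` at the new markdown file while `"text": "./README.txt"` still names the original README, so two different documents are declared as the release notes; point both at the same file or drop the stale one.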
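Review bot: The replacement `CMD` runs `netstat -bnI $int -w 1 | head -n3` once per active interface in sequence, so collection time on macOS now grows by at least a second per interface, and `$int` is expanded unquoted inside the loop; quote it (`netstat -bnI "$int" -w 1`) and note the per-interface latency in a comment so nobody tightens the input interval below it. The old `FILTER` excluded `lo[0-9]` explicitly; the new pipeline only excludes loopback if `ifconfig` never prints `status: active` for `lo0`, which appears to hold but is undocumented — keeping the exclusion costs nothing: `FILTER='$1~/^lo[0-9]/ || $2~/^(input|packets)$/{next}'`. Whether the first `-w` sample line reports the interval or totals since boot is not stated anywhere in the hunk and decides whether `rxKB_PS` is a rate; a one-line comment on the `head -n3` would settle it for the next reader.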
@@ -16,9 +16,9 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand mpstat FOUND_MPSTAT=$? if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi if [ $FOUND_SAR -eq 0 ] ; then CMD='sar -P ALL 1 1' diff --git a/bin/df.sh b/bin/df.sh index a2ab71c..4689cd4 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -12,6 +12,8 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 BEGIN='BEGIN { OFS = "\t" }' # shellcheck disable=SC2016 + FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' + # shellcheck disable=SC2016 FILTER_POST='/(devtmpfs|tmpfs)/ {next}' # shellcheck disable=SC2016 PRINTF=' diff --git a/bin/df_metric.sh b/bin/df_metric.sh index 9f0d020..12d79a1 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh 
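Review bot: `ip -4 route show default | awk '{print $9}'` depends on the route line having exactly the shape `default via GW dev IF proto P src ADDR …`; a static default route (`… dev eth0 onlink`), a route without `proto` (busybox `ip` in containers prints `default via GW dev IF` and nothing else), or a host with two default routes produce an empty value, the wrong token, or two addresses joined by a newline inside the `-v IP_address=` argument, which breaks the awk invocation that consumes `DEFINE`. Select the token by keyword and stop after one line: `IP_address=$(ip -4 route show default | awk '{for (i=1;i<NF;i++) if ($i=="src") {print $(i+1); exit}}')`, and expect it to be empty on hosts whose default route has no `src` hint. The same `DEFINE` is duplicated verbatim in df_metric.sh, interfaces_metric.sh, iostat_metric.sh, ps_metric.sh and vmstat_metric.sh, so the fix has to land six times; a helper in common.sh would make this a one-line change.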
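Review bot: `FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}'` is dense enough to deserve a comment stating the intent, since it silently drops every btrfs mount after the first one seen for a device: `# btrfs lists the same device once per mounted subvolume; keep only the first so pool capacity is not counted repeatedly`. It also means which mount path survives is whatever `df` prints first, which is normally the root subvolume but is not guaranteed. Whether the awk pipeline further down (outside this hunk) actually consumes a `FILTER_PRE` variable is not visible here; if it only wires `FILTER_POST`, this assignment is dead and the duplicate rows remain.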
@@ -13,12 +13,14 @@ if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand df CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target' if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi BEGIN='BEGIN { OFS = "\t" }' FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}' + # shellcheck disable=SC2016 + FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' # shellcheck disable=SC2016 FILTER_POST='/(devtmpfs|tmpfs)/ {next}' # shellcheck disable=SC2016 
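Review bot: `grep -E '\b(VERSION|BUILD)_ID='` matches both lines when a release file carries the two keys together (some rolling or image-based distributions ship `VERSION_ID` and `BUILD_ID` side by side), and the two values joined by a newline land inside the `-v OS_version=` argument and break the awk invocation. Choose one deliberately, e.g. `grep -E '^(VERSION_ID|BUILD_ID)=' | head -n 1`, or prefer `VERSION_ID` and fall back to `BUILD_ID` only when it is absent. `\b` is a GNU extension to ERE; this branch is Linux-only so it works, but a comment saying so would stop someone copying it to the Darwin/BSD branches.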
diff --git a/bin/hardware.sh b/bin/hardware.sh index db40484..31eefec 100755 --- a/bin/hardware.sh +++ b/bin/hardware.sh @@ -9,7 +9,7 @@ FORMAT='{key = $1; if (NF == 1) {value = ""} else {value = $2; for PRINTF='{printf("%-20s %-s\n", key, value)}' if [ "$KERNEL" = "Linux" ] ; then - TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile # For filtering out lshw warning from stderr + TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out lshw warning from stderr queryHaveCommand ip FOUND_IP=$? # CPUs diff --git a/bin/interfaces_metric.sh b/bin/interfaces_metric.sh index 52c799b..d6a75ef 100755 --- a/bin/interfaces_metric.sh +++ b/bin/interfaces_metric.sh 
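Review bot: `TMP_ERROR_FILTER_FILE=$(mktemp)` creates a new file in `$TMPDIR` on every run and nothing in this hunk removes it, whereas the old fixed path under `$SPLUNK_HOME/var/run/splunk` was reused each interval; unless a cleanup exists further down (outside the hunk), this is an unbounded accumulation of temp files on a collector that runs every minute. The result of `mktemp` is also not checked, so a full or read-only temp directory leaves the variable empty and whatever later redirects stderr to it will fail. Suggest `TMP_ERROR_FILTER_FILE=$(mktemp) || exit 1` followed by `trap 'rm -f "$TMP_ERROR_FILTER_FILE"' EXIT`, and the same pattern in rlog.sh, selinuxChecker.sh and update.sh, which make the identical change.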
@@ -18,9 +18,9 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand ip FOUND_IP=$? if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi if [ $FOUND_IP -eq 0 ]; then CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" diff --git a/bin/iostat_metric.sh b/bin/iostat_metric.sh index 2a69a6e..da1550e 100755 --- a/bin/iostat_metric.sh +++ b/bin/iostat_metric.sh 
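Review bot: This is the third copy of the same two `DEFINE` lines in this commit (cpu_metric.sh, df_metric.sh, here, and three more below), each shelling out to `cat /etc/*release`, `grep`, `cut`, `tr`, `ip` twice and `xargs` at script start; a `getLinuxHostIdentity` helper in common.sh that sets `OSName`, `OS_version`, `IP_address` and `IPv6_Address` once would remove the duplication and give the `ip route` field-9 parsing a single place to be fixed. Note that unlike cpu_metric.sh this script already runs `queryHaveCommand ip` and branches on `FOUND_IP`, yet the new `DEFINE` calls `ip` unconditionally before that check; move the `DEFINE` after the `FOUND_IP` test or guard it with `[ $FOUND_IP -eq 0 ]` so the non-iproute2 path stays clean.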
@@ -11,9 +11,9 @@ if [ "$KERNEL" = "Linux" ] ; then CMD='iostat -xky 1 1' assertHaveCommand "$CMD" if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f' # shellcheck disable=SC2016 diff --git a/bin/ps_metric.sh b/bin/ps_metric.sh index 4855452..30f0878 100755 --- a/bin/ps_metric.sh +++ b/bin/ps_metric.sh 
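Review bot: The Linux `DEFINE` now depends on `ip`, but nothing in this hunk checks for it — unlike interfaces_metric.sh and hardware.sh, which run `queryHaveCommand ip` — so on a host without iproute2 the substitution writes `ip: command not found` to stderr every interval and `IP_address` is silently empty. Add `assertHaveCommand ip` beside the existing `assertHaveCommand "$CMD"`, or fall back to the previous `hostname -I` when `ip` is absent, since portability was the stated reason for the change. The surrounding `if [ "$KERNEL" = "Linux" ]` block continues outside the hunk.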
@@ -12,9 +12,9 @@ if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; th CMD='ps auxww' if [ "$KERNEL" = "Linux" ] ; then if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. diff --git a/bin/rlog.sh b/bin/rlog.sh index f1fa92b..72ae084 100755 --- a/bin/rlog.sh +++ b/bin/rlog.sh 
@@ -7,10 +7,16 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios +if [ -n "$SPLUNK_DB" ]; then + OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios + SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime +else + # handle the case where this is not being run by the Splunk user from Splunk + OLD_SEEK_FILE=$HOME/.splunk_unix_audit_seekfile # For handling upgrade scenarios + SEEK_FILE=$HOME/.splunk_unix_audit_seektime +fi CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios -SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out "no matches" error from stderr AUDIT_FILE="/var/log/audit/audit.log*" if [ "$KERNEL" = "Linux" ] ; then diff --git a/bin/selinuxChecker.sh b/bin/selinuxChecker.sh index b213dd8..e819196 100755 --- a/bin/selinuxChecker.sh +++ b/bin/selinuxChecker.sh @@ -5,7 +5,7 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_selinux_error_tmpfile # For filtering out awk warning from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out awk warning from stderr PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}' if [ "$KERNEL" = "Linux" ] ; then diff --git a/bin/update.sh b/bin/update.sh index d834c3a..85f0732 100755 --- a/bin/update.sh +++ b/bin/update.sh 
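Review bot: The new branch tests `$SPLUNK_DB` but builds both paths from `$SPLUNK_HOME`, so a run where only one of the two is exported (a manual run that sets SPLUNK_HOME, or an environment that sets SPLUNK_DB without SPLUNK_HOME) either takes the `$HOME` branch for no reason or writes to `/var/run/splunk/unix_audit_seektime`. Test the variable the code uses: `if [ -n "$SPLUNK_HOME" ] && [ -d "$SPLUNK_HOME/var/run/splunk" ]; then`. The fallback assumes `$HOME` is set and writable, which is not guaranteed under cron or a service unit; `${HOME:-/tmp}` or an explicit failure would be safer than an unset expansion producing `/.splunk_unix_audit_seektime`. The comment in the else branch could also name what is stored: `# not invoked by splunkd: keep the audit seek position under $HOME instead`.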
@@ -5,18 +5,21 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_update_error_tmpfile # For filering out apt warning from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out apt warning from stderr if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand date OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) OS_FILE=/etc/os-release # Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages - if [ "$OSName" = "Ubuntu" ]; then + if [ "$OSName" = "Ubuntu" ] || [ "$OSName" = "Debian_GNU/Linux" ]; then assertHaveCommand apt assertHaveCommand sed + # For this to work properly, add a line to /etc/sudoers like this: + # splunk ALL=(root) NOPASSWD: /usr/bin/apt update + # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script # sed command here replaces '/, [, ]' with ' ' - CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 
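Review bot: `sudo -n apt update > /dev/null 2>&1` discards every failure, so when the sudoers rule from the comment is absent, `sudo` itself is missing (no `assertHaveCommand sudo` is added), or the refresh fails, the script silently reports against a stale list — precisely the condition the change set out to fix — with nothing in splunkd.log to show it. Let the failure surface, e.g. `sudo -n apt update >/dev/null || echo "apt update failed; is the sudoers rule installed?" >&2`. The sudoers line is a root privilege grant to the collector account and belongs in the README/ReleaseNotes as an install step, recommending a drop-in under `/etc/sudoers.d/` and stating that the exact-argument form `/usr/bin/apt update` is what keeps this from becoming a general root `apt` (and so package-install) capability. Refreshing package lists is also a state change on every collection interval, which some change-control regimes will not accept for a monitoring agent; gating it behind a variable in the input stanza would let operators opt in.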
@@ -33,6 +36,18 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 PARSE_2='header_found { gsub(/[[:space:]]*\|[[:space:]]*/, "|"); split($0, arr, /\|/); printf "%s repository=%s package=%s current_package_version=%s latest_package_version=%s sles_architecture=%s\n", DATE, arr[2], arr[3], arr[4], arr[5], arr[6]}' MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2" + elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then + assertHaveCommand checkupdates + assertHaveCommand sed + # For this to work properly, add a line to /etc/sudoers like this: + # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy + # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update) + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0}' + PARSE_1='NR==2 {ARCH=$0}' + PARSE_2='NR>2 {printf "%s arch_architecture=%s package=%s current_package_version=%s latest_package_version=%s\n", DATE, ARCH, $1, $2, $4}' + MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2" else assertHaveCommand yum diff --git a/bin/vmstat.sh b/bin/vmstat.sh index 2fc902b..178c09f 100755 --- a/bin/vmstat.sh +++ b/bin/vmstat.sh 
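Review bot: `sudo -n pacman -Syy` refreshes the live sync databases as root without upgrading, which on Arch is the documented partial-upgrade hazard (a later `pacman -S pkg` by an administrator resolves against the newer database), and `-Syy` forces a full re-download on every collection interval. `checkupdates` from pacman-contrib exists precisely to avoid this — it syncs a private copy of the databases as the invoking user (confirm on the target version) — so the `sudo` call and the sudoers line in the comment look unnecessary and should be dropped. The architecture mapping `s/(armv7l|aarch64)/arm64/` is wrong for `armv7l`, which is 32-bit; if Debian-style names are wanted that is `armhf`, otherwise leave `uname -m` output alone. `PARSE_1` and `PARSE_2` use `$0`/`$1` inside single quotes without the `# shellcheck disable=SC2016` the rest of the file carries, and the enclosing `if`/`elif` chain continues outside the hunk.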
@@ -26,7 +26,7 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}' # shellcheck disable=SC2016 - PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' + PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' # shellcheck disable=SC2016 PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}' # shellcheck disable=SC2016 @@ -126,9 +126,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand sysctl assertHaveCommand top - assertHaveCommand sar + assertHaveCommand vm_stat # shellcheck disable=SC2016 - CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2' + CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"' FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' # shellcheck disable=SC2016 PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}' 
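Review bot: Accepting both `pages paged out` and `K paged out` into the same `pgPageOut` field makes its unit depend on the host's procps version — older `vmstat -s` reports pages, the newer wording (per the commit message) reports kibibytes — and nothing in the event says which one was captured, so cross-host comparisons mix the two. Normalize to one unit, e.g. `/pages paged out$/ {pgPageOut=$1*PAGESIZE/1024} /K paged out$/ {pgPageOut=$1}` with `-v PAGESIZE=$(getconf PAGESIZE)` added to the awk invocation outside this hunk, or at minimum add a comment on `PARSE_2` stating that the value's unit is version-dependent.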
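Review bot: The new Darwin `CMD` runs `vm_stat -c5 1`, which blocks for roughly five seconds on top of `top -l 1`, so each collection now takes several seconds per host; record that cost in a comment so the input interval is not tightened below it. `tail -n -4` keeps the last four of the five samples (presumably discarding the cumulative first line — a comment should say so, because the `/4` divisor depends on it), and `$19`..`$22` are hard-coded column positions into `vm_stat` periodic output that may shift between macOS releases; reading the column names from the header line and indexing by name would be safer. The `swoups` label in the printf appears to be a typo for `swoutps`, harmless only because `PARSE_7` indexes by position.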
@@ -137,24 +137,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then # shellcheck disable=SC2016 PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}' # shellcheck disable=SC2016 - PARSE_3='/^VM:/ {pgPageOut=0+$7}' - if $OSX_GE_SNOW_LEOPARD; then - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' - else - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}' - fi + PARSE_3='/^pgpageout / {pgPageOut=0+$2}' + # shellcheck disable=SC2016 + PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' # shellcheck disable=SC2016 PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}' # shellcheck disable=SC2016 PARSE_6='/^CPU_COUNT/ {cpuCount=$2}' # shellcheck disable=SC2016 - PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}' + PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}' # shellcheck disable=SC2016 - PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}' + PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" - FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}' + FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/bin/vmstat_metric.sh b/bin/vmstat_metric.sh index b9f4ce7..e0c56e2 100755 --- a/bin/vmstat_metric.sh +++ b/bin/vmstat_metric.sh 
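Review bot: `pgSwapOut` is assigned twice with different meanings: `PARSE_8` stores the cumulative `Swapouts:` count from `vm_stat`, then `PARSE_7` overwrites it with the per-second `swoups` average, which `CMD` prints later, so the event carries a rate under a field name that on Linux holds the cumulative `pages swapped out` counter (`PARSE_2` in the hunk above) and `PARSE_8` is effectively dead. Give the rates their own names: `PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn_PS=$6;pgSwapOut_PS=$8}'`. Changing `FILL_BLANKS` from `"?"` to `"0"` also turns "not measured on this platform" into a plausible zero for `cSwitches`, `interrupts` and `forks`; for an event source the old marker was more honest, and a detection built on "context switches dropped to 0" would now fire on every Mac.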
@@ -23,16 +23,16 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2' if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi # shellcheck disable=SC2016 PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}' # shellcheck disable=SC2016 PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}' # shellcheck disable=SC2016 - PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' + PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' # shellcheck disable=SC2016 PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}' # shellcheck disable=SC2016 
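Review bot: As in vmstat.sh, `/(K|pages) paged out$/` lets `pgPageOut` be pages on one host and kibibytes on another with no indication in the metric, and because this script feeds a metrics index the mismatch silently skews any aggregate across hosts of different procps versions. Normalize in the parser (`/pages paged out$/ {pgPageOut=$1*PAGESIZE/1024}` with `-v PAGESIZE=$(getconf PAGESIZE)` supplied where the awk is invoked, outside this hunk) or document the unit ambiguity on `PARSE_2`. The `DEFINE` lines repeat the `ip -4 route show default | awk '{print $9}'` positional parsing already noted for cpu_metric.sh; it fails the same way here on hosts whose default route has no `proto`/`src` fields or has more than one default route.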
@@ -136,9 +136,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand sysctl assertHaveCommand top - assertHaveCommand sar + assertHaveCommand vm_stat # shellcheck disable=SC2016 - CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2' + CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"' DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' # shellcheck disable=SC2016 
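Review bot: The `awk` that extracts `Pageouts:` and `Swapouts:` prints `$NF`, which on current macOS `vm_stat` output ends with a period (`Pageouts: 123.`); the later parsers only work because they do `0+$2`, which coerces `123.` to a number, and that coupling is undocumented. Strip it at the source so the intermediate lines are clean numbers: `vm_stat | awk "/Pageouts:/{v=\$NF; sub(/\\.$/,\"\",v); print \"pgpageout \" v} …"`, or add a comment on the `CMD` noting the trailing period and the reliance on coercion. The five-second `vm_stat -c5 1` blocking time applies here as well and should be noted next to the interval guidance for this input.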
@@ -148,24 +148,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then # shellcheck disable=SC2016 PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}' # shellcheck disable=SC2016 - PARSE_3='/^VM:/ {pgPageOut=0+$7}' - if $OSX_GE_SNOW_LEOPARD; then - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' - else - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}' - fi + PARSE_3='/^pgpageout / {pgPageOut=0+$2}' + # shellcheck disable=SC2016 + PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' # shellcheck disable=SC2016 PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}' # shellcheck disable=SC2016 PARSE_6='/^CPU_COUNT/ {cpuCount=$2}' # shellcheck disable=SC2016 - PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}' + PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}' # shellcheck disable=SC2016 - PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}' + PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" - FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}' + FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/default/app.conf b/default/app.conf index 52645ba..444c420 100644 --- a/default/app.conf +++ b/default/app.conf 
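Review bot: Same overwrite as in vmstat.sh: `PARSE_8` sets `pgSwapOut` to the cumulative `Swapouts:` counter and `PARSE_7` then replaces it with the per-second `swoups` average because that line comes later in `CMD`'s output, so the Darwin metric `pgSwapOut` is a rate while the Linux metric of the same name is a counter. Rename the rate fields in `PARSE_7` (`pgSwapIn_PS=$6;pgSwapOut_PS=$8`) so `PARSE_8` is the only writer of `pgSwapOut`. Here the `"?"` to `"0"` change in `FILL_BLANKS` is defensible, since a metrics index needs numeric values, but a comment should say these four are zero because macOS does not expose them, not because they were measured.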
@@ -12,19 +12,19 @@ build = 1720176219 [ui] setup_view = ta_nix_configuration is_visible = true -label = Splunk Add-on for Unix and Linux +label = Technical Add-on for Unix and Linux docs_section_override = AddOns:released [launcher] -author = Splunk, Inc. -version = 9.2.0 -description = Splunk Add-on for Unix and Linux +author = Michael Erdely +version = 9.2.0.1 +description = Technical Add-on for Unix and Linux [package] -id = Splunk_TA_nix +id = TA-unix check_for_updates = true [id] -name = Splunk_TA_nix -version = 9.2.0 +name = TA-unix +version = 9.2.0.1 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md new file mode 100644 index 0000000..a28658b --- /dev/null +++ b/docs/ReleaseNotes.md @@ -0,0 +1,18 @@ +# Technical Add-on for Unix and Linux + +## Version 9.2.0.1 + +Initial fork of the Splunk Add-on for Unix and Linux + +Changes: + +* Use ip command to determine IP address + ('hostname -I' does not work on all Linux systems) +* Filter out multiple listing of the same btrfs volume +* Use mktemp for temp files (for times when the TA may be run outside of Splunk) +* If running rlog.sh outside of Splunk, use $HOME to store seek file +* Debian also uses apt +* Arch Linux uses pacman +* Add use of sudo -n for 'apt update' and 'pacman -Syy' +* vmstat uses "K paged out" +* Replace the use of 'sar' with netstat and vm_stat for MacOS diff --git a/splunkbase.manifest b/splunkbase.manifest index 934b98e..7099cc4 100644 --- a/splunkbase.manifest +++ b/splunkbase.manifest @@ -1,10 +1,11 @@ { "version": "1.0", "date": "2024-10-18T12:52:23.073000921Z", + "date": "2025-01-08T18:38:19.132050611Z", "hashAlgorithm": "SHA-256", "app": { "id": 833, - "version": "9.2.0", + "version": "9.2.0.1", "files": [ { "path": "LICENSES/Apache-2.0.txt", 
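Review bot: `[package] id = TA-unix` and `[id] name = TA-unix` disagree with app.manifest, which this same commit sets to `"name": "TA-nix"`; Splunk expects the app.conf id, the manifest id and the install directory to agree, so one of the files is wrong and the package will either fail validation or install under a name its manifest does not claim — pick one identifier and use it in both. `check_for_updates = true` was inherited from the Splunkbase-published original; for a fork not published under this id it should be `false`, otherwise splunkd will offer whatever app later appears on Splunkbase as `TA-unix` as an "update" to this code, which is a substitution risk rather than just noise. `docs_section_override = AddOns:released` still routes the in-product help link to Splunk's documentation for the original add-on.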
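Review bot: The hunk adds a second `"date"` key instead of replacing the first, so the top-level object now has duplicate keys; RFC 8259 leaves the outcome undefined, I-JSON forbids it, and parsers variously keep the last value or reject the document — the 2024 context line should have been a removal. `"id": 833` is the Splunkbase identifier of Splunk's own add-on and is kept even though the app is now distributed elsewhere; this manifest is normally generated by Splunkbase, and hand-maintaining its hash list is fragile — the visible hunks do not add an entry for the new `docs/ReleaseNotes.md` (it may be in a hunk not shown), so anything verifying the package against the manifest would see a mismatch. Either regenerate the file with the packaging tooling or drop it from the fork.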
@@ -28,11 +29,11 @@ }, { "path": "VERSION", - "hash": "4b083d27782e80fd5bce34252adc7de9e9ab611475e170cb507e49586483025e" + "hash": "fd47b230df0f247b21e965b9529efd00447fdbf1cb1740848b529f79a9feacac" }, { "path": "app.manifest", - "hash": "24b4bb6f47bc1472038f5c983ec91705052162da89555f52a78c9f3c830cfd82" + "hash": "251b481753129caea80da188d33f2b99bbd178560e136ee2936b4e9499e1416e" }, { "path": "appserver/static/appIcon.png", @@ -76,19 +77,19 @@ }, { "path": "bin/cpu_metric.sh", - "hash": "2d175a98ded5f141b20fd3b3847217447b5489b4d989512d8b8679a4f2777a0b" + "hash": "c5e937d91afab8ec06376a0db3c79f37e0da6377ea2b34cfde67793d89fd14d5" }, { "path": "bin/df.sh", - "hash": "27b0ad779340e6bd8a26e296ce9b0b9cd2721eaadcf4669e5579560a676c9db7" + "hash": "15c4e33987209afe1cb807af7aecfbd522107746d318827d161d1ee233d00acf" }, { "path": "bin/df_metric.sh", - "hash": "4457b92d8d8ee24441eb38df2134113f5a821111b7c3573b48313adcee39d3e8" + "hash": "286830c6b30cc9a3e5240e3b63db0edd2c68c9e797d452483dea09b4ad6f48e9" }, { "path": "bin/hardware.sh", - "hash": "20e341826d21047e9cc3b7cd632422f6b9a0364282333616c1f912b4dddb7093" + "hash": "7722f446226609784d219cb525eee3ed65d622ce05122301f65625c6fd2e4434" }, { "path": "bin/interfaces.sh", @@ -96,7 +97,7 @@ }, { "path": "bin/interfaces_metric.sh", - "hash": "9458deb6ba4c56a22264df75d42945e170f6f1a729d93220617c85810733ef19" + "hash": "374e24c7e87669fbd25ded5e56c05fd057c0c272e03e0df6cabcd5db31267db9" }, { "path": "bin/iostat.sh", @@ -104,7 +105,7 @@ }, { "path": "bin/iostat_metric.sh", - "hash": "4af68e89e6a93fa34ccd724ff78a509b7868bc06e60a4f16a6aa24d300d8efc8" + "hash": "59b775cc60e92950605b621989ee17aa947adc07d407c78b657ecedf90452f77" }, { "path": "bin/lastlog.sh", 
@@ -148,15 +149,15 @@ }, { "path": "bin/ps_metric.sh", - "hash": "0c3dc356f47728b9b99be79fffe40256eded1644f599b1bbe8b1a9e8db05b10d" + "hash": "ff65aec6a98560667d08e1b75f4661d99b5255be239756f89cc72a58d1e44fe2" }, { "path": "bin/rlog.sh", - "hash": "271fcaf091527670df3e794c29d7bf57d1371909c72c25d56c79dd136b029513" + "hash": "96d0cc8f2c0beec46bca37d7ddf73c122f76525b7363d9a2fec92125abab83a2" }, { "path": "bin/selinuxChecker.sh", - "hash": "07135df789924f8d4f5ae8228ccbfe0a5e47756de202fcf00a019a12712d8312" + "hash": "409ad1927603069c7b08e09e60f2edf1c7e50f02eb6a64c7a514693131dc82e6" }, { "path": "bin/service.sh", @@ -184,7 +185,7 @@ }, { "path": "bin/update.sh", - "hash": "048f6e678f873d2b856ec851c52389d9f8d5ccde0fee0ead0dcf5348cc3cb587" + "hash": "2cce5510b8cf94e3c32681c934985a01164e2b63b64d458de9a7dc0ff81bc679" }, { "path": "bin/uptime.sh", @@ -200,11 +201,11 @@ }, { "path": "bin/vmstat.sh", - "hash": "b816aa5e67ad18b995eb577e16ca7c91ae3ecdeeb019d0b79321ade83a90daef" + "hash": "9ce5a407629d5d47c2c3f8b1d046f712d24a232950c54d450ddbc21bd34aea84" }, { "path": "bin/vmstat_metric.sh", - "hash": "47df351e2afd7abedb49f8d38f5350ce6276fdb512005ba56e7ff9692f581515" + "hash": "85c516f1d73b9cb45e3b16819fada786753fa417f2fbded1955ccace62de41f8" }, { "path": "bin/vsftpdChecker.sh", @@ -216,7 +217,7 @@ }, { "path": "default/app.conf", - "hash": "451c717df6073aabd78b5ba4abb33ac71b6d61df8d46a243913b01ed9ac77040" + "hash": "e5c48e804d836b03361fea96c1e78f265116f5117a739f4dad9bc1916ad873f8" }, { "path": "default/data/ui/nav/default.xml", @@ -320,7 +321,8 @@ "9.0", "9.1", "9.2", - "9.3" + "9.3", + "9.4" ], "architectures": [ "x86_64" @@ -356,4 +358,4 @@ ] } ] -} \ No newline at end of file +}