diff --git a/THIRDPARTY b/THIRDPARTY index 3c4aff4..4b08779 100644 --- a/THIRDPARTY +++ b/THIRDPARTY @@ -7,9 +7,9 @@ The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. -Date generated: 2024-7-5 +Date generated: 2025-1-31 -Revision ID: a08b431842df3cfc234ba3f0675de8898f9ef6ac +Revision ID: 79a4b3bf642285d427e11cd81adb8baaf923e0e9 ================================================================================ ================================================================================ @@ -55,7 +55,14 @@ No licenses found ================================================================================ +================================================================================ + + Copyrights + +================================================================================ + + -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -Report Generated by FOSSA on 2024-7-5 +Report Generated by FOSSA on 2025-1-31 diff --git a/VERSION b/VERSION index e4b0645..17a98bb 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.13 -9.2.0.13 +10.0.0.0 +10.0.0.0 diff --git a/app.manifest b/app.manifest index d8b132e..6477357 100644 --- a/app.manifest +++ b/app.manifest 
@@ -1,66 +1,66 @@ { - "dependencies": null, - "incompatibleApps": null, - "info": { - "author": [ - { - "company": "erdelynet.com", - "email": "mike@erdelynet.com", - "name": "erdelynet.com" - } - ], - "classification": { - "categories": [ - "IT Operations", - "Utilities" - ], - "developmentStatus": "Production/Stable", - "intendedAudience": "IT" - }, - "commonInformationModels": { - "Authentication": "=4.20.2", - "Change": "=4.20.2", - "Endpoint": "=4.20.2", - "Inventory": "=4.20.2", - "Network Sessions": "=4.20.2", - "Performance": "=4.20.2" - }, - "description": "Technical Add-on for Unix and Linux", - "id": { - "group": null, - "name": "TA-nix", - "version": "9.2.0.13" - }, - "license": { - "name": "Splunk Software License Agreement", - "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", - "uri": "http://www.splunk.com/view/SP-CAAAAFA" - }, - "privacyPolicy": { - "name": null, - "text": null, - "uri": null - }, - "releaseDate": null, - "releaseNotes": { - "name": "README", - "text": "./README.txt", - "uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md" - }, - "title": "Technical Add-on for Unix and Linux" + "dependencies": null, + "incompatibleApps": null, + "info": { + "author": [ + { + "name": "Michael Erdely", + "email": mike@erdelynet.com, + "company": "erdelynet.com" + } + ], + "classification": { + "categories": [ + "IT Operations", + "Utilities" + ], + "developmentStatus": "Production/Stable", + "intendedAudience": "IT" }, - "inputGroups": null, - "platformRequirements": null, - "schemaVersion": "2.0.0", - "supportedDeployments": [ - "_standalone", - "_distributed", - "_search_head_clustering" - ], - "targetWorkloads": [ - "_search_heads", - "_forwarders", - "_indexers" - ], - "tasks": null + "commonInformationModels": { + "Authentication": "==4.20.2", + "Change": "==4.20.2", + "Endpoint": "==4.20.2", + "Inventory": "==4.20.2", + "Network Sessions": "==6.0.2", + "Performance": "==4.20.2" + }, + "description": "Technical Add-on for Unix and 
Linux", + "id": { + "group": null, + "name": "TA-unix", + "version": "10.0.0.0" + }, + "license": { + "name": "Splunk Software License Agreement", + "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", + "uri": "http://www.splunk.com/view/SP-CAAAAFA" + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseDate": null, + "releaseNotes": { + "name": "README", + "text": "./README.txt", + "uri": "https://git.erdelynet.com/mike/TA-unix/docs/ReleaseNotes.md" + }, + "title": "Technical Add-on for Unix and Linux" + }, + "inputGroups": null, + "platformRequirements": null, + "schemaVersion": "2.0.0", + "supportedDeployments": [ + "_standalone", + "_distributed", + "_search_head_clustering" + ], + "targetWorkloads": [ + "_search_heads", + "_forwarders", + "_indexers" + ], + "tasks": null } diff --git a/bin/cpu.sh b/bin/cpu.sh index 92f6698..6e13cff 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh @@ -7,9 +7,9 @@ assertHaveCommand column -HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' +HEADER='Datetime CPU pctUser pctNice pctSystem pctIowait pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" -PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' +PRINTF='{printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand sar 
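Review bot: The new author entry writes the address unquoted, `"email": mike@erdelynet.com,`, which is not valid JSON, so a strict manifest parser (Splunk's app validation included) will reject the whole file; it should be `"email": "mike@erdelynet.com",`. The `commonInformationModels` block also pins `"Network Sessions": "==6.0.2"` while every other model stays on `==4.20.2`; as far as I can tell a single Splunk_SA_CIM install cannot satisfy both pins at once, so if this is intentional a sentence in the release notes would help. The switch from `=` to `==` in the version pins is presumably deliberate, but is worth confirming against the app.manifest schema the target Splunk version expects.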
@@ -17,19 +17,32 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand mpstat FOUND_MPSTAT=$? if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -P ALL 1 1' + CMD='sar -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' elif [ $FOUND_MPSTAT -eq 0 ] ; then - CMD='mpstat -P ALL 1 1' + CMD='mpstat -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' else failLackMultipleCommands sar mpstat fi # shellcheck disable=SC2016 FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' + + PRINTF='{ + if ($0 ~ /all/) { + print header; + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } else { + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } + }' + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "SunOS" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' else 
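Review bot: `strftime()` in both new FORMAT strings is a gawk/mawk extension rather than POSIX awk, so on a host where `$AWK` (set outside this hunk, presumably in common.sh) resolves to BusyBox or the original awk the Datetime column comes out empty and, with the new props.conf timestamp settings, every event then fails time extraction. The SunOS branch in the same commit takes the timestamp in the shell instead; doing likewise here keeps the awk program portable: `formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")` before the `if`, and `datetime="'"$formatted_date"'";` in place of the `strftime` call. That stamps all five samples with the start time of the 10-second `sar -P ALL 2 5` run, which seems acceptable for this interval; if per-sample times are required, document the gawk dependency in the README instead.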
@@ -37,9 +50,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then fi assertHaveCommand "$CMD" # shellcheck disable=SC2016 - FILTER='($1=="CPU") {exit 1}' + FILTER='($1=="CPU") {exit 1}' # shellcheck disable=SC2016 - FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' + FORMAT='{datetime="'"$formatted_date"'"; cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' elif [ "$KERNEL" = "AIX" ] ; then queryHaveCommand mpstat queryHaveCommand lparstat 
@@ -78,46 +91,72 @@ elif [ "$KERNEL" = "AIX" ] ; then DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" # Get cpu stats using mpstat command and manipulate the output for adding extra fields - CMD='mpstat -a 1 1' + CMD='mpstat -a 2 5' # shellcheck disable=SC2016 - FORMAT='BEGIN {flag = 0} + + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + BEGIN { + flag = 0; + header = ""; + } { if($0 ~ /System configuration|^$/) {next} + if($1 ~ /^-+$/ && header != "") { + print header; + next; + } + if($0 ~ /cpu / && flag == 1) {next} if(flag == 1) { # Prepend extra field values from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } if($0 ~ /ALL/) { - $1 = CPUPool; - $2 = OnlineVirtualCPUs; - $3 = EntitledCapacity; + $1 = get_current_time(); + $2 = CPUPool; + $3 = OnlineVirtualCPUs; + $4 = EntitledCapacity; } else { - $1 = "-"; + $1 = get_current_time(); $2 = "-"; $3 = "-"; + $4 = "-"; } } if($0 ~ /cpu /) { # Prepend extra field headers from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } - $1 = "CPUPool"; - $2 = "OnlineVirtualCPUs"; - $3 = "EntitledCapacity"; + $1 = "Datetime"; + $2 = "CPUPool"; + $3 = "OnlineVirtualCPUs"; + $4 = "EntitledCapacity"; flag = 1; + + header = $1; + for (i = 2; i <= NF; i++) { + header = header sprintf("%21s ", $i); + } } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { - printf "%17s ", $i; + printf "%21s ", $i; } print ""; }' 
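Review bot: `printf $1;` in the new output loop passes the field as the printf format string, so any `%` in it would be interpreted rather than printed; today `$1` is only the date or the literal `Datetime`, but `printf "%s", $1;` is the safe idiom and costs nothing (the same construct appears in the cpu_metric.sh AIX hunk further down). `get_current_time()` forks a `date` process for every emitted row, one per CPU per sample with `mpstat -a 2 5`, which on a large LPAR is a lot of spawns for a value that only changes between samples; calling it once when the `cpu ` header row or the separator line is seen and reusing the result would be cheaper. The awk program assembled in `FORMAT` is consumed by a pipeline outside this hunk, so I could not confirm how `header` is emitted for the first sample.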
@@ -126,28 +165,46 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle' + HEADER='Datetime CPU pctUser pctSystem pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}' + PRINTF='{printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 FILTER='($1 !~ "CPU") {next;}' # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + }' + PRINTF='{ + print header; + printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle; + }' + + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "OpenBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -1 -b; top -b' assertHaveCommand "$CMD" # shellcheck disable=SC2016 
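Review bot: The first sample of `top -l N` on macOS reports CPU figures accumulated since boot rather than over the sampling interval (only the second and later samples are deltas), so the first of the five rows `top -l 5 -s 2` now produces is the same untrustworthy number the old `top -l 1` gave, except it is now timestamped and indexed alongside four good ones. If that matches your experience, drop it in FILTER with a counter, e.g. `($1 !~ "CPU") {next;} ++seen == 1 {next;}`, and use `top -l 6 -s 2` to keep five usable samples. `print header;` before every row is consistent with the `LINE_BREAKER=([\r\n]+)Datetime\s+` rule in props.conf, so that part looks intentional.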
@@ -159,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then else if ($1 ~ /^CPU[0-9]+$/) cpu=substr($1,4); else cpu=0; + datetime="'"$formatted_date"'"; pctUser=substr($3,1,length($3)-1); pctNice=substr($5,1,length($5)-1); pctSystem=substr($7,1,length($7)-1); @@ -166,6 +224,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then pctIdle=substr($13,1,length($13)-1); }' elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 @@ -175,6 +234,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; 
@@ -189,15 +251,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then pctIdle = remove_char($(NF-1), "%"); pctIowait = "0.0"; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address values - $1 = OSName; - $2 = OSVersion/1000; - $3 = IP_address; + # Prepend Datetime, OSName, OS_version, IP_address values + $1 = get_current_time(); + $2 = OSName; + $3 = OSVersion/1000; + $4 = IP_address; # Prepend lparstat field values if($0 ~ /ALL/) { - $4 = CPUPool; - $5 = OnlineVirtualCPUs; - $6 = EntitledCapacity; + $5 = CPUPool; + $6 = OnlineVirtualCPUs; + $7 = EntitledCapacity; } else { - $4 = "-"; $5 = "-"; $6 = "-"; + $7 = "-"; } } if($0 ~ /cpu /) { - for(i=NF+7; i>=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address headers - $1 = "OSName"; - $2 = "OS_version"; - $3 = "IP_address"; + # Prepend Datetime, OSName, OS_version, IP_address headers + $1 = "Datetime"; + $2 = "OSName"; + $3 = "OS_version"; + $4 = "IP_address"; # Prepend lparstat field headers - $4 = "CPUPool"; - $5 = "OnlineVirtualCPUs"; - $6 = "EntitledCapacity"; + $5 = "CPUPool"; + $6 = "OnlineVirtualCPUs"; + $7 = "EntitledCapacity"; flag = 1; } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { printf "%17s ", $i; } 
@@ -143,11 +158,11 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address' + HEADER='Datetime pctUser pctSystem pctIdle OSName OS_version IP_address CPU' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}' + PRINTF='{printf "%-28s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address, cpu}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 
@@ -156,20 +171,30 @@ elif [ "$KERNEL" = "Darwin" ] ; then DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - OSName=OSName; - OS_version=OS_version; - IP_address=IP_address; - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + OSName=OSName; + OS_version=OS_version; + IP_address=IP_address; + }' elif [ "$KERNEL" = "OpenBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -1 -b; top -b' assertHaveCommand "$CMD" # shellcheck disable=SC2016 @@ -183,6 +208,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then else if ($1 ~ /^CPU[0-9]+$/) cpu=substr($1,4); else cpu=0; + datetime="'"$formatted_date"'"; pctUser=substr($3,1,length($3)-1); pctNice=substr($5,1,length($5)-1); pctSystem=substr($7,1,length($7)-1); @@ -190,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then pctIdle=substr($13,1,length($13)-1); }' elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 
@@ -201,6 +228,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; @@ -218,16 +248,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then OS_version=OS_version; IP_address=IP_address; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5> "$TEE_DEST" +$CMD1 | tee -a "$TEE_DEST" -$CMD2 | tee -a "$TEE_DEST" echo "Cmd2 = [$CMD2]" >> "$TEE_DEST" +if [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then + TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile + OUTPUT=$($CMD2 2>$TMP_ERROR_FILTER_FILE) + + if grep -q "Timeout" < $TMP_ERROR_FILTER_FILE; then + LAST_LINE=$(echo "$OUTPUT" | tail -n 1) + if [[ "$LAST_LINE" == *"$SERVER"* ]]; then + echo "$LAST_LINE" | tee -a "$TEE_DEST" + fi + cat $TMP_ERROR_FILTER_FILE >> $TEE_DEST + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + elif grep -vq "Timeout" < $TMP_ERROR_FILTER_FILE; then + cat $TMP_ERROR_FILTER_FILE >&2 + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + else + echo "$OUTPUT" | tee -a "$TEE_DEST" + fi +else + $CMD2 | tee -a "$TEE_DEST" +fi diff --git a/bin/version.sh b/bin/version.sh index cddefda..9023cc7 100755 --- a/bin/version.sh +++ b/bin/version.sh 
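Review bot: The Darwin branch writes stderr of `$CMD2` to a fixed, predictable path, `TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile`, so two overlapping runs of this input clobber each other's file, and the file is never removed on the `else` path or if the script is interrupted. Prefer `TMP_ERROR_FILTER_FILE=$(mktemp "$SPLUNK_HOME/var/run/splunk/unix_time_error.XXXXXX") || exit 1` followed by `trap 'rm -f "$TMP_ERROR_FILTER_FILE"' EXIT`, and quote every expansion of it and of `$TEE_DEST` (`cat "$TMP_ERROR_FILTER_FILE" >> "$TEE_DEST"`), since `$SPLUNK_HOME` may contain spaces. `[[ "$LAST_LINE" == *"$SERVER"* ]]` is a bash-only test; if the script runs under `/bin/sh` (the shebang is outside this hunk) use `case "$LAST_LINE" in *"$SERVER"*) ...;; esac`. The start of this hunk is garbled in the page, so the removed `$CMD1`/`$CMD2` lines could not be fully reviewed.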
@@ -5,68 +5,62 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, KERN_REL, OS_NAME, KERN_VER, OS_REL, OS_VER, DISTRO}' +PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER, KERNEL_NAME, KERNEL_VERSION, KERNEL_RELEASE}' if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand date assertHaveCommand uname - [ -f /etc/os-release ] && . /etc/os-release - machine_arch=$(uname -p) - os_release=$(uname -r) - os_version=$(uname -v) - distro_name=Linux - [ -n "$NAME" ] && distro_name=$NAME - [ -n "$VERSION_ID" ] && os_release=$VERSION_ID - [ -n "$VERSION_ID" ] && os_version=$VERSION_ID - [ -r /etc/debian_version ] && grep -Eq "^[0-9.]+$" /etc/debian_version && os_release=$(cat /etc/debian_version) - [ "$BUILD_ID" = "rolling" ] && os_release=rolling - [ "$BUILD_ID" = "rolling" ] && os_version=rolling - which dpkg > /dev/null 2>&1 && machine_arch=$(dpkg --print-architecture) - [ "$NAME" = "Arch Linux" -o "$NAME" = "Arch Linux ARM" ] && machine_arch=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") - - CMD="eval date ; echo $distro_name ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version" -elif [ "$KERNEL" = "Darwin" ] ; then - assertHaveCommand date - assertHaveCommand uname - assertHaveCommand sw_vers - os_release=$(sw_vers --productVersion) - CMD="eval date ; echo MacOS ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" + VERSION=$(grep "^VERSION=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + NAME=$(grep "^NAME=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + VERSION_ID=$(grep "^VERSION_ID=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + MACHINE_ARCH=$(uname -p) + which dpkg > 
/dev/null 2>&1 && MACHINE_ARCH=$(dpkg --print-architecture) + which pacman > /dev/null 2>&1 && MACHINE_ARCH=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") && VERSION=rolling && VERSION_ID=rolling + CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; echo \"$MACHINE_ARCH\" ; eval uname -s ; eval uname -v ; eval uname -r" elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo $KERNEL ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p;' + CMD='eval date ; eval uname -m ; eval uname -r ; echo $KERNEL ; eval uname -r; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r;' +elif [ "$KERNEL" = "Darwin" ] ; then + # Darwin-macos uses sw_vers for os version, name and release switch. + assertHaveCommand date + assertHaveCommand uname + VERSION=$(sw_vers -BuildVersion) + NAME=$(sw_vers -productName) + VERSION_ID=$(sw_vers -ProductVersion) + CMD="eval date ; eval uname -m ; echo \"$VERSION_ID ($VERSION)\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r" elif [ "$KERNEL" = "HP-UX" ] ; then # HP-UX lacks -p switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo HP-UX ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' + CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' elif [ "$KERNEL" = "AIX" ] ; then # AIX uses oslevel for version and release switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo AIX ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' + CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel ; eval uname -m ; eval uname -s ; eval uname -v; eval uname -r' fi # Get the date. 
# shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 -PARSE_1='NR==2 {DISTRO="distro_name=\"" $0 "\""}' +PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_2='NR==3 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' +PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_3='NR==4 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' +PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_4='NR==5 {OS_NAME="os_name=\"" $0 "\""}' +PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_5='NR==6 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' +PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_6='NR==7 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' +PARSE_6='NR==7 {KERNEL_NAME="kernel_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_7='NR==8 {OS_REL="os_release=\"" $0 "\""}' +PARSE_7='NR==8 {KERNEL_VERSION="kernel_version=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_8='NR==9 {OS_VER="os_version=\"" $0 "\""}' +PARSE_8='NR==9 {KERNEL_RELEASE="kernel_release=\"" $0 "\""}' MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" diff --git a/default/app.conf b/default/app.conf index 41c30da..2f0a003 100644 --- a/default/app.conf +++ b/default/app.conf @@ -7,7 +7,7 @@ [install] is_configured = false state = enabled -build = 1720176219 +build = 1738793362 [ui] setup_view = ta_nix_configuration @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.13 +version = 10.0.0.0 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.13 +version = 10.0.0.0 
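Review bot: The rewritten Darwin branch calls `sw_vers` three times but drops the `assertHaveCommand sw_vers` guard the old branch had, so on a host without it the script silently emits empty VERSION/NAME/VERSION_ID instead of failing early like the other branches; restore `assertHaveCommand sw_vers` after `assertHaveCommand uname`. The HP-UX `CMD` now produces only five lines while `PARSE_5` to `PARSE_8` read lines 6 to 9, so `machine_architecture_name`, `kernel_name`, `kernel_version` and `kernel_release` are never set there and `PRINTF` prints blanks for them; the AIX and BSD branches were padded to nine lines and HP-UX should be too (e.g. `; echo ; eval uname -s ; eval uname -v ; eval uname -r`). The Linux branch splices `$VERSION`, `$NAME` and `$VERSION_ID` from `/etc/*-release` into the command string that is evaluated later (outside this hunk); those files are root-owned so the exposure is small, but a `$(...)` or backtick inside a value would execute, as with the old `$distro_name`, and a one-line comment stating that assumption would help the next reader.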
diff --git a/default/eventtypes.conf b/default/eventtypes.conf index 45efebe..9b4820b 100644 --- a/default/eventtypes.conf +++ b/default/eventtypes.conf @@ -233,12 +233,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" #tags = application authentication remote +## sshd-session +[sshd_session_start] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password") +#tags = network session start + +[sshd_session_end] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user" +#tags = network session end + ## sshd [sshd_authentication] # osx sshd authentication error # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 # Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host -search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") +search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure #tags = authentication remote [ssh_login_postponed] 
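Review bot: `sshd_session_start` matches `"Failed password for"`, `"Connection closed by invalid user"`, `"Unable to negotiate"`, `"banner exchange"` and `"Could not get shadow information"`, none of which opens a session, yet the tags.conf hunk in this same commit tags the eventtype `network`/`session`/`start`, so failed logins and rejected connections will be counted as started sessions in the Network Sessions data model. Keep only the successful outcomes here, `("Accepted password" OR "session opened for user")`, and route the failure strings to an authentication eventtype with a failure tag, which is also where the `sshd-session-login-failed` transform already sets `action::"blocked"`. The same check applies to `sshd_session_end`, where a bare `"Connection closed by"` also matches pre-auth closes that never started a session.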
@@ -246,7 +255,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed # no tags assigned to this eventtype [ssh_open] -search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) +search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure #tags = communicate connect # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 @@ -577,7 +586,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*" ###### ADDED FROM UNIX APP ###### [failed_login] -search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" +search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure #tags = authentication [Failed_SU] diff --git a/default/props.conf b/default/props.conf index 417652d..1ca0fc8 100644 --- a/default/props.conf +++ b/default/props.conf @@ -112,10 +112,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat [cpu_metric] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +# Timestamp extraction settings +TIME_PREFIX = ^ +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z +MAX_TIMESTAMP_LOOKAHEAD = 25 + TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = none INDEXED_EXTRACTIONS = CSV FIELD_DELIMITER=whitespace 
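Review bot: In `ssh_open`, `sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure` is parsed with AND binding tighter than OR, so the new exclusion applies only to the `connection from` branch and `session opened` events from `linux_secure` still match, defeating the apparent purpose of the change. Parenthesise the alternatives as the `failed_login` hunk below does: `sshd ((session opened) OR (connection from)) AND NOT sourcetype=linux_secure`. The `sshd_authentication` change a few lines earlier chains only implicit ANDs and is fine.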
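Review bot: `TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z` depends on a timezone abbreviation, and abbreviations are ambiguous (IST, CST, AMT and others each name several offsets), so forwarders in those zones will be stamped with whichever offset Splunk picks; since the producers are changed in this same commit, emit a numeric offset instead, `date +"%m/%d/%y_%H:%M:%S_%z"` / `strftime("%m/%d/%y_%H:%M:%S_%z")` in the scripts and `TIME_FORMAT = %m/%d/%y_%H:%M:%S_%z` here, which is unambiguous and keeps the field comfortably inside `MAX_TIMESTAMP_LOOKAHEAD = 25`. Dropping `DATETIME_CONFIG = CURRENT` also affects forwarders still running the pre-10.0 scripts, whose events carry no Datetime column; the comment in the `[cpu]` section says old and new data should coexist, so expect those events to fall back to Splunk's default timestamp heuristics rather than ingest time.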
@@ -174,10 +176,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps ## Scripted Event Inputs ######################### [cpu] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +LINE_BREAKER=([\r\n]+)Datetime\s+ +EVENT_BREAKER=([\r\n]+)Datetime\s+ + +# Timestamp extraction settings +TIME_PREFIX = \n +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z + +EVENT_BREAKER_ENABLE=true +SHOULD_LINEMERGE = false TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = multi FIELDALIAS-dest_for_cpu = host as dest FIELDALIAS-src_for_cpu = host as src @@ -570,19 +578,6 @@ FIELDALIAS-dest = host as dest # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. -###### Global ###### -# [source::...(linux.*|sample.*.linux)] -# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen - -# [source::...(osx.*|sample.*.osx)] -# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen - -# [source::...(solaris.*|sample.*.solaris)] -# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen - -# [source::...sample.*.unix] -# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen - ## support for linux only [Linux:SELinuxConfig] EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules" 
@@ -655,9 +650,10 @@ FIELDALIAS-dest = host as dest [source::...Unix:Version] SHOULD_LINEMERGE = false -FIELDALIAS-family_for_nix_version = os_name as family +EVAL-description = "script" +EVAL-family = coalesce(kernel_name, os_name) LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range -FIELDALIAS-version_for_nix_version = os_release as version +EVAL-version = if(isnotnull(kernel_version),os_version,os_release) FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null()) EVAL-vendor_product = if(isnotnull(os_name),os_name,null()) 
@@ -745,13 +741,16 @@ EVENT_BREAKER_ENABLE = true ## Event extractions by type EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app) -REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication +REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication EVAL-action = if(app="su" AND isnull(action),"success",action) REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-routing = iptables -EVAL-signature = 
if(isnotnull(inbound_interface),"firewall",null()) +EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature) +EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null()) +EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src) +EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null()) REPORT-dest_for_linux_secure = loghost_as_dest LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action @@ -803,3 +802,6 @@ SHOULD_LINEMERGE = false TIME_PREFIX = audit\( MAX_TIMESTAMP_LOOKAHEAD=23 MAX_DAYS_AGO=3650 +EXTRACT-proctitle = .*proctitle=(?.*)$ +EXTRACT-execve_command = .*type=EXECVE.*a0=(?.*)$ +EVAL-execve_command = replace(execve_command, "a\d+=", "") diff --git a/default/tags.conf b/default/tags.conf index 3e38c29..6130cb3 100644 --- a/default/tags.conf +++ b/default/tags.conf @@ -262,6 +262,18 @@ authentication = enabled remote = enabled ## sshd + +## Network_Sessions +[eventtype=sshd_session_start] +network = enabled +session = enabled +start = enabled + +[eventtype=sshd_session_end] +network = enabled +session = enabled +end = enabled + [eventtype=sshd_authentication] authentication = enabled remote = enabled @@ -834,8 +846,6 @@ system = enabled version = enabled inventory = enabled oshost = enabled -cpu = enabled -memory = enabled ## VSFTDP Config diff --git a/default/transforms.conf b/default/transforms.conf index 7039cf3..f246b72 100644 --- a/default/transforms.conf +++ b/default/transforms.conf 
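Review bot: `EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null())` misspells the value, so searches and lookups keyed on the conventional `administrator` will never match; change the literal to `"administrator"`. `EVAL-dest_dns` copies the plain `dest` value, which in these events is usually a hostname from the log prefix but may be an IP; if an IP is acceptable to whatever consumes `dest_dns` a short comment saying so would help, otherwise guard it with a `match()` on the value.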
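Review bot: The two new extractions read here as `.*proctitle=(?.*)$` and `a0=(?.*)$`, i.e. a named group with an empty name, which the regex engine will fail to compile; if the real file has `(?<proctitle>.*)` and `(?<execve_command>.*)` this is only a rendering artefact, but please verify. Also note that auditd hex-encodes `proctitle` and any `aN=` value containing spaces or non-printables, so `EVAL-execve_command = replace(execve_command, "a\d+=", "")` passes hex through unchanged for exactly the commands most worth reading; a comment stating that limitation, or a hex-decoding step, would avoid false confidence in the field.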
@@ -201,7 +201,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm,
 INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
 [extract_cpu_metric_field]
-INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
+INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0")
 [metric-schema:extract_metrics_iostat]
 METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
@@ -294,25 +294,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs
 REGEX = exe=.*\/(\S+)\"
 FORMAT = command::$1
+## Network_Sessions
+
+# SSHD evnets for OpenSSH >= v9.8
+# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
+# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
+[sshd-session-login-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1
+
+# Jan 3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2
+[sshd-session-login-accepted]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"started" signature::$1 user::$2 src_ip::$3
+
+# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth]
+[sshd-session-invalid-user]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3
+
+# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234
+[sshd-session-connection-close]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"ended" signature::$1 src_ip::$2
+
+# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
+[sshd-session-key-negotiation-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found
+FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1
+
+# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format
+[sshd-session-banner-exchange-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format
+FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1
+
+# Jan 2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER
+[sshd-session-shadow-info-error]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+)
+FORMAT = action::"blocked" signature::$1 user::$2
+
+# Jan 3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0)
+[sshd-session-pam_unix_authentication_success]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
+FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5
+
+# Jan 3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out
+[sshd-session-read-error-timeout]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out)
+FORMAT = action::"ended" src_ip::$1 signature::$2
+
+# Jan 3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234
+[sshd-session-disconnect]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3
+
+# Jan 3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user
+[sshd-session-closed-for-user]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$
+FORMAT = action::"ended" signature::$1 user::$2
 ## Authentication
 # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
 [ssh-login-accepted]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
 # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
 # Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
+# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
+# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
 [ssh-login-failed]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
 [ssh-invalid-user]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
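Review bot: A `Failed password for devuser from ...` line from `sshd-session` now matches both the new `[sshd-session-login-failed]` (`action::"blocked"`, `src_ip`) and the widened `[ssh-login-failed]` (`action::"failure"`, `src`), and the props hunk lists both under `REPORT-0authentication_for_linux_secure`, so `action` becomes multivalued (`blocked` and `failure`) on a single event. The same overlap exists between `[sshd-session-login-accepted]` and `[ssh-login-accepted]` (`started`/`success`) and between `[sshd-session-pam_unix_authentication_success]` and `[linux_secure_pam_unix_authentication_success]` in the `@@ -358,6` hunk (`started`/`success`). Searches on `action=failure` still hit, but anything keyed on a single action value or counting by action will double-count, so either restrict the new stanzas to lines the old ones do not match or carry the session state in a separate field; a comment on `## Network_Sessions` stating the intended precedence would at least make the overlap deliberate. `[sshd-session-shadow-info-error]` also labels `Could not get shadow information` as `blocked`, although it is a local lookup error rather than a rejected connection.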
@@ -330,8 +390,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?
 FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
+# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user
 [ssh-disconnect]
-REGEX = (Received disconnect) from ([^\s]+):
+REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+)
 FORMAT = name::$1 src_ip::$2
 [sshd_authentication_kerberos_success]
@@ -358,6 +419,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
 REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
 FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
+[linux_secure_pam_unix_authentication_success]
+REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
+FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user"
+
 [passwd-auth-failure]
 REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
 FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
@@ -476,26 +541,6 @@ FORMAT = signature::$1
 ##
-[force_host_for_linux_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-001
-
-[force_host_for_osx_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-002
-
-[force_host_for_solaris_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-003
-
-[force_host_for_unix_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-004
-
 ## Service
 [nix_linux_service_startmode_lookup]
 filename = nix_linux_service_startmodes.csv
@@ -504,10 +549,6 @@ filename = nix_linux_service_startmodes.csv
 [nix_da_update_status_lookup]
 filename = nix_da_update_status.csv
-[Description_for_installedupdates]
-REGEX = ^Description=([^\r\n]+)
-FORMAT = Description::$1
-
 ## Version
 [nix_da_version_range_lookup]
 filename = nix_da_version_ranges.csv
@@ -515,24 +556,4 @@ filename = nix_da_version_ranges.csv
 [nix_linux_audit_action_lookup]
 filename = nix_linux_audit_action_object_category.csv
-[force_host_for_linux_cpu]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_memory]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_io]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_disk]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
 ###### END CONTENT IMPORTED FROM TA-deploymentapps ######
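Review bot: `src_user_type::"user"` and `user_type::"user"` are hard-coded in the new `[linux_secure_pam_unix_authentication_success]` FORMAT, so a session opened `by root(uid=0)` (the shape shown in the sshd-session example earlier in this file) is labelled a plain user on both sides while the props hunk's `EVAL-user_role` treats the same root session as an administrator; since the uid is captured in `$4`/`$6`, deriving the type from it, or leaving the field unset, would be more consistent. The regex otherwise repeats `[pam_unix_authentication_success]` directly above it with only a wider capture group, and the props hunk's REPORT list now references the new stanza instead of the old one; a comment such as `# Superseded for linux_secure by linux_secure_pam_unix_authentication_success below` on the old stanza would stop the apparent duplication being "fixed" later.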