Merge in Splunk Add-On for Unix and Linux version 10.0.0

2025-02-05 17:18:14 -05:00 · 2025-02-05 17:18:14 -05:00 · 17d6163514
commit 17d6163514
parent ce9dada330
14 changed files with 461 additions and 294 deletions
--- a/default/app.conf
+++ b/default/app.conf
@ -7,7 +7,7 @@
 [install]
 is_configured = false
 state = enabled
-build = 1720176219
+build = 1738793362

 [ui]
 setup_view = ta_nix_configuration
@ -17,7 +17,7 @@ docs_section_override = AddOns:released

 [launcher]
 author = Michael Erdely
-version = 9.2.0.13
+version = 10.0.0.0
 description = Technical Add-on for Unix and Linux

 #[package]
@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux

 [id]
 name = TA-unix
-version = 9.2.0.13
+version = 10.0.0.0

--- a/default/eventtypes.conf
+++ b/default/eventtypes.conf
@ -233,12 +233,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not
 search = eventtype=nix_ta_data  "pam_rhosts_auth" AND "allowed to"
 #tags = application authentication remote

+## sshd-session
+[sshd_session_start]
+search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password")
+#tags = network session start
+
+[sshd_session_end]
+search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user"
+#tags = network session end
+
 ## sshd
 [sshd_authentication]
 # osx sshd authentication error
 # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
 # Apr  2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=host
-search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
+search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure
 #tags = authentication remote

 [ssh_login_postponed]
@ -246,7 +255,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
 # no tags assigned to this eventtype

 [ssh_open]
-search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
+search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure
 #tags = communicate connect

 # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
@ -577,7 +586,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"

 ###### ADDED FROM UNIX APP ######
 [failed_login]
-search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure"  OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
+search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure
 #tags = authentication

 [Failed_SU]
--- a/default/props.conf
+++ b/default/props.conf
@ -112,10 +112,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
 METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat

 [cpu_metric]
-SHOULD_LINEMERGE=false
-LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+# Timestamp extraction settings
+TIME_PREFIX = ^
+TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
+MAX_TIMESTAMP_LOOKAHEAD = 25
+
 TRUNCATE=1000000
-DATETIME_CONFIG = CURRENT
 KV_MODE = none
 INDEXED_EXTRACTIONS = CSV
 FIELD_DELIMITER=whitespace
@ -174,10 +176,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
 ## Scripted Event Inputs
 #########################
 [cpu]
-SHOULD_LINEMERGE=false
-LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+LINE_BREAKER=([\r\n]+)Datetime\s+
+EVENT_BREAKER=([\r\n]+)Datetime\s+
+
+# Timestamp extraction settings
+TIME_PREFIX = \n
+TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
+
+EVENT_BREAKER_ENABLE=true
+SHOULD_LINEMERGE = false
 TRUNCATE=1000000
-DATETIME_CONFIG = CURRENT
 KV_MODE = multi
 FIELDALIAS-dest_for_cpu = host as dest
 FIELDALIAS-src_for_cpu = host as src
@ -570,19 +578,6 @@ FIELDALIAS-dest = host as dest
 # from forwarders on which the older scripts are still in use should
 # be able to search new and old data seamlessly.

-###### Global ######
-# [source::...(linux.*|sample.*.linux)]
-# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
-
-# [source::...(osx.*|sample.*.osx)]
-# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
-
-# [source::...(solaris.*|sample.*.solaris)]
-# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
-
-# [source::...sample.*.unix]
-# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
-
 ## support for linux only
 [Linux:SELinuxConfig]
 EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
@ -655,9 +650,10 @@ FIELDALIAS-dest = host as dest

 [source::...Unix:Version]
 SHOULD_LINEMERGE = false
-FIELDALIAS-family_for_nix_version = os_name as family
+EVAL-description = "script"
+EVAL-family = coalesce(kernel_name, os_name)
 LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
-FIELDALIAS-version_for_nix_version = os_release as version
+EVAL-version = if(isnotnull(kernel_version),os_version,os_release)
 FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
 EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
 EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
@ -745,13 +741,16 @@ EVENT_BREAKER_ENABLE = true

 ## Event extractions by type
 EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
-REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
+REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
 EVAL-action = if(app="su" AND isnull(action),"success",action)
 REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
 REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
 REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
 REPORT-routing = iptables
-EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
+EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature)
+EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null())
+EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src)
+EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null())

 REPORT-dest_for_linux_secure = loghost_as_dest
 LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
@ -803,3 +802,6 @@ SHOULD_LINEMERGE = false
 TIME_PREFIX = audit\(
 MAX_TIMESTAMP_LOOKAHEAD=23
 MAX_DAYS_AGO=3650
+EXTRACT-proctitle = .*proctitle=(?<proctitle>.*)$
+EXTRACT-execve_command = .*type=EXECVE.*a0=(?<execve_command>.*)$
+EVAL-execve_command = replace(execve_command, "a\d+=", "")
--- a/default/tags.conf
+++ b/default/tags.conf
@ -262,6 +262,18 @@ authentication = enabled
 remote = enabled

 ## sshd
+
+## Network_Sessions
+[eventtype=sshd_session_start]
+network = enabled
+session = enabled
+start = enabled
+
+[eventtype=sshd_session_end]
+network = enabled
+session = enabled
+end = enabled
+
 [eventtype=sshd_authentication]
 authentication = enabled
 remote = enabled
@ -834,8 +846,6 @@ system = enabled
 version = enabled
 inventory = enabled
 oshost = enabled
-cpu = enabled
-memory = enabled


 ## VSFTDP Config
--- a/default/transforms.conf
+++ b/default/transforms.conf
@ -201,7 +201,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm,
 INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)

 [extract_cpu_metric_field]
-INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
+INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0")

 [metric-schema:extract_metrics_iostat]
 METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
@ -294,25 +294,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs
 REGEX = exe=.*\/(\S+)\"
 FORMAT = command::$1

+## Network_Sessions
+
+# SSHD evnets for OpenSSH >= v9.8
+# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
+# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
+[sshd-session-login-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1
+
+# Jan  3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2
+[sshd-session-login-accepted]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"started" signature::$1 user::$2 src_ip::$3
+
+# Jan  3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth]
+[sshd-session-invalid-user]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3
+
+# Jan  3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234
+[sshd-session-connection-close]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"ended" signature::$1 src_ip::$2
+
+# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
+[sshd-session-key-negotiation-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found
+FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1
+
+# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format
+[sshd-session-banner-exchange-failed]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format
+FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1
+
+# Jan  2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER
+[sshd-session-shadow-info-error]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+)
+FORMAT = action::"blocked" signature::$1 user::$2
+
+# Jan  3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0)
+[sshd-session-pam_unix_authentication_success]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
+FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5
+
+# Jan  3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out
+[sshd-session-read-error-timeout]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out)
+FORMAT = action::"ended" src_ip::$1 signature::$2
+
+# Jan  3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234
+[sshd-session-disconnect]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
+FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3
+
+# Jan  3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user
+[sshd-session-closed-for-user]
+REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$
+FORMAT = action::"ended" signature::$1 user::$2

 ## Authentication

 # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
 [ssh-login-accepted]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5

 # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
 # Nov  5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
+# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
+# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
 [ssh-login-failed]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5

 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
 [ssh-invalid-user]
-REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
 FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5


@ -330,8 +390,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?
 FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4

 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
+# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user
 [ssh-disconnect]
-REGEX = (Received disconnect) from ([^\s]+):
+REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+)
 FORMAT = name::$1 src_ip::$2

 [sshd_authentication_kerberos_success]
@ -358,6 +419,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
 REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
 FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6

+[linux_secure_pam_unix_authentication_success]
+REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
+FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user"
+
 [passwd-auth-failure]
 REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
 FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
@ -476,26 +541,6 @@ FORMAT = signature::$1

 ##

-[force_host_for_linux_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-001
-
-[force_host_for_osx_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-002
-
-[force_host_for_solaris_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-003
-
-[force_host_for_unix_eventgen]
-DEST_KEY = MetaData:Host
-REGEX = .
-FORMAT = host::ACME-004
-
 ## Service
 [nix_linux_service_startmode_lookup]
 filename = nix_linux_service_startmodes.csv
@ -504,10 +549,6 @@ filename = nix_linux_service_startmodes.csv
 [nix_da_update_status_lookup]
 filename = nix_da_update_status.csv

-[Description_for_installedupdates]
-REGEX = ^Description=([^\r\n]+)
-FORMAT = Description::$1
-
 ## Version
 [nix_da_version_range_lookup]
 filename = nix_da_version_ranges.csv
@ -515,24 +556,4 @@ filename = nix_da_version_ranges.csv
 [nix_linux_audit_action_lookup]
 filename = nix_linux_audit_action_object_category.csv

-[force_host_for_linux_cpu]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_memory]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_io]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
-[force_host_for_linux_disk]
-DEST_KEY=MetaData:Host
-REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
-FORMAT=host::$1
-
 ###### END CONTENT IMPORTED FROM TA-deploymentapps ######