Merge in Splunk Add-On for Unix and Linux version 10.0.0

This commit is contained in:
Michael Erdely 2025-02-05 17:18:14 -05:00
parent ce9dada330
commit 17d6163514
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
14 changed files with 461 additions and 294 deletions


@ -233,12 +233,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote
## sshd-session
[sshd_session_start]
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password")
#tags = network session start
[sshd_session_end]
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user"
#tags = network session end
## sshd
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure
#tags = authentication remote
[ssh_login_postponed]
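Review bot: The new [sshd_session_start] search bundles authentication failures ("Failed password for", "Connection closed by invalid user", "Unable to negotiate", "Could not get shadow information") with genuine session starts ("session opened for user", "Accepted password"), so anything that treats this eventtype as a session start for sourcetype=linux_secure will also fire on failed logins. In the same hunk [sshd_authentication] gains `AND NOT sourcetype=linux_secure`, and [failed_login] in the hunk at @ -577 gets the same exclusion, which appears to leave linux_secure authentication failures with no authentication-classified eventtype; a bare `Invalid user <name> from <host>` line that the old [sshd_authentication] search matched is not matched by either of the new sshd_session_* searches, since it carries none of their phrases. Consider keeping the failure terms out of [sshd_session_start] and giving linux_secure its own authentication eventtype, for instance (constructed name) `[sshd_session_auth_failure]` with `search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Invalid user")`. Whether tags are actually assigned elsewhere cannot be seen here, as every `#tags` line in this file is commented out.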
@ -246,7 +255,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype
[ssh_open]
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure
#tags = communicate connect
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
@ -577,7 +586,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
###### ADDED FROM UNIX APP ######
[failed_login]
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure
#tags = authentication
[Failed_SU]