mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 16 Packages Wiki Activity Actions

Merge in Splunk Add-On for Unix and Linux version 10.0.0

Browse source
This commit is contained in:
Michael Erdely 2025-02-05 17:18:14 -05:00
parent ce9dada330
commit 17d6163514
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
14 changed files with 461 additions and 294 deletions
Download patch file Download diff file Expand all files Collapse all files

48
default/props.conf
View file

@ -112,10 +112,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
[cpu_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
# Timestamp extraction settings
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
@ -174,10 +176,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
## Scripted Event Inputs
#########################
[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
LINE_BREAKER=([\r\n]+)Datetime\s+
EVENT_BREAKER=([\r\n]+)Datetime\s+
# Timestamp extraction settings
TIME_PREFIX = \n
TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
EVENT_BREAKER_ENABLE=true
SHOULD_LINEMERGE = false
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
@ -570,19 +578,6 @@ FIELDALIAS-dest = host as dest
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Global ######
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
## support for linux only
[Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
@ -655,9 +650,10 @@ FIELDALIAS-dest = host as dest
[source::...Unix:Version]
SHOULD_LINEMERGE = false
FIELDALIAS-family_for_nix_version = os_name as family
EVAL-description = "script"
EVAL-family = coalesce(kernel_name, os_name)
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-version_for_nix_version = os_release as version
EVAL-version = if(isnotnull(kernel_version),os_version,os_release)
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
@ -745,13 +741,16 @@ EVENT_BREAKER_ENABLE = true
## Event extractions by type
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature)
EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null())
EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src)
EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null())
REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
@ -803,3 +802,6 @@ SHOULD_LINEMERGE = false
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650
EXTRACT-proctitle = .*proctitle=(?<proctitle>.*)$
EXTRACT-execve_command = .*type=EXECVE.*a0=(?<execve_command>.*)$
EVAL-execve_command = replace(execve_command, "a\d+=", "")