mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 15 Packages Wiki Activity Actions

Merge in Splunk Add-On for Unix and Linux version 10.0.0

Browse source
This commit is contained in:
Michael Erdely 2025-02-05 17:18:14 -05:00
parent ce9dada330
commit 17d6163514
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
14 changed files with 461 additions and 294 deletions
Download patch file Download diff file Expand all files Collapse all files

119
default/transforms.conf
View file

@ -201,7 +201,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm,
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0")
[metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
@ -294,25 +294,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs
REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1
## Network_Sessions
# SSHD evnets for OpenSSH >= v9.8
# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
[sshd-session-login-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1
# Jan 3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2
[sshd-session-login-accepted]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"started" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth]
[sshd-session-invalid-user]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234
[sshd-session-connection-close]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"ended" signature::$1 src_ip::$2
# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
[sshd-session-key-negotiation-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found
FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1
# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format
[sshd-session-banner-exchange-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format
FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1
# Jan 2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER
[sshd-session-shadow-info-error]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+)
FORMAT = action::"blocked" signature::$1 user::$2
# Jan 3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0)
[sshd-session-pam_unix_authentication_success]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5
# Jan 3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out
[sshd-session-read-error-timeout]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out)
FORMAT = action::"ended" src_ip::$1 signature::$2
# Jan 3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234
[sshd-session-disconnect]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user
[sshd-session-closed-for-user]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$
FORMAT = action::"ended" signature::$1 user::$2
## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
[ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
@ -330,8 +390,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user
[ssh-disconnect]
REGEX = (Received disconnect) from ([^\s]+):
REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+)
FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success]
@ -358,6 +419,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
[linux_secure_pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user"
[passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
@ -476,26 +541,6 @@ FORMAT = signature::$1
##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service
[nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv
@ -504,10 +549,6 @@ filename = nix_linux_service_startmodes.csv
[nix_da_update_status_lookup]
filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version
[nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv
@ -515,24 +556,4 @@ filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ######