Merge in Splunk Add-On for Unix and Linux version 10.0.0

This commit is contained in:
Michael Erdely 2025-02-05 17:18:14 -05:00
parent ce9dada330
commit 17d6163514
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
14 changed files with 461 additions and 294 deletions


@ -7,9 +7,9 @@
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
Date generated: 2024-7-5 Date generated: 2025-1-31
Revision ID: a08b431842df3cfc234ba3f0675de8898f9ef6ac Revision ID: 79a4b3bf642285d427e11cd81adb8baaf923e0e9
================================================================================ ================================================================================
================================================================================ ================================================================================
@ -55,7 +55,14 @@ No licenses found
================================================================================ ================================================================================
================================================================================
Copyrights
================================================================================
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
Report Generated by FOSSA on 2024-7-5 Report Generated by FOSSA on 2025-1-31


@ -1,2 +1,2 @@
9.2.0.13 10.0.0.0
9.2.0.13 10.0.0.0


@ -1,66 +1,66 @@
{ {
"dependencies": null, "dependencies": null,
"incompatibleApps": null, "incompatibleApps": null,
"info": { "info": {
"author": [ "author": [
{ {
"company": "erdelynet.com", "name": "Michael Erdely",
"email": "mike@erdelynet.com", "email": mike@erdelynet.com,
"name": "erdelynet.com" "company": "erdelynet.com"
} }
], ],
"classification": { "classification": {
"categories": [ "categories": [
"IT Operations", "IT Operations",
"Utilities" "Utilities"
], ],
"developmentStatus": "Production/Stable", "developmentStatus": "Production/Stable",
"intendedAudience": "IT" "intendedAudience": "IT"
},
"commonInformationModels": {
"Authentication": "=4.20.2",
"Change": "=4.20.2",
"Endpoint": "=4.20.2",
"Inventory": "=4.20.2",
"Network Sessions": "=4.20.2",
"Performance": "=4.20.2"
},
"description": "Technical Add-on for Unix and Linux",
"id": {
"group": null,
"name": "TA-nix",
"version": "9.2.0.13"
},
"license": {
"name": "Splunk Software License Agreement",
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": "http://www.splunk.com/view/SP-CAAAAFA"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md"
},
"title": "Technical Add-on for Unix and Linux"
}, },
"inputGroups": null, "commonInformationModels": {
"platformRequirements": null, "Authentication": "==4.20.2",
"schemaVersion": "2.0.0", "Change": "==4.20.2",
"supportedDeployments": [ "Endpoint": "==4.20.2",
"_standalone", "Inventory": "==4.20.2",
"_distributed", "Network Sessions": "==6.0.2",
"_search_head_clustering" "Performance": "==4.20.2"
], },
"targetWorkloads": [ "description": "Technical Add-on for Unix and Linux",
"_search_heads", "id": {
"_forwarders", "group": null,
"_indexers" "name": "TA-unix",
], "version": "10.0.0.0"
"tasks": null },
"license": {
"name": "Splunk Software License Agreement",
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": "http://www.splunk.com/view/SP-CAAAAFA"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://git.erdelynet.com/mike/TA-unix/docs/ReleaseNotes.md"
},
"title": "Technical Add-on for Unix and Linux"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_forwarders",
"_indexers"
],
"tasks": null
} }
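Review bot: On the new side the author entry's `"email": mike@erdelynet.com,` has lost its quotes as rendered here, which is not valid JSON and would make the manifest unparseable by a strict parser; it should read `"email": "mike@erdelynet.com",`. If the page reflects the file faithfully, a quick `python -m json.tool` pass over the manifest before merge would catch this. The `"Network Sessions": "==6.0.2"` pin also diverges from the `==4.20.2` used for the other five CIM entries, which may be deliberate but is worth a second look.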


@ -7,9 +7,9 @@
assertHaveCommand column assertHaveCommand column
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' HEADER='Datetime CPU pctUser pctNice pctSystem pctIowait pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}" HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' PRINTF='{printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}'
if [ "$KERNEL" = "Linux" ] ; then if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand sar queryHaveCommand sar
@ -17,19 +17,32 @@ if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand mpstat queryHaveCommand mpstat
FOUND_MPSTAT=$? FOUND_MPSTAT=$?
if [ $FOUND_SAR -eq 0 ] ; then if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1' CMD='sar -P ALL 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1' CMD='mpstat -P ALL 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}'
else else
failLackMultipleCommands sar mpstat failLackMultipleCommands sar mpstat
fi fi
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
PRINTF='{
if ($0 ~ /all/) {
print header;
printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle;
} else {
printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle;
}
}'
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "SunOS" ] ; then elif [ "$KERNEL" = "SunOS" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else else
@ -37,9 +50,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then
fi fi
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}' FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' FORMAT='{datetime="'"$formatted_date"'"; cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}'
elif [ "$KERNEL" = "AIX" ] ; then elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat queryHaveCommand mpstat
queryHaveCommand lparstat queryHaveCommand lparstat
@ -78,46 +91,72 @@ elif [ "$KERNEL" = "AIX" ] ; then
DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields # Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1' CMD='mpstat -a 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
FORMAT='
function get_current_time() {
# Use "date" to fetch the current time and store it in a variable
command = "date +\"%m/%d/%y_%H:%M:%S_%Z\"";
command | getline datetime;
close(command);
return datetime;
}
BEGIN {
flag = 0;
header = "";
}
{ {
if($0 ~ /System configuration|^$/) {next} if($0 ~ /System configuration|^$/) {next}
if($1 ~ /^-+$/ && header != "") {
print header;
next;
}
if($0 ~ /cpu / && flag == 1) {next}
if(flag == 1) if(flag == 1)
{ {
# Prepend extra field values from lparstat # Prepend extra field values from lparstat
for(i=NF+4; i>=4; i--) for(i=NF+5; i>=5; i--)
{ {
$i = $(i-3); $i = $(i-4);
} }
if($0 ~ /ALL/) if($0 ~ /ALL/)
{ {
$1 = CPUPool; $1 = get_current_time();
$2 = OnlineVirtualCPUs; $2 = CPUPool;
$3 = EntitledCapacity; $3 = OnlineVirtualCPUs;
$4 = EntitledCapacity;
} }
else else
{ {
$1 = "-"; $1 = get_current_time();
$2 = "-"; $2 = "-";
$3 = "-"; $3 = "-";
$4 = "-";
} }
} }
if($0 ~ /cpu /) if($0 ~ /cpu /)
{ {
# Prepend extra field headers from lparstat # Prepend extra field headers from lparstat
for(i=NF+4; i>=4; i--) for(i=NF+5; i>=5; i--)
{ {
$i = $(i-3); $i = $(i-4);
} }
$1 = "CPUPool"; $1 = "Datetime";
$2 = "OnlineVirtualCPUs"; $2 = "CPUPool";
$3 = "EntitledCapacity"; $3 = "OnlineVirtualCPUs";
$4 = "EntitledCapacity";
flag = 1; flag = 1;
header = $1;
for (i = 2; i <= NF; i++) {
header = header sprintf("%21s ", $i);
}
} }
for(i=1; i<=NF; i++) printf $1;
for(i=2; i<=NF; i++)
{ {
printf "%17s ", $i; printf "%21s ", $i;
} }
print ""; print "";
}' }'
@ -126,28 +165,46 @@ elif [ "$KERNEL" = "AIX" ] ; then
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
exit exit
elif [ "$KERNEL" = "Darwin" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle' HEADER='Datetime CPU pctUser pctSystem pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}" HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}' PRINTF='{printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle}'
# top command here is used to get a single instance of cpu metrics # top command here is used to get a single instance of cpu metrics
CMD='top -l 1' CMD='top -l 5 -s 2'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU". # FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='($1 !~ "CPU") {next;}' FILTER='($1 !~ "CPU") {next;}'
# FORMAT here removes '%'in the end of the metrics. # FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) { FORMAT='
sub(char_to_remove, "", string); function get_current_time() {
return string; # Use "date" to fetch the current time and store it in a variable
} command = "date +\"%m/%d/%y_%H:%M:%S_%Z\"";
{ command | getline datetime;
cpu="all"; close(command);
pctUser = remove_char($3, "%"); return datetime;
pctSystem = remove_char($5, "%"); }
pctIdle = remove_char($7, "%"); function remove_char(string, char_to_remove) {
}' sub(char_to_remove, "", string);
return string;
}
{
datetime=get_current_time();
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
}'
PRINTF='{
print header;
printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle;
}'
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "OpenBSD" ] ; then elif [ "$KERNEL" = "OpenBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -1 -b; top -b' CMD='eval top -1 -b; top -b'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -159,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
else if ($1 ~ /^CPU[0-9]+$/) else if ($1 ~ /^CPU[0-9]+$/)
cpu=substr($1,4); cpu=substr($1,4);
else cpu=0; else cpu=0;
datetime="'"$formatted_date"'";
pctUser=substr($3,1,length($3)-1); pctUser=substr($3,1,length($3)-1);
pctNice=substr($5,1,length($5)-1); pctNice=substr($5,1,length($5)-1);
pctSystem=substr($7,1,length($7)-1); pctSystem=substr($7,1,length($7)-1);
@ -166,6 +224,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
pctIdle=substr($13,1,length($13)-1); pctIdle=substr($13,1,length($13)-1);
}' }'
elif [ "$KERNEL" = "FreeBSD" ] ; then elif [ "$KERNEL" = "FreeBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -P -d2 c; top -d2 c' CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -175,6 +234,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
sub(char_to_remove, "", string); sub(char_to_remove, "", string);
return string; return string;
} }
{
datetime="'"$formatted_date"'";
}
{ {
if ($1 == "CPU:") { if ($1 == "CPU:") {
cpu = "all"; cpu = "all";
@ -189,15 +251,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
pctIdle = remove_char($(NF-1), "%"); pctIdle = remove_char($(NF-1), "%");
pctIowait = "0.0"; pctIowait = "0.0";
}' }'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k)}'
fi fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" | column -t $CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
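Review bot: Deleting the HP-UX branch (the removed `elif` at the end of the kernel chain) leaves no `else`, so on HP-UX the script now falls through to the final pipeline with `CMD`, `FILTER` and `FORMAT` unset instead of reporting the platform as unsupported, unless something earlier in the file handles it; an `else failUnsupportedScript` before the `fi` would make the drop explicit (the same HP-UX deletion appears in cpu_metric.sh). The new AIX print loop also begins with `printf $1;`, which uses the datetime value as the printf format string; `printf "%s", $1;` avoids any surprise should that value ever contain a `%` (cpu_metric.sh has the same line). The Linux PRINTF block repeats the identical `printf` in both arms of `if ($0 ~ /all/)`; only `print header` differs, so `if ($0 ~ /all/) print header;` followed by a single `printf` reads cleaner.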


@ -8,9 +8,9 @@
assertHaveCommand column assertHaveCommand column
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address' HEADER='Datetime pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address CPU'
HEADERIZE="BEGIN {print \"$HEADER\"}" HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address}' PRINTF='{printf "%-28s %9s %9s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address,cpu}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}' FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
if [ "$KERNEL" = "Linux" ] ; then if [ "$KERNEL" = "Linux" ] ; then
@ -24,19 +24,20 @@ if [ "$KERNEL" = "Linux" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
fi fi
if [ $FOUND_SAR -eq 0 ] ; then if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1' CMD='sar -P ALL 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1' CMD='mpstat -P ALL 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
else else
failLackMultipleCommands sar mpstat failLackMultipleCommands sar mpstat
fi fi
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
elif [ "$KERNEL" = "SunOS" ] ; then elif [ "$KERNEL" = "SunOS" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else else
@ -47,7 +48,7 @@ elif [ "$KERNEL" = "SunOS" ] ; then
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}' FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' FORMAT='{datetime="'"$formatted_date"'"; cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ "$KERNEL" = "AIX" ] ; then elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat queryHaveCommand mpstat
queryHaveCommand lparstat queryHaveCommand lparstat
@ -87,52 +88,66 @@ elif [ "$KERNEL" = "AIX" ] ; then
DEFINE_LPARSTAT_FIELDS="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" DEFINE_LPARSTAT_FIELDS="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields # Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1' CMD='mpstat -a 2 5'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
FORMAT='
function get_current_time() {
# Use "date" to fetch the current time and store it in a variable
command = "date +\"%m/%d/%y_%H:%M:%S_%Z\"";
command | getline datetime;
close(command);
return datetime;
}
$1 ~ /^-+$/ { next }
BEGIN {flag = 0}
{ {
if($0 ~ /System configuration|^$/) {next} if($0 ~ /System configuration|^$/) {next}
if($0 ~ /cpu / && flag == 1) {next}
if(flag == 1) if(flag == 1)
{ {
for(i=NF+7; i>=7; i--) for(i=NF+8; i>=8; i--)
{ {
$i = $(i-6); $i = $(i-7);
} }
# Prepend OSName, OS_version, IP_address values # Prepend Datetime, OSName, OS_version, IP_address values
$1 = OSName; $1 = get_current_time();
$2 = OSVersion/1000; $2 = OSName;
$3 = IP_address; $3 = OSVersion/1000;
$4 = IP_address;
# Prepend lparstat field values # Prepend lparstat field values
if($0 ~ /ALL/) if($0 ~ /ALL/)
{ {
$4 = CPUPool; $5 = CPUPool;
$5 = OnlineVirtualCPUs; $6 = OnlineVirtualCPUs;
$6 = EntitledCapacity; $7 = EntitledCapacity;
} }
else else
{ {
$4 = "-";
$5 = "-"; $5 = "-";
$6 = "-"; $6 = "-";
$7 = "-";
} }
} }
if($0 ~ /cpu /) if($0 ~ /cpu /)
{ {
for(i=NF+7; i>=7; i--) for(i=NF+8; i>=8; i--)
{ {
$i = $(i-6); $i = $(i-7);
} }
# Prepend OSName, OS_version, IP_address headers # Prepend Datetime, OSName, OS_version, IP_address headers
$1 = "OSName"; $1 = "Datetime";
$2 = "OS_version"; $2 = "OSName";
$3 = "IP_address"; $3 = "OS_version";
$4 = "IP_address";
# Prepend lparstat field headers # Prepend lparstat field headers
$4 = "CPUPool"; $5 = "CPUPool";
$5 = "OnlineVirtualCPUs"; $6 = "OnlineVirtualCPUs";
$6 = "EntitledCapacity"; $7 = "EntitledCapacity";
flag = 1; flag = 1;
} }
for(i=1; i<=NF; i++) printf $1;
for(i=2; i<=NF; i++)
{ {
printf "%17s ", $i; printf "%17s ", $i;
} }
@ -143,11 +158,11 @@ elif [ "$KERNEL" = "AIX" ] ; then
echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST"
exit exit
elif [ "$KERNEL" = "Darwin" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address' HEADER='Datetime pctUser pctSystem pctIdle OSName OS_version IP_address CPU'
HEADERIZE="BEGIN {print \"$HEADER\"}" HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}' PRINTF='{printf "%-28s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address, cpu}'
# top command here is used to get a single instance of cpu metrics # top command here is used to get a single instance of cpu metrics
CMD='top -l 1' CMD='top -l 5 -s 2'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU". # FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -156,20 +171,30 @@ elif [ "$KERNEL" = "Darwin" ] ; then
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# FORMAT here removes '%'in the end of the metrics. # FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) { FORMAT='
sub(char_to_remove, "", string); function get_current_time() {
return string; # Use "date" to fetch the current time and store it in a variable
} command = "date +\"%m/%d/%y_%H:%M:%S_%Z\"";
{ command | getline datetime;
cpu="all"; close(command);
pctUser = remove_char($3, "%"); return datetime;
pctSystem = remove_char($5, "%"); }
pctIdle = remove_char($7, "%"); function remove_char(string, char_to_remove) {
OSName=OSName; sub(char_to_remove, "", string);
OS_version=OS_version; return string;
IP_address=IP_address; }
}' {
datetime=get_current_time();
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
OSName=OSName;
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "OpenBSD" ] ; then elif [ "$KERNEL" = "OpenBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -1 -b; top -b' CMD='eval top -1 -b; top -b'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -183,6 +208,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
else if ($1 ~ /^CPU[0-9]+$/) else if ($1 ~ /^CPU[0-9]+$/)
cpu=substr($1,4); cpu=substr($1,4);
else cpu=0; else cpu=0;
datetime="'"$formatted_date"'";
pctUser=substr($3,1,length($3)-1); pctUser=substr($3,1,length($3)-1);
pctNice=substr($5,1,length($5)-1); pctNice=substr($5,1,length($5)-1);
pctSystem=substr($7,1,length($7)-1); pctSystem=substr($7,1,length($7)-1);
@ -190,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
pctIdle=substr($13,1,length($13)-1); pctIdle=substr($13,1,length($13)-1);
}' }'
elif [ "$KERNEL" = "FreeBSD" ] ; then elif [ "$KERNEL" = "FreeBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -P -d2 c; top -d2 c' CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -201,6 +228,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
sub(char_to_remove, "", string); sub(char_to_remove, "", string);
return string; return string;
} }
{
datetime="'"$formatted_date"'";
}
{ {
if ($1 == "CPU:") { if ($1 == "CPU:") {
cpu = "all"; cpu = "all";
@ -218,16 +248,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
OS_version=OS_version; OS_version=OS_version;
IP_address=IP_address; IP_address=IP_address;
}' }'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k); OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
fi fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER" | column -t $CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER" | column -t
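Review bot: `$3 = OSVersion/1000;` in the AIX block (renumbered from `$2` by this change) reads an awk variable named `OSVersion`, while every `-v` definition visible on this page passes the value as `OS_version`; if the AIX `DEFINE` does the same, this column is always `0`. That `DEFINE` line sits outside the hunk, so confirm which name it uses before changing the line to `$3 = OS_version;` (the `/1000` also presumes a numeric value, which a `uname -r`-style string is not). The HP-UX deletion at the end of this file shares the fall-through concern raised on cpu.sh, and `printf $1;` in the print loop should likewise be `printf "%s", $1;`.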


@ -5,22 +5,35 @@
# shellcheck disable=SC1091 # shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh . "$(dirname "$0")"/common.sh
HEADER='USERNAME FROM LATEST' HEADER='USERNAME FROM LATEST DURATION'
HEADERIZE="BEGIN {print \"$HEADER\"}" HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-30s %-30.30s %-s\n", username, from, latest}' PRINTF='{printf "%-30s %-30.30s %-30.30s %-s\n", username, from, latest, duration}'
if [ "$KERNEL" = "Linux" ] ; then if [ "$KERNEL" = "Linux" ] ; then
CMD='last -iw' CMD='last -iw'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' # Extracts duration values from the 10th column of the `last` command output.
# If the session is `still running` or `still logged in`, "N/A" is set as the default value.
# This approach is applied to all supported kernels in the script.
FORMAT='{
username = $1;
from = (NF>=10) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "SunOS" ] ; then elif [ "$KERNEL" = "SunOS" ] ; then
CMD='last -n 999' CMD='last -n 999'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' FORMAT='{
username = $1;
from = (NF>=10) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "AIX" ] ; then elif [ "$KERNEL" = "AIX" ] ; then
failUnsupportedScript failUnsupportedScript
elif [ "$KERNEL" = "Darwin" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then
@ -28,13 +41,23 @@ elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' FORMAT='{
username = $1;
from = ($0 !~ / /) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "OpenBSD" ] ; then elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD='last' CMD='last'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' FORMAT='{
username = $1;
from = (NF>=10) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='lastb -Rx' CMD='lastb -Rx'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -42,9 +65,16 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}' FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
elif [ "$KERNEL" = "FreeBSD" ] ; then elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='lastlogin' CMD='last -w'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==8) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}' FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{
username = $1;
from = (NF>=10) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
fi fi
assertHaveCommand $CMD assertHaveCommand $CMD
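Review bot: The new six-line FORMAT body is pasted verbatim into the Linux, SunOS, OpenBSD and FreeBSD branches, with a Darwin copy that differs only in its `from` test; defining the shared body once above the `if` chain and assigning it per branch would keep the copies from drifting. The comment says the approach applies to all supported kernels, but the HP-UX branch's FORMAT lies outside the hunk, so if it does not set `duration` the new PRINTF prints an empty DURATION column there — worth confirming. Inside the condition, `$10 != ""` is redundant once `NF >= 10` holds, since a tenth field is non-empty under default field splitting.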


@ -46,11 +46,11 @@ if [ "$KERNEL" = "Linux" ] ; then
fi fi
# Below condition is added to handle the case of Ubuntu OS # Below condition is added to handle the case of Ubuntu OS
if [ -e $OS_FILE ] && (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q ubuntu); if [ -e "$OS_FILE" ] && (awk -F'=' '/ID=/ {print $2}' "$OS_FILE" | grep -Eq 'rocky|ubuntu|almalinux|ol');
then then
# shellcheck disable=SC2016 # shellcheck disable=SC2016
OS_RELEASE=$($AWK -F= '/VERSION_ID=/ {print $2}' $OS_FILE) OS_RELEASE=$(awk -F= '/^ID=/ {gsub(/"/, "", $2); id=$2} /^VERSION_ID=/ {gsub(/"/, "", $2); ver=$2} END {print id ":" ver}' "$OS_FILE")
if [ "$OS_RELEASE" = "\"18.04\"" ] || [ "$OS_RELEASE" = "\"20.04\"" ] || [ "$OS_RELEASE" = "\"22.04\"" ] ; then # Ubuntu 18.04, 20.04 and 22.04 if [ "$OS_RELEASE" = "ubuntu:18.04" ] || [ "$OS_RELEASE" = "ubuntu:20.04" ] || [ "$OS_RELEASE" = "ubuntu:22.04" ] || [ "$OS_RELEASE" = "rocky:9.5" ] || [ "$OS_RELEASE" = "almalinux:9.5" ] || [ "$OS_RELEASE" = "ol:8.9" ] ; then # Ubuntu 18.04, 20.04 and 22.04 # Rocky or AlmaLinux 9.5 # Oracle Linux 8.9
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{ FORMAT='{
if (NR%10==2){ if (NR%10==2){
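Review bot: The distribution test on the new `if` line is looser than the version check beneath it: `/ID=/` also matches the `VERSION_ID=` and `ID_LIKE=` lines of an os-release file, and the unanchored `grep -Eq 'rocky|ubuntu|almalinux|ol'` accepts any value that merely contains `ol`, so the branch can be entered for an ID the `OS_RELEASE` comparison was never written for. Anchoring both sides keeps the two checks consistent: `if [ -e "$OS_FILE" ] && (awk -F'=' '/^ID=/ {gsub(/"/, "", $2); print $2}' "$OS_FILE" | grep -Eqx 'rocky|ubuntu|almalinux|ol');`. The exact-version list on the `OS_RELEASE` line (`rocky:9.5`, `almalinux:9.5`, `ol:8.9`) silently falls through to the other branch on the next point release, so a comment stating why these exact versions need the alternate FORMAT would help the next maintainer. The enclosing `if [ "$KERNEL" = "Linux" ]` block starts outside the hunk.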


@ -62,8 +62,29 @@ CMD1='date'
assertHaveCommand $CMD1 assertHaveCommand $CMD1
assertHaveCommand "$CMD2" assertHaveCommand "$CMD2"
$CMD1 | tee -a "$TEE_DEST"
echo "Cmd1 = [$CMD1]" >> "$TEE_DEST" echo "Cmd1 = [$CMD1]" >> "$TEE_DEST"
$CMD1 | tee -a "$TEE_DEST"
$CMD2 | tee -a "$TEE_DEST"
echo "Cmd2 = [$CMD2]" >> "$TEE_DEST" echo "Cmd2 = [$CMD2]" >> "$TEE_DEST"
if [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile
OUTPUT=$($CMD2 2>$TMP_ERROR_FILTER_FILE)
if grep -q "Timeout" < $TMP_ERROR_FILTER_FILE; then
LAST_LINE=$(echo "$OUTPUT" | tail -n 1)
if [[ "$LAST_LINE" == *"$SERVER"* ]]; then
echo "$LAST_LINE" | tee -a "$TEE_DEST"
fi
cat $TMP_ERROR_FILTER_FILE >> $TEE_DEST
echo "$OUTPUT" >> "$TEE_DEST"
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
elif grep -vq "Timeout" < $TMP_ERROR_FILTER_FILE; then
cat $TMP_ERROR_FILTER_FILE >&2
echo "$OUTPUT" >> "$TEE_DEST"
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
else
echo "$OUTPUT" | tee -a "$TEE_DEST"
fi
else
$CMD2 | tee -a "$TEE_DEST"
fi
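Review bot: The Darwin branch sends `$CMD2` stderr to a fixed, unquoted path, `$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile`, and the `cat`/`rm` lines leave both it and `$TEE_DEST` unquoted while the surrounding lines quote `"$TEE_DEST"`; a `SPLUNK_HOME` containing whitespace breaks the redirection, and the fixed name lets two concurrent runs overwrite each other's stderr. `TMP_ERROR_FILTER_FILE=$(mktemp "$SPLUNK_HOME/var/run/splunk/unix_time_error.XXXXXX")` plus quoting the variable on the `2>`, `grep`, `cat` and `rm` lines fixes both, and the `else` branch should remove the empty file it currently leaves behind. The `elif grep -vq "Timeout"` test is only reached when no line contains "Timeout", so it is really `[ -s "$TMP_ERROR_FILTER_FILE" ]`; the simpler test says what it means. If this script runs under `sh` rather than `bash`, `[[ "$LAST_LINE" == *"$SERVER"* ]]` is a bashism; `case "$LAST_LINE" in *"$SERVER"*) echo "$LAST_LINE" | tee -a "$TEE_DEST" ;; esac` is the portable equivalent. `FOUND_SNTP` and `SERVER` are set outside the hunk.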


@ -5,68 +5,62 @@
# shellcheck disable=SC1091 # shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh . "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, KERN_REL, OS_NAME, KERN_VER, OS_REL, OS_VER, DISTRO}' PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER, KERNEL_NAME, KERNEL_VERSION, KERNEL_RELEASE}'
if [ "$KERNEL" = "Linux" ] ; then if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand date assertHaveCommand date
assertHaveCommand uname assertHaveCommand uname
[ -f /etc/os-release ] && . /etc/os-release VERSION=$(grep "^VERSION=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
machine_arch=$(uname -p) NAME=$(grep "^NAME=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
os_release=$(uname -r) VERSION_ID=$(grep "^VERSION_ID=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
os_version=$(uname -v) MACHINE_ARCH=$(uname -p)
distro_name=Linux which dpkg > /dev/null 2>&1 && MACHINE_ARCH=$(dpkg --print-architecture)
[ -n "$NAME" ] && distro_name=$NAME which pacman > /dev/null 2>&1 && MACHINE_ARCH=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") && VERSION=rolling && VERSION_ID=rolling
[ -n "$VERSION_ID" ] && os_release=$VERSION_ID CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; echo \"$MACHINE_ARCH\" ; eval uname -s ; eval uname -v ; eval uname -r"
[ -n "$VERSION_ID" ] && os_version=$VERSION_ID
[ -r /etc/debian_version ] && grep -Eq "^[0-9.]+$" /etc/debian_version && os_release=$(cat /etc/debian_version)
[ "$BUILD_ID" = "rolling" ] && os_release=rolling
[ "$BUILD_ID" = "rolling" ] && os_version=rolling
which dpkg > /dev/null 2>&1 && machine_arch=$(dpkg --print-architecture)
[ "$NAME" = "Arch Linux" -o "$NAME" = "Arch Linux ARM" ] && machine_arch=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/")
CMD="eval date ; echo $distro_name ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand uname
assertHaveCommand sw_vers
os_release=$(sw_vers --productVersion)
CMD="eval date ; echo MacOS ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release"
elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand date assertHaveCommand date
assertHaveCommand uname assertHaveCommand uname
CMD='eval date ; echo $KERNEL ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p;' CMD='eval date ; eval uname -m ; eval uname -r ; echo $KERNEL ; eval uname -r; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r;'
elif [ "$KERNEL" = "Darwin" ] ; then
# Darwin-macos uses sw_vers for os version, name and release switch.
assertHaveCommand date
assertHaveCommand uname
VERSION=$(sw_vers -BuildVersion)
NAME=$(sw_vers -productName)
VERSION_ID=$(sw_vers -ProductVersion)
CMD="eval date ; eval uname -m ; echo \"$VERSION_ID ($VERSION)\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r"
elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "HP-UX" ] ; then
# HP-UX lacks -p switch. # HP-UX lacks -p switch.
assertHaveCommand date assertHaveCommand date
assertHaveCommand uname assertHaveCommand uname
CMD='eval date ; echo HP-UX ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v'
elif [ "$KERNEL" = "AIX" ] ; then elif [ "$KERNEL" = "AIX" ] ; then
# AIX uses oslevel for version and release switch. # AIX uses oslevel for version and release switch.
assertHaveCommand date assertHaveCommand date
assertHaveCommand uname assertHaveCommand uname
CMD='eval date ; echo AIX ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel ; eval uname -m ; eval uname -s ; eval uname -v; eval uname -r'
fi fi
# Get the date. # Get the date.
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}' PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_1='NR==2 {DISTRO="distro_name=\"" $0 "\""}' PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_2='NR==3 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_3='NR==4 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_4='NR==5 {OS_NAME="os_name=\"" $0 "\""}' PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_5='NR==6 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_6='NR==7 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' PARSE_6='NR==7 {KERNEL_NAME="kernel_name=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_7='NR==8 {OS_REL="os_release=\"" $0 "\""}' PARSE_7='NR==8 {KERNEL_VERSION="kernel_version=\"" $0 "\""}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_8='NR==9 {OS_VER="os_version=\"" $0 "\""}' PARSE_8='NR==9 {KERNEL_RELEASE="kernel_release=\"" $0 "\""}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8"
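Review bot: On the Linux `CMD=` line the values read from `/etc/*-release` (`VERSION`, `NAME`, `VERSION_ID`) are spliced into a command string that is evidently evaluated later (the `eval` prefixes say so; the consumer of `CMD` is outside the hunk), and the `sed` only strips leading and trailing quotes, so any `"`, `$` or backtick left inside a value alters the command rather than the output. Restricting each value to a safe character set before interpolation, e.g. appending `| tr -cd 'A-Za-z0-9 ._()/-'` to the three pipelines, keeps the nine-line output contract intact. `which dpkg` and `which pacman` are not POSIX and `which` is missing on some minimal images; `command -v dpkg >/dev/null 2>&1` is the portable form. A comment above the `PRINTF=` line listing the nine positional outputs every branch must emit (date, hardware name, os_release, os_name, os_version, architecture, kernel_name, kernel_version, kernel_release) would make it obvious that the HP-UX branch emits only five and so leaves the kernel and architecture fields empty, which may or may not be intended.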


@ -7,7 +7,7 @@
[install] [install]
is_configured = false is_configured = false
state = enabled state = enabled
build = 1720176219 build = 1738793362
[ui] [ui]
setup_view = ta_nix_configuration setup_view = ta_nix_configuration
@ -17,7 +17,7 @@ docs_section_override = AddOns:released
[launcher] [launcher]
author = Michael Erdely author = Michael Erdely
version = 9.2.0.13 version = 10.0.0.0
description = Technical Add-on for Unix and Linux description = Technical Add-on for Unix and Linux
#[package] #[package]
@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux
[id] [id]
name = TA-unix name = TA-unix
version = 9.2.0.13 version = 10.0.0.0


@ -233,12 +233,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote #tags = application authentication remote
## sshd-session
[sshd_session_start]
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password")
#tags = network session start
[sshd_session_end]
search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user"
#tags = network session end
## sshd ## sshd
[sshd_authentication] [sshd_authentication]
# osx sshd authentication error # osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host # Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure
#tags = authentication remote #tags = authentication remote
[ssh_login_postponed] [ssh_login_postponed]
@ -246,7 +255,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype # no tags assigned to this eventtype
[ssh_open] [ssh_open]
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure
#tags = communicate connect #tags = communicate connect
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
@ -577,7 +586,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
###### ADDED FROM UNIX APP ###### ###### ADDED FROM UNIX APP ######
[failed_login] [failed_login]
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure
#tags = authentication #tags = authentication
[Failed_SU] [Failed_SU]
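Review bot: The new `sshd_session_start` eventtype (tagged `network session start` here and in the tags.conf hunk) includes failure strings — `"Failed password for"`, `"Connection closed by invalid user"`, `"Unable to negotiate"`, `"banner exchange"`, `"Could not get shadow information"` — whose transforms set `action::"blocked"`, so rejected pre-auth attempts will appear as started sessions in the Network Sessions data model and inflate any per-source session count built on it. Moving those five terms into a separate eventtype without the session tags, leaving `sshd_session_start` with `"session opened for user"` and `"Accepted password"`, keeps the tag honest; the tags.conf stanzas for `sshd_session_start`/`sshd_session_end` follow from that. A one-line comment above `[sshd_session_start]` saying these stanzas are the OpenSSH 9.8+ `sshd-session` counterparts of the `sshd_authentication` stanza below would also help.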


@ -112,10 +112,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
[cpu_metric] [cpu_metric]
SHOULD_LINEMERGE=false # Timestamp extraction settings
LINE_BREAKER=(^$|[\r\n]+[\r\n]+) TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE=1000000 TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none KV_MODE = none
INDEXED_EXTRACTIONS = CSV INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace FIELD_DELIMITER=whitespace
@ -174,10 +176,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
## Scripted Event Inputs ## Scripted Event Inputs
######################### #########################
[cpu] [cpu]
SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)Datetime\s+
LINE_BREAKER=(^$|[\r\n]+[\r\n]+) EVENT_BREAKER=([\r\n]+)Datetime\s+
# Timestamp extraction settings
TIME_PREFIX = \n
TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z
EVENT_BREAKER_ENABLE=true
SHOULD_LINEMERGE = false
TRUNCATE=1000000 TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src FIELDALIAS-src_for_cpu = host as src
@ -570,19 +578,6 @@ FIELDALIAS-dest = host as dest
# from forwarders on which the older scripts are still in use should # from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly. # be able to search new and old data seamlessly.
###### Global ######
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
## support for linux only ## support for linux only
[Linux:SELinuxConfig] [Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules" EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
@ -655,9 +650,10 @@ FIELDALIAS-dest = host as dest
[source::...Unix:Version] [source::...Unix:Version]
SHOULD_LINEMERGE = false SHOULD_LINEMERGE = false
FIELDALIAS-family_for_nix_version = os_name as family EVAL-description = "script"
EVAL-family = coalesce(kernel_name, os_name)
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-version_for_nix_version = os_release as version EVAL-version = if(isnotnull(kernel_version),os_version,os_release)
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null()) EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
EVAL-vendor_product = if(isnotnull(os_name),os_name,null()) EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
@ -745,13 +741,16 @@ EVENT_BREAKER_ENABLE = true
## Event extractions by type ## Event extractions by type
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app) EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action) EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null()) EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature)
EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null())
EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src)
EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null())
REPORT-dest_for_linux_secure = loghost_as_dest REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
@ -803,3 +802,6 @@ SHOULD_LINEMERGE = false
TIME_PREFIX = audit\( TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23 MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650 MAX_DAYS_AGO=3650
EXTRACT-proctitle = .*proctitle=(?<proctitle>.*)$
EXTRACT-execve_command = .*type=EXECVE.*a0=(?<execve_command>.*)$
EVAL-execve_command = replace(execve_command, "a\d+=", "")
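Review bot: `EVAL-user_role` in the authentication stanza (presumably `[linux_secure]`; its header is outside the hunk) writes the misspelled value `"administator"`, so a search or data-model constraint on `user_role=administrator` never matches; it should read `EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administrator", null())`. The audit extraction at the end, `EXTRACT-execve_command` followed by `EVAL-execve_command`, rebuilds the whole argument list by stripping the `aN=` keys from everything after `a0=`, which is reasonable but non-obvious; a comment above it stating that `execve_command` is the reconstructed command line, and that auditd typically hex-encodes `proctitle` (and individual EXECVE arguments it cannot print), so these fields are not always readable text, would prevent a false bug report later.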


@ -262,6 +262,18 @@ authentication = enabled
remote = enabled remote = enabled
## sshd ## sshd
## Network_Sessions
[eventtype=sshd_session_start]
network = enabled
session = enabled
start = enabled
[eventtype=sshd_session_end]
network = enabled
session = enabled
end = enabled
[eventtype=sshd_authentication] [eventtype=sshd_authentication]
authentication = enabled authentication = enabled
remote = enabled remote = enabled
@ -834,8 +846,6 @@ system = enabled
version = enabled version = enabled
inventory = enabled inventory = enabled
oshost = enabled oshost = enabled
cpu = enabled
memory = enabled
## VSFTDP Config ## VSFTDP Config


@ -201,7 +201,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm,
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB) INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field] [extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU) INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0")
[metric-schema:extract_metrics_iostat] [metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
@ -294,25 +294,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs
REGEX = exe=.*\/(\S+)\" REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1 FORMAT = command::$1
## Network_Sessions
# SSHD evnets for OpenSSH >= v9.8
# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
[sshd-session-login-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1
# Jan 3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2
[sshd-session-login-accepted]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"started" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth]
[sshd-session-invalid-user]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234
[sshd-session-connection-close]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"ended" signature::$1 src_ip::$2
# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
[sshd-session-key-negotiation-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found
FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1
# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format
[sshd-session-banner-exchange-failed]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format
FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1
# Jan 2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER
[sshd-session-shadow-info-error]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+)
FORMAT = action::"blocked" signature::$1 user::$2
# Jan 3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0)
[sshd-session-pam_unix_authentication_success]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5
# Jan 3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out
[sshd-session-read-error-timeout]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out)
FORMAT = action::"ended" src_ip::$1 signature::$2
# Jan 3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234
[sshd-session-disconnect]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))
FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3
# Jan 3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user
[sshd-session-closed-for-user]
REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$
FORMAT = action::"ended" signature::$1 user::$2
## Authentication ## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2 # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted] [ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5 FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2 # Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2
# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2]
[ssh-login-failed] [ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5 FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user] [ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5 FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
@ -330,8 +390,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4 FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user
[ssh-disconnect] [ssh-disconnect]
REGEX = (Received disconnect) from ([^\s]+): REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+)
FORMAT = name::$1 src_ip::$2 FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success] [sshd_authentication_kerberos_success]
@ -358,6 +419,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
[linux_secure_pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user"
[passwd-auth-failure] [passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure) REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure" FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
@ -476,26 +541,6 @@ FORMAT = signature::$1
## ##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service ## Service
[nix_linux_service_startmode_lookup] [nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv filename = nix_linux_service_startmodes.csv
@ -504,10 +549,6 @@ filename = nix_linux_service_startmodes.csv
[nix_da_update_status_lookup] [nix_da_update_status_lookup]
filename = nix_da_update_status.csv filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version ## Version
[nix_da_version_range_lookup] [nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv filename = nix_da_version_ranges.csv
@ -515,24 +556,4 @@ filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup] [nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ###### ###### END CONTENT IMPORTED FROM TA-deploymentapps ######
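Review bot: `sshd-session-pam_unix_authentication_success` and the new `linux_secure_pam_unix_authentication_success` both match an sshd `pam_unix(...): session opened for user` line, and both are listed in props.conf's `REPORT-0authentication_for_linux_secure` alongside the pre-existing `pam_unix_authentication_success`, so one such event gets `action` written as both `started` and `success` (a multivalue field), with `signature`, `user` and `src_user` duplicated as well. Let a single stanza own `action` for that line — for example drop `action::"started"` from the sshd-session variant, since session start is already expressed by the tagged `sshd_session_start` eventtype, or have the generic stanza's REGEX exclude the `sshd`/`sshd-session` prefix. The address alternation repeated in every `sshd-session-*` stanza, `((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))`, also accepts fragments such as `1.2.3.` or a bare `:`; a short comment above the first stanza (whose heading comment also has the typo `evnets`) saying the pattern is deliberately permissive and `src_ip` is taken verbatim from the log without validation would help whoever tightens it later.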