Import Splunk Add-On for Unix and Linux version 9.2.0

This commit is contained in:
Michael Erdely 2024-12-24 23:51:57 -05:00
commit 92ac2630a1
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
77 changed files with 11487 additions and 0 deletions

LICENSES/Apache-2.0.txt Normal file

@ -0,0 +1,208 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION,
AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution
as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright
owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities
that control, are controlled by, or are under common control with that entity.
For the purposes of this definition, "control" means (i) the power, direct
or indirect, to cause the direction or management of such entity, whether
by contract or otherwise, or (ii) ownership of fifty percent (50%) or more
of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions
granted by this License.
"Source" form shall mean the preferred form for making modifications, including
but not limited to software source code, documentation source, and configuration
files.
"Object" form shall mean any form resulting from mechanical transformation
or translation of a Source form, including but not limited to compiled object
code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form,
made available under the License, as indicated by a copyright notice that
is included in or attached to the work (an example is provided in the Appendix
below).
"Derivative Works" shall mean any work, whether in Source or Object form,
that is based on (or derived from) the Work and for which the editorial revisions,
annotations, elaborations, or other modifications represent, as a whole, an
original work of authorship. For the purposes of this License, Derivative
Works shall not include works that remain separable from, or merely link (or
bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version
of the Work and any modifications or additions to that Work or Derivative
Works thereof, that is intentionally submitted to Licensor for inclusion in
the Work by the copyright owner or by an individual or Legal Entity authorized
to submit on behalf of the copyright owner. For the purposes of this definition,
"submitted" means any form of electronic, verbal, or written communication
sent to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems, and
issue tracking systems that are managed by, or on behalf of, the Licensor
for the purpose of discussing and improving the Work, but excluding communication
that is conspicuously marked or otherwise designated in writing by the copyright
owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
of whom a Contribution has been received by Licensor and subsequently incorporated
within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this
License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
Derivative Works of, publicly display, publicly perform, sublicense, and distribute
the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License,
each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable (except as stated in this section) patent
license to make, have made, use, offer to sell, sell, import, and otherwise
transfer the Work, where such license applies only to those patent claims
licensable by such Contributor that are necessarily infringed by their Contribution(s)
alone or by combination of their Contribution(s) with the Work to which such
Contribution(s) was submitted. If You institute patent litigation against
any entity (including a cross-claim or counterclaim in a lawsuit) alleging
that the Work or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses granted to You
under this License for that Work shall terminate as of the date such litigation
is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or
Derivative Works thereof in any medium, with or without modifications, and
in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy
of this License; and
(b) You must cause any modified files to carry prominent notices stating that
You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute,
all copyright, patent, trademark, and attribution notices from the Source
form of the Work, excluding those notices that do not pertain to any part
of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution,
then any Derivative Works that You distribute must include a readable copy
of the attribution notices contained within such NOTICE file, excluding those
notices that do not pertain to any part of the Derivative Works, in at least
one of the following places: within a NOTICE text file distributed as part
of the Derivative Works; within the Source form or documentation, if provided
along with the Derivative Works; or, within a display generated by the Derivative
Works, if and wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and do not modify the
License. You may add Your own attribution notices within Derivative Works
that You distribute, alongside or as an addendum to the NOTICE text from the
Work, provided that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and may provide
additional or different license terms and conditions for use, reproduction,
or distribution of Your modifications, or for any such Derivative Works as
a whole, provided Your use, reproduction, and distribution of the Work otherwise
complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any
Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without
any additional terms or conditions. Notwithstanding the above, nothing herein
shall supersede or modify the terms of any separate license agreement you
may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names,
trademarks, service marks, or product names of the Licensor, except as required
for reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to
in writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied, including, without limitation, any warranties
or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR
A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness
of using or redistributing the Work and assume any risks associated with Your
exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether
in tort (including negligence), contract, or otherwise, unless required by
applicable law (such as deliberate and grossly negligent acts) or agreed to
in writing, shall any Contributor be liable to You for damages, including
any direct, indirect, special, incidental, or consequential damages of any
character arising as a result of this License or out of the use or inability
to use the Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all other commercial
damages or losses), even if such Contributor has been advised of the possibility
of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work
or Derivative Works thereof, You may choose to offer, and charge a fee for,
acceptance of support, warranty, indemnity, or other liability obligations
and/or rights consistent with this License. However, in accepting such obligations,
You may act only on Your own behalf and on Your sole responsibility, not on
behalf of any other Contributor, and only if You agree to indemnify, defend,
and hold each Contributor harmless for any liability incurred by, or claims
asserted against, such Contributor by reason of your accepting any such warranty
or additional liability. END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following boilerplate
notice, with the fields enclosed by brackets "[]" replaced with your own identifying
information. (Don't include the brackets!) The text should be enclosed in
the appropriate comment syntax for the file format. We also recommend that
a file or class name and description of purpose be included on the same "printed
page" as the copyright notice for easier identification within third-party
archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
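Review bot: The file added here is the verbatim Apache License 2.0 text under LICENSES/Apache-2.0.txt, but the same commit also imports a "SPLUNK GENERAL TERMS" document whose use restrictions (no derivative works, no redistribution, Internal Business Purposes only) contradict the Apache grant. Before merging, state in the add-on's README or a NOTICE file which terms actually govern the imported add-on and which files, if any, are covered by each, so that downstream users of this repository are not left with two incompatible licences and no indication of which applies.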


@ -0,0 +1,400 @@
SPLUNK GENERAL TERMS
Last Updated: August 12, 2021
These Splunk General Terms (“General Terms”) between Splunk Inc., a Delaware corporation, with its principal place of business at 270 Brannan Street, San Francisco, California 94107, U.S.A (“Splunk” or “we” or “us” or “our”) and you (“Customer” or “you” or “your”) apply to the purchase of licenses and subscriptions for Splunks Offerings. By clicking on the appropriate button, or by downloading, installing, accessing or using the Offerings, you agree to these General Terms. If you are entering into these General Terms on behalf of Customer, you represent that you have the authority to bind Customer. If you do not agree to these General Terms, or if you are not authorized to accept the General Terms on behalf of the Customer, do not download, install, access, or use any of the Offerings.
See the General Terms Definitions Exhibit attached for definitions of capitalized terms not defined herein.
1. License Rights
(A) General Rights. You have the nonexclusive, worldwide, nontransferable and nonsublicensable right, subject to payment of applicable Fees and compliance with the terms of these General Terms, to use your Purchased Offerings for your Internal Business Purposes during the Term and up to the Capacity purchased.
(B) Copies for On-Premises Products. You have the right to make a reasonable number of copies of On-Premises Products for archival and back-up purposes.
(C) Splunk Extensions. You may use Splunk Extensions solely in connection with the applicable Purchased Offering subject to the same terms and conditions for that Offering (including with respect to Term) and payment of any Fees associated with the Splunk Extensions. Some Splunk Extensions may be made available under license terms that provide broader rights than the license rights you have to the applicable underlying Offering (e.g., if the Extension is Open Source Software). These broader rights will apply to that Splunk Extension. Splunk Extensions may be installed on Hosted Services pursuant to our instructions.
(D) Trials, Evaluations, Beta and Free Licenses.
(i) Trials and Evaluations. Offerings provided for trials and evaluations are provided at no charge, and their use will be for a limited duration.
(ii) Beta Licenses. Some Offerings and features may be available to you as a preview, or as an alpha, beta or other pre-release version (each, a “Beta Offering”). All rights for Beta Offerings are solely for internal testing and evaluation. Your use of a Beta Offering will be for the term specified by us, and if no term is specified, then for the earlier of one year from the start date of the Beta Offering or when that version of the Beta Offering becomes generally available. We may discontinue the Beta Offering at any time and may decide not to make any of the features and functionality generally available.
(iii) Free Licenses. From time to time, we may make certain Offerings available for full use (i.e., not subject to limited evaluation purposes) at no charge. These free Offerings may have limited features, functions, and other technical limitations.
(iv) Donated Offerings. Donated Offerings are free limited Offerings donated to qualifying Nonprofits under a Splunk donation program. By procuring and making use of a Donated Offering, you hereby represent and warrant that you are a lawfully organized Nonprofit, and you agree to provide verification of your nonprofit status to Splunk upon request. At Splunks request, you agree: (a) to publish a press release and case study on your use of the Donated Offering; and (b) to be interviewed for the production of a Splunk customer video that will accompany the press release and case study. Splunk will draft and edit all content in collaboration with you and will obtain your edits and written approval (email is sufficient) prior to publication, and such approval will not be unreasonably withheld. You will allow Splunk to reference your Nonprofit and leading spokespeople in press releases with your written approval (email is sufficient). Splunk may use your name and logo on sales presentations, websites, and other marketing collateral without your prior approval.
(E) Test and Development Licenses. For Offerings identified as “Test and Development” Offerings on your Order, you only have the right to use those Offerings up to the applicable Capacity on a non-production system for non-production uses, including product migration testing or pre-production staging, or testing new data sources, types, or use cases. Test and Development Offerings may not be used for any revenue generation, commercial activity, or other productive business or purpose.
(F) Limitations. Notwithstanding anything to the contrary in these General Terms, we do not provide maintenance and support, warranties, service level commitments, or indemnification for Test and Development Offerings, trials, evaluations, or free or Beta Offerings.
2. Purchasing Through Authorized Resellers, Digital Marketplaces, and Splunk Affiliates
(A) Authorized Resellers and Digital Marketplaces. If you purchase Offerings through a Splunk authorized reseller or Digital Marketplace, these General Terms will govern those Offerings. Your payment obligations for the Purchased Offerings will be with the authorized reseller or Digital Marketplace, as applicable, not Splunk. You will have no direct Fee payment obligations to Splunk for those Offerings. However, in the event that you fail to pay the Digital Marketplace for your Purchased Offerings, Splunk retains the right to enforce your payment obligations and collect directly from you.
Any terms agreed to between you and the authorized reseller that are in addition to these General Terms are solely between you and the authorized reseller and Digital Marketplace, as applicable. No agreement between you and an authorized reseller or Digital Marketplace is binding on Splunk or will have any force or effect with respect to the rights in, or the operation, use or provision of, the Offerings.
(B) Splunk Affiliate Distributors. Splunk has appointed certain Splunk Affiliates as its non-exclusive distributors of the Offerings (each, a “Splunk Affiliate Distributor”). Each Splunk Affiliate Distributor is authorized by Splunk to negotiate and enter into Orders with Customers. Where a purchase from Splunk is offered by a Splunk Affiliate Distributor, Customer will issue Orders, and make payments, to the Splunk Affiliate Distributor which issued the quote for the Offering. Each Order will be deemed a separate contract between Customer and the relevant Splunk Affiliate Distributor and will be subject to these General Terms. For the avoidance of doubt, Customer agrees that: (i) the total liability of Splunk under these General Terms as set forth in Section 22 (Limitation of Liability) states the overall combined liability of Splunk and Splunk Affiliate Distributors; (ii) the entering into Orders by a Splunk Affiliate Distributor will not be deemed to expand Splunk and its Affiliates overall responsibilities or liability under these General Terms; and (iii) Customer will have no right to recover more than once from the same event.
3. Your Contractors and Third-Party Providers
You may permit your authorized consultants, contractors, and agents (“Third-Party Providers”) to access and use your Purchased Offerings, but only on your behalf in connection with providing services to you, and subject to the terms and conditions of these General Terms. Any access or use by a Third-Party Provider will be subject to the same limitations and restrictions that apply to you under these General Terms, and you will be responsible for any Third-Party Providers actions relating to their use of the Offering. The aggregate use by you and all of your Third-Party Providers must not exceed the Capacity purchased, and nothing in this Section is intended to or will be deemed to increase such Capacity.
4. Hosted Services and Specific Offering Terms
(A) Service Levels. When you purchase Hosted Services as a Purchased Offering, we will make the applicable Hosted Services available to you during the Term in accordance with these General Terms. The Service Level Schedules (as identified in the Specific Offering Terms referenced in Section 4(F) below) and associated remedies will apply to the availability and uptime of the applicable Hosted Service. If applicable, service credits will be available for downtime in accordance with the Service Level Schedule.
(B) Connections. You are responsible for obtaining and maintaining all telecommunications, broadband and computer equipment and services needed to access and use Hosted Services, and for paying all associated charges.
(C) Your Responsibility for Data Protection. You are responsible for: (i) selecting from the security configurations and security options made available by Splunk in connection with a Hosted Service; (ii) taking additional measures outside of the Hosted Service to the extent the Hosted Service Offering does not provide the controls that may be required or desired by you; and (iii) routine archiving and backing up of Customer Content. You agree to notify Splunk promptly if you believe that an unauthorized third party may be using your accounts or if your account information is lost or stolen.
(D) Refund Upon Termination for Splunks Breach. If a Hosted Service is terminated by you for Splunks uncured material breach in accordance with these General Terms, Splunk will refund you any prepaid subscription fees covering the remainder of the Term after the effective date of termination.
(E) Return of Customer Content. Customer Content may be retrieved by you and removed from the Hosted Services in accordance with the applicable Documentation. We will make the Customer Content available on the Hosted Services for thirty (30) days after termination of a subscription for your retrieval. After that thirty (30) day period, we will have no obligation to maintain the storage of your Customer Content, and you hereby authorize us thereafter to, and we will, unless legally prohibited, delete all remaining Customer Content. If you require assistance in connection with migration of your Customer Content, depending on the nature of the request, we may require a mutually agreed upon fee for assistance.
(F) Specific Offering Terms. Specific security controls and certifications, data policies, service descriptions, Service Level Schedules and other terms specific to a Hosted Service and other Offerings (“Specific Offering Terms”) are set forth here: www.splunk.com/SpecificTerms, and will apply, and be deemed incorporated herein by reference.
5. Support and Maintenance
The specific Support Program included with a Purchased Offering will be identified in the applicable Order. Splunk will provide the purchased level of support and maintenance services in accordance with the terms of the Support Exhibit attached to these General Terms.
6. Configuration and Implementation Services
Splunk offers standard services to implement and configure your Purchased Offerings. These services are purchased under an Order and are subject to the payment of the Fees therein and the terms of the Configuration and Implementation Services Exhibit attached to these General Terms.
7. Data Protection for Personal Data
Splunk will follow globally recognized data protection principles and industry-leading standards for the security of personal data. Splunk will comply with the requirements and obligations set forth in Splunks Data Protection Addendum (“DPA”), located at https://www.splunk.com/en_us/legal/splunk-dpa.html, which includes standard terms for the processing of personal data (including, as applicable, personal data in a Hosted Service).
8. Security
(A) Security for Hosted Services: Standard Environment. Splunk will implement industry leading security safeguards for the protection of Customer Confidential Information, including Customer Content transferred to and stored within the Hosted Services. These safeguards include commercially reasonable administrative, technical, and organizational measures to protect Customer Content against destruction, loss, alteration, unauthorized disclosure, or unauthorized access, including such things as information security policies and procedures, security awareness training, threat and vulnerability management, incident response and breach notification, and vendor risk management. Splunks technical safeguards are further described in the Splunk Cloud Platform Security Addendum (“SC-SA”), located at https://www.splunk.com/en_us/legal/splunk-cloud-security-addendum.html, and the Observability Suite Security Addendum (“OS-SA”), located at https://www.splunk.com/en_us/legal/splunk-observability-security-addendum.html, as applicable, and are incorporated herein by reference.
(B) Security for Hosted Services: Premium HIPAA Environment. For Hosted Services Offerings provisioned in Splunk Cloud Platforms Premium HIPAA environment (as specified in an Order), in addition to the protections under the SC-SA and these General Terms, Splunk will comply with the requirements and obligations set forth in Splunk Business Associate Agreement found here: https://www.splunk.com/en_us/legal/splunk-baa.html.
(C) Additional Security for Other Hosted Services. From time to time, Splunk may offer custom security safeguards for unique Hosted Services offerings. Any such security safeguards will be as set forth in the applicable Documentation and Specific Offering Terms.
(D) Security for On Premises Offerings. Splunk will implement industry leading security safeguards for the protection of Splunks IT systems, products, facilities and assets, and any Customer Confidential Information accessed or processed therein, e.g., customer account information, support tickets (“Corporate Security Controls”). Splunks Corporate Security Controls include such things as information security policies and procedures, security awareness training, physical and environmental access controls, threat and vulnerability management, incident response and breach notification, and vendor risk management. Splunks Corporate Security Controls are further described in Splunks Information Security Addendum (“ISA”), located at https://www.splunk.com/en_us/legal/information-security-addendum.html and are incorporated herein by reference.
(E) Product Development Security. Splunk will follow secure software development practices and applies an industry standard, risk-based approach to its software development lifecycle (“SDLC”), which includes, as applicable, such things as performing security architecture reviews, open source security scans, virus detection, dynamic application security testing, network vulnerability scans and external penetration testing in the development environment. Product-specific information about the SDLC in our Offerings is detailed more fully in the ISA. Splunks Product Security Portal, located at https://www.splunk.com/en_us/product-security.html, contains detailed information about Splunks program for managing and communicating product vulnerabilities. Splunk categorizes product vulnerabilities in accordance with the Common Vulnerability Scoring System (“Medium,” “High,” or “Critical”) and uses commercially reasonable efforts to remediate vulnerabilities depending on their severity level in accordance with industry standards.
(F) Maintaining Protections. Notwithstanding anything to contrary in these General Terms, or any policy or terms referenced herein via hyperlink (or any update thereto), Splunk may not, during a Term materially diminish the security protections set forth in these General Terms, any Specific Offering Terms, or the applicable security addendum.
9. Use Restrictions
Except as expressly permitted in an Order, these General Terms or our Documentation, you agree not to (nor allow any user or Third Party Provider to): (a) reverse engineer (except to the extent specifically permitted by statutory law), decompile, disassemble or otherwise attempt to discover source code or underlying structures, ideas or algorithms of any Offering; (b) modify, translate or create derivative works based on the Offerings; (c) use an Offering for service bureau purposes, or for any purpose other than your own Internal Business Purposes; (d) resell, transfer or distribute any Offering; (e) access or use any Offering in order to monitor its availability, performance, or functionality for competitive purposes; (f) attempt to disable or circumvent any license key or other technological mechanisms or measures intended to prevent, limit or control use or copying of, or access to, Offerings; (g) separately use any of the applicable features and functionalities of the Offerings with external applications or code not furnished by Splunk or any data not processed by the Offering; (h) exceed the Capacity purchased or (i) use any Offering in violation of all applicable laws and regulations (including but not limited to any applicable privacy and intellectual property laws).
10. Our Ethics, Compliance and Corporate Responsibility
(A) Ethics and Corporate Responsibility. Splunk is committed to acting ethically and in compliance with applicable law, and we have policies and guidelines in place to provide awareness of, and compliance with, the laws and regulations that apply to our business globally. We are committed to ethical business conduct, and we use diligent efforts to perform in accordance with the highest global ethical principles, as described in the Splunk Code of Conduct and Ethics found here: https://investors.splunk.com/code-business-conduct-and-ethics-1.
(B) Anti-Corruption. We implement and maintain programs for compliance with applicable anti-corruption and anti-bribery laws. Splunk policy prohibits the offering or soliciting of any illegal or improper bribe, kickback, payment, gift, or thing of value to or from any of your employees or agents in connection with these General Terms. If we learn of any violation of the above, we will use reasonable efforts to promptly notify you at the main contact address provided by you to Splunk.
(C) Export. We certify that Splunk is not on any of the relevant U.S. or EU government lists of prohibited persons, including the Treasury Departments List of Specially Designated Nationals and the Commerce Departments List of Denied Persons or Entity List. Export information regarding our Offerings, including our export control classifications for our Offerings, is found here: https://www.splunk.com/en_us/legal/export-controls.html.
11. Usage Data
From time to time, Splunk may collect Usage Data generated as a by-product of your use of Offerings (e.g., technical information about your operating environment and sessions, systems architecture, page loads and views, product versions, number and type of searches, number of users, source type and format). Usage Data does not include Customer Content. We collect Usage Data for a variety of reasons, such as to identify, understand, and anticipate performance issues and the factors that affect them, to provide updates and personalized experiences to customers, and to improve the Splunk Offerings. Details on Splunks Usage Data collection practices are set forth in Splunk's Privacy Policy found here: https://www.splunk.com/en_us/legal/privacy/privacy-policy.html.
12. Capacity and Usage Verification
(A) Certification and Verification. At Splunks request, you will furnish Splunk a certification signed by your authorized representative verifying that your use of the Purchased Offering is in accordance with these General Terms and the applicable Order. For On-Premises Products, we may also ask you from time to time, but not more frequently than once per calendar period, to cooperate with us to verify usage and adherence to purchased Capacities. If Splunk requests a verification process, you agree to provide Splunk reasonable access to the On-Premises Product installed at your facility (or as hosted by your Third-Party Provider). If Splunk does any verification, it will be performed with as little interference as possible to your use of the On-Premises Product and your business operations. Splunk will comply with your (or your Third-Party Providers) reasonable security procedures.
(B) Overages. If a verification or usage report reveals that you have exceeded the purchased Capacity or usage rights for your Purchased Offering (e.g., used as a service bureau) during the period reviewed, then we will have the right to invoice you using the applicable Fees at list price then in effect, which will be payable in accordance with these General Terms. Without limiting Splunks foregoing rights, with respect to Hosted Services, Splunk may work with you to reduce usage so that it conforms to the applicable usage limit, and we will in good faith discuss options to right size your subscription as appropriate. Notwithstanding anything to the contrary herein, Splunk will have the right to directly invoice you for overages, regardless of whether you purchased the Purchased Offering from an authorized reseller or Digital Marketplace. See the Specific Offering Terms for any additional information related to overages for a Hosted Service.
13. Our Use of Open Source
Certain Offerings may contain Open Source Software. Splunk makes available in the applicable Documentation a list of Open Source Software incorporated in our On-Premises Products as required by the respective Open Source Software licenses. Any Open Source Software that is delivered as part of your Offering and which may not be removed or used separately from the Offering is covered by the warranty, support and indemnification provisions applicable to the Offering. Some of the Open Source Software may have additional terms that apply to the use of the Offering (e.g., the obligation for us to provide attribution of the specific licensor), and those terms will be included in the Documentation; however, these terms will not (a) impose any additional restrictions on your use of the Offering, or (b) negate or amend any of our responsibilities with respect to the Offering.
14. Splunk Developer Tools and Customer Extensions
Splunk makes Splunk Developer Tools available to you so you can develop Extensions for use with your Purchased Offerings (Extensions that you develop, “Customer Extensions”).
You have a nonexclusive, worldwide, nontransferable, nonsublicensable right, subject to the terms of these General Terms, to use Splunk Developer Tools to develop your Customer Extensions, including to support interoperability between the Offering and your system or environment. Splunk proprietary legends or notices contained in the Splunk Developer Tools may not be removed or altered when used in or with your Customer Extension. You retain title to your Customer Extensions, subject to Splunk's ownership in our Offerings and any materials and technology provided by Splunk in connection with the Splunk Developer Tools. You agree to assume full responsibility for the performance and distribution of Customer Extensions.
15. Third Party Products, Third-Party Extensions, Third-Party Content and Unsupported Splunk Extensions
(A) Third-Party Extensions on Splunkbase. Splunk makes Extensions developed and/or made available by a third-party on Splunkbase (“Third-Party Extension”) available for download or access as a convenience to its customers. Splunk makes no promises or guarantees related to any Third-Party Extension, including the accuracy, integrity, quality, or security of the Third-Party Extension. Nothing in these General Terms or on Splunkbase will be deemed to be a representation or warranty by Splunk with respect to any Third-Party Extension, even if a particular Third-Party Extension is identified as “certified” or “validated” for use with an Offering. We may, in our reasonable discretion, block or disable access to any Third-Party Extension at any time. Your use of a Third-Party Extension is at your own risk and may be subject to any additional terms, conditions, and policies applicable to that Third-Party Extension (such as license terms, terms of service, or privacy policies of the providers of such Third-Party Extension). Third-Party Extensions may be installed on Hosted Services pursuant to our instructions.
(B) Third-Party Content. Hosted Services may contain features or functions that enable interoperation with Third-Party Content that you, in your sole discretion, choose to add to a Hosted Service. You may be required to obtain access separately to such Third-Party Content from the respective providers, and you may be required to grant Splunk access to your accounts with such providers to the extent necessary for Splunk to allow the interoperation with the Hosted Service. By requesting or allowing Splunk to enable access to such Third-Party Content in connection with the Hosted Services, you certify that you are authorized under the provider's terms to allow such access. If you install or enable (or direct or otherwise authorize Splunk to install or enable) Third-Party Content for use with a Hosted Service where the interoperation includes access by the third-party provider to your Customer Content, you hereby authorize Splunk to allow the provider of such Third-Party Content to access Customer Content as necessary for the interoperation. You agree that Splunk is not responsible or liable for disclosure, modification or deletion of Customer Content resulting from access to Customer Content by such Third-Party Content, nor is Splunk liable for any damages or downtime that you may incur or any impact on your experience of the Hosted Service, directly or indirectly, as a result of your use of and/or reliance upon, any Third-Party Content, sites or resources.
(C) Splunk As a Reseller. When you purchase third party products ("Third Party Products") from Splunk as specified in an Order (which products shall include third party software, but not any support which Splunk itself has contracted to provide), the following provision applies. Splunk acts solely as a reseller of Third Party Products, which are fulfilled by the relevant third party vendor ("Third Party Vendor"), and the purchase and use of Third Party Products is subject solely to the terms, conditions and policies made available by such Third Party Vendor. Consequently, Splunk makes no representation or warranty of any kind regarding the Third Party Products, whether express, implied, statutory or otherwise, and specifically disclaims all implied terms, conditions and warranties (including as to quality, performance, availability, fitness for a particular purpose or non-infringement) to the maximum extent permitted by applicable law. You will bring any claim in relation to Third Party Products against the applicable Third Party Vendor directly. In no event will Splunk be liable to you for any claim, loss or damage arising out of the use, operation or availability of Third Party Product (whether such liability arises in contract, negligence, tort, or otherwise).
(D) Unsupported Splunk Extensions. The Service Level Schedule commitments for any applicable Hosted Services will not apply to Splunk Extensions labeled on Splunkbase as “Not Supported.” You agree that Splunk is not responsible for any impact on your experience of a Hosted Service, as a result of your installation and/or use of any “Not Supported” Splunk Extensions, and that your sole remedy will be to remove the “Not Supported” Splunk Extension from the applicable Hosted Service. Further, some Splunk Extensions may not be compatible or certified for use with that Hosted Service (e.g., only specific Splunk Extensions are validated for our FedRAMP authorized environment for Splunk Cloud Platform). Please refer to the applicable Documentation for more information related to the Splunk Extensions compatible with your specific Purchased Offering.
16. Your Compliance
(A) Lawful Use of Offerings. When you access and use an Offering, you are responsible for complying with all laws, rules, and regulations applicable to your access and use. This includes being responsible for your Customer Content and users, for your users' compliance with these General Terms, and the accuracy, lawful use of, and the means by which you acquired your Customer Content. You may not transmit and/or store PHI Data, PCI Data or ITAR Data within a Hosted Service unless you have specifically purchased a Purchased Offering for that applicable regulated Hosted Services environment (as identified in an Order).
(B) Registration. You agree to provide accurate and complete information when you register for and use any Offering and agree to keep this information current. Each person who uses any Offering must have a separate username and password. For Hosted Services, you must provide a valid email address for each person authorized to use your Hosted Services, and you may only have one person per username and password. Splunk may reasonably require additional information in connection with certain Offerings (e.g., technical information necessary for your connection to a Hosted Service), and you will provide this information as reasonably requested by Splunk. You are responsible for securing, protecting, and maintaining the confidentiality of your account usernames, passwords and access tokens.
(C) Export Compliance. You will comply with all applicable export laws and regulations of the United States and any other country ("Export Laws") where your users use any of the Offerings. You certify that you are not on any of the relevant U.S. government lists of prohibited persons, including the Treasury Department's List of Specially Designated Nationals and the Commerce Department's List of Denied Persons or Entity List. You will not export, re-export, ship, transfer or otherwise use the Offerings in any country subject to an embargo or other sanction by the United States, including, without limitation, Iran, Syria, Cuba, the Crimea Region of Ukraine, Sudan and North Korea, and you will not use any Offering for any purpose prohibited by the Export Laws.
(D) GovCloud Services. If you access or use any Hosted Services in the specially isolated Amazon Web Services (“AWS”) GovCloud (US) region (including without limitation any Hosted Services that are provisioned in a FedRAMP authorized environment), you represent and warrant that users will only access the Hosted Services in the AWS GovCloud (US) region if users: (i) are “US Person(s)” as defined under ITAR (see 22 CFR part 120.15); (ii) have and will maintain a valid Directorate of Defense Trade Controls registration, if required by ITAR; (iii) are not subject to export control restrictions under US export control laws and regulations (i.e., users are not denied or debarred parties or otherwise subject to sanctions); and (iv) maintain an effective compliance program to ensure compliance with applicable US export control laws and regulations, including ITAR, as applicable. If you access or use any Hosted Services in an IL5 authorized environment, you further represent and warrant that only users who are US citizens will access the Hosted Services. You are responsible for verifying that any user accessing Customer Content in the Hosted Services in the AWS GovCloud (US) region is eligible to access such Customer Content. The Hosted Services in the AWS GovCloud (US) region may not be used to process or store classified data. You will be responsible for all sanitization costs incurred by Splunk if users introduce classified data into the Hosted Services in the AWS GovCloud (US) region. For selected FedRAMP authorized regions, you may be required to execute additional addendums to this agreement prior to provisioning of Hosted Services.
(E) Acceptable Use. Without limiting any terms under these General Terms, you will also abide by our Hosted Services acceptable use policy: https://www.splunk.com/view/SP-CAAAMB6.
17. Confidentiality
(A) Confidential Information. Each party will protect the Confidential Information of the other. Accordingly, Receiving Party agrees to: (i) protect the Disclosing Party's Confidential Information using the same degree of care (but in no event less than reasonable care) that it uses to protect its own Confidential Information of a similar nature; (ii) limit use of Disclosing Party's Confidential Information for purposes consistent with these General Terms, and (iii) use commercially reasonable efforts to limit access to Disclosing Party's Confidential Information to its employees, contractors and agents or those of its Affiliates who have a bona fide need to access such Confidential Information for purposes consistent with these General Terms and who are subject to confidentiality obligations no less stringent than those herein.
(B) Compelled Disclosure of Confidential Information. Notwithstanding the foregoing terms, the Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law enforcement agencies or regulators to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled to disclose the Disclosing Party's Confidential Information as part of a civil proceeding to which the Disclosing Party is a Party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.
18. Payment
The payment terms below only apply when you purchase Offerings directly from Splunk. When you purchase from an authorized reseller or Digital Marketplace, the payment terms are between you and the authorized reseller or Digital Marketplace. However, a breach of your payment obligations for an Offering with a Digital Marketplace will be deemed a breach of this Section 18.
(A) Fees. You agree to pay all Fees specified in the Orders. Fees are non-cancelable and non-refundable, except as otherwise expressly set forth in these General Terms. Without limiting any of our other rights or remedies herein, overdue charges may accrue interest monthly at the rate of 1.5% of the then-outstanding unpaid balance, or the maximum rate permitted by law, whichever is lower. Fees are due and payable either within 30 days from the date of Splunk's invoice or as otherwise stated in the Order.
(B) Credit Cards. If you pay by credit or debit card, you: (i) will provide Splunk or its designated third-party payment processor with valid credit or debit card information; and (ii) hereby authorize Splunk or its designated third-party payment processor to charge such credit or debit card for all items listed in the applicable Order. Such charges must be paid in advance or in accordance with any different billing frequency stated in the applicable Order. You are responsible for providing complete and accurate billing and contact information and notifying Splunk in a timely manner of any changes to such information.
(C) Taxes. All Fees quoted are exclusive of applicable taxes and duties, including any applicable sales and use tax. You are responsible for paying any taxes or similar government assessments (including, without limitation, value-added, sales, use or withholding taxes). We will be solely responsible for taxes assessable against us based on our net income, property, and employees.
19. Splunk's Warranties
(A) Relationship to Applicable Law. We will not seek to limit our liability, or any of your warranties, rights and remedies, to the extent the limits are not permitted by applicable law (e.g., warranties, remedies or liabilities that cannot be excluded by applicable law).
(B) General Corporate Warranty. Splunk warrants that it has the legal power and authority to enter into these General Terms.
(C) Hosted Services Warranty. Splunk warrants that during the applicable Term: (i) Splunk will not materially decrease the overall functionality of the Hosted Services; and (ii) the Hosted Services will perform materially in accordance with the applicable Documentation. Our sole and exclusive liability, and your sole and exclusive remedy for any breach of these warranties, will be your right to terminate the applicable Hosted Services Purchased Offering, and we will refund to you any prepaid but unused Fees for the remainder of the Term.
(D) On-Premises Product Warranty. Splunk warrants that for a period of ninety (90) days from the Delivery of an On-Premises Product, the On-Premises Product will substantially perform the material functions described in the applicable Documentation for such On-Premises Product, when used in accordance with the applicable Documentation. Splunk's sole liability, and your sole remedy, for any failure of the On-Premises Product to conform to the foregoing warranty, is for Splunk to do one of the following (at Splunk's sole option and discretion): (i) modify, or provide an Enhancement for, the On-Premises Product so that it conforms to the foregoing warranty, (ii) replace your copy of the On-Premises Product with a copy that conforms to the foregoing warranty, or (iii) terminate the Purchased Offering with respect to the non-conforming On-Premises Product and refund the Fees paid by you for such non-conforming On-Premises Product.
(E) Disclaimer of Implied Warranties. Except as expressly set forth above, the Offerings are provided “as is” with no warranties or representations whatsoever express or implied. Splunk and its suppliers and licensors disclaim all warranties and representations, including any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, noninfringement, or quiet enjoyment, and any warranties arising out of course of dealing or trade usage. Splunk does not warrant that use of Offerings will be uninterrupted, error free or secure, or that all defects will be corrected.
20. Ownership
(A) Offerings. As between you and Splunk, Splunk owns and reserves all right, title, and interest in and to the Offerings, developer tools and other Splunk materials, including all intellectual property rights therein. We retain rights in anything delivered or developed by us or on our behalf under these General Terms. No rights are granted to you other than as expressly set forth in these General Terms.
(B) Customer Content. You own and reserve all right, title and interest in your Customer Content. By sending Customer Content to a Hosted Service, you grant us a worldwide, royalty free, non-exclusive license to access and use the Customer Content for purposes of providing you the Hosted Service.
(C) Feedback. You have no obligation to provide us with ideas for improvement, suggestions, or other feedback (collectively, “Feedback”) in connection with an Offering, unless otherwise expressly set forth in the applicable Order. If, however, you provide any Feedback, you hereby grant to Splunk a non-exclusive, transferable, irrevocable, worldwide, royalty-free license (with rights to sublicense) to make, use, sell, offer to sell, reproduce, modify, distribute, make available, publicly display and perform, disclose and otherwise commercially exploit the Feedback.
21. Term and Termination
(A) Term and Renewal. These General Terms will commence upon the Effective Date and will remain in effect until the expiration of all applicable Purchased Offerings, unless earlier terminated pursuant to this Section. Termination of a specific Purchased Offering will not affect the Term of any other Purchased Offering. Termination of these General Terms will have the effect of terminating all Purchased Offerings. Grounds for terminating a Purchased Offering (e.g., for non-payment), that are specific to the Purchased Offering, will not be grounds to terminate Purchased Offerings where no breach exists. Unless indicated otherwise in an Order, the Term of a Purchased Offering (and these General Terms) will automatically renew for an additional period of time equal to the length of the preceding Term, unless one party notifies the other of its intent not to renew at least one (1) day in advance of the expiration of the Term or then-current renewal period.
(B) Termination. Either party may terminate these General Terms, or any Purchased Offering, by written notice to the other party in the event of a material breach of these General Terms, or the specific terms associated with that Purchased Offering, that is not cured within thirty (30) days of receipt of the notice. Upon any expiration or termination of a Purchased Offering, the rights and licenses granted to you for that Purchased Offering will automatically terminate, and you agree to immediately (i) cease using and accessing the Offering, (ii) return or destroy all copies of any On-Premises Products and other Splunk materials and Splunk Confidential Information in your possession or control, and (iii) upon our request, certify in writing the completion of such return or destruction. Upon termination of these General Terms or any Purchased Offering, Splunk will have no obligation to refund any Fees or other amounts received from you during the Term. Notwithstanding any early termination above, except for your termination for our uncured material breach, you will still be required to pay all Fees payable under an Order.
(C) Survival. The termination or expiration of these General Terms will not affect any provisions herein which by their nature survive termination or expiration, including the provisions that deal with the following subject matters: definitions, ownership of intellectual property, confidentiality, payment obligations, effect of termination, limitation of liability, privacy, and the “Miscellaneous” section in these General Terms.
(D) Suspension of Service. In the event of a material breach or threatened material breach of this Agreement, Splunk may, without limiting its other rights and remedies, suspend your use of the Hosted Service until such breach is cured or Splunk reasonably believes there is no longer a threat, provided that, we will give you at least five (5) days prior notice before suspension. Suspension of a Hosted Service will have no impact on the duration of the Term of the Purchased Offering, or the associated Fees owed.
22. Limitation of Liability
In no event will the aggregate liability of either party, together with any of its Affiliates, arising out of or related to any Purchased Offering exceed the total amount paid by you for that Purchased Offering in the twelve (12) months preceding the first incident out of which the liability arose. However, the foregoing limitation will not limit your obligations under the "Payment" section above and will not be deemed to limit your rights to any service level credits under any applicable Service Level Schedule. Furthermore, the cap above will not be deemed to limit Splunk's right to recover amounts for your use of an Offering in excess of the Capacity purchased or use outside of Internal Business Purposes.
In no event will either party or its Affiliates have any liability arising out of or related to these General Terms for any lost profits, revenues, goodwill, or indirect, special, incidental, consequential, cover, business interruption or punitive damages.
The foregoing limitations will apply whether the action is in contract or tort and regardless of the theory of liability, even if a party or its Affiliates have been advised of the possibility of such damages or if a party's or its Affiliates' remedy otherwise fails of its essential purpose.
The limitation of liability herein will not apply to a party's infringement of the other party's intellectual property rights, indemnification obligations, or the fraud, gross negligence or willful misconduct of a party.
The foregoing disclaimers of damages will also not apply to the extent prohibited by law. Some jurisdictions do not allow the exclusion or limitation of certain damages. To the extent such a law applies to you, some or all of the exclusions or limitations set forth above may not apply to you, and you may have additional rights.
23. Indemnity
(A) Our Indemnification to You. Splunk will defend and indemnify you, and pay all damages (including attorneys' fees and costs) awarded against you, or that are agreed to in a settlement, to the extent a claim, demand, suit or proceeding is made or brought against you or your Affiliates by a third party (including those brought by a government entity) alleging that a Purchased Offering infringes or misappropriates such third party's patent, copyright, trademark or trade secret (a "Customer Claim"). Splunk will have no obligation under the foregoing provision to the extent a Customer Claim arises from your breach of these General Terms, your Customer Content, Third-Party Extension, or the combination of the Offering with: (i) Customer Content; (ii) Third-Party Extensions; (iii) any software other than software provided by Splunk; or (iv) any hardware or equipment. However, Splunk will indemnify against combination claims to the extent (y) the combined software is necessary for the normal operation of the Purchased Offering (e.g., an operating system), or (z) the Purchased Offering provides substantially all the essential elements of the asserted infringement or misappropriation claim. Splunk may in its sole discretion and at no cost to you: (1) modify any Purchased Offering so that it no longer infringes or misappropriates a third party right, (2) obtain a license for your continued use of the Purchased Offering, in accordance with these General Terms, or (3) terminate the Purchased Offering and refund to you any prepaid fees covering the unexpired Term.
(B) Your Indemnification to Us. Unless expressly prohibited by applicable law, you will defend and indemnify us, and pay all damages (including attorneys' fees and costs) awarded against Splunk, or that are agreed to in a settlement, to the extent a claim, demand, suit or proceeding is made or brought against Splunk or its Affiliates by a third party (including those brought by a government entity) that: (i) alleges that your Customer Content or Customer Extensions infringes or misappropriates such third party's patent, copyright, trademark or trade secret, or violates another right of a third party; or (ii) alleges that your Customer Content or your use of any Offering violates applicable law or regulation.
(C) Mutual Indemnity. Each party will defend, indemnify and pay all damages (including attorneys' fees and costs) awarded against the other party, or that are agreed to in a settlement, to the extent that an action brought against the other party by a third party is based upon a claim for bodily injury (including death) to any person, or damage to tangible property resulting from the negligent acts or willful misconduct of the indemnifying party or its personnel hereunder, and will pay any reasonable, direct, out-of-pocket costs, damages and reasonable attorneys' fees attributable to such claim that are awarded against the indemnified party (or are payable in settlement by the indemnified party).
(D) Process for Indemnification. The indemnification obligations above are subject to the party seeking indemnification: (i) providing the other party with prompt written notice of the specific claim; (ii) giving the indemnifying party sole control of the defense and settlement of the claim (except that the indemnifying party may not settle any claim that requires any action or forbearance on the indemnified party's part without the indemnified party's prior consent, which will not be unreasonably withheld or delayed); and (iii) giving the indemnifying party all reasonable assistance, at the indemnifying party's expense.
24. Updates to Offerings
Our Offerings and policies may be updated over the course of our relationship. From time to time, Splunk may update or modify an Offering and our policies, provided that: (a) the change and modification applies to all customers generally, and are not targeted to any particular customer; (b) no such change or modification will impose additional fees on you during the applicable Term or additional restrictions on your use of the Offering, (c) no such change will override or supersede the allocation of risk between us under these General Terms, including without limitation the terms under Sections 22 (Limitation of Liability) and 23 (Indemnity); (d) no such change or modification will materially reduce the security protections or overall functionality of the applicable Offering; and (e) any such change or modification will apply only prospectively, and will not apply to any breach or dispute that arose between the parties prior to the effective date of the change or modification. In the event of any conflict between these General Terms and the policies incorporated herein by reference, these General Terms will control.
25. Governing Law
These General Terms will be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under these General Terms will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. Splunk may seek injunctive or other relief in any state, federal, or national court of competent jurisdiction for any actual or alleged infringement of intellectual property or other proprietary rights of Splunk, its Affiliates, or any third party.
Neither the Uniform Computer Information Transactions Act nor the United Nations Convention for the International Sale of Goods will apply to these General Terms.
26. Use of Customer Name
You agree that we may add your name to our customer list and identify you as a Splunk customer on Splunks websites. Any further public use of your name in connection with Splunk marketing activities (e.g., press releases) will require your prior approval.
27. Miscellaneous
(A) Different Terms. Splunk expressly rejects terms or conditions in any Customer purchase order or other similar document that are different from or additional to the terms and conditions set forth in these General Terms. Such different or additional terms and conditions will not become a part of the agreement between the parties notwithstanding any subsequent acknowledgement, invoice or license key that Splunk may issue.
(B) No Future Functionality. You agree that your purchase of any Offering is not contingent on the delivery of any future functionality or features, or dependent on any oral or written statements made by Splunk regarding future functionality or features.
(C) Notices. Except as otherwise specified in these General Terms, all notices related to these General Terms will be sent in writing to the addresses set forth in the applicable Order, or to such other address as may be specified by either party to the other party, and will be effective upon (i) personal delivery, (ii) the second business day after mailing, or (iii), except for notices of termination or an indemnifiable claim ("Legal Notices"), which shall clearly be identifiable as Legal Notices, the day of sending by email. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer. All other notices to Customer will be addressed to the relevant system administrator designated by Customer.
(D) Assignment. Neither party may assign, delegate, or transfer these General Terms, in whole or in part, by agreement, operation of law or otherwise without the prior written consent of the other party; however, Splunk may assign these General Terms in whole or in part to an Affiliate or in connection with an internal reorganization or a merger, acquisition, or sale of all or substantially all of Splunk's assets to which these General Terms relate. Any attempt to assign these General Terms other than as permitted herein will be null and void. Subject to the foregoing, these General Terms will bind and inure to the benefit of the parties' permitted successors and assigns.
(E) U.S. Government Use Terms. Splunk provides Offerings for U.S. federal government end use solely in accordance with the following: Government technical data and rights related to Offerings include only those rights customarily provided to the public as defined in these General Terms. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Computer Software) and, for Department of Defense transactions, DFARS 252.227-7015 (Technical Data - Commercial Items) and DFARS 227.7202-3 (Rights in Commercial Computer Software or Commercial Computer Software Documentation). If a government agency has a need for rights not conveyed under these terms, it must negotiate with Splunk to determine if there are acceptable terms for transferring such rights, and a mutually acceptable written addendum specifically conveying such rights must be included in any applicable contract or agreement.
(F) Waiver; Severability. The waiver by either party of a breach of or a default under these General Terms will not be effective unless in writing. The failure by either party to enforce any provisions of these General Terms will not constitute a waiver of any other right hereunder or of any subsequent enforcement of that or any other provisions. If a court of competent jurisdiction holds any provision of these General Terms invalid or unenforceable, the remaining provisions of these General Terms will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law.
(G) Integration; Entire Agreement. These General Terms along with any additional terms incorporated herein by reference, constitute the complete and exclusive understanding and agreement between the parties and supersedes any and all prior or contemporaneous agreements, communications and understandings, written or oral, relating to their subject matter. Except as otherwise expressly set forth herein, any waiver, modification, or amendment of any provision of these General Terms will be effective only if in writing and signed by duly authorized representatives of both parties.
(H) Force Majeure. Neither party or its Affiliates, subsidiaries, officers, directors, employees, agents, partners and licensors will (except for the obligation to make any payments) be liable for any delay or failure to perform any obligation under these General Terms where the delay or failure results from any cause beyond their reasonable control, including, without limitation, acts of God, labor disputes or other industrial disturbances, electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockades, embargoes, riots, acts or orders of government, acts of terrorism, or war.
(I) Independent Contractors; No Third-Party Beneficiaries. The parties are independent contractors. These General Terms do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. There are no third-party beneficiaries of these General Terms. Neither party has the authority to bind or act on behalf of the other party in any capacity or circumstance whether by contract or otherwise.
General Terms Definitions Exhibit
“Affiliates” means a corporation, partnership or other entity controlling, controlled by or under common control with such party, but only so long as such control continues to exist. For purposes of this definition, “control” means ownership, directly or indirectly, of greater than fifty percent (50%) of the voting rights in such entity (or, in the case of a noncorporate entity, equivalent rights).
“Capacity” means the measurement of usage of an Offering (e.g., aggregate daily volume of data indexed, specific source type rights, number of search and compute units, number of monitored accounts, virtual CPUs, user seats, use cases, storage capacity, etc.) that is purchased for an Offering, as set forth in the applicable Order. The Capacities for each of our Offerings can be found here: https://www.splunk.com/en_us/legal/licensed-capacity.html.
“CCPA” means the California Consumer Privacy Act of 2018.
“Confidential Information” means all nonpublic information disclosed by a party ("Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as “confidential” or that, given the nature of the information or circumstances surrounding its disclosure, should reasonably be understood to be confidential. Notwithstanding the foregoing, “Confidential Information” does not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.
“Content Subscription” means the right of Customer to receive content applicable to an Offering (e.g., models, templates, searches, playbooks, rules and configurations, as described in the relevant Documentation) on a periodic basis over the applicable Term. Content Subscriptions are purchased as an add-on service and are identified in an Order.
“Customer Content” means any data that is ingested by or on behalf of you into an Offering from your internal data sources.
“Delivery” means the date of Splunks initial delivery of the license key for the applicable Offering or, for Hosted Services, the date Splunk makes the applicable Offering available to you for access and use.
“Digital Marketplace” means an online or electronic marketplace operated or controlled by a third party where Splunk has authorized the marketing and distribution of its Offerings.
“Documentation” means the online user guides, documentation and help and training materials published on Splunks website (such as at https://docs.splunk.com/Documentation) or accessible through the applicable Offering, as may be updated by Splunk from time to time.
“Enhancements” means any updates, upgrades, releases, fixes, enhancements, or modifications to a Purchased Offering made generally commercially available by Splunk to its customers under the terms and conditions in the Support Exhibit.
“Extension” means any separately downloadable or accessible suite, configuration file, add-on, technical add-on, plug-in, example module, command, function, playbook, content or application that extends the features or functionality of the applicable Offering.
“Fees” means the fees that are applicable to an Offering, as identified in the Order.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) as updated, amended or replaced from time to time.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and supplemented by the Health Information Technology for Economic and Clinical Health Act.
“Hosted Service” means a technology service hosted by or on behalf of Splunk and provided to you.
“Internal Business Purpose” means your use of an Offering for your own internal business operations, based on the analysis, monitoring or processing of your data from your systems, networks, and devices. Such use does not include use on a service bureau basis or otherwise to provide services to, or process data for, any third party, or otherwise use to monitor or service the systems, networks and devices of third parties.
“ITAR Data” means information protected by the International Traffic in Arms Regulations.
“Nonprofit” means a U.S. Federal 501(c)(3), tax-exempt, nonprofit corporation or association (or other nonprofit entity organized in accordance with the laws of where your nonprofit entity is registered) that has qualified for a free, donated Offering in connection with a Splunk donation program.
“Offerings” means the products, services, and other offerings that Splunk makes generally available, including without limitation On-Premises Products, Hosted Services, Support Programs, Content Subscriptions and Configuration and Implementation Services.
“On-Premises Product” means the Splunk software that is delivered to you and deployed and operated by you or on your behalf on hardware designated by you, and any Enhancements made available to you by Splunk.
“Open Source Software” means software that is licensed under a license approved by the Open Source Initiative or similar freeware license, with terms requiring that such software code be (i) disclosed or distributed in source code or object code form, (ii) licensed for the purpose of making derivative works, and/or (iii) redistributed under the same license terms.
“Orders” means Splunks quote or ordering document (including online order form) accepted by you via your purchase order or other ordering document submitted to Splunk (directly or indirectly through an authorized reseller or Digital Marketplace) to order Offerings, which references the Offering, Capacity, pricing and other applicable terms set forth in an applicable Splunk quote or ordering document. Orders do not include the terms of any preprinted terms on your purchase order or other terms on a purchase order that are additional or inconsistent with the terms of these General Terms.
“PCI Data” means credit card information within the scope of the Payment Card Industry Data Security Standard.
“PHI Data” means any protected health data, as defined under HIPAA.
“Purchased Offerings” means the services, subscriptions and licenses to Offerings that are acquired by you under Orders, whether directly or through an authorized reseller or Digital Marketplace.
“Service Level Schedule” means a Splunk policy that applies to the availability and uptime of a Hosted Service and which, if applicable, offers service credits as set forth therein.
“Splunkbase” means Splunks online directory of or platform for Extensions, currently located at https://splunkbase.splunk.com and any and all successors, replacements, new versions, derivatives, updates and upgrades and any other similar platform(s) owned and/or controlled by Splunk.
“Splunk Developer Tool” means the standard application programming interface, configurations, software development kits, libraries, command line interface tools, other tooling (including scaffolding and data generation tools), integrated development environment plug-ins or extensions, code examples, tutorials, reference guides and other related materials identified and provided by Splunk to facilitate or enable the creation of Extensions or otherwise support interoperability between the Software and your system or environment.
“Splunk Extensions” means Extensions made available through Splunkbase that are identified on Splunkbase as built by Splunk (and not by any third party).
“Support Programs” are the Support Programs offered by Splunk and identified here: https://www.splunk.com/en_us/support-and-services/support-programs.html.
“Term” means the duration of your subscription or license to the applicable Offering that starts and ends on the date listed on the applicable Order. If no start date is specified in an Order, the start date will be the Delivery date of the Offering.
“Third-Party Content” means information, data, technology, or materials made available to you by any third party that you license and add to a Hosted Service or direct Splunk to install in connection with a Hosted Service. Third-Party Content includes but is not limited to, Third-Party Extensions, web-based or offline software applications, data service or content that are provided by third parties.
“Usage Data” means data generated from the usage, configuration, deployment, access, and performance of an Offering. For example, this may include such things as information about your operating environment, such as your network and systems architecture, or sessions, such as page loads and session views, duration, or interactions, errors, number of searches, source types and format (e.g., json, xml, csv), ingest volume, number of active and licensed users, or search concurrency. Usage Data does not include Customer Content.
Support Exhibit to Splunk General Terms
This Support Exhibit forms a part of the Splunk General Terms and governs your purchase, and Splunks provision of Support Services.
1. Support Programs
Support Programs purchased as part of a Purchased Offering will be identified in your applicable Order. Splunk will provide you the level of Support Services described under the purchased Support Program, subject to your payment of applicable Fees. “Support Programs” are the Support Programs offered by Splunk and identified here: https://www.splunk.com/en_us/support-and-services/support-programs.html.
2. Support Services
“Support Services” include technical support for your Purchased Offerings, and, when available, the provision of Enhancements for your Purchased Offerings, subject to the Support Policy described below. Technical support under a Support Program is available via web portal, and certain Support Programs also make support available via telephone. Support Services will be delivered by a member of Splunks technical support team during the regional hours of operation applicable under the Support Program. Support Services are delivered in English unless you are in a location where we have made localized Support Services available.
3. Support Policy
Our Support Policy, provided here: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html (“Support Policy”) describes the duration of our Support Services for certain Splunk On-Premises Products and other policies associated with our Support Services.
As we release new versions for our Offerings, we discontinue Support Services for certain older versions. Our Support Policy sets forth the schedule for the duration of support, and end of support, for Offering versions. The current versions of our Offerings that are supported under our Support Policy and will be our “Supported Versions” herein. The Support Policy may not apply to Hosted Services, and the product and services version we make available as our Hosted Services will be deemed Supported Versions herein.
4. Case Priority
Each Support Program offers different support levels for your case priority levels. When submitting a case, you will select the priority for initial response by logging the case online, in accordance with the priority guidelines set forth under your Support Program. When the case is received, we may in good faith change the priority if the issue does not conform to the criteria for the selected priority. When that happens, we will provide you with notice (electronic or otherwise) of such change.
5. Exclusions
We will have no obligation to provide support for issues caused by any of the following (each, a “Customer Generated Error”): (i) modifications to an Offering not made by Splunk; (ii) use of an Offering other than as authorized in the General Terms or as provided in the applicable Documentation; (iii) damage to the machine on which an On-Premises Product is installed; (iv) use of a version of an Offering other than the Supported Version; (vi) third-party products that are not expressly noted in the Documentation as supported by Splunk; or (vi) conflicts related to replacing or installing hardware, drivers, and software that are not expressly supported by Splunk and described in the applicable Documentation. If we determine that support requested by you is for an issue caused by a Customer Generated Error, we will notify you of that fact as soon as reasonably possible under the circumstances. If you agree that we should provide support for the Customer Generated Error via a confirming email, then we will have the right to invoice you at our then-current time and materials rates for any such support provided by us.
6. Support for Splunk Extensions
Only Splunk Extensions that are labeled as “Splunk Supported” on Splunkbase, or other Splunk-branded marketplace, are eligible for support, and this support is limited. For those labeled Splunk Supported, we will provide an initial response and acknowledgement in accordance with the P3 terms that are applicable in the applicable Support Program, and Enhancements may be made available. No other terms of a Support Program will apply to a Splunk Application. For those labeled as “Not Supported,” Splunk will have no support obligations.
7. Authorized Support Contacts
You are entitled to have a certain number of Support Contacts under each Support Program. “Support Contacts” means the individual(s) specified by you that are authorized to submit support cases.
The number of Support Contacts will be based on the Capacity of the Offering purchased, and the applicable Support Program. The number of Support Contacts will be set forth in customers entitlement information on the Splunk support portal.
We only take support requests from, and communicate with, your Support Contacts in connection with support cases. We strongly recommend that your Support Contact(s) are trained on the applicable Offering. In order to designate Support Contacts, you must provide the individuals primary email address and Splunk.com login ID.
8. Defect Resolution
Should we determine that an Offering has a defect, we will, at our sole option, repair the defect in the version of the Offering that you are then currently using or instruct you to install a newer version of the Offering with that defect repaired. We reserve the right to provide you with a workaround in lieu of fixing a defect should we in our sole judgment determine that it is more effective to do so.
9. Your Assistance
Should you report a purported defect or error in an Offering, we may require you to provide us with the following information: (a) a general description of your operating environment; (b) a list of all hardware components, operating systems and networks; (c) a reproducible test case; and (d) any log files, trace and systems files. Your failure to provide this information may prevent us from identifying and fixing that purported defect.
10. Changes to Support Programs
You acknowledge that, subject to the Support Policy, and subject to any commitment we have during the Term, we have the right to discontinue the manufacture, development, sale or support of any Offering, at any time, in our sole discretion. We further reserve the right to alter Support Programs from time to time, using reasonable discretion, but in no event will such alterations, during the Term of any Order, result in diminished Support Services from the level of your applicable purchased Support Program.
Configuration and Implementation Services
Exhibit to Splunk General Terms
This Configuration and Implementation Services Exhibit forms a part of the Splunk General Terms and governs your purchase, and Splunks provision of Configuration and Implementation Services.
Capitalized terms below are defined in the General Terms, this Exhibit or in the Definition Exhibit attached to this Exhibit.
1. Services and Statements of Work
We will perform the C&I Services for you that are set forth in the applicable Statements of Work. You will pay the Fees under each Statement of Work in accordance with these General Terms, or otherwise as we may expressly agree in the applicable Statement of Work.
In each Statement of Work, we will designate our primary point of contact for you for all matters relating to the applicable C&I Services (which we may change from time to time upon notice).
2. Our Personnel
(A) Qualifications. The Personnel we assign to perform the C&I Services will be qualified, skilled, experienced and otherwise fit for the performance of the C&I Services. If you, in your reasonable judgement, determine that Personnel assigned to your project are unfit, we will in good faith discuss alternatives, and we will replace Personnel as reasonably necessary. You acknowledge that any replacement may cause delay in the performance of the C&I Services.
(B) Personnel Conduct. Our Personnel are subject to our Splunk Code of Conduct and Ethics https://investors.splunk.com/code-business-conduct-and-ethics-1, which includes, without limitation, an obligation to comply with our policies on protecting customer information, prohibitions on illegal drugs and any impaired job performance, avoiding conflicts of interest, and acting ethically at all times. We also background check our employees, per the Section below.
(C) Use of Subcontractors. We reserve the right to use subcontractors in performance of the C&I Services, provided: (a) any subcontractor we use meets the requirements herein and conditions of these General Terms and the Statement of Work; (b) we will be responsible for the subcontractors compliance with the terms herein and the Statement of Work; and (c) upon your request or inquiry, we will identify any subcontractor that we are using, or plan to use, for C&I Services, and will cooperate in good faith to provide you with all relevant information regarding such subcontractors.
(D) No Employee Benefits. We acknowledge and agree that our Personnel are not eligible for or entitled to receive any compensation, benefits, or other incidents of employment that you make available to your employees. We are solely responsible for all employment related taxes, expenses, withholdings, and other similar statutory obligations arising out of the relationship between us and our Personnel and the performance of C&I Services by such Personnel.
3. Our Background Checks, Security and Compliance Obligations
(A) Compliance with Your Security Program. While on your premises, our Personnel will comply with your security practices and procedures generally prescribed by you for onsite visitors and service providers. However, any requirement that is in addition to the compliance requirements set forth in this Schedule (e.g., background checks that are different from the background checks described herein) must be expressly set forth in a Statement of Work. We agree to discuss in good faith any condition or requirement you may have for our Personnel that are different from standard policies, however any additional requirement may delay C&I Services and must be vetted and implemented by mutual agreement of the parties and expressly set forth in a Statement of Work. Splunk does not guarantee that it will be able to meet any additional requested requirements.
(B) Our Security Practices. We implement and follow an enterprise security program, with the policies, plans, and procedures set forth here www.splunk.com/prof-serv-isa. Our Personnel will be subject to the data protection and confidentiality obligations set forth in these General Terms with respect to any of your data that we may have access to in connection with the C&I Services.
(C) Background Checks. For U.S.-based projects, we will not assign an employee to perform C&I Services under a Statement of Work unless we have run the following background check on the employee: Criminal Felony & Misdemeanor; SSN Validation; Federal Criminal; SSN Trace; Employment Report Three (3) Employers; Education Report One (1) Institution; Global Sanctions & Enforcement; Prohibited Parties; Widescreen Plus National Criminal Search.
(D) Permissions for Access. In the event you require any Personnel to sign any waivers, releases, or other documents as a condition to gain access to your premises for performance of the C&I Services (“Access Documents”), you agree: (a) that Personnel who will be required to sign Access Documents will sign on behalf of Splunk; (b) that any additional or conflicting terms in Access Documents with these General Terms will have no effect; and (c) you will pursue any claims for breach of any terms in the Access Documents against Splunk and not the individual signing.
4. Your Materials
We will have no rights in or to any Customer Materials, however you grant us the right to use Customer Materials in order to provide the C&I Services. Nothing in these General Terms will deemed to transfer to us any ownership of Customer Materials.
5. C&I Services Materials and Customizations Unique to You
(A) C&I Services Materials. The C&I Services we perform (e.g., configuration of our Offerings), and the C&I Services Materials we offer, create, and deliver to you in connection with the C&I Services, are generally applicable to our business, and therefore we require the right to be able to re-use the C&I Services Materials we create for one customer in connection with all of our customers. For the avoidance of doubt, our use of the C&I Services Materials created for you in connection with C&I Services will comply with our ongoing obligations and restrictions with respect to your Customer Materials and your Confidential Information, and we will not identify you in any way in connection with our further use of such C&I Services Materials.
(B) Customer Owned Work Product. However, in the unlikely event that the parties agree that C&I Services Materials for a project are custom work product unique to your business, and not applicable to other customers generally, we will transfer ownership to those agreed C&I Services Materials to you under the applicable Statement of Work. C&I Services Materials must be expressly identified as “Customer Owned Work Product” under a Statement of Work for ownership to pass to you. Subject to payment of applicable Fees under the Statement of Work, we hereby assign to you all rights, title and interest (including all Intellectual Property Rights therein) in and to all C&I Services Materials identified as Customer Owned Work Product (but excluding all Splunk Preexisting IP incorporated into the Customer Owned Work Product). At your request and expense, we will assist and cooperate with you in all reasonable respects and will execute documents and take such further acts reasonably requested by you to enable you to acquire, transfer, maintain, perfect, and enforce your ownership rights in such Customer Owned Work Product.
(C) Our Ownership. Subject to your ownership rights in Customer Owned Work Product and Customer Materials, we will own all rights in and to all C&I Services Materials.
(D) License Rights. For those C&I Services Materials that are not Customer Owned Work Product, you will have the right to access and use those C&I Services Materials in connection with your applicable Offerings, and those rights will be of the same scope and duration as your rights to the underlying Offering.
6. C&I Services Warranty
We warrant that the C&I Services will be performed in a good and workmanlike manner consistent with applicable industry standards. This warranty will be in effect for a period of thirty (30) days from the completion of any C&I Services. As your sole and exclusive remedy and our entire liability for any breach of the foregoing warranty, we will, at our option and expense, promptly re-perform any C&I Services that fail to meet this warranty or refund to you the fees paid for the non-conforming C&I Services.
7. Your Cooperation
You acknowledge that your timely provision of (and our access to) your facilities, equipment, assistance, cooperation, data, information and materials from your officers, agents, and employees (the “Cooperation”) is essential to Splunks performance of the C&I Services. We will not be liable for any delay or deficiency in performing the C&I Services if you do not provide the necessary Cooperation. As part of the Cooperation, you will (1) designate a project manager or technical lead to liaise with us while we perform the C&I Services; (2) allocate and engage additional resources as may be required to assist us in performing the C&I Services; and (3) making available to us any data, information and any other materials reasonably required by us to perform the C&I Services, including any data, information or materials specifically identified in the Statement of Work.
8. Insurance
Throughout any period of C&I Services we perform for you, we will maintain insurance policies in the types and amounts described below at our own expense:
(i) Commercial General Liability Insurance with a limit of not less than $1,000,000 per occurrence and a general aggregate limit of not less than $2,000,000.
(ii) Business Auto Insurance with a limit of not less than $1,000,000 combined single limit. Such Insurance will cover liability arising out of “hired and non-owned” automobiles.
(iii) Workers Compensation Insurance as required by workers compensation, occupational disease and occupational health and safety laws, statutes, and regulations.
(iv) Technology Errors & Omissions Insurance with a limit of not less than $3,000,000 per occurrence and general aggregate.
(v) Umbrella/Excess Insurance with a limit of not less than $3,000,000 per occurrence and general aggregate.
9. Change Order Process
You may submit written requests to us to change the scope of C&I Services described in a Statement of Work (each such request, a “Change Order Request”). If we elect to consider a Change Order Request, then we will promptly notify you if we believe that the Change Order Request requires an adjustment to the fees or to the schedule for the performance of the C&I Services. In such event, the parties will negotiate in good faith a reasonable and equitable adjustment to the fees and/or schedule, as applicable. We will continue to perform C&I Services pursuant to the existing Statement of Work and will have no obligation to perform any Change Order Request unless and until the parties have agreed in writing to such an equitable adjustment.
10. Expenses
Unless otherwise specified in the Statement of Work, we will not charge you for our expenses we incur in connection with a Statement of Work. Our daily C&I Services rates are inclusive of any expenses. In the event the parties agree that expenses are reimbursable under a Statement of Work, we will mutually agree on any travel policy and any required documentation for reimbursement.
11. Prepaid C&I Services
Unless otherwise expressly stated in a Statement of Work, all prepaid C&I Services must be redeemed within twelve (12) months from the date of purchase/invoice. At the end of the twelve (12) month term, any remaining pre-paid unused C&I Services will expire; no refunds will be provided for any remaining pre-paid unused C&I Services. Unless otherwise specifically stated in a Statement of Work, Education is invoiced and payable in advance.
Configuration and Implementation Services Definitions Exhibit
“C&I Services” means the services outlined in the Statement of Work.
“C&I Services Materials” means the materials and other deliverables that are provided to you as part of the C&I Services, and any materials, technology, know-how and other innovations of any kind that we or our Personnel may create or reduce to practice in the course of performing the C&I Services, including without limitation all improvements or modifications to our proprietary technology, and all Intellectual Property Rights therein.
“Customer Materials” means the data, information, and materials you provide to us in connection with your use of the C&I Services.
“Fees” means the fees that are applicable to the C&I Services, as identified in the Statement of Work.
“Intellectual Property Rights” means all worldwide intellectual property rights, including copyrights and other rights in works of authorship; rights in trademarks, trade names, and other designations of source or origin; rights in trade secrets and confidential information; and patents and patent applications.
“Personnel” means any employee, consultant, contractor, or subcontractor of Splunk.
“Splunk Preexisting IP” means, with respect to any C&I Services Materials, all associated Splunk technology and all Intellectual Property Rights created or acquired: (a) prior to the date of the Statement of Work that includes such C&I Services Materials, or (b) after the date of such Statement of Work but independently of the C&I Services provided under such Statement of Work.
“Statement of Work” means the statements of work and/or any and all applicable Orders, that describe the specific services to be performed by Splunk, including any materials and deliverables to be delivered by Splunk.

4
README.txt Normal file

@ -0,0 +1,4 @@
Splunk Add-on for Unix and Linux
Copyright (C) 2024 Splunk Inc. All Rights Reserved.
For documentation, see: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/
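Review bot: app.manifest points releaseNotes.text at ./README.txt, but this file carries only a copyright line and a documentation link, so the manifest's release-notes reference resolves to nothing that describes 9.2.0. Either point releaseNotes.text at a file that actually summarizes the release (the manifest already carries the Releasenotes URL separately) or add a short "What's new in 9.2.0" section here so the two files agree.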

12
README/restmap.conf.spec Normal file

@ -0,0 +1,12 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[script:<uniqueName>]
python.version = {default|python|python2|python3}
* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
* Either "default" or "python" select the system-wide default Python version.
* Optional.
* Default: not set; uses the system-wide Python version.
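Review bot: the spec still lists python2 as an accepted value for python.version and documents the default as "uses the system-wide Python version"; since Python 2 is end-of-life, the add-on's own restmap.conf (not part of this hunk) should set `python.version = python3` explicitly on each `[script:<uniqueName>]` stanza rather than inherit the host default, and the spec would be clearer if it said so. Separately, the "For Splunk 8.0.x and Python scripts only" qualifier reads as stale for a 9.2.0 release; confirm it still matches the Splunk versions this add-on targets or drop the version reference.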

61
THIRDPARTY Normal file

@ -0,0 +1,61 @@
================================================================================
================================================================================
Third-Party Software for splunk-add-on-for-unix-and-linux
--------------------------------------------------------------------------------
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
Date generated: 2024-7-5
Revision ID: a08b431842df3cfc234ba3f0675de8898f9ef6ac
================================================================================
================================================================================
================================================================================
Declared License
================================================================================
No declared license found for splunk-add-on-for-unix-and-linux
================================================================================
First Party Licenses
================================================================================
No licenses found
================================================================================
Dependencies
================================================================================
================================================================================
License
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report Generated by FOSSA on 2024-7-5
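Review bot: the generated report's "No declared license found for splunk-add-on-for-unix-and-linux", "No licenses found" and empty Dependencies sections contradict what this commit actually ships: app.manifest declares the Splunk Software License Agreement with its text at LICENSES/LicenseRef-Splunk-8-2021.txt, the appserver JavaScript is tagged `SPDX-License-Identifier: LicenseRef-Splunk-8-2021`, and every bin/*.sh script is tagged `SPDX-License-Identifier: Apache-2.0`. The report is also pinned to an upstream revision (a08b431842df3cfc234ba3f0675de8898f9ef6ac) and a date of 2024-7-5, so it records an earlier tree rather than this import. As a supply-chain artifact it should either be regenerated against this tree so the declared licenses match the SPDX headers, or be replaced by a hand-maintained list; an empty Dependencies section is only credible if the add-on really vendors nothing.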

2
VERSION Normal file

@ -0,0 +1,2 @@
9.2.0
9.2.0

66
app.manifest Normal file

@ -0,0 +1,66 @@
{
"dependencies": null,
"incompatibleApps": null,
"info": {
"author": [
{
"company": "Splunk, Inc.",
"email": "support@splunk.com",
"name": "Splunk, Inc."
}
],
"classification": {
"categories": [
"IT Operations",
"Utilities"
],
"developmentStatus": "Production/Stable",
"intendedAudience": "IT"
},
"commonInformationModels": {
"Authentication": "=4.20.2",
"Change": "=4.20.2",
"Endpoint": "=4.20.2",
"Inventory": "=4.20.2",
"Network Sessions": "=4.20.2",
"Performance": "=4.20.2"
},
"description": "Splunk Add-on for Unix and Linux",
"id": {
"group": null,
"name": "Splunk_TA_nix",
"version": "9.2.0"
},
"license": {
"name": "Splunk Software License Agreement",
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": "http://www.splunk.com/view/SP-CAAAAFA"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes"
},
"title": "Splunk Add-on for Unix and Linux"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_forwarders",
"_indexers"
],
"tasks": null
}
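Review bot: the commonInformationModels block pins every model to an exact version (`"Authentication": "=4.20.2"` and the same for the other five), which declares compatibility with CIM 4.20.2 and nothing else; if the add-on also works with neighbouring 4.x releases a range is the intended form, otherwise every CIM upgrade will flag this app as incompatible. Two smaller points in the same file: the license `"uri": "http://www.splunk.com/view/SP-CAAAAFA"` is a plain-http link and should be https, and the manifest names only the Splunk Software License Agreement although the bin/*.sh scripts in this commit carry `SPDX-License-Identifier: Apache-2.0`, so the mixed licensing should be stated where a packager will see it. `releaseDate` and the whole privacyPolicy block are null; fill them in or drop them rather than shipping placeholders.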

Binary file not shown (image, 3.3 KiB).


@ -0,0 +1,19 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([], function () {
var utils_namespaceFromProperties = function (props) {
return {
owner: props.acl.owner,
app: props.acl.app,
sharing: props.acl.sharing
}
}
return {
utils_namespaceFromProperties: utils_namespaceFromProperties
}
})


@ -0,0 +1,54 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([
'splunkjs/ready!', // for splunkjs global
'./common'
], function (mvc, sdkx_common) {
var root = {
Entity: splunkjs.Service.Entity,
Collection: splunkjs.Service.Collection
}
var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
// -------------------------------------------------------------------------
// JS SDK Extension: Monitor Inputs
var Paths = {
monitorInputs: 'data/inputs/monitor'
}
root.MonitorInput = root.Entity.extend({
path: function () {
return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
},
init: function (service, name, namespace) {
this.name = name
this._super(service, this.path(), namespace)
}
})
root.MonitorInputs = root.Collection.extend({
path: function () {
return Paths.monitorInputs
},
instantiateEntity: function (props) {
var entityNamespace = utils_namespaceFromProperties(props)
return new root.MonitorInput(this.service, props.name, entityNamespace)
},
init: function (service, namespace) {
this._super(service, this.path(), namespace)
}
})
// -------------------------------------------------------------------------
return root
})


@ -0,0 +1,68 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([
'splunkjs/ready!', // for splunkjs global
'./common'
], function (mvc, sdkx_common) {
var root = {
Entity: splunkjs.Service.Entity,
Collection: splunkjs.Service.Collection
}
var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
// -------------------------------------------------------------------------
// JS SDK Extension: Scripted Inputs
var Paths = {
scriptedInputs: 'data/inputs/script'
}
root.ScriptedInput = root.Entity.extend({
path: function () {
// Approximate path - accepts reads only
// ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FSplunk_TA_nix%2Fbin%2Fcpu.sh
return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
},
init: function (service, name, namespace) {
this.name = name
this._super(service, this.path(), namespace)
},
_load: function (properties) {
this._super(properties)
// HACK: Patch path to be canonical version to enable updates
//
// Canonical path - accepts reads and updates
// ex: data/inputs/script/.%252Fbin%252Fcpu.sh
if (this.state().id) {
this.qualifiedPath = this.state().id.match(/\/servicesNS\/.*$/)[0]
}
}
})
root.ScriptedInputs = root.Collection.extend({
path: function () {
return Paths.scriptedInputs
},
instantiateEntity: function (props) {
var entityNamespace = utils_namespaceFromProperties(props)
return new root.ScriptedInput(this.service, props.name, entityNamespace)
},
init: function (service, namespace) {
this._super(service, this.path(), namespace)
}
})
// -------------------------------------------------------------------------
return root
})
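Review bot: `path()` returns `Paths.monitorInputs + '/' + encodeURIComponent(this.name)`, but `Paths` in this module only defines `scriptedInputs: 'data/inputs/script'`, so `Paths.monitorInputs` is undefined and each entity is constructed with a path of the form `undefined/<name>`. The bug is masked because `_load` later overwrites `qualifiedPath` from the entry's id, but any request made before `_load` runs (or for an entry whose id is not echoed back) goes to the wrong URL; change it to `Paths.scriptedInputs`. In the same `_load` patch, `this.state().id.match(/\/servicesNS\/.*$/)[0]` indexes the match result without checking it, which throws a TypeError when the id is under `/services/` rather than `/servicesNS/`; test for a match before taking `[0]`.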


@ -0,0 +1,64 @@
/*
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*/
/* Hide Simple XML dashboard controls: Edit, Export PDF, Print */
.dashboard-view-controls {
display: none !important;
}
#overview {
max-width: 500px;
text-align: justify;
}
.error-box {
display: none;
color: white;
background-color: #d85d3c; /* red */
padding: 0.5em;
margin-bottom: 1em;
}
.input-table th {
text-align: left;
}
.input-table th,
.input-table td {
padding: 0 10px 0 10px;
}
.input-table input[type='radio'] {
margin: 4px; /* override with symmetric margins */
}
.input-table .interval-field {
width: 4em; /* narrower than default */
text-align: right; /* make the numbers line up */
padding: 2px; /* reduce from default of 4 */
height: 30px; /* reduce height */
margin-top: 12.5px; /* inline with index dropdown */
}
#btn-bar {
margin-top: 1em; /* separate from table */
}
#btn-bar #save-btn {
padding-left: 3em;
padding-right: 3em; /* made it wider */
}
#index-selection .splunk-dropdown {
max-width: 50%; /* fix the width of dropdown */
width: 300px; /* default width of dropdown */
margin-left: 0; /* remove left margin for inlinement */
height: 30px; /* reduce height */
}
.table-header {
width: 150px;
}

314
appserver/static/setup.js Normal file

@ -0,0 +1,314 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
require([
'splunkjs/ready!',
'splunkjs/mvc/simplexml/ready!',
'underscore',
'jquery',
'../app/Splunk_TA_nix/components/js_sdk_extensions/scripted_inputs',
'../app/Splunk_TA_nix/components/js_sdk_extensions/monitor_inputs'
], function (mvc, ignored, _, $, sdkx_scripted_inputs, sdkx_monitor_inputs) {
var ScriptedInputs = sdkx_scripted_inputs.ScriptedInputs
var MonitorInputs = sdkx_monitor_inputs.MonitorInputs
var service = mvc.createService()
var cleaned_data = {}
// -------------------------------------------------------------------------
// Prerequisite Checks
// Error if running on unrecognized unix
//
service.get('/services/SetupService', cleaned_data, function (err, response) {
if (err) {
console.error('Problem fetching data', err)
} else if (response.status === 200) {
var isRecognizedUnix = JSON.parse(response.data)
if (!isRecognizedUnix) {
$('#not-unix-error').show()
$('#save-btn').addClass('disabled')
}
} else {
console.error('Problem checking whether splunkweb is running on Unix.')
}
})
// -------------------------------------------------------------------------
// Populate Tables
var INPUT_ROW_TEMPLATE = _.template(
'<tr class="input" data-fullname="<%- fullname %>">\n' +
' <td><%- name %></td>\n' +
' <td><input class="enable-btn" type="radio" name="<%- name %>" <% if (enabled) { %>checked="checked"<% } %> /></td>\n' +
' <td><input class="disable-btn" type="radio" name="<%- name %>" <% if (!enabled) { %>checked="checked"<% } %> /></td>\n' +
'<% if (interval != -1) { %>\n' +
' <td><input class="interval-field" type="number" value="<%- interval %>" /></td>\n' +
'<% } %>\n' +
'<% if (index != -1) { %>\n' +
' <% if (index == "") { %>\n' +
' <td>' +
' <splunk-search-dropdown name="metric_index_selector" id="index-selection" label-field="title" value-field="title" search="| rest services/data/indexes datatype=metric | dedup title | search title!=_* | table title"/>' +
' </td>\n' +
' <% }else { %>\n' +
' <td>' +
' <splunk-search-dropdown name="metric_index_selector" id="index-selection" label-field="title" value-field="title" value="<%- index %>" search="| rest services/data/indexes datatype=metric | dedup title | search title!=_* | table title"/>' +
' </td>\n' +
' <% } %>\n' +
'<% } %>\n' +
'</tr>\n'
)
// Populate monitor input table
var monitorInputs = {}
new MonitorInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
return input.namespace.app === 'Splunk_TA_nix'
})
_.each(inputsList, function (input) {
$('#monitor-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name,
enabled: !input.properties().disabled,
interval: -1,
index: -1
})
)
)
monitorInputs[input.name] = input
})
})
// Populate scripted Event inputs table
var scriptedMetricInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
var input_name = input.name
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] === 'metric.sh'
)
})
_.each(inputsList, function (input) {
$('#scripted-metric-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name.substring(input.name.lastIndexOf('/') + 1),
enabled: !input.properties().disabled,
interval: input.properties().interval,
index:
input.properties().index === 'default'
? ''
: input.properties().index
})
)
)
scriptedMetricInputs[input.name] = input
})
})
// Populate scripted Event inputs table
var scriptedEventInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
var input_name = input.name
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] !== 'metric.sh'
)
})
_.each(inputsList, function (input) {
$('#scripted-event-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name.substring(input.name.lastIndexOf('/') + 1),
enabled: !input.properties().disabled,
interval: input.properties().interval,
index: -1
})
)
)
scriptedEventInputs[input.name] = input
})
})
// -------------------------------------------------------------------------
// Buttons
// Enable All button
$('.enable-all-btn').click(function (e) {
e.preventDefault()
var table = $(e.target).closest('.input-table')
$('.input .enable-btn', table).prop('checked', true)
})
// Disable All button
$('.disable-all-btn').click(function (e) {
e.preventDefault()
var table = $(e.target).closest('.input-table')
$('.input .disable-btn', table).prop('checked', true)
})
// Save button
$('#save-btn').click(function (e) {
e.preventDefault()
if ($('#save-btn').hasClass('disabled')) {
return
}
var savesPending = 0
var saveErrors = []
// Save monitor inputs
_.each($('#monitor-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var input = monitorInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled
},
saveDone
)
})
var invalidIndex = 0 // invalid index flag
var invalidInterval = 0 // invalid interval flag
var numbers = /^[0-9]+$/
// Save scripted Metric inputs
_.each($('#scripted-metric-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var interval = $('.interval-field', inputElem).val()
var index = $('#index-selection', inputElem)[0].innerText
// Handling internationalization transalation due to ticket ADDON-30736
if (
index.includes('...') ||
index.includes('Search produced no results.')
) {
index = enabled === true ? index : '' // Setting index="" if input is disable, so it allows to save.
if (enabled) {
invalidIndex = 1
}
}
if (!interval.match(numbers)) {
// Check for the interval, Interval must contain only numeric values
if (interval.charAt(0) === '-' || interval.includes('.')) {
interval = 'invalid'
}
invalidInterval = 1
}
var input = scriptedMetricInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled,
interval: interval,
index: index
},
saveDone
)
})
// Save scripted Event inputs
_.each($('#scripted-event-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var interval = $('.interval-field', inputElem).val()
if (!interval.match(numbers)) {
if (interval.charAt(0) === '-' || interval.includes('.')) {
interval = 'invalid'
}
invalidInterval = 1
}
var input = scriptedEventInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled,
interval: interval
},
saveDone
)
})
//Set is_configured=true in app.conf
service.post('/services/SetupService', cleaned_data, function (
err,
response
) {
if (err) {
console.log('Error saving configuration in app.conf')
}
})
// After saves are completed...
function saveDone (err) {
$('#index-not-selected-error').hide()
$('#generic-save-error').hide()
$('#invalid-interval-error').hide()
if (err) {
saveErrors.push(err)
}
savesPending -= 1
if (savesPending > 0) {
return
}
if (saveErrors.length === 0) {
// Save successful. Provide feedback in form of page reload.
window.location.reload()
} else {
// invalid index or interval failure
if (invalidIndex || invalidInterval) {
if (invalidInterval) {
invalidInterval = 0
// invalid interval failure
$('#invalid-interval-error').show()
}
if (invalidIndex) {
invalidIndex = 0
// invalid index failure
$('#index-not-selected-error').show()
}
} else {
// Unexpected failure.
$('#generic-save-error').show()
}
// (Allow Support to debug if necessary.)
console.log('Errors while saving inputs:')
console.log(saveErrors)
}
}
})
})
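Review bot: the `service.post('/services/SetupService', cleaned_data, ...)` call that sets is_configured=true runs unconditionally inside the click handler, before any of the `input.update(...)` calls have completed and regardless of whether they succeed, so a failed save still marks the app as configured and the page then shows an error that no longer matches stored state. Move that POST into `saveDone`, inside the `saveErrors.length === 0` branch, ahead of `window.location.reload()`. Related: the interval check sets `invalidInterval = 1` but still calls `input.update(...)` with the bad value and relies on the REST endpoint to reject it; when validation fails, skip the update and do not add it to `savesPending`. Note also that `/^[0-9]+$/` rejects cron-style intervals, which are valid for scripted inputs, and that the index check compares `innerText` against the English strings '...' and 'Search produced no results.', so it misfires on a localized UI (the ticket reference in the comment suggests this has already bitten once); read the dropdown's value rather than its rendered text. Finally, every row renders a `<splunk-search-dropdown ... id="index-selection">`, so that id is duplicated once per row; the `$('#index-selection', inputElem)` scoping hides it, but the markup is invalid and any global lookup will pick the first row.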


@ -0,0 +1,34 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
require([
'splunkjs/ready!',
'jquery'
], function (mvc, $) {
var service = mvc.createService()
var cleaned_data = {}
// Save button
$('#save-btn').click(function (e) {
e.preventDefault()
if ($('#save-btn').hasClass('disabled')) {
return
}
//Set is_configured=true in app.conf
service.post('/services/SetupService', cleaned_data, function (
err,
response
) {
if (err) {
console.log('Error saving configuration in app.conf')
}
else {
// Save successful. Provide feedback in form of page reload.
window.location.reload()
}
})
})
})
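Review bot: on failure this handler only does `console.log('Error saving configuration in app.conf')` and leaves the page untouched, so an operator who clicks Save gets no indication that nothing was persisted; surface the error in the page the way setup.js does with its error boxes, and reload only on success as the code already does. `cleaned_data` is always `{}`, so the POST carries no body; that is fine if SetupService ignores it, but the name suggests sanitised form data that does not exist here.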

92
bin/bandwidth.sh Executable file

@ -0,0 +1,92 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%s %s %s %s %s\n", Name, rxPackets_PS, txPackets_PS, rxKB_PS, txKB_PS}'
# Note: For FreeBSD, bsdsar package needs to be installed. Output matches linux equivalent
if [ "$KERNEL" = "Linux" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_10" = "true" ] ; then
CMD='netstat -i 1 2'
FILTER='(NR==2||NR==3){next}'
# shellcheck disable=SC2016
EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}'
# shellcheck disable=SC2016
EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "<n/a>","<n/a>"; }}'
PRINTF=''
FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS"
elif [ "$SOLARIS_11" = "true" ] ; then
if ! dlstat 1 1 > /dev/null 2>&1 ; then
CMD='netstat -i 1 2'
FILTER='(NR==2||NR==3){next}'
# shellcheck disable=SC2016
EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}'
# shellcheck disable=SC2016
EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "<n/a>","<n/a>"; }}'
PRINTF=''
FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS"
else
CMD='dlstat 1 2'
FILTER='(NR==1||NR==2){next}'
# shellcheck disable=SC2016
FORMAT='
function to_kbps(KBPS_param){
if(KBPS_param ~ /[Kk]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param); }
else if(KBPS_param ~ /[Gg]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024*1024); }
else if(KBPS_param ~ /[Mm]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024); }
sub(/[a-zA-Z]/,"",KBPS_param); return(KBPS_param/1024);
}
{Name=$1; rxPackets_PS=$2; txPackets_PS=$4; rxKB_PS=to_kbps($3); txKB_PS=to_kbps($5);}'
fi
else
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 ~ "Time|sar| lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$5; txPackets_PS=$6; rxKB_PS=$3; txKB_PS=$4}'
fi
elif [ "$KERNEL" = "AIX" ] ; then
# Sample output: http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.performance/nestat_in.htm
CMD='eval netstat -i -Z; sleep 1; netstat -in'
# shellcheck disable=SC2016
FILTER='($0 ~ "Name|sar|lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324
CMD='netstat -i 1 2'
# shellcheck disable=SC2016
FILTER='($0 ~ "Name|sar| lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS=?; txKB_PS=?}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}'
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
# jscpd:ignore-end
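Review bot: the HP-UX branch assigns `rxKB_PS=?; txKB_PS=?` inside the awk FORMAT string; a bare `?` is not an awk expression (the AIX branch correctly writes `rxKB_PS="?"; txKB_PS="?"`), so on HP-UX awk exits with a syntax error and the input yields nothing but the debug line. Quote both values. Separately, the AIX command `eval netstat -i -Z; sleep 1; netstat -in` uses `-Z`, which zeroes the interface statistics counters on the host: that is a side effect on shared kernel state (every other tool reading those counters sees a reset each polling interval) and whether the forwarder account is allowed to reset them is never checked, even though common.sh provides assertInvokerIsSuperuser for exactly that. Prefer taking two samples and differencing them, as the sar-based branches do, or at least document the reset and the privilege it needs.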

138
bin/common.sh Executable file

@ -0,0 +1,138 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1000-SC9999 # Reason: This script is used in all the scripts and any change in this script would require a higher effort in testing all the scripts. Hence ignoring whole file.
# # # we don't want to point OS's utilities -- e.g. ntpdate(1) -- to libraries which Splunk bundles in SPLUNK_HOME/lib/
unset LD_PRELOAD LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH
# # # NIX-203 - set LANG env variable set to en_US to avoid parsing problems in other locales
EngLocale=`locale -a | grep -i "en_US.utf"`
if [ ! -z "$EngLocale" ]; then
LC_ALL=`echo $EngLocale | awk 'NR==1 {printf $1}'`
export LC_ALL
fi
# # # are we in debug mode?
if [ $# -ge 1 -a "x$1" = "x--debug" ] ; then
DEBUG=1
TEE_DEST=`dirname $0`/debug--`basename $0`--`date | sed 's/ /_/g;s/:/-/g'`
else
DEBUG=0
TEE_DEST=/dev/null
fi
DMESG_FILE=/var/log/dmesg
OS_FILE=/etc/os-release
# # # what OS is this?
KERNEL=`uname -s`
# # # what is the Kernel version?
KERNEL_RELEASE=`uname -r`
# # # assert we are in a supported OS
AWK=awk
case "x$KERNEL" in
"xLinux")
if [ -e $OS_FILE ]; then
UBUNTU_MAJOR_VERSION=`awk -F'[".]' '/VERSION_ID=/ {print $2} ' $OS_FILE`;
OS_ID=$(awk -F'=' ' /ID_LIKE=/ {print $2}' $OS_FILE)
else
UBUNTU_MAJOR_VERSION="";
echo "$OS_FILE does not exist. UBUNTU_MAJOR_VERSION will be empty." > $TEE_DEST
fi
# # # enable check for OS versions, if needed later
if [ -e /etc/debian_version ]; then DEBIAN=true; else DEBIAN=false; fi
# # # /sbin/ is often absent in non-root users' PATH, and we want it for ifconfig(8)
PATH=$PATH:/sbin/
;;
"xSunOS")
# # # enable check for OS versions, if needed later
if [ `uname -r` = "5.8" ]; then SOLARIS_8=true; else SOLARIS_8=false; fi
if [ `uname -r` = "5.9" ]; then SOLARIS_9=true; else SOLARIS_9=false; fi
if [ `uname -r` = "5.10" ]; then SOLARIS_10=true; else SOLARIS_10=false; fi
if [ `uname -r` = "5.11" ]; then SOLARIS_11=true; else SOLARIS_11=false; fi
# # # eschew the antedeluvial awk
AWK=nawk
;;
"xDarwin")
OSX_MINOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^.]+\.([0-9]+)(\.[^.])?$/\1/p'`
OSX_MAJOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^0-9]+([0-9]+)\.[0-9]+(\.[^.]+)?$/\1/p'`
# OSX_GE_SNOW_LEOPARD is for backward compatiblity.
# Recommend that new code just use $OSX_MINOR_VERSION directly.
if [ "$OSX_MAJOR_VERSION" == 10 ] && [ "$OSX_MINOR_VERSION" -ge 6 ]; then
OSX_GE_SNOW_LEOPARD=true;
else
OSX_GE_SNOW_LEOPARD=false;
fi
;;
"xFreeBSD")
;;
"xAIX")
;;
"xHP-UX")
;;
*)
echo "UNIX flavor [$KERNEL] unsupported for Splunk *NIX App, quitting" > $TEE_DEST
exit 1
;;
esac
# # # check for presence of required commands; we do not assume that which(1) exists, and roll our own
queryHaveCommand () # returns 0 if found, 1 if not
{
[ "x$1" = "xeval" ] && shift
for directory in `echo $PATH | sed 's/:/ /g'`
do
[ -x $directory/$1 ] && return 0
done
return 1
}
failLackCommand ()
{
echo "Not found command [$1] on this host, quitting" > $TEE_DEST
exit 1
}
failLackMultipleCommands ()
{
echo "Not found any of commands [$*] on this host, quitting" > $TEE_DEST
exit 1
}
assertHaveCommand ()
{
queryHaveCommand $1
if [ $? -eq 1 ] ; then
failLackCommand $1
fi
}
assertHaveCommandGivenPath ()
{
[ "x$1" = "xeval" ] && shift
[ -x $1 ] && return
echo "Not found commandGivenPath [$1] on this host, quitting" > $TEE_DEST
exit 1
}
failUnsupportedScript ()
{
echo "UNIX flavor [$KERNEL] unsupported for this script, quitting" > $TEE_DEST
exit 0
}
assertInvokerIsSuperuser ()
{
[ `id -u` -eq 0 ] && return
echo "Must be superuser to run this script, quitting" > $TEE_DEST
exit 1
}
# # # check for presence of a few basic commands ubiquitous in our scripts
assertHaveCommand $AWK
assertHaveCommand egrep
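Review bot: every failure path writes its diagnostic to `$TEE_DEST`, which is `/dev/null` unless the script was started with `--debug`, so failLackCommand, the unsupported-kernel branch and assertInvokerIsSuperuser all exit silently in normal operation and an input that stops producing data leaves no trace in splunkd.log. Send those messages to stderr (`>&2`), which the scripted-input framework captures, and keep `$TEE_DEST` for the verbose trace only. Two more: `[ "$OSX_MAJOR_VERSION" == 10 ]` uses `==`, which POSIX test does not define; the script is `#!/bin/sh` and this only works because macOS's sh is bash in sh mode, so use `=`. And queryHaveCommand accepts any `-x` entry on PATH, including a directory named like the command, while in debug mode `TEE_DEST=`dirname $0`/debug-...` creates the trace file, containing raw command output, inside the add-on's own bin directory next to the executables; write it to a temp or var directory instead and add `-f` to the executable check.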

184
bin/cpu.sh Executable file

@ -0,0 +1,184 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
queryHaveCommand mpstat
FOUND_MPSTAT=$?
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}'
else
failLackMultipleCommands sar mpstat
fi
# shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else
CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}'
elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat
queryHaveCommand lparstat
FOUND_MPSTAT=$?
FOUND_LPARSTAT=$?
if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then
# Get extra fields from lparstat
COUNT=$(lparstat | grep " app" | wc -l)
if [ $COUNT -gt 0 ] ; then
# Fetch value from "app" column of lparstat output
FETCH_APP_COL_NUM='BEGIN {app_col_num = 8}
{
if($0 ~ /System configuration|^$/) {next}
if($0 ~ / app/)
{
for(i=1; i<=NF; i++)
{
if($i == "app")
{
app_col_num = i;
break;
}
}
print app_col_num;
exit 0;
}
}'
APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM")
CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}')
else
CPUPool=0
fi
# Fetch other required fields from lparstat output
OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}')
EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}')
DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1'
# shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
{
if($0 ~ /System configuration|^$/) {next}
if(flag == 1)
{
# Prepend extra field values from lparstat
for(i=NF+4; i>=4; i--)
{
$i = $(i-3);
}
if($0 ~ /ALL/)
{
$1 = CPUPool;
$2 = OnlineVirtualCPUs;
$3 = EntitledCapacity;
}
else
{
$1 = "-";
$2 = "-";
$3 = "-";
}
}
if($0 ~ /cpu /)
{
# Prepend extra field headers from lparstat
for(i=NF+4; i>=4; i--)
{
$i = $(i-3);
}
$1 = "CPUPool";
$2 = "OnlineVirtualCPUs";
$3 = "EntitledCapacity";
flag = 1;
}
for(i=1; i<=NF; i++)
{
printf "%17s ", $i;
}
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}'
# top command here is used to get a single instance of cpu metrics
CMD='top -l 1'
assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") {next;}'
# FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") { next; }'
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
if ($1 == "CPU:") {
cpu = "all";
} else {
cpu = remove_char($2, ":");
}
}
{
pctUser = remove_char($(NF-9), "%");
pctNice = remove_char($(NF-7), "%");
pctSystem = remove_char($(NF-5), "%");
pctIdle = remove_char($(NF-1), "%");
pctIowait = "0.0";
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k)}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
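Review bot: the AIX branch captures exit statuses in the wrong order: `queryHaveCommand mpstat` and `queryHaveCommand lparstat` run back to back and only then `FOUND_MPSTAT=$?` and `FOUND_LPARSTAT=$?` are read, so FOUND_MPSTAT receives lparstat's result and FOUND_LPARSTAT receives the status of the preceding assignment, which is always 0. Capture each status immediately after its call, as the Linux branch does for sar and mpstat. A consequence in the same branch: when the `if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ]` test is false, CMD and FORMAT are never set and `$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"` runs an empty command through an empty awk program, producing no output and no error; add an `else failLackMultipleCommands mpstat lparstat`. The HP-UX branch has the same shape: if sar is absent CMD stays unset and the final pipeline silently emits only the header.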

211
bin/cpu_metric.sh Executable file

@ -0,0 +1,211 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
queryHaveCommand mpstat
FOUND_MPSTAT=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
else
failLackMultipleCommands sar mpstat
fi
# shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else
CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r'
fi
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat
queryHaveCommand lparstat
FOUND_MPSTAT=$?
FOUND_LPARSTAT=$?
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then
# Get extra fields from lparstat
COUNT=$(lparstat | grep " app" | wc -l)
if [ $COUNT -gt 0 ] ; then
# Fetch value from "app" column of lparstat output
FETCH_APP_COL_NUM='BEGIN {app_col_num = 8}
{
if($0 ~ /System configuration|^$/) {next}
if($0 ~ / app/)
{
for(i=1; i<=NF; i++)
{
if($i == "app")
{
app_col_num = i;
break;
}
}
print app_col_num;
exit 0;
}
}'
APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM")
CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}')
else
CPUPool=0
fi
# Fetch other required fields from lparstat output
OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}')
EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}')
DEFINE_LPARSTAT_FIELDS="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1'
# shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
{
if($0 ~ /System configuration|^$/) {next}
if(flag == 1)
{
for(i=NF+7; i>=7; i--)
{
$i = $(i-6);
}
# Prepend OSName, OS_version, IP_address values
$1 = OSName;
$2 = OSVersion/1000;
$3 = IP_address;
# Prepend lparstat field values
if($0 ~ /ALL/)
{
$4 = CPUPool;
$5 = OnlineVirtualCPUs;
$6 = EntitledCapacity;
}
else
{
$4 = "-";
$5 = "-";
$6 = "-";
}
}
if($0 ~ /cpu /)
{
for(i=NF+7; i>=7; i--)
{
$i = $(i-6);
}
# Prepend OSName, OS_version, IP_address headers
$1 = "OSName";
$2 = "OS_version";
$3 = "IP_address";
# Prepend lparstat field headers
$4 = "CPUPool";
$5 = "OnlineVirtualCPUs";
$6 = "EntitledCapacity";
flag = 1;
}
for(i=1; i<=NF; i++)
{
printf "%17s ", $i;
}
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS"
echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}'
# top command here is used to get a single instance of cpu metrics
CMD='top -l 1'
assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") {next;}'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
OSName=OSName;
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") { next; }'
# shellcheck disable=SC2016
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
if ($1 == "CPU:") {
cpu = "all";
} else {
cpu = remove_char($2, ":");
}
}
{
pctUser = remove_char($(NF-9), "%");
pctNice = remove_char($(NF-7), "%");
pctSystem = remove_char($(NF-5), "%");
pctIdle = remove_char($(NF-1), "%");
pctIowait = "0.0";
OSName=OSName;
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k); OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
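Review bot: the HP-UX branch has no failure path when sar is missing: `queryHaveCommand sar` sets FOUND_SAR, but CMD is only assigned inside `if [ $FOUND_SAR -eq 0 ]` with no else, so on a host without sar the script falls through to `$CMD | tee "$TEE_DEST" | $AWK ...` with an empty command and silently emits nothing. Mirror the Linux branch, which calls `failLackMultipleCommands sar mpstat`, with the equivalent failure helper. Separately, the two field-shift loops in the AIX FORMAT start at `for(i=NF+7; i>=7; i--)`; shifting six positions right only needs `i=NF+6`, and the extra first iteration assigns `$(NF+7) = $(NF+1)`, which grows NF and appends an empty seventeen-character column to the header and to every data row. Style: the `ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1` pipeline for IP_address is pasted verbatim into the SunOS, AIX, Darwin, FreeBSD and HP-UX branches; hoisting it into common.sh would give one place to fix the unescaped dots in `grep -v 127.0.0.1`.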

318
bin/df.sh Executable file

@ -0,0 +1,318 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# jscpd:ignore-start
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
CMD='df -h --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("Mounted on","MountedOn",$0);
}
match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a);
if (length(a) != 0)
{ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1],a[2],a[3],a[4],a[5],a[6],a[7],a[8],a[9],a[10],a[11];}
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD_1='eval /usr/bin/df -n ; /usr/bin/df -g'
CMD_2='/usr/bin/df -h'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files"
# shellcheck disable=SC2016
INODE_FILTER='
/^\// {key=$1}
{
for(i=1;i<=NF;i++)
{
if($i == "total" && $(i+1) == "files")
{
inodes=$(i-1)
}
if($i == "free" && $(i+1) == "files")
{
ifree=$(i-1)
}
}
}
{if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}'
CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}"
FILTER_PRE='/libc_psr/ {next}'
#Maps fsType and inode info from the output of INODE_FILTER
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
#Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="IUsed";
$(NF+1)="IFree";
$(NF+1)="IUsePct";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol];
$(NF+1)=MoIFree["INODE:"$mountedCol];
if(MoInodes["INODE:"$mountedCol]>0)
{
$(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol])"%";
}
else
{
$(NF+1)="0";
}
print $0;
}
}
}'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m'
# Normalize Size, Used and Avail columns
# shellcheck disable=SC2016
NORMALIZE='
function fromKB(KB) {
MB = KB/1024;
if (MB<1024) return MB "M";
GB = MB/1024;
if (GB<1024) return GB "G";
TB = GB/1024; return TB "T"
}
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="1024-blocks") {sizeCol=i; sizeFlag=1;}
if($i=="Used") {usedCol=i; usedFlag=1;}
if($i=="Available") {availCol=i; availFlag=1;}
}
}
if(!($0 ~ /^Filesystem.*/) && sizeFlag==1)
$sizeCol=fromKB($sizeCol);
if(!($0 ~ /^Filesystem.*/) && usedFlag==1)
$usedCol=fromKB($usedCol);
if(!($0 ~ /^Filesystem.*/) && availFlag==1)
$availCol=fromKB($availCol);
}'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%Iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="Iused") iusedCol=i;
if($i=="Ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand df
assertHaveCommand fstyp
CMD='df -Pk'
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}'
# shellcheck disable=SC2016
HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tMountedOn'
# shellcheck disable=SC2016
HEADERIZE='/^Filesystem/ {print header; next}'
# shellcheck disable=SC2016
FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; $6=usePct; $7=mountedOn}'
# shellcheck disable=SC2016
FILTER_POST='($2 ~ /^(tmpfs)$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -h -T nocddafs,autofs,devfs,fdesc,nfs'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
fi
# jscpd:ignore-end
$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
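Review bot: the HP-UX type lookup `MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}'` passes the first df column to a shell unquoted, so a mount source containing spaces or shell metacharacters is interpreted by sh instead of being handed to fstyp as one argument; quote it (single-quote $1 after stripping any embedded quote character) and reset `ft` before the getline so a failing fstyp does not carry the previous row's type forward. In the same branch FORMAT writes the mount point to `$7`, while HEADER puts INodes through IUsePct in columns 7 to 10 and MountedOn in column 11, and PRINTF prints `$7` through `$11` positionally; unless HP-UX `df -Pk` emits inode columns, MountedOn is printed under INodes and the MountedOn column is empty. Portability: the three-argument `match($0, re, a)` in the Linux PRINTF and the `\S` escapes in the SunOS, AIX, Darwin and FreeBSD PRINTF blocks are gawk extensions, not POSIX awk, so these branches depend on `$AWK` resolving to a gawk-compatible binary on every platform. The AIX branch asserts `/usr/bin/df` but the first command it actually runs is `/usr/sysv/bin/df -n`, which is never checked.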

364
bin/df_metric.sh Executable file

@ -0,0 +1,364 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2016
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(IPv6_Address) || IPv6_Address = "?"}'
# jscpd:ignore-start
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
BEGIN='BEGIN { OFS = "\t" }'
FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
function rem_pcent(val)
{
if(substr(val, length(val), 1)=="%")
{val=substr(val, 1, length(val)-1); return val}
}
{
if($0 ~ /^Filesystem.*/){
sub("Mounted on","MountedOn",$0);
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a);
if (length(a) != 0)
{ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1], a[2], a[3], a[4], a[5], rem_pcent(a[6]), a[7], a[8], a[9], rem_pcent(a[10]), a[11], OSName, OS_version, IP_address, IPv6_Address}
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD_1='eval /usr/bin/df -n; /usr/bin/df -g'
CMD_2='/usr/bin/df -k'
#Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files"
# shellcheck disable=SC2016
INODE_FILTER='
/^\// {key=$1}
{
for(i=1;i<=NF;i++)
{
if($i == "total" && $(i+1) == "files")
{
inodes=$(i-1)
}
if($i == "free" && $(i+1) == "files")
{
ifree=$(i-1)
}
}
}
{if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}'
CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
FILTER_PRE='/libc_psr/ {next}'
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType and inode info from the output of INODE_FILTER
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
#Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="IUsed";
$(NF+1)="IFree";
$(NF+1)="IUsePct";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol];
$(NF+1)=MoIFree["INODE:"$mountedCol];
if(MoInodes["INODE:"$mountedCol]>0)
{
$(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol]);
}
else
{
$(NF+1)="0";
}
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%Iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="Iused") iusedCol=i;
if($i=="Ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
OS_version=OSVersion/1000;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand df
assertHaveCommand fstyp
CMD='df -Pk'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tOSName\tOS_version\tIP_address\tMountedOn'
# shellcheck disable=SC2016
HEADERIZE='/^Filesystem/ {print header; next}'
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}'
# shellcheck disable=SC2016
FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; if(substr(usePct,length(usePct),1)=="%") $6=substr(usePct, 1, length(usePct)-1); else $6=usePct; $7=mountedOn; OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
FILTER_POST='($2 ~ /^(tmpfs)$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -k -T nocddafs,autofs,devfs,fdesc,nfs'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ik -t nodevfs,nonfs,noswap,nocd9660'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
fi
# jscpd:ignore-end
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
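Review bot: `rem_pcent()` in the Linux PRINTF has no return value for the non-percent case: its whole body is `if(substr(val, length(val), 1)=="%") {val=substr(val, 1, length(val)-1); return val}`, so when the ipcent group matches the `-` alternative of the regex (the pattern `([^ ]+%|-)` deliberately admits it) `rem_pcent(a[10])` returns an empty string and the IUsePct cell is blank instead of `-`; add `return val` after the if. The HP-UX branch here inherits the df.sh column shift (FORMAT stores the mount point in `$7`, PRINTF prints `$11` under MountedOn) and its HEADER omits IPv6_Address while every other branch emits that column and FILL_DIMENSIONS defaults it to "?", so the metric schema differs by platform. Style: the IPv6 selection pipeline with its chain of `grep -v ' ::1 '` / `' fe80::'` / `' 2002::'` / `' ff00::'` is duplicated in the SunOS, AIX, Darwin and FreeBSD branches, and the Linux variant `ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3` only ever picks the first address of the first interface; a single helper in common.sh would make the behaviour consistent and the exclusion list auditable in one place.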

225
bin/hardware.sh Executable file

@ -0,0 +1,225 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2016
FORMAT='{key = $1; if (NF == 1) {value = "<notAvailable>"} else {value = $2; for (i=3; i <= NF; i++) value = value " " $i}}'
PRINTF='{printf("%-20s %-s\n", key, value)}'
if [ "$KERNEL" = "Linux" ] ; then
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile # For filtering out lshw warning from stderr
queryHaveCommand ip
FOUND_IP=$?
# CPUs
CPU_TYPE=$(awk -F: '/model name/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_CACHE=$(awk -F: '/cache size/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_COUNT=$(grep -c processor /proc/cpuinfo 2>>"$TEE_DEST")
# HDs
# shellcheck disable=SC2010
for deviceBasename in $(ls /sys/block | grep -E -v '^(dm|md|ram|sr|loop)')
do
DEVICE="/sys/block/$deviceBasename" HARD_DRIVES="$HARD_DRIVES $deviceBasename"
if [ -e "$DEVICE"/device/model ] ; then HARD_DRIVES="$HARD_DRIVES ($(sed 's/ *$//' "$DEVICE"/device/model))"; fi
if [ -e "$DEVICE"/size ] ; then HARD_DRIVES="$HARD_DRIVES $((($(cat "$DEVICE"/size)*512)/(1024*1024*1024))) GB; "; fi
done
# NICs
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
OS_FILE=/etc/os-release
if [ -f /proc/sys/kernel/dmesg_restrict ]; then
DMESG_RESTRICT_VALUE=$(cat "/proc/sys/kernel/dmesg_restrict" 2>/dev/null)
else
DMESG_RESTRICT_VALUE=1
fi
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/hwinfo
NIC_TYPE=$(/usr/sbin/hwinfo --netcard --short | awk '{$1=""; sub(/^ */, "", $0); print $0}')
elif [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
NIC_TYPE=$(cat "$DMESG_FILE" | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}')
elif [ $DMESG_RESTRICT_VALUE -eq 0 ] ; then
NIC_TYPE=$(dmesg | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}')
else
NIC_TYPE=""
fi
if [ -z "$NIC_TYPE" ] ; then
assertHaveCommand lshw
PARSE_1='/^\s+product: / {
product = $2;
for (i=3; i<=NF; i++) product = product " " $i
}
/^\s+vendor: / {
vendor = $2;
for (i=3; i<=NF; i++) vendor = vendor " " $i
printf "%s, %s\n", vendor, product;
exit
}'
NIC_TYPE=$(lshw -class network 2>$TMP_ERROR_FILTER_FILE | awk "$PARSE_1")
# shellcheck disable=SC2086
grep -v "you should run this program as super-user" < $TMP_ERROR_FILTER_FILE 1>&2
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
fi
if [ $FOUND_IP -eq 0 ]; then
NIC_COUNT=$(ip a | awk '!length() || $2 ~/lo/ || /^ / {next} {ct++} END {print ct}')
else
assertHaveCommand ifconfig
NIC_COUNT=$(ifconfig | awk '!length() || /^( |lo)/ {next} {ct++} END {print ct}')
fi
# memory
MEMORY_REAL=$(awk -F: '/MemTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST")
MEMORY_SWAP=$(awk -F: '/SwapTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST")
elif [ "$KERNEL" = "SunOS" ] ; then
UNAME_PLATFORM=$(uname -i)
assertHaveCommand mpstat
assertHaveCommand iostat
assertHaveCommand dmesg
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommandGivenPath /usr/sbin/swap
# CPUs and NIC count
if [ -x /usr/sbin/prtdiag ] ; then
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" CPU socket #$", "", $0); print $0; exit}')
else
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); print $0; exit}')
fi
NIC_COUNT=$(/usr/sbin/prtdiag | grep -c NIC)
elif [ -x /usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag ]; then
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); print $0; exit}')
NIC_COUNT=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | grep -c NIC)
else
echo "Not found commandGivenPath [ /usr/sbin/prtdiag or /usr/platform/$UNAME_PLATFORM/sbin/prtdiag ] on this host, quitting" >> "$TEE_DEST"
exit 1
fi
# shellcheck disable=SC2016
CPU_CACHE=$(/usr/sbin/prtconf -v | $AWK 'function hexToDecKB (hex, digitsAll, idx, curDigit, dec) {sub("^value=", "", hex); for (idx=1; idx<=length(hex); idx++) {curDigit = index("0123456789abcdef", substr(hex,idx,1)); dec=(16*dec)+curDigit-1} if (debug) printf "hexToDec:%s->%d ", hex, dec; dec /= 1024; return dec} BEGIN {L2=L1i=L1d=0} (L2) {strL2=$1; L2=0} /l2-cache-size/ {L2=1} (L1i) {strL1i=$1; L1i=0} /l1-icache-size/ {L1i=1} (L1d) {strL1d=$1; L1d=0} /l1-dcache-size/ {L1d=1} END {if (debug) printf "strL2:%s strL1i:%s strL1d:%s ", strL2, strL1i, strL1d; nL2=hexToDecKB(strL2); nL1=hexToDecKB(strL1i)+hexToDecKB(strL1d); printf "L1:%dKB L2:%dKB", nL1, nL2}' debug="$DEBUG")
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CPU_COUNT=$(mpstat | grep -cv CPU)
else
CPU_COUNT=$(mpstat -q | grep -cv CPU)
fi
# # # that gives # of cores; `/usr/sbin/psrinfo -p` gives # of chips
# HDs
# shellcheck disable=SC2016
HARD_DRIVES=$(iostat -E | $AWK '/Soft Errors:/ {name=$1} /^Vendor:/ {info = $2 " " $4} /^Size:/ {sizeGB=0+$2; if (sizeGB>0) drives[name]=info " " $2} END {for (d in drives) printf("%s %s; ", d, drives[d])}')
# NICs
NIC_TYPE=$(dmesg | grep 'mac address' | sed -n 's/^.*] [a-z]*[0-9]*: //;s/mac address .*$//;p' | uniq)
# memory
MEMORY_REAL=$(/usr/sbin/prtconf | awk '/^Memory size:/ {print $3 " MB"; exit}')
# shellcheck disable=SC2016
MEMORY_SWAP=$(/usr/sbin/swap -s | $AWK '{used=0+$(NF-3); free=0+$(NF-1); total=(used+free)/1024; print int(total) " MB"}')
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommandGivenPath /usr/sbin/lsattr
assertHaveCommandGivenPath /usr/sbin/lsdev
assertHaveCommandGivenPath /usr/sbin/lscfg
assertHaveCommandGivenPath /usr/sbin/lspv
assertHaveCommandGivenPath /usr/sbin/lsps
# CPUs
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtconf | $AWK -F: '/^Processor Type:/{type=$2} /^Processor Clock Speed:/ {clock=$2}END {printf("%s %s",type,clock)}')
# shellcheck disable=SC2016
CPU_CACHE=$(/usr/sbin/lsattr -EHl L2cache0 | $AWK '/^size/{print "L2:" $2 " KB" }')
CPU_COUNT=$(/usr/sbin/lsdev -Cc processor | grep -c proc)
# HDs
HDD_NAME=$(/usr/sbin/lsdev -Cc disk | awk '{print $1}')
HARD_DRIVES=""
for disk in $HDD_NAME
do
# shellcheck disable=SC2016
HARD_INFO=$(/usr/sbin/lscfg -vpl "$disk" | $AWK -F . '/Manufacturer/ {name = $NF } /Machine Type and Model/ {info = $(NF)} END {printf("%s %s", name, info)}')
ACTIVE_STATUS=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $NF}')
VOLUME_GROUP=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $3}')
if [ "${ACTIVE_STATUS}" != "active" ] || [ "${VOLUME_GROUP}" = "None" ]; then # lspv cannot get disk-size as disk is inactive or not in any volume group
HARD_MB=$(getconf DISK_SIZE /dev/"$disk")" MB"
else
HARD_MB=$(/usr/sbin/lspv -L "$disk" | awk -F \( '{print $2}'| awk '/VG DESCRIPTORS/{print $1" MB"}')
fi
HARD_DRIVES="$HARD_DRIVES$disk $HARD_INFO $HARD_MB; "
done
# NICs
NIC_TYPE=$(/usr/sbin/lsdev -Cc adapter | grep ent | awk -F" " '{print $1" "$3"; "}')
NIC_COUNT=$(/usr/sbin/lsdev -Cc adapter | grep -c ent)
# memory
# shellcheck disable=SC2016
MEMORY_REAL=$(/usr/sbin/lsattr -EHl mem0 | $AWK '/^size/ {print $2 " MB"}')
# shellcheck disable=SC2016
MEMORY_SWAP=$(/usr/sbin/lsps -s | $AWK -F MB '/MB/ {print $1" MB"}')
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
assertHaveCommand system_profiler
assertHaveCommand ifconfig
# CPUs
CPU_TYPE=$(sysctl machdep.cpu.brand_string | sed -E 's/^.*: //;s/[ ]+/ /g')
CPU_CACHE=$(sysctl hw.cachesize | awk '{L1=$3/1024; L2=$4/(1024*1024); printf "L1:%d KB; L2:%d MB", L1, L2}')
CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //')
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
NIC_TYPE=$(system_profiler SPNetworkDataType | awk '/Media Subtype:/ {print $3; exit}')
NIC_COUNT=$(ifconfig | grep -c 'supported media:.*baseT')
# memory
MEMORY_REAL=$(sysctl hw.memsize | awk '{print $2/(1024*1024) " MB"}')
MEMORY_SWAP=$(sysctl vm.swapusage | awk '{print 0+$4 " MB"}')
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ioscan
assertHaveCommand iostat
assertHaveCommand lanscan
assertHaveCommand machinfo
assertHaveCommand swapinfo
OUTPUT=$(machinfo)
CPU_TYPE=$(echo "$OUTPUT" | awk '/processor family/ { for(i=4; i<=NF; i++) printf("%s ", $i); exit}')
CPU_CACHE=$(echo "$OUTPUT" | awk '/L[123]/ {cache+=$5} END {print cache " KB"}')
CPU_COUNT=$(echo "$OUTPUT" | awk '/CPUs/ {print $5; exit}')
HARD_DRIVES=$(iostat 2 1 | wc -l)
# shellcheck disable=SC2307,2003
HARD_DRIVES=$(expr "$HARD_DRIVES"-4)
NIC_COUNT=$(lanscan -i | wc -l)
NIC_TYPE=$(ioscan -u | grep lan | awk 'NF>2 {for(i=3; i<=NF; i++) printf("%s", $i); exit}')
OUTPUT=$(swapinfo -tm)
MEMORY_REAL=$(echo "$OUTPUT" | awk '$1=="memory" {print $2 " MB"; exit}')
MEMORY_SWAP=$(echo "$OUTPUT" | awk '$1=="dev" {print $2 " MB"; exit}')
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
assertHaveCommand ifconfig
assertHaveCommand dmesg
assertHaveCommand top
# CPUs
CPU_TYPE=$(sysctl hw.model | sed 's/^.*: //')
CPU_CACHE=
CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //')
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
IFACE_NAME=$(ifconfig -a | awk '!/^[a-z]/ {next} /LOOPBACK/ {next} {print $1}' | head -1)
NIC_TYPE=$(dmesg | awk '(index($0, iface) && index($0, " port ")) {sub("^.*<", ""); sub(">.*$", ""); print $0}' iface="$IFACE_NAME" | head -1)
NIC_COUNT=$(ifconfig -a | grep -c media)
# memory
MEMORY_REAL=$(sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}')
MEMORY_SWAP=$(top -Sb 0 | awk '/^Swap: / {print $2 "B"}')
fi
formatAndPrint ()
{
# shellcheck disable=SC2086
echo $1 | awk "$FORMAT $PRINTF"
}
formatAndPrint "KEY VALUE"
formatAndPrint "CPU_TYPE $CPU_TYPE"
formatAndPrint "CPU_CACHE $CPU_CACHE"
formatAndPrint "CPU_COUNT $CPU_COUNT"
formatAndPrint "HARD_DRIVES $HARD_DRIVES"
formatAndPrint "NIC_TYPE $NIC_TYPE"
formatAndPrint "NIC_COUNT $NIC_COUNT"
formatAndPrint "MEMORY_REAL $MEMORY_REAL"
formatAndPrint "MEMORY_SWAP $MEMORY_SWAP"
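Review bot: in the HP-UX branch, `HARD_DRIVES=$(expr "$HARD_DRIVES"-4)` never subtracts: with no whitespace around the `-`, expr receives the single argument `12-4` and prints it back verbatim, so HARD_DRIVES is emitted as a string like `12-4` instead of a count. Use POSIX arithmetic, `HARD_DRIVES=$((HARD_DRIVES - 4))`, and drop the expr call (and the SC2307/SC2003 suppressions) altogether. In the AIX disk loop, `awk -v pat="$disk" '$0~pat{print $NF}'` is an unanchored regex match, so `hdisk1` also matches `hdisk10`..`hdisk19`; ACTIVE_STATUS and VOLUME_GROUP then come back multi-line, the `!= "active"` test is true, and those disks are silently sized via the `getconf DISK_SIZE` fallback rather than `lspv -L`. Compare the first field exactly instead (`awk -v d="$disk" '$1==d{print $NF}'`). Minor: the FreeBSD `MEMORY_REAL` appends `"MB"` with no space while every other branch uses `" MB"`, which changes the field value downstream consumers receive.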

528
bin/interfaces.sh Executable file

@ -0,0 +1,528 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
if [ "$KERNEL" = "Linux" ] ; then
OS_FILE=/etc/os-release
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}'
queryHaveCommand ip
FOUND_IP=$?
if [ $FOUND_IP -eq 0 ]; then
CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
CMD='eval ip addr show $iface; ip -s link show'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_TXbytes='{
if($0 ~ /TX: /){
tx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
TX_bytes_column=i;
}
else if($i=="errors"){
TX_errors_column=i;
}
else if($i=="dropped"){
TX_dropped_column=i;
}
else if($i=="collsns"){
TX_collsns_column=i;
}
}
next;
}
if(NR==tx_row_count){
(TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1);
(TX_errors_column == "") ? TXerrors = "<n/a>" : TXerrors = $(TX_errors_column - 1);
(TX_dropped_column == "") ? TXdropped = "<n/a>" : TXdropped = $(TX_dropped_column - 1);
(TX_collsns_column == "") ? collisions = 0 : collisions = $(TX_collsns_column - 1);
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if($0 ~ /RX: /){
rx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
RX_bytes_column=i;
}
else if($i=="errors"){
RX_errors_column=i;
}
else if($i=="dropped"){
RX_dropped_column=i;
}
}next;
}
if(NR==rx_row_count){
(RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1);
(RX_errors_column == "") ? RXerrors = "<n/a>" : RXerrors = $(RX_errors_column - 1);
(RX_dropped_column == "") ? RXdropped = "<n/a>" : RXdropped = $(RX_dropped_column - 1);
}
}'
else
assertHaveCommand ifconfig
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
CMD='ifconfig'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_COLLISIONS='{
if ($0 ~ /collisions:/){
for(i=1;i<=NF;i++){
if($i ~ /collisions:/){
collisions_col_no = i;
break;
}
}
if(collisions_col_no==""){
collisions=0;
}
else
split($collisions_col_no, a, ":");
collisions=a[2];
}
else if($0 ~ /collisions /){
for(i=1;i<=NF;i++){
if($i=="collisions"){
collisions_column=i+1;
}
}
(collisions_column != "") ? collisions = $collisions_column : collisions = 0;
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if ($0 ~ /RX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
rxbytes_col_no = i;
break;
}
}
if(rxbytes_col_no==""){
RXbytes=0;
}
else
split($rxbytes_col_no, a, ":");
RXbytes=a[2];
}
else if($0 ~ /RX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
RXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(RXbytes_column != ""){
RXbytes = $RXbytes_column;
}
else
RXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_RXerrors='{
if ($0 ~ /RX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
rxerrors_col_no = i;
}
else if($i ~ /dropped:/){
rxdropped_col_no = i;
}
}
if(rxerrors_col_no != ""){
split($rxerrors_col_no, a, ":");
RXerrors=a[2];
}
else
RXerrors="<n/a>";
if(rxdropped_col_no != ""){
split($rxdropped_col_no, b, ":");
RXdropped=b[2];
}
else
RXdropped="<n/a>";
}
else if($0 ~ /RX/ && ($0 ~ /errors/)){
for(i=1;i<=NF;i++){
if($i=="errors"){
RXerrors_column=i+1;
}
if($i=="dropped"){
RXdropped_column=i+1;
}
}
(RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = "<n/a>";
(RXdropped_column != "") ? RXdropped = $RXdropped_column : RXdropped = "<n/a>";
}
}'
# shellcheck disable=SC2016
GET_TXbytes='{
if ($0 ~ /TX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
txbytes_col_no = i;
}
}
if(txbytes_col_no==""){
TXbytes=0;
}
else
split($txbytes_col_no, a, ":");
TXbytes=a[2];
}
else if($0 ~ /TX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
TXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(TXbytes_column != ""){
TXbytes = $TXbytes_column;
}
else
TXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_TXerrors='{
if ($0 ~ /TX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
txerrors_col_no = i;
}
if($i ~ /dropped:/){
txdropped_col_no = i;
}
}
if(txerrors_col_no != ""){
split($txerrors_col_no, a, ":");
TXerrors=a[2];
}
else
TXerrors="<n/a>";
if(txdropped_col_no != ""){
split($txdropped_col_no, b, ":");
TXdropped=b[2];
}
else
TXdropped="<n/a>";
}
else if($0 ~ /TX/ && $0 ~ /errors/){
for(i=1;i<=NF;i++){
if($i=="errors"){
TXerrors_column=i+1;
}
if($i=="dropped"){
TXdropped_column=i+1;
}
}
(TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = "<n/a>";
(TXdropped_column != "") ? TXdropped = $TXdropped_column : TXdropped = "<n/a>";
}
}'
fi
GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors"
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; length(TXdropped) || TXdropped = "<n/a>";length(RXdropped) || RXdropped = "<n/a>"; length(IPv4) || IPv4 = "<n/a>"; length(IPv6) || IPv6= "<n/a>"}'
BEGIN='BEGIN {RXbytes = TXbytes = collisions = 0}'
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
if [ -r /sys/class/net/"$iface"/duplex ]; then
DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error')
if [ "$DUPLEX" != 'error' ]; then
DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/')
if [ -r /sys/class/net/"$iface"/speed ]; then
SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error')
[ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s"
else
# For SLES, making use of ethtool as dmesg requires root privilege.
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/ethtool
SPEED=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Speed: +[0-9]+Mb\/s/ {print gensub(/[[:space:]]*Speed: +/, "", 1)}')
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
elif [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
else
DUPLEX=""
fi
fi
if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/ethtool
if [ "$DUPLEX" = "" ] ; then
DUPLEX=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Duplex: +[A-Za-z]+/ {print gensub(/[[:space:]]*Duplex: +/, "", 1)}')
fi
if [ "$SPEED" = "" ] ; then
SPEED=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Speed: +[0-9]+Mb\/s/ {print gensub(/[[:space:]]*Speed: +/, "", 1)}')
fi
else
assertHaveCommand dmesg
# Get Duplex only if still null
if [ "$DUPLEX" = "" ] ; then
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
else
DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
fi
fi
# Get Speed only if still null
if [ "$SPEED" = "" ] ; then
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
fi
fi
if [ $FOUND_IP -eq 0 ]; then
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}'
elif [ -r /sys/class/net/"$iface"/address ]; then
MAC=$(cat /sys/class/net/"$iface"/address)
else
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}'
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
$CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommand kstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
# shellcheck disable=SC2050
if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then
CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
else
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='/^Hardware Address:/{mac=$3}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -u'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}'
# shellcheck disable=SC2016
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IPv4='{$1 == "inet" && IPv4 = $2}'
# shellcheck disable=SC2016
GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
assertHaveCommand lanscan
assertHaveCommand netstat
CMD='lanscan'
# shellcheck disable=SC2016
LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}'
# shellcheck disable=SC2016
GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}'
# shellcheck disable=SC2016
GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}'
PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
fi
# jscpd:ignore-end
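Review bot: in the AIX branch the last pattern of GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS, `($1="Transmit" && $2="Errors:")`, uses assignment instead of comparison. It is therefore true for every record and rewrites $1 and $2 (and so $0) before the later GET_IP and GET_MAC patterns run: `$i == "inet"` can no longer see the `inet` field of the ifconfig line, `/^Hardware Address:/` no longer matches the rewritten netstat line, and TXerrors/RXerrors end up as $3/$6 of whatever the final record happens to be. It should read `($1=="Transmit" && $2=="Errors:")`. Further points in this file: (1) in the Linux loop DUPLEX, SPEED and MAC are never reset per iteration, so an interface with no readable `/sys/class/net/$iface/duplex` inherits the previous interface's values, while an interface whose duplex read fails (bridge devices, for example) is dropped from the output entirely instead of being reported with `<n/a>`; set `DUPLEX="" SPEED="" MAC=""` at the top of the loop and fall through to the `<n/a>` path rather than skipping. (2) `grep -Ev lo` in the `ip` branch is redundant (`lo` has `state UNKNOWN`, so `grep 'state UP'` already excludes it) and too broad (it also discards names such as `wlo1`); anchor it, e.g. `awk '$2 != "lo:"'`. (3) The SunOS test `[ SOLARIS_8 = false ] && [ SOLARIS_9 = false ]` compares literal strings (hence the SC2050 suppression), so it is always false and the `kstat -c net` branch is dead code; dereference the variables (`"$SOLARIS_8"`) if common.sh defines them, otherwise remove the branch. (4) In the HP-UX branch the awk program is assembled as `... $PRINTF $FILL_BLANKS`, so the per-record printf runs before the blanks are filled, and variables are never cleared between lanscan rows: a row whose netstat lookup returns nothing prints the previous row's address and counters. Put FILL_BLANKS before PRINTF and reset the variables at the start of each record. (5) Hardening: `$TEE_DEST` and `$iface` are interpolated into strings that `eval` re-tokenizes (`CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"`), and `$CMD "$iface"` in the Linux `ip` branch only works because eval joins its arguments and re-expands the literal `$iface`. Linux permits most punctuation in interface names and TEE_DEST is an operator-supplied path, so either quote them inside the eval string (`\"$iface\"`) or, better, run the commands directly without eval.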

547
bin/interfaces_metric.sh Executable file

@ -0,0 +1,547 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex OSName OS_version IP_address IPv6_Address'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}'
if [ "$KERNEL" = "Linux" ] ; then
OS_FILE=/etc/os-release
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex OSName OS_version IP_address IPv6_Address'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}'
queryHaveCommand ip
FOUND_IP=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
if [ $FOUND_IP -eq 0 ]; then
CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
CMD='eval ip addr show $iface; ip -s link show'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_TXbytes='{
if($0 ~ /TX: /){
tx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
TX_bytes_column=i;
}
else if($i=="errors"){
TX_errors_column=i;
}
else if($i=="dropped"){
TX_dropped_column=i;
}
else if($i=="collsns"){
TX_collsns_column=i;
}
}
next;
}
if(NR==tx_row_count){
(TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1);
(TX_errors_column == "") ? TXerrors = "<n/a>" : TXerrors = $(TX_errors_column - 1);
(TX_dropped_column == "") ? TXdropped = "<n/a>" : TXdropped = $(TX_dropped_column - 1);
(TX_collsns_column == "") ? collisions = 0 : collisions = $(TX_collsns_column - 1);
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if($0 ~ /RX: /){
rx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
RX_bytes_column=i;
}
else if($i=="errors"){
RX_errors_column=i;
}
else if($i=="dropped"){
RX_dropped_column=i;
}
}next;
}
if(NR==rx_row_count){
(RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1);
(RX_errors_column == "") ? RXerrors = "<n/a>" : RXerrors = $(RX_errors_column - 1);
(RX_dropped_column == "") ? RXdropped = "<n/a>" : RXdropped = $(RX_dropped_column - 1);
}
}'
else
assertHaveCommand ifconfig
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
CMD='ifconfig'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_COLLISIONS='{
if ($0 ~ /collisions:/){
for(i=1;i<=NF;i++){
if($i ~ /collisions:/){
collisions_col_no = i;
break;
}
}
if(collisions_col_no==""){
collisions=0;
}
else
split($collisions_col_no, a, ":");
collisions=a[2];
}
else if($0 ~ /collisions /){
for(i=1;i<=NF;i++){
if($i=="collisions"){
collisions_column=i+1;
}
}
(collisions_column != "") ? collisions = $collisions_column : collisions = 0;
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if ($0 ~ /RX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
rxbytes_col_no = i;
break;
}
}
if(rxbytes_col_no==""){
RXbytes=0;
}
else
split($rxbytes_col_no, a, ":");
RXbytes=a[2];
}
else if($0 ~ /RX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
RXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(RXbytes_column != ""){
RXbytes = $RXbytes_column;
}
else
RXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_RXerrors='{
if ($0 ~ /RX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
rxerrors_col_no = i;
}
else if($i ~ /dropped:/){
rxdropped_col_no = i;
}
}
if(rxerrors_col_no != ""){
split($rxerrors_col_no, a, ":");
RXerrors=a[2];
}
else
RXerrors="<n/a>";
if(rxdropped_col_no != ""){
split($rxdropped_col_no, b, ":");
RXdropped=b[2];
}
else
RXdropped="<n/a>";
}
else if($0 ~ /RX/ && ($0 ~ /errors/)){
for(i=1;i<=NF;i++){
if($i=="errors"){
RXerrors_column=i+1;
}
if($i=="dropped"){
RXdropped_column=i+1;
}
}
(RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = "<n/a>";
(RXdropped_column != "") ? RXdropped = $RXdropped_column : RXdropped = "<n/a>";
}
}'
# shellcheck disable=SC2016
GET_TXbytes='{
if ($0 ~ /TX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
txbytes_col_no = i;
}
}
if(txbytes_col_no==""){
TXbytes=0;
}
else
split($txbytes_col_no, a, ":");
TXbytes=a[2];
}
else if($0 ~ /TX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
TXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(TXbytes_column != ""){
TXbytes = $TXbytes_column;
}
else
TXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_TXerrors='{
if ($0 ~ /TX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
txerrors_col_no = i;
}
if($i ~ /dropped:/){
txdropped_col_no = i;
}
}
if(txerrors_col_no != ""){
split($txerrors_col_no, a, ":");
TXerrors=a[2];
}
else
TXerrors="<n/a>";
if(txdropped_col_no != ""){
split($txdropped_col_no, b, ":");
TXdropped=b[2];
}
else
TXdropped="<n/a>";
}
else if($0 ~ /TX/ && $0 ~ /errors/){
for(i=1;i<=NF;i++){
if($i=="errors"){
TXerrors_column=i+1;
}
if($i=="dropped"){
TXdropped_column=i+1;
}
}
(TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = "<n/a>";
(TXdropped_column != "") ? TXdropped = $TXdropped_column : TXdropped = "<n/a>";
}
}'
fi
GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors"
FILL_BLANKS='{length(TXdropped) || TXdropped = "<n/a>";length(RXdropped) || RXdropped = "<n/a>";length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; length(IPv4) || IPv4 = "<n/a>"; length(IPv6) || IPv6= "<n/a>"}'
BEGIN='BEGIN {RXbytes = RXerrors = RXdropped = TXbytes = TXerrors = TXdropped = collisions = 0}'
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
if [ -r /sys/class/net/"$iface"/duplex ]; then
DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error')
if [ "$DUPLEX" != 'error' ]; then
DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/')
if [ -r /sys/class/net/"$iface"/speed ]; then
SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error')
[ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s"
else
# For SLES, dmesg is accesbile only by the root user, thus using ethtool
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/ethtool
SPEED=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Speed: +[0-9]+Mb\/s/ {print gensub(/[[:space:]]*Speed: +/, "", 1)}')
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
elif [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
else
DUPLEX=""
fi
fi
if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then
# Get Duplex only if still null
if [ "$DUPLEX" = "" ] ; then
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/ethtool
DUPLEX=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Duplex: +[A-Za-z]+/ {print gensub(/[[:space:]]*Duplex: +/, "", 1)}')
elif [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
else
assertHaveCommand dmesg
DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
fi
fi
# Get Speed only if still null
if [ "$SPEED" = "" ] ; then
if echo "$OS_ID" | grep -qi suse; then
assertHaveCommandGivenPath /usr/sbin/ethtool
SPEED=$(/usr/sbin/ethtool $iface 2>/dev/null | awk '/Speed: +[0-9]+Mb\/s/ {print gensub(/[[:space:]]*Speed: +/, "", 1)}')
elif [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
fi
if [ $FOUND_IP -eq 0 ]; then
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}'
elif [ -r /sys/class/net/"$iface"/address ]; then
MAC=$(cat /sys/class/net/"$iface"/address)
else
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}'
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
# shellcheck disable=SC2086
$CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk $DEFINE '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommand kstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>";IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
# shellcheck disable=SC2050
if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then
CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
else
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='/^Hardware Address:/{mac=$3}'
GET_OS_VERSION='{OS_version=OSVersion/1000}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $GET_OS_VERSION $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -u'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IPv4='{$1 == "inet" && IPv4 = $2}'
# shellcheck disable=SC2016
GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
assertHaveCommand lanscan
assertHaveCommand netstat
CMD='lanscan'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}'
# shellcheck disable=SC2016
GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}'
# shellcheck disable=SC2016
GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}'
PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
fi
# jscpd:ignore-end
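Review bot: the AIX rule in GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS uses assignment where it means comparison: `($1="Transmit" && $2="Errors:")` assigns both fields, so the pattern is true for every record and rewrites $1 and $2 (and therefore $0) before the later GET_IP and GET_MAC rules in GET_ALL run, which can then never see `inet` in $1 or a line starting with `Hardware Address:`; it should read `($1=="Transmit" && $2=="Errors:")`. In the SunOS branch, `if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ]` compares the literal strings (the missing `$` is what the SC2050 suppression hides), so the `kstat -n $iface` fallback is unreachable; either reference the variables or drop the dead branch. Minor: `ethtool $iface` is unquoted in the four SUSE calls while the /sys reads quote `"$iface"`.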

52
bin/iostat.sh Executable file

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the first interval
FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='iostat -xn 1 2'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the second interval
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='iostat 1 2'
assertHaveCommand "$CMD"
# considers the disks, kb_read and kb_wrtn columns and returns output of the second interval
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the second interval
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
# shellcheck disable=SC2086
assertHaveCommandGivenPath $CMD
# shellcheck disable=SC2016
HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct}'
# shellcheck disable=SC2016
FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
FORMAT='avgSvcMillis=bandwUtilPct="?";'
FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
# Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
$CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
$CMD | tee "$TEE_DEST" | $AWK "$FILTER"
echo "Cmd = [$CMD]; | $AWK '$FILTER'" >> "$TEE_DEST"
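Review bot: `return expr read + write;` in LATENCY does not do what it intends: `expr` is not an awk builtin but an unset variable concatenated onto the sum, so getLatency only yields the right number through awk's string-to-number coercion; write `return read + write`. The same function is duplicated verbatim in bin/iostat_metric.sh. The comment above it refers to `darwin__disk_stats` (double underscore) while CMD runs `darwin_disk_stats`. Minor: the Darwin pipeline passes `header="$HEADER"` to awk although HEADERIZE already embeds the header string, and the debug echo repeats that unused argument.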

67
bin/iostat_metric.sh Executable file

@ -0,0 +1,67 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
# shellcheck disable=SC2016
PRINTF='{if ($0~/Device/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='iostat -xn 1 2'
# jscpd:ignore-start
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
# jscpd:ignore-end
elif [ "$KERNEL" = "AIX" ] ; then
CMD='iostat 1 2'
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/Disks/ && /Kb_read/ && /Kb_wrtn/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version/1000, IP_address}}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
# shellcheck disable=SC2086
assertHaveCommandGivenPath $CMD
HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s %-35s %15s %-16s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct, OSName, OS_version, IP_address}'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
FORMAT='{avgSvcMillis=bandwUtilPct="?";OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
# Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk $DEFINE '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER'" >> "$TEE_DEST"
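Review bot: the debug line written to TEE_DEST at the end does not match the command actually run: the pipeline invokes `$AWK $DEFINE "$FILTER $PRINTF"` but the log records only `'$FILTER'`, so anyone reproducing from the log gets the unannotated output. FORMAT's `OSName=OSName;OS_version=OS_version;IP_address=IP_address;` are self-assignments that do nothing, since the `-v` definitions already set those variables. The Darwin LATENCY function carries the same stray `expr` token as bin/iostat.sh (`return expr read + write;`).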

53
bin/lastlog.sh Executable file

@ -0,0 +1,53 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='USERNAME FROM LATEST'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-30s %-30.30s %-s\n", username, from, latest}'
if [ "$KERNEL" = "Linux" ] ; then
CMD='last -iw'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='last -n 999'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "AIX" ] ; then
failUnsupportedScript
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='last -99'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='lastb -Rx'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}'
# shellcheck disable=SC2016
FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='lastlogin'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==8) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}'
fi
assertHaveCommand $CMD
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
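Review bot: the Darwin FORMAT's `from = ($0 !~ / /) ? $3 : "<console>"` tests whether the whole record contains no space at all, which is never true for a multi-field `last` line, so `from` is always `<console>` on Darwin; the other branches test a field count (`NF==10`, `NF==8`) and this one should do the same for the Darwin `last` layout. On HP-UX, `lastb -Rx` reads the bad-login (btmp) records, which the FILTER's `BTMPS_FILE` check confirms, so that branch lists failed attempts rather than the latest logins the `USERNAME FROM LATEST` header implies; if that is intended it deserves a comment. Minor: `assertHaveCommand $CMD` is unquoted here while the other scripts quote the argument.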

74
bin/lsof.sh Executable file

@ -0,0 +1,74 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand lsof
CMD='lsof -nPs +c 0'
# shellcheck disable=SC2016
FILTER='/Permission denied|NOFD|unknown/ {next}'
if [[ "$KERNEL" = "Linux" ]] || [[ "$KERNEL" = "HP-UX" ]] || [[ "$KERNEL" = "Darwin" ]] || [[ "$KERNEL" = "FreeBSD" ]] ; then
if [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
FILTER='/KQUEUE|PIPE|PSXSEM/ {next}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
if [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then
# empty condition to allow the execution of script as is
echo > /dev/null
else
failUnsupportedScript
fi
fi
else
failUnsupportedScript
fi
PARSE_0='NR == 1 {
# Extract positions and headers from the first line
for (i = 1; i <= NF; i++) {
positions[i] = index($0, $i)
headers[i] = length($i)
if (i == NF) {
printf "%s", $i
}
else {
printf "%10s ", $i
}
}
printf "\n"
next
}'
PARSE_1='{
id = 1
for (i = 1; i <= length(positions); i++) {
if (i == length(positions)) {
field = substr($0, positions[i])
} else {
field = substr($0, positions[i], headers[i])
}
if (field ~ /^ *$/) {
field = "?"
id--
} else {
field = $id
}
id = id + 1
if (i == length(positions)) {
printf "%s", field
}
else {
printf "%10s ", field
}
}
printf "\n"
}
'
assertHaveCommand "$CMD"
# shellcheck disable=SC2094
$CMD 2>"$TEE_DEST" | tee "$TEE_DEST" | awk "$FILTER $PARSE_0 $PARSE_1"
echo "Cmd = [$CMD 2>$TEE_DEST]; | awk -v positions=\"$positions\" -v headers=\"$headers\" \"$FILTER $PRINTF\"" >> "$TEE_DEST"
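Review bot: the FreeBSD release check `[[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]` is unanchored, so it matches any release string containing `11`, `12` or `13` anywhere (a `-p11` patch-level suffix included) and does not reliably reject other major versions; anchor it, e.g. `[[ $KERNEL_RELEASE =~ ^1[123]\. ]]`. In the final pipeline, `$CMD 2>"$TEE_DEST" | tee "$TEE_DEST"` opens the same file twice for truncating writes (that is what the SC2094 suppression hides), so lsof's stderr and the copied stdout overwrite each other; send stderr to a separate file or append. The debug echo then references `$positions`, `$headers` and `$PRINTF`, which are awk variables or undefined in the shell, and names a different awk program than the one run (`$FILTER $PARSE_0 $PARSE_1`).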

52
bin/netstat.sh Executable file

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Proto Recv-Q Send-Q LocalAddress ForeignAddress State'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
PRINTF='{printf "%-5s %6s %6s %-30.30s %-30.30s %-s\n", $1, $2, $3, $4, $5, $6}'
# shellcheck disable=SC2016
FILL_BLANKS='($1=="udp") {$6="<n/a>"}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand ss
FOUND_SS=$?
if [ $FOUND_SS -eq 0 ] ; then
CMD='eval ss -antu 2>/dev/null | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{ state=$2; $2=$3; $3=$4; $4=$5; $5=$6; $6=state}'
else
CMD='eval netstat -aenp 2>/dev/null | egrep "tcp|udp"'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='netstat -an -f inet -f inet6'
FIGURE_SECTION='NR==1 {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}'
FILTER='/: IPv|Local Address|^$|^-----/ {next}'
# shellcheck disable=SC2016
FORMAT_UDP='(inUDP) {localAddr=$1; $1="udp"; $2=$3=0; $4=localAddr; $5="*.*"}'
# shellcheck disable=SC2016
FORMAT_TCP='(inTCP) {localAddr=$1; foreignAddr=$2; sendQ=$4; recvQ=$6; state=$7; $1="tcp"; $2=recvQ; $3=sendQ; $4=localAddr; $5=foreignAddr; $6=state}'
FORMAT="$FORMAT_UDP $FORMAT_TCP"
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval netstat -an 2>/dev/null | egrep "tcp|udp"'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval netstat -anW | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1)}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='eval netstat -an | egrep "tcp|udp"'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -an | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1)}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2090
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
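Review bot: FILL_BLANKS only fills the State column when `$1=="udp"`, but the AIX and HP-UX branches set no FORMAT to strip the `4`/`6` protocol suffix the way the Darwin and FreeBSD branches do (`gsub("[46]", "", $1)`), so any `udp4`/`udp6` rows there keep an empty sixth field and PRINTF prints a blank State; reuse that FORMAT in those branches. Minor: the `egrep "tcp|udp"` filters are unanchored in every branch, unlike bin/openPorts.sh which uses `"^tcp|^udp"`, so a row whose address or program column merely contains those substrings also passes.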

199
bin/nfsiostat.sh Executable file

@ -0,0 +1,199 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Mount Path r_op/s w_op/s r_KB/s w_KB/s rpc_backlog r_avg_RTT w_avg_RTT r_avg_exe w_avg_exe'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# We can have the multiple mounts for the nfs. So we have to parse mount separately.
# For CentOS and RHEL the number of lines for each mount is 9, while for the ubuntu it is 22
# due to the bug mentioned in this link. https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1584719
# So, we are handling the case of Ubuntu separately.
# When awk iterates through each line, using modulo operator we are checking the line number
# And extracting the particular value from that line and assigning it to the variable
# which we will use when the output of modulo is 0 as it will be the last line of that mount.
# We are also removing last character in the line "path=substr($4, 1, length($4)-1)"
# as last character of the path is ":"
if [ "$KERNEL" = "Linux" ] ; then
OS_FILE=/etc/os-release
if echo "$OS_ID" | grep -qi suse; then
CMD='/usr/sbin/nfsiostat'
assertHaveCommandGivenPath $CMD
else
CMD='nfsiostat'
assertHaveCommand $CMD
fi
no_of_lines=$($CMD| wc -l)
# If there are no mount, exit
if [ "$no_of_lines" -eq 1 ];
then
$CMD >> "$TEE_DEST"
exit 1
fi
# Below condition is added to handle the case of Ubuntu OS
if [ -e $OS_FILE ] && (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q ubuntu);
then
# shellcheck disable=SC2016
OS_RELEASE=$($AWK -F= '/VERSION_ID=/ {print $2}' $OS_FILE)
if [ "$OS_RELEASE" = "\"18.04\"" ] || [ "$OS_RELEASE" = "\"20.04\"" ] || [ "$OS_RELEASE" = "\"22.04\"" ] ; then # Ubuntu 18.04, 20.04 and 22.04
# shellcheck disable=SC2016
FORMAT='{
if (NR%10==2){
echo "device"
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%10==5){
rpc_backlog=$2
}
else if (NR%10==8){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%10==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
else
# shellcheck disable=SC2016
FORMAT='{
if (NR%22==2){
echo "device"
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%22==6){
rpc_backlog=$1
}
else if (NR%22==9){
r_op_s=$1
}
else if (NR%22==10){
r_kb_s=$1
}
else if (NR%22==13){
r_avg_rtt=$1
}
else if (NR%22==14){
r_avg_exe=$1
}
else if (NR%22==17){
w_op_s=$1
}
else if (NR%22==18){
w_kb_s=$1
}
else if (NR%22==21){
w_avg_rtt=$1
}
else if (NR%22==0){
w_avg_exe=$1
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
fi
# For SUSE OS
elif echo "$OS_ID" | grep -qi suse;
then
FORMAT='{
if (NR%10==2){
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%10==5){
rpc_backlog=$2
}
else if (NR%10==8){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%10==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
# For CentOS and RHEL
else
#For RHEL 8.x
if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q rhel) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8.7\|8.6\|8.5\|8.4\|8.3\|9) ) || ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q cent) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8) ) );
then
# shellcheck disable=SC2016
FORMAT='{
if (NR%10==2){
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%10==5){
rpc_backlog=$2
}
else if (NR%10==8){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%10==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
else
# shellcheck disable=SC2016
FORMAT='{
if (NR%9==2){
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%9==5){
rpc_backlog=$2
}
else if (NR%9==7){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%9==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
fi
fi
$CMD | tee "$TEE_DEST" | awk "$HEADERIZE $FORMAT" | column -t
echo "Cmd = [$CMD]; | awk '$HEADERIZE $FORMAT' header=\"$HEADER\"" >> "$TEE_DEST"
else
failUnsupportedScript
fi
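Review bot: The RHEL/CentOS version test is an unanchored ERE, so it classifies some releases wrongly: in `grep -Eq 8.7\|8.6\|8.5\|8.4\|8.3\|9` the `.` is a wildcard and the bare `9` alternative matches any VERSION_ID containing a 9, so `"8.9"` takes the 10-line NR%10 layout while `"8.8"` and `"8.10"` fall through to the 9-line layout, and `$OS_FILE` is expanded unquoted. Anchor and quote the pattern (for example `grep -Eq '^"?(8\.([3-9]|[1-9][0-9])|9)'`) and use `"$OS_FILE"`. The `/ID=/` selector also matches the `VERSION_ID=` line, which happens to be harmless here only because `grep -q rhel` ignores the extra value. Separately, the final pipeline calls `awk` directly and omits `header="$HEADER"`, unlike every other script in this commit which goes through `$AWK`; use `$AWK "$HEADERIZE $FORMAT" header="$HEADER"` so the same awk binary is used everywhere.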

66
bin/openPorts.sh Executable file

@ -0,0 +1,66 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# a similar effect can be accomplished with: "nc -z 127.0.0.1 1-32768", and "nc -zu 127.0.0.1 1-32768"
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Proto Port'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-5s %5d\n", proto, port}'
# shellcheck disable=SC2016
FILTER_INACTIVE='($NF ~ /^CLOSE/) {next}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand ss
FOUND_SS=$?
if [ $FOUND_SS -eq 0 ] ; then
CMD='eval ss -lnut | egrep "^tcp|^udp"'
# shellcheck disable=SC2016
FORMAT='{proto=$1; sub("^.*:", "", $5); port=$5}'
else
CMD='eval netstat -ln | egrep "^tcp|^udp"'
# shellcheck disable=SC2016
FORMAT='{proto=$1; sub("^.*:", "", $4); port=$4}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='netstat -an -f inet -f inet6'
FIGURE_SECTION='BEGIN {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}'
FILTER='/: IPv|Local Address|^$|^-----/ {next} (! port) {next}'
# shellcheck disable=SC2016
FORMAT='{if (inUDP) proto="udp"; if (inTCP) proto="tcp"; sub("^.*[^0-9]", "", $1); port=$1}'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval netstat -an | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval netstat -ln | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='eval netstat -an | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -ln | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2090
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
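Review bot: The Linux branch throws away the bind address, which is the most useful part of a listening-port inventory: `sub("^.*:", "", $5); port=$5` reduces `127.0.0.1:631` and `*:631` (or `0.0.0.0:631`) to the same `tcp 631` row, so a service bound to loopback is indistinguishable from one exposed on all interfaces. Consider keeping the address as a third column (capture it before the `sub`, e.g. `addr=$5; sub(":[^:]*$", "", addr)`) so the consumer can tell internal-only listeners from network-facing ones. Minor points: `egrep` is deprecated in GNU grep in favour of `grep -E`, and the `HEADERIZE="BEGIN {print \"$HEADER\"}"` re-assignments in the AIX, Darwin, HP-UX and FreeBSD branches duplicate the top-level assignment and can be dropped.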

125
bin/openPortsEnhanced.sh Executable file

@ -0,0 +1,125 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# In AWK scripts in this file, the following are true:
# FULLTEXT is used to capture the output for SHA256 checksum generation.
# SPLUNKD is used to determine Splunk service status.
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand lsof
if [ -f /usr/sbin/lsof ] ; then
LSOF=/usr/sbin/lsof
elif [ -f /usr/bin/lsof ] ; then
# shellcheck disable=SC2034
LSOF=/usr/bin/lsof
fi
# shellcheck disable=SC2016
CMD='eval date ; ${LSOF} -i -P -n +c 0'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# Only base the file hash on the listening ports, not on
# open connections.
# shellcheck disable=SC2016
PARSE_1='/LISTEN|[Uu][Dd][Pp]/ {
FULLTEXT = FULLTEXT $0 "\n"
idx=match($0, /\(LISTEN\)/)
if (idx>0) {
DATA=substr($0, 0, idx-1)
} else {
DATA=$0
}
fields = split(DATA, portarr)
# This compensates for varying field counts.
if (fields == 9) {
hostfields = split(portarr[9], hostarr, ":")
TRANSPORT="transport=" portarr[8]
} else if (fields == 8) {
hostfields = split(portarr[8], hostarr, ":")
TRANSPORT="transport=" portarr[7]
}
if (hostfields == 2 && hostarr[2] ~ /[0-9][0-9]*/) {
DESTIP="dest_ip=" hostarr[1]
DESTPORT="dest_port=" hostarr[2]
APP="app=" portarr[1]
PID="pid=" portarr[2]
USER="user=" portarr[3]
FD="fd=" portarr[4]
IPVERSION="ip_version=" substr(portarr[5],index(portarr[5],"v")+1)
DVCID="dvc_id=" portarr[6]
#printf "MATCH: %s\n", $0
printf "%s %s %s %s %s %s %s %s %s %s\n", DATE, APP, DESTIP, DESTPORT, PID, USER, FD, IPVERSION, DVCID, TRANSPORT
} else {
#printf "NOMATCH: %s\n", $0
;
}
}'
MASSAGE="$PARSE_0 $PARSE_1"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand date
assertHaveCommand netstat
CMD='eval date ; netstat -an -f inet -f inet6'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='/^[Tt][Cc][Pp]|[Uu][Dd][Pp]/ {
split($0, protoarr, ":")
TRANSPORT="transport=" protoarr[1]
IPVERSION="ip_version=" substr(protoarr[2],index(protoarr[2],"v")+1)
next
}'
# shellcheck disable=SC2016
PARSE_3='NR>1 && $0 !~ /Local|^-|^$/ {
FULLTEXT = FULLTEXT $0 "\n"
split($0, arr)
num = split(arr[1], hostarr, "\.")
if ( TRANSPORT ~ /[Tt][Cc][Pp]/) {
DESTIP="dest_ip="hostarr[1]
} else {
DESTIP="dest_dns="hostarr[1]
}
DESTPORT=hostarr[num]
for (i=2; i<num; i++) {
DESTIP=DESTIP"."hostarr[i]
}
if ( $0 !~ /[Uu][Nn][Bb][Oo][Uu][Nn][Dd]/ && DESTPORT != "*" ) {
DESTPORT="dest_port="DESTPORT
printf "%s %s %s %s %s \n", DATE, DESTIP, DESTPORT, IPVERSION, TRANSPORT
}
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_3"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
else
# Exits
failUnsupportedScript
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $POSTPROCESS"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $POSTPROCESS'" >> "$TEE_DEST"
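Review bot: `LSOF` is left unset when `lsof` is on PATH but at neither `/usr/sbin/lsof` nor `/usr/bin/lsof` (Homebrew and some distro layouts), so although `assertHaveCommand lsof` passes, `CMD='eval date ; ${LSOF} -i -P -n +c 0'` expands to `date ; -i -P -n +c 0` and the script emits nothing but a date. Initialise `LSOF=lsof` before the `if [ -f /usr/sbin/lsof ]` chain so the PATH lookup is the fallback. Also, `DATA=substr($0, 0, idx-1)` uses start position 0; POSIX awk positions are 1-based, and a start of 0 silently shortens the extracted string by one character in the common implementations. `substr($0, 1, idx-1)` is what is meant.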

67
bin/package.sh Executable file

@ -0,0 +1,67 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='NAME VERSION RELEASE ARCH VENDOR GROUP'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-55.55s %-20.20s %-20.20s %-10.10s %-30.30s %-20s\n", name, version, release, arch, vendor, group}'
CMD='echo There is no flavor-independent command...'
if [ "$KERNEL" = "Linux" ] ; then
if $DEBIAN; then
CMD1="eval dpkg-query -W -f='"
# shellcheck disable=SC2016
CMD2='${Package} ${Version} ${Architecture} ${Homepage}\n'
CMD3="'"
CMD=$CMD1$CMD2$CMD3
# shellcheck disable=SC2016
FORMAT='{name=$1;version=$2;sub("\\.?[^0-9\\.:\\-].*$", "", version); release=$2; sub("^[0-9\\.:\\-]*","",release); if(release=="") {release="?"}; arch=$3; if (NF>3) {sub("^.*:\\/\\/", "", $4); sub("^www\\.", "", $4); sub("\\/.*$", "", $4); vendor=$4} else {vendor="?"} group="?"}'
else
CMD='eval rpm --query --all --queryformat "%-56{name} %-21{version} %-21{release} %-11{arch} %-31{vendor} %-{group}\n"'
# shellcheck disable=SC2016
PRINTF='{print $0}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='pkginfo -l'
# shellcheck disable=SC2016
FORMAT='/PKGINST:/ {name=$2 ":"} /NAME:/ {for (i=2;i<=NF;i++) name = name " " $i} /CATEGORY:/ {group=$2} /ARCH:/ {arch=$2} /VERSION:/ {split($2,a,",REV="); version=a[1]; release=a[2]} /VENDOR:/ {vendor=$2; for(i=3;i<=NF;i++) vendor = vendor " " $i}'
SEPARATE_RECORDS='!/^$/ {next} {release = release ? release : "?"}'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval lslpp -icq | sed "s,:, ," | sed "s,:.*,,"'
# shellcheck disable=SC2016
FORMAT='{name=$2 ; version=$3 ; vendor=release=arch=group="?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='system_profiler SPApplicationsDataType'
FILTER='{ if (NR<3) next}'
# shellcheck disable=SC2016
FORMAT='{gsub("[^\40-\176]", "", $0)} /:$/ {sub("^[ ]*", "", $0); sub(":$", "", $0); name=$0} /Last Modified: / {vendor=""} /Version: / {version=$2} /Kind: / {arch=$2} /Get Info String: / {sub("^.*: ", "", $0); sub("[Aa]ll [Rr]ights.*$", "", $0); sub("^.*[Cc]opyright", "", $0); sub("^[^a-zA-Z_]*[0-9][0-9[0-9][0-9]", "", $0); sub("^[ ]*", "", $0); vendor=$0}'
SEPARATE_RECORDS='!/Location:/ {next} {release = "?"; vendor = vendor ? vendor : "?"; group = "?"}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand swlist
CMD='swlist -a revision -a architecture -a vendor_tag'
# shellcheck disable=SC2016
FILTER='/^#/ {next} $1=="" {next}'
# shellcheck disable=SC2016
FORMAT='{release="?"; group="?"; vendor="?"; name=$1; version=$2; arch=$3} NF==4 {vendor=$4}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# the below syntax is valid when using zsh, bash, ksh
if [[ $KERNEL_RELEASE =~ 10.* ]] || [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then
CMD='eval pkg info --raw --all | grep "^name:\|^version:\|^arch:" | cut -d\" -f2'
HEADER='NAME VERSION ARCH '
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
PRINTF='{ printf "%-50.50s" (NR%3==0 ? RS:FS),$1}'
else
CMD='pkg_info -da'
# shellcheck disable=SC2016
FORMAT='/^Information for / {vendor=""; sub(":$", "", $3); name=$3} /^WWW: / {sub("^.*//", "", $2); sub("/.*$", "", $2); sub("^www\134.", "", $2); vendor=$2} /^$/ {blanks+=1} !/^$/ {blanks=0}'
SEPARATE_RECORDS='(blanks<3) {next} {vendor = vendor ? vendor : "?"; version=release=arch=group="?"}'
fi
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
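Review bot: The FreeBSD branch enumerates releases by hand (`[[ $KERNEL_RELEASE =~ 10.* ]] || ... =~ 13.* ]]`), so FreeBSD 14 and later fall into the `else` and run `pkg_info -da`, which does not exist on pkg(8)-based systems; test for the tool instead of the release (`if queryHaveCommand pkg; then`). On Debian, `dpkg-query -W` lists every package in the dpkg database, including packages that were removed but not purged (status `deinstall ok config-files`), so the inventory reports software that is no longer installed. Add `${db:Status-Status}` (or `${Status}`) to the format string and filter to `installed` in `FORMAT` before printing. The column labelled VENDOR in that branch is in fact the host part of `${Homepage}`, which is worth saying in a comment so consumers do not treat it as a vendor identity.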

30
bin/passwd.sh Executable file

@ -0,0 +1,30 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s %s\n", DATE, FILEHASH}'
# shellcheck disable=SC2034
PASSWD_FILE=/etc/passwd
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "x$KERNEL" != "xHP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR==2 {FILEHASH="file_hash=" $2}'
# Note the inline print in the next PARSE statement.
# Comments are eliminated from the output, but included in FILEHASH.
# shellcheck disable=SC2016
PARSE_2='NR>2 && /^[^#]/ { split($0, arr, ":") ; printf "%s user=%s password=x user_id=%s user_group_id=%s home=%s shell=%s\n", DATE, arr[1], arr[3], arr[4], arr[6], arr[7]}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
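Review bot: The kernel check is inverted for one platform: the clause `|| [ "x$KERNEL" != "xHP-UX" ]` is true on every kernel except HP-UX, which makes the other tests redundant, and on HP-UX (the one case the whole condition is false) `CMD` and `MASSAGE` stay unset, so the final line runs an empty `$CMD | tee "$TEE_DEST" | $AWK " $PRINTF"` and emits a bare date-less hash line. The intent is presumably `[ "$KERNEL" = "HP-UX" ]` like its neighbours; otherwise drop the clause and guard the pipeline with a `failUnsupportedScript` else-branch as the other scripts do. Worth a comment as well: `password=x` is a literal, not read from the file, and the hash covers the whole file including comment lines, which the comment on the PARSE_2 line already states.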

81
bin/protocol.sh Executable file

@ -0,0 +1,81 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
CMD='netstat -s'
HEADER=' IPdropped TCPrexmits TCPreorder TCPpktRecv TCPpktSent UDPpktLost UDPunkPort UDPpktRecv UDPpktSent'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf " %10d %10d %10d %10d %10d %10d %10d %10d %10d\n", IPdropped, TCPrexmits, TCPreorder, TCPpktRecv, TCPpktSent, UDPpktLost, UDPunkPort, UDPpktRecv, UDPpktSent}'
OS_FILE=/etc/os-release
if [ "$KERNEL" = "Linux" ] ; then
if echo "$OS_ID" | grep -qi suse; then
# shellcheck disable=SC2016
CMD='nstat -az'
# shellcheck disable=SC2016
TCPreorder=0
FIGURE_SECTION='/^IpOutDiscards/ {IPdropped=$2} /^TcpInSegs/ {TCPpktRecv=$2} /^TcpOutSegs/ {TCPpktSent=$2} /^TcpRetransSegs/ {TCPrexmits=$2} /^UdpInDatagrams/ {UDPpktRecv=$2} /^UdpNoPorts/ {UDPunkPort=$2} /^UdpInErrors/ {UDPpktLost=$2} /^UdpOutDatagrams/ {UDPpktSent=$2} /^.*Reorder/ {TCPreorder+=$2}'
else
# shellcheck disable=SC2016
FIGURE_SECTION='/^Ip:$/ {inIP=1;inTCP=0;inUDP=0} /^Tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^Udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^Ip:$|^Udp:$|^Tcp(Ext)?:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /outgoing packets dropped/ {IPdropped=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /segments retransmited/ {TCPrexmits=$1} inTCP && /Detected reordering/ {TCPreorder=$3} inTCP && /[0-9] segments received$/ {TCPpktRecv=$1} inTCP && /segments send out/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
# shellcheck disable=SC2016
COMMON='{gsub("=", "", $0)}'
# shellcheck disable=SC2016
SECTION_IP='/ipOutDiscards/ {IPdropped+=$2} /ipOutNoRoutes/ {IPdropped+=$4} /ipv6OutNoRoutes/ {IPdropped+=$2} /ipv6OutDiscards/ {IPdropped+=$4}'
# shellcheck disable=SC2016
SECTION_TCP='/tcpRetransSegs/ {TCPrexmits=$2} /tcpInUnorderSegs/ {TCPreorder=$2} /tcpInSegs/ {TCPpktRecv=$2} /tcpOutSegs/ {TCPpktSent=$4}'
# shellcheck disable=SC2016
SECTION_UDP='/udpOutErrors/ {UDPpktLost=$4} /udpInErrors/ {UDPunkPort=$5} /udpInDatagrams/ {UDPpktRecv=$3} /udpOutDatagrams/ {UDPpktSent=$2}'
elif [ "$KERNEL" = "AIX" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packets? .* retransmitted/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp(Ext)?:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /fragments dropped/ {IPdropped=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /retransmited$/ {TCPrexmits=$1} inTCP && /out of order/ {TCPreorder=$1} inTCP && /[0-9] packets received$/ {TCPpktRecv=$1} inTCP && /[0-9] packets sent$/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
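Review bot: `OS_FILE=/etc/os-release` is assigned and never used in this script; drop it or use it. In the non-SUSE Linux branch the TCP retransmit pattern `/segments retransmited/` is tied to one spelling of the net-tools message, which has differed between net-tools releases ("retransmited" vs "retransmitted"); a tolerant pattern such as `/segments retransmit+ed/` keeps `TCPrexmits` from silently reading as 0 on a host whose netstat uses the other spelling. The same applies to the HP-UX `/retransmited$/` pattern.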

76
bin/ps.sh Executable file

@ -0,0 +1,76 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sysv/bin/ps
CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/ps
CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
elif [ "$KERNEL" = "HP-UX" ] ; then
HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[^\134[: -]*/", "", $12)}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%32.32s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, args}}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
assertHaveCommand ps
export UNIX95=1
CMD='ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[\[\]]", "", $11)}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, $11, arg}}'
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
fi
# shellcheck disable=SC2016
# awk logic for adding extra field ARGS with underscore delimiter
ARGS_FORMAT='BEGIN {OFS = " ";} # specify output field separator
{
if (NR == 1) # Add extra header/field ARGS in first (header) row
{
command_column = NF;
$(NF+1) = "ARGS";
}
else
{
# If arguments exist, then append all with underscore delimeter, else specify <noArgs>
if ($(command_column+1) != "")
{
args = $(command_column+1);
for (i=command_column+2; i<=NF; i++)
{
args = args "_" $i;
$i = "";
}
$(command_column+1) = args;
}
else
{
$(command_column+1) = "<noArgs>";
}
# Remove trailing white spaces if any
sub(/[ \t]+$/,"",$0);
}
print;
}'
# Execute the command
$CMD | tee "$TEE_DEST" | $AWK "$ARGS_FORMAT"
echo "Cmd = [$CMD]; $AWK '$ARGS_FORMAT'" >> "$TEE_DEST"
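Review bot: The HP-UX branch defines `FORMAT` and `PRINTF` twice; the first pair (the `%32.32s` printf and the `sub("^[^\134[: -]*/", "", $12)` format) is dead code overwritten by the second pair before use, and should be removed. The surviving `PRINTF` passes `arg` as its last value while `FORMAT` builds `args`, so the ARGS column is always empty, and it supplies 14 values to 13 conversions. It also assumes 12+ columns (`if (NF>12) {args=$13 ...}`) although `ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args` produces 10, so `args` is taken from the wrong field. Rename `arg` to `args` and recompute the column offsets against the 10-column output.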

110
bin/ps_metric.sh Executable file

@ -0,0 +1,110 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
if [ "$KERNEL" = "Linux" ] ; then
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
fi
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sysv/bin/ps
CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/ps
CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
elif [ "$KERNEL" = "HP-UX" ] ; then
HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED OSName OS_version IP_address COMMAND ARGS'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[^\134[: -]*/", "", $12);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-32.32s %8s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %15s %-35s %15s %-16s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, OSName, OS_version, IP_address, $12, args}}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
assertHaveCommand ps
export UNIX95=1
CMD='ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[\[\]]", "", $11);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
PRINTF='if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-35s %15s %-16s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11, arg}}'
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
fi
# shellcheck disable=SC2016
# awk logic for adding extra field ARGS with underscore delimiter and OSName, OS_version, IP_address
FORMAT='BEGIN {OFS = " ";} # specify output field separator
{
if (NR == 1) # Add extra headers/fields - ARGS,OSName,OS_version,IP_address in first (header) row
{
# Replace TIME with CPUTIME to solve field extraction issue (metrics index)
sub("TIME","CPUTIME",$0);
command_column = NF;
$(NF+1) = "ARGS";
$(NF+1) = "OSName";
$(NF+1) = "OS_version";
$(NF+1) = "IP_address";
$(NF+1) = "IPv6_Address";
}
else
{
# If arguments exist, then append all with underscore delimeter, else specify <noArgs>
if ($(command_column+1) != "")
{
args = $(command_column+1);
for (i=command_column+2; i<=NF; i++)
{
args = args "_" $i;
$i = "";
}
$(command_column+1) = args;
}
else
{
$(command_column+1) = "<noArgs>";
}
# Append OSName, OS_version, IP_address values in the last three columns
if (OSName == "") {$(command_column+2) = "?";} else {$(command_column+2) = OSName;}
if (OS_version == "") {$(command_column+3) = "?";} else {$(command_column+3) = OS_version;}
if (IP_address == "") {$(command_column+4) = "?";} else {$(command_column+4) = IP_address;}
if (IPv6_Address == "") {$(command_column+5) = "?";} else {$(command_column+5) = IPv6_Address;}
# Remove trailing white spaces if any
sub(/[ \t]+$/,"",$0);
}
print;
}'
# shellcheck disable=SC2086
# Execute the command
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"
echo "Cmd = [$CMD]; $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
# jscpd:ignore-end
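Review bot: The HP-UX `PRINTF` is not valid awk: `PRINTF='if (NR == 1) {print $0} else {printf ... arg}}'` is missing the opening `{` (compare the same line in ps.sh, which starts `{if (NR == 1)`), so the concatenated program `$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF` fails with a syntax error and the HP-UX branch produces no output. It also references the undefined `arg` instead of `args`, as in ps.sh. The IPv6 extraction on Linux, `ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3`, takes the third token of all interfaces joined into one line, which is only the first interface's address by coincidence of the `-brief` layout; `awk 'NR==1{print $3}'` on the first line says what is meant.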

61
bin/rlog.sh Executable file

@ -0,0 +1,61 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# credit for improvement to http://splunk-base.splunk.com/answers/41391/rlogsh-using-too-much-cpu
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr
AUDIT_FILE="/var/log/audit/audit.log*"
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand service
assertHaveCommandGivenPath /sbin/ausearch
if [ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ] ; then
CURRENT_TIME=$(date --date="1 seconds ago" "+%x %T") # 1 second ago to avoid data loss
if [ -e "$SEEK_FILE" ] ; then
SEEK_TIME=$(head -1 "$SEEK_FILE")
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -ts $SEEK_TIME -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" < $TMP_ERROR_FILTER_FILE 1>&2
elif [ -e "$OLD_SEEK_FILE" ] ; then
rm -rf "$OLD_SEEK_FILE" # remove previous checkpoint
# start ingesting from the first entry of current audit file
# shellcheck disable=SC2086
awk ' { print } ' $CURRENT_AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
else
# no checkpoint found
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
fi
echo "$CURRENT_TIME" > "$SEEK_FILE" # Checkpoint+
else # Added this condition to get error logs
echo "error occured while running 'service auditd status' command in rlog.sh script. Output : $(service auditd status). Command exited with exit code $?" 1>&2
fi
# remove temporary error redirection file if it exists
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
elif [ "$KERNEL" = "SunOS" ] ; then
:
elif [ "$KERNEL" = "Darwin" ] ; then
:
elif [ "$KERNEL" = "HP-UX" ] ; then
:
elif [ "$KERNEL" = "FreeBSD" ] ; then
:
fi
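Review bot: The auditd check tests output rather than status and runs the probe twice: `[ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ]` are the same test, and on systemd hosts `service` forwards to `systemctl status`, which prints a status block even when auditd is inactive or failed, so the collection branch runs against a stopped daemon. Run it once as `if service auditd status >/dev/null 2>&1; then` and report the saved exit status in the error message; as written, the `$?` in the `echo "error occured ..."` line is not auditd's exit code. Also check whether `ausearch -ts`/`-te` treat the boundary second as inclusive: `CURRENT_TIME` is written as the checkpoint and reused as the next `-ts`, so records in that second would be emitted twice. Minor: "occured" should be "occurred", "filering" "filtering", and `rm -rf` on a single checkpoint file should be `rm -f`.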

56
bin/selinuxChecker.sh Executable file

@ -0,0 +1,56 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_selinux_error_tmpfile # For filtering out awk warning from stderr
PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}'
if [ "$KERNEL" = "Linux" ] ; then
if [ -f /etc/sysconfig/selinux ] ; then
SELINUX_FILE=/etc/sysconfig/selinux
elif [ -f /etc/selinux/config ] ; then
# shellcheck disable=SC2034
SELINUX_FILE=/etc/selinux/config
else
echo "SELinux not configured." >> "$TEE_DEST"
exit 1
fi
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SELINUX_FILE ; cat $SELINUX_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx]\=/ { SELINUX="selinux=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_2='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx][Tt][Yy][Pp][Ee]\=/ { SELINUXTYPE="selinuxtype=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_3='/^[Ss][Ee][Tt][Ll][Oo][Cc][Aa][Ll][Dd][Ee][Ff][Ss]\=/ { SETLOCALDEFS="setlocaldefs=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK "$MESSAGE $PRINTF" 2> $TMP_ERROR_FILTER_FILE
# shellcheck disable=SC2086
grep -v "warning: regexp escape sequence" < $TMP_ERROR_FILTER_FILE 1>&2
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
echo "Cmd = [$CMD]; | $AWK '$MESSAGE $PRINTF'" >> "$TEE_DEST"
fi
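Review bot: This reports the boot-time configuration, not the effective mode: `SELINUX=enforcing` in `/etc/selinux/config` stays unchanged after `setenforce 0`, so a host switched to permissive at runtime still shows as enforcing. Add the live state (`getenforce`, or `/sys/fs/selinux/enforce`) as a separate field so the two can be compared. The hash extraction `PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'` depends on the label the bundled `openssl sha256` prints; OpenSSL 3.x labels file digests `SHA2-256(path)= hex`, which does not match `^SHA256`, leaving `file_hash` empty. Matching on the closing `)= ` and taking `$NF` works for both label styles. Finally, "SELinux not configured." goes only to `$TEE_DEST` before `exit 1`; echoing it to stderr as well makes the non-zero exit explainable in splunkd.log.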

196
bin/service.sh Executable file

@ -0,0 +1,196 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# In AWK scripts in this file, the following are true:
# FULLTEXT is used to capture the output for SHA256 checksum generation.
# SPLUNKD is used to determine Splunk service status.
if [ "$KERNEL" = "Linux" ] ; then
if ! queryHaveCommand systemctl; then
assertHaveCommand date
assertHaveCommand chkconfig
CMD='eval date ; /sbin/chkconfig --list'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='NR>1 {
FULLTEXT = FULLTEXT $0 "\n"
split($0, ARR)
EVT="app=" ARR[1]
for (i=0 ; i<7 ; i++) {
split(ARR[i+2], STATE, ":")
EVT = EVT " runlevel" i "=" STATE[2]
}
if (ARR[1] ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
printf "%s type=chkconfig %s\n", DATE, EVT
}'
MASSAGE="$PARSE_0 $PARSE_1"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
else
assertHaveCommand systemctl
assertHaveCommand date
# Run the systemctl command to get all units and their state
CMD='eval date; systemctl list-units --type=service --all'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='
# On header row, get lengths to the fields
NR==2 {
match($0, /^ */); leading=RLENGTH;
match($0, /^.*DESC/); desclen=RLENGTH-4;
FULLTEXT="";
next;
}'
# shellcheck disable=SC2016
PARSE_2='(NR > 2){
# Stop at the empty line
if ( !NF ) { exit; }
# Skip the leading spaces
$0 = substr( $0, leading );
# the description spans fields so catch it seperately
desc=substr( $0, desclen );
FULLTEXT = FULLTEXT $0 "\n"
if ($1 ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
printf "%s type=systemctl UNIT=%s, LOADED=%s, ACTIVE=%s, SUB=%s, DESCRIPTION=\"%s\" \n",DATE, $1, $2, $3, $4, desc
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand date
assertHaveCommand svcs
CMD='eval date ; svcs -H -a -o STATE,FMRI'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='NR>1 {
STATE="State=\""$1"\""
idx=index($2,":")
STARTNAME="StartName=\""substr($2,0,idx-1)"\""
APP="app=\""substr($2,idx+1)"\""
FULLTEXT=FULLTEXT $0 "\n"
}'
PARSE_2='/^legacy_run/ {
STARTMODE="StartMode=\"Auto\""
}'
PARSE_3='/^online/ {
STARTMODE="StartMode=\"Auto\""
STATE="State=\"Running\""
}'
PARSE_4='/^disabled/ {
STARTMODE="StartMode=\"Disabled\""
STATE="State=\"Stopped\""
}'
INLINE_PRINT='NR>1 && APP!=0 {printf "%s %s %s %s %s\n", DATE, APP, STARTMODE, STARTNAME, STATE}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $INLINE_PRINT"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand defaults
assertHaveCommand dscl
assertHaveCommand find
assertHaveCommand ls
# Get startup items
CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/'
# Get per-user startup items
# shellcheck disable=SC2044
for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do
CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
done
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Retrieve path for system startup items
# shellcheck disable=SC2016
PARSE_1='/^\/(System|Library)/ {
split($0, tmparr, ":")
PATH="file_path=\""tmparr[1]
USER=0
START_MODE="StartMode=Auto"
START_TYPE="StartType=startup"
}'
# Retrieve user information for user startup items.
# shellcheck disable=SC2016
PARSE_2='/^\/Users/ {
split($0, tmparr, "/")
USER="user=" tmparr[3]
START_MODE="StartMode=Auto"
START_TYPE="StartType=login"
}'
# Retrieve the path for user startup items.
# shellcheck disable=SC2016
PARSE_3='/[[:blank:]]*Path/ {
split($0, path_arr, "=")
num=split(path_arr[2], app_arr, "/")
split(app_arr[num], app_final, ".")
split(path_arr[2], path_final, "\"")
APP="app=\"" app_final[1] "\""
FILE_PATH="file_path=\"" path_final[2] "\""
# Only print if we find a path.
printf "%s %s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, FILE_PATH, USER
# Note that we found splunkd if app matches
if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
}'
# Retrieve the system startup item name from the output of "ls -1"
# shellcheck disable=SC2016
PARSE_4='/^[^\/]/ {
if (NR>1 && USER==0 && NF > 0) {
APP="app=\""$0"\""
PATH=PATH$0"\""
printf "%s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, PATH
}
# Note that we found splunkd if app matches
if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
else
# Exits
failUnsupportedScript
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $POSTPROCESS"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $POSTPROCESS'" >> "$TEE_DEST"
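Review bot: in the systemctl branch, `$1` is not reliably the unit name: `systemctl list-units` prefixes failed units with a `●` marker in the first column, and `$0 = substr($0, leading)` drops only `leading-1` characters, which removes the marker only when the awk in use counts multibyte characters (gawk in a UTF-8 locale); under mawk or in the C locale the `●` is three bytes, two of which survive and become `$1`, shifting UNIT/LOADED/ACTIVE/SUB right by one for exactly the units this collector most needs to report correctly. `systemctl list-units --type=service --all --plain --no-legend --no-pager` removes the marker column and the trailing legend (the header-width computation at NR==2 and the `exit` on the blank line would then need adjusting). Separately, the END blocks print `file_hash=` and then let the `openssl sha256` child write its own line: unlike sshdChecker.sh, which pulls `$2` out of the openssl output, the label openssl prints for stdin lands in the event verbatim, and the pipe is never closed with `close(...)`, so the hash is only emitted when awk tears down at exit; an explicit `close()` after the printf makes the ordering deterministic.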

1276
bin/setup.sh Executable file

File diff suppressed because it is too large

38
bin/setupservice.py Normal file

@ -0,0 +1,38 @@
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
import json
import sys
import splunk
import splunk.bundle as bundle
class SetupService(splunk.rest.BaseRestHandler):
def handle_GET(self):
try:
is_recognized_unix = not sys.platform.startswith("win")
self.response.write(json.dumps(is_recognized_unix))
except Exception as e:
self.response.write(e)
def handle_POST(self):
sessionKey = self.sessionKey
try:
conf = bundle.getConf(
"app", sessionKey, namespace="Splunk_TA_nix", owner="nobody"
)
stanza = conf.stanzas["install"].findKeys("is_configured")
if stanza:
if stanza["is_configured"] == "0" or stanza["is_configured"] == "false":
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
else:
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
except Exception as e:
self.response.write(e)
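Review bot: both handlers write the raw exception object to the response (`self.response.write(e)`) on failure; `e` is not a string, and even as `str(e)` it returns internal error detail to the caller while leaving the HTTP status as success. Log the exception server-side and return an error status with a generic body instead. In `handle_POST` the two branches of `if stanza:` run identical code (set `is_configured` to `"true"` and reload), so the block reduces to: if `is_configured` is absent or is `"0"`/`"false"`, set it and reload. Also `splunk.rest.BaseRestHandler` is referenced but only `splunk` and `splunk.bundle` are imported; an explicit `import splunk.rest` avoids relying on a transitive import.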

98
bin/sshdChecker.sh Executable file

@ -0,0 +1,98 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
SSH_CONFIG_FILE=""
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] ; then
SSH_CONFIG_FILE=/etc/ssh/sshd_config
elif [ "$KERNEL" = "Darwin" ] ; then
SSH_CONFIG_FILE=/etc/sshd_config
else
failUnsupportedScript
fi
FILL_BLANKS='END {
if (SSHD_PROTOCOL == 0) {
SSHD_PROTOCOL=SSHD_DEFAULT_PROTOCOL
}'
PRINTF='{printf "%s app=sshd %s %s\n", DATE, FILEHASH, SSHD_PROTOCOL}}'
if [ "x$SOLARIS_11" != "xtrue" ] ; then
# If $SSH_CONFIG_FILE file exists and is a regular file.
if [ -f "$SSH_CONFIG_FILE" ] ; then
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE ; cat $SSH_CONFIG_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/^[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ {
split($0, arr)
num = split(arr[2], protocols, ",")
if (num == 2) {
SSHD_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2]
} else {
SSHD_PROTOCOL="sshd_protocol=" protocols[1]
}
}'
# shellcheck disable=SC2016
PARSE_2='/^#[[:blank:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ {
num=split($0, arr)
protonum = split(arr[num], protocols, ",")
if (protonum == 2) {
SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2]
} else {
SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1]
}
}'
# shellcheck disable=SC2016
PARSE_3='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
else
# shellcheck disable=SC2016
echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST"
exit 1
fi
else
if [ -f "$SSH_CONFIG_FILE" ] && [ -r "$SSH_CONFIG_FILE" ] ; then
# Solaris 11 only supports SSH protocol 2.
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; SSHD_PROTOCOL="sshd_protocol=2"}'
# shellcheck disable=SC2016
PARSE_1='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1"
else
echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST"
exit 1
fi
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST"
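Review bot: the Linux/Darwin branch at `if [ -f "$SSH_CONFIG_FILE" ]` checks existence only, while the Solaris 11 branch also checks `-r`; sshd_config is normally root-owned with mode 0600, so when this runs as a non-root Splunk user both `openssl sha256` and `cat` fail with permission denied and the script still emits an event with FILEHASH and SSHD_PROTOCOL empty instead of the `missing or unreadable` message. Use the same `[ -f ] && [ -r ]` test in both branches. Related: the END block only recovers `SSHD_PROTOCOL` from an explicit or commented-out `Protocol` line; sshd_config files written for recent OpenSSH releases (server-side protocol 1 was removed in 7.4) often have neither, so the event carries no `sshd_protocol` value at all; defaulting to `sshd_protocol=2` when nothing matched, as the Solaris branch already does, keeps the field populated. The `# shellcheck disable=SC2016` above the `echo` in the first `else` is unnecessary, since that line has no single-quoted expansion.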

67
bin/time.sh Executable file

@ -0,0 +1,67 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
queryHaveCommand ntpdate
FOUND_NTPDATE=$?
queryHaveCommand sntp
FOUND_SNTP=$?
getServer ()
{
if [ -f /etc/ntp.conf ] ; then # Linux; FreeBSD; AIX; Mac OS X maybe
CONFIG=/etc/ntp.conf
elif [ -f /etc/inet/ntp.conf ] ; then # Solaris
CONFIG=/etc/inet/ntp.conf
elif [ -f /private/etc/ntp.conf ] ; then # Mac OS X
CONFIG=/private/etc/ntp.conf
else
CONFIG=
fi
SERVER_DEFAULT='0.pool.ntp.org'
if [ "$CONFIG" = "" ] ; then
SERVER=$SERVER_DEFAULT
else
# shellcheck disable=SC2016
SERVER=$($AWK '/^server / {print $2; exit}' "$CONFIG")
SERVER=${SERVER:-$SERVER_DEFAULT}
fi
}
#With ntpdate
if [ $FOUND_NTPDATE -eq 0 ] ; then
echo "Found ntpdate command" >> "$TEE_DEST"
getServer
CMD2="ntpdate -q $SERVER"
echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST"
#With sntp
elif [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then # Mac OS 10.14.6 or higher version
echo "Found sntp command" >> "$TEE_DEST"
getServer
CMD2="sntp $SERVER"
echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST"
#With Chrony
else
CMD2="chronyc -n sources"
fi
CMD1='date'
assertHaveCommand $CMD1
assertHaveCommand "$CMD2"
$CMD1 | tee -a "$TEE_DEST"
echo "Cmd1 = [$CMD1]" >> "$TEE_DEST"
$CMD2 | tee -a "$TEE_DEST"
echo "Cmd2 = [$CMD2]" >> "$TEE_DEST"
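Review bot: `getServer` only recognizes `server` lines, so an `ntp.conf` that uses the `pool` directive (the usual form in current Debian/Ubuntu and ntp.org sample configs) yields an empty SERVER and the script falls back to `0.pool.ntp.org`; the collector then sends an NTP query to an external Internet host from every monitored machine on every run even when the host has a working internal time source configured. Match `/^(server|pool) /` and, when nothing is found, prefer reporting that no server is configured over contacting an outside default. Also, `CMD2="chronyc -n sources"` is set without a preceding `queryHaveCommand chronyc`, and `assertHaveCommand "$CMD2"` receives the whole quoted command string while `assertHaveCommand $CMD1` receives a bare word; whichever form common.sh expects, the two calls should agree.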

87
bin/top.sh Executable file

@ -0,0 +1,87 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER=' PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND'
# shellcheck disable=SC2016
PRINTF='{printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'
CMD='top'
if [ "$KERNEL" = "Linux" ] ; then
CMD='top -bn 1'
FILTER='{if (NR < 7) next}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 7 && $0 = header}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='prstat -n 999 1 1'
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='(NR==1) {next} /^Total:|^$/ {exit}'
# shellcheck disable=SC2016
FORMAT_DOMAIN='{virt=$3; res=$4; stateRaw=$5; pr=$6; ni=$7; cpuTIME=$8; pctCPU=0.0+$9; sub("/.*$", "", $10); command=$10 ? $10 : "<n/a>"}'
SPECIFY_STATES_MAP='BEGIN {map["sleep"]="S"; map["stop"]="T"; map["zombie"]="Z"; map["wait"]="D"; map["cpu"]="R"}'
MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]}'
# shellcheck disable=SC2016
FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE"
elif [ "$KERNEL" = "AIX" ] ; then
CMD="eval /usr/sysv/bin/ps -eo pid,user,pri,nice,vsz,rss,s,s,pcpu,pmem,time,comm"
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/PID/{next}'
# shellcheck disable=SC2016
FORMAT='{$7="?" ; sub("A","R",$8)}'
# Substitute ? for temporary [field 7] &
# Substitute R(running) for A(Active) on field 8 in AIX by Jacky Ho, Systex
elif [ "$KERNEL" = "Darwin" ] ; then
if [ "$OSX_MAJOR_VERSION" = 10 ] && [ "$OSX_MINOR_VERSION" -ge 9 ] || [ "$OSX_MAJOR_VERSION" -ge 11 ]; then
# OS X 10.9 does not report rshrd statistic (Resident Shared Address Space Size)
CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,cpu,time,command"
# shellcheck disable=SC2016
FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr="?"; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
elif $OSX_GE_SNOW_LEOPARD; then
CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,rshrd,cpu,time,command"
# shellcheck disable=SC2016
FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr=$5; pctCPU=$6; cpuTIME=$7; command=$8; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
else
CMD="eval top -F -l 2 -ocpu -Otime -t -R -p '^aaaaa ^nnnnnnnnnnnnnnnnnn ^lllll ^jjjjj ^ccccc ^ddddd ^bbbbbbbbbbbbbbbbbbbbbbbbbbbbb'"
# shellcheck disable=SC2016
FORMAT='{ virt=$3; res=$4; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7="?"; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
fi
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/ %CPU / {reportOrd++; next} {if ((reportOrd < 2) || !length) next}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ps
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/PID/{next}'
export UNIX95=1
CMD='ps -e -o pid,user,pri,nice,vsz,state,pcpu,time,comm'
# shellcheck disable=SC2016
PRINTF='{q="?"; printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, q, q, $6, $7, q, $8, $9}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
line=$(top -Sb 999 | grep -n -m 1 "PID" | cut -f1 -d:)
CMD='top -Sb 999'
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='(NR<='$line') {next} /^$/ {next}'
# shellcheck disable=SC2016
FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$10; pctCPU=0+$11; command=$12}'
SPECIFY_STATES_MAP='BEGIN {map["SLEEP"]="S"; map["STOP"]="T"; map["ZOMB"]="Z"; map["WAIT"]="D"; map["LOCK"]="D"; map["START"]="R"; map["RUN"]="R"; map["CPU"]="R"}'
MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]; state=state ? state : "?"}'
# shellcheck disable=SC2016
FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE"
fi
# shellcheck disable=SC2086
assertHaveCommand $CMD
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
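Review bot: the Linux branch keys everything on line numbers (`FILTER='{if (NR < 7) next}'`, `HEADERIZE='{NR == 7 && $0 = header}'`), which holds only when the running user's `top` summary is exactly five lines plus a blank; a `~/.toprc` that adds per-CPU lines or hides a summary row shifts the header and the replacement lands on a process row. Matching the header by content (`/^ *PID .*COMMAND/`) and skipping everything before it is robust to that. In the FreeBSD branch, `top -Sb 999` is run twice: once through `grep -n -m 1 "PID"` to find the header line number and once for the data, with `$line` spliced unquoted into the awk program; if the first run produces no PID line, `$line` is empty and the program becomes `(NR<=) {next}`, a syntax error. Detecting the header inside the single awk pass (`/PID/ {seen=1; next} !seen {next}`) avoids both the double invocation and the empty-splice failure.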

130
bin/update.sh Executable file

@ -0,0 +1,130 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_update_error_tmpfile # For filering out apt warning from stderr
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand date
OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
OS_FILE=/etc/os-release
# Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages
if [ "$OSName" = "Ubuntu" ]; then
assertHaveCommand apt
assertHaveCommand sed
# sed command here replaces '/, [, ]' with ' '
CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR>2 { printf "%s package=%s ubuntu_update_stream=%s latest_package_version=%s ubuntu_architecture=%s current_package_version=%s\n", DATE, $1, $2, $3, $4, $7}'
MESSAGE="$PARSE_0 $PARSE_1"
elif echo "$OS_ID" | grep -qi suse; then
assertHaveCommand zypper
# shellcheck disable=SC2016
CMD='eval date ; zypper list-updates'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='/^[\-+]+/ {header_found = 1; next}'
# shellcheck disable=SC2016
PARSE_2='header_found { gsub(/[[:space:]]*\|[[:space:]]*/, "|"); split($0, arr, /\|/); printf "%s repository=%s package=%s current_package_version=%s latest_package_version=%s sles_architecture=%s\n", DATE, arr[2], arr[3], arr[4], arr[5], arr[6]}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
else
assertHaveCommand yum
CMD='eval date ; yum check-update'
# shellcheck disable=SC2016
PARSE_0='NR==1 {
DATE=$0
PROCESS=0
UPDATES["addons"]=0
UPDATES["base"]=0
UPDATES["extras"]=0
UPDATES["updates"]=0
}'
# Skip extraneous text up to first blank line.
# shellcheck disable=SC2016
PARSE_1='NR>1 && PROCESS==0 && $0 ~ /^[[:blank:]]*$|^$/ {
PROCESS=1
}'
# shellcheck disable=SC2016
PARSE_2='NR>1 && PROCESS==1 {
num = split($0, update_array)
if (num == 3) {
# Record the update count
UPDATES[update_array[3]] = UPDATES[update_array[3]]+1
printf "%s package=\"%s\" package_type=\"%s\"\n", DATE, update_array[1], update_array[3]
} else if (num==2 && update_array[1] != "") {
printf "%s package=\"%s\"\n", DATE, update_array[1]
}
}'
PARSE_3='END {
TOTALS=""
for (key in UPDATES) {
TOTALS=TOTALS key "=" UPDATES[key] " "
}
printf "%s %s\n", DATE, TOTALS
}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
fi
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand softwareupdate
CMD='eval date ; softwareupdate -l'
# shellcheck disable=SC2016
PARSE_0='NR==1 {
DATE=$0
PROCESS=0
TOTAL=0
}'
# If the first non-space character is an asterisk, assume this is the name
# of the update. Otherwise, print the update.
# shellcheck disable=SC2016
PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ {
if ( $0 ~ /^[[:blank:]]*\*/ ) {
PACKAGE="package=\"" $2 "\""
RECOMMENDED=""
RESTART=""
TOTAL=TOTAL+1
} else {
if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" }
if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" }
printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART
}
}'
# Use sentinel value to skip all text prior to update list.
# shellcheck disable=SC2016
PARSE_2='NR>1 && PROCESS==0 && $0 ~ /found[[:blank:]]the[[:blank:]]following/ {
PROCESS=1
}'
PARSE_3='END {
printf "%s total_updates=%s\n", DATE, TOTAL
}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
else
# Exits
failUnsupportedScript
fi
# shellcheck disable=SC2086
$CMD 2> $TMP_ERROR_FILTER_FILE | tee "$TEE_DEST" | $AWK "$MESSAGE"
# shellcheck disable=SC2086
grep -Ev "apt does not have a stable CLI interface|^[[:space:]]*$" < $TMP_ERROR_FILTER_FILE 1>&2
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
echo "Cmd = [$CMD]; | $AWK '$MESSAGE'" >> "$TEE_DEST"
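Review bot: the Linux dispatch at `if [ "$OSName" = "Ubuntu" ]` sends every non-Ubuntu, non-SUSE distribution to the yum branch, so Debian (whose NAME is `Debian GNU/Linux`) and other apt-based systems fail at `assertHaveCommand yum` even though the apt parser above would work for them; testing for the presence of `apt` (or for `ID_LIKE=debian` in /etc/os-release) is more robust than matching a single NAME value. In the same block, `OS_FILE=/etc/os-release` is assigned and never read, and `$OS_ID` (used for the SUSE test) is not set anywhere in this file; if it is expected from common.sh, a comment saying so would help, otherwise the SUSE branch is unreachable.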

52
bin/uptime.sh Executable file

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s SystemUpTime=%s\n", DATE, UPTIME}'
# On HP-UX the `ps` command will only recognize the `-o` option if
# the `UNIX95` environment variable is set. So do it.
#
# Careful: The `UNIX95` environment variable affects other common
# commands like `cp`.
if [ "$KERNEL" = "HP-UX" ]; then
export UNIX95=1
fi
# This should work for any POSIX-compliant system, but in case it doesn't
# we have left the individual OS names here to be broken out later on.
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand ps
CMD='eval date; LC_ALL=POSIX ps -o etime= -p 1'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Parse timestamp using only POSIX AWK functions. The match, do/while,
# and exponentiation commands may not be available on some systems.
# shellcheck disable=SC2016
PARSE_1='NR==2 {
if (index($1,"-") != 0) {
split($1, array, "-")
UPTIME=86400*array[1]
num=split(array[2], TIME, ":")
} else {
UPTIME=0
num=split($1, TIME, ":")
}
for (i=num; i>0; i--) {
SECS=TIME[i]
for (j=num-i; j>0; j--) {
SECS = SECS * 60
}
UPTIME = UPTIME + SECS
}
}'
MASSAGE="$PARSE_0 $PARSE_1"
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
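Review bot: there is no `else` for an unrecognized `$KERNEL`, so on any other system `CMD` and `MASSAGE` stay empty, awk runs on no input, and the END block still prints ` SystemUpTime=` with both fields blank; the sibling scripts end their dispatch with `failUnsupportedScript`, and this one should too. The awk invocation also passes `$HEADERIZE`, `$FILL_BLANKS` and `header="$HEADER"`, none of which are defined in this file (they expand to nothing here); dropping them keeps the debug `Cmd = [...]` line written to `$TEE_DEST` honest about what actually ran.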

45
bin/usersWithLoginPrivs.sh Executable file

@ -0,0 +1,45 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='USERNAME\tUID\tGID\tHOME_DIR\tUSER_INFO'
HEADERIZE="BEGIN {print \"$HEADER\"}"
CMD='cat /etc/passwd'
AWK_IFS='-F:'
# shellcheck disable=SC2016
FILTER='($NF !~ /sh$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\n", $1, $3, $4, $6, $5}'
if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "SunOS" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "AIX" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='dscacheutil -q user'
AWK_IFS=''
# shellcheck disable=SC2016
MASSAGE='/^name: / {username = $2} /^uid: / {UID = $2} /^gid: / {GID = $2} /^dir: / {homeDir = $2} /^shell: / {shell = $2} /^gecos: / {userInfo = $2; for (i=3; i<=NF; i++) userInfo = userInfo " " $i} !/^gecos: / {next}'
FILTER='{if (shell !~ /sh$/) next; if (homeDir ~ /^[0-9]+$/) next}'
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\n", username, length(UID) ? UID : "?", length(GID) ? GID : "?", length(homeDir) ? homeDir : "?", userInfo}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $AWK_IFS "$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $AWK_IFS '$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
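Review bot: `CMD='cat /etc/passwd'` only sees local accounts, so users who can log in through LDAP/SSSD/NIS or any other NSS source never appear in the report; `getent passwd` returns the merged view on Linux, Solaris and FreeBSD in the same colon-separated format, so the awk program would not change. The shell heuristic `($NF !~ /sh$/) {next}` is loose in both directions: `/sbin/nologin`, `/bin/false` and `git-shell` are dropped correctly, but any path ending in `sh` counts as a login shell whether or not it appears in `/etc/shells`, and an interactive shell with a different suffix is missed. Finally, the five per-OS `FILL_BLANKS` assignments are byte-for-byte identical; one unconditional assignment before the `if` (with Darwin overriding as it does now) removes the duplication.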

44
bin/version.sh Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER}'
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p'
elif [ "$KERNEL" = "HP-UX" ] ; then
# HP-UX lacks -p switch.
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v'
elif [ "$KERNEL" = "AIX" ] ; then
# AIX uses oslevel for version and release switch.
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s'
fi
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5"
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
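Review bot: the `if`/`elif` chain has no terminating `else`, so for any `$KERNEL` outside the six listed (OpenBSD, for instance) `CMD` is empty and the script quietly emits a line of empty fields rather than failing; service.sh and update.sh end their dispatch with `failUnsupportedScript`, and this one should too. Minor: the `eval` wrapped around each `uname`/`oslevel` call does nothing useful since there is nothing to expand, and PARSE_5 (`NR==6`) is never reached on HP-UX and AIX because those branches emit only five lines; that is fine, but a comment would make the missing `machine_architecture_name` read as intentional.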

181
bin/vmstat.sh Executable file

@ -0,0 +1,181 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %10.2f %10.2f %10.2f\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/swap
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommand prstat
assertHaveCommand sar
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
else
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
fi
# shellcheck disable=SC2016
PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
# shellcheck disable=SC2016
PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
# shellcheck disable=SC2016
PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://opensolarisforum.org/man/man1/sar.html
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
else
# shellcheck disable=SC2016
PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
fi
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/lsps
assertHaveCommandGivenPath /usr/bin/svmon
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
# ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
# shellcheck disable=SC2016
PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
# shellcheck disable=SC2016
PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
# no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
# shellcheck disable=SC2016
PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $DERIVE"
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand /usr/sbin/swapinfo
assertHaveCommand vmstat
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
# shellcheck disable=SC2016
PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
# shellcheck disable=SC2016
PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
# shellcheck disable=SC2016
PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"

193
bin/vmstat_metric.sh Executable file

@ -0,0 +1,193 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %13.2f %11.2f %12.2f %-35s %15s %-16s\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS, OSName, OS_version, IP_address}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/swap
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommand prstat
assertHaveCommand sar
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
else
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
fi
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
# shellcheck disable=SC2016
PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
# shellcheck disable=SC2016
PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://opensolarisforum.org/man/man1/sar.html
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
else
# shellcheck disable=SC2016
PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
fi
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/lsps
assertHaveCommandGivenPath /usr/bin/svmon
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
# ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
# shellcheck disable=SC2016
PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
# shellcheck disable=SC2016
PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
# no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
# shellcheck disable=SC2016
PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
PARSE_6='{OS_version=OSVersion/1000}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand /usr/sbin/swapinfo
assertHaveCommand vmstat
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
# shellcheck disable=SC2016
PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
# shellcheck disable=SC2016
PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
# shellcheck disable=SC2016
PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"

65
bin/vsftpdChecker.sh Executable file

@ -0,0 +1,65 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# VSFTPD configuration file format is common to all platforms, but may be in one
# of several locations (and may also be restricted to root).
if [ -f /etc/vsftpd.conf ] ; then
VSFTPD_CONFIG_FILE=/etc/vsftpd.conf
elif [ -f /etc/vsftpd/vsftpd.conf ] ; then
VSFTPD_CONFIG_FILE=/etc/vsftpd/vsftpd.conf
elif [ -f /private/etc/vsftpd.conf ] ; then
# Usually MAC OS X
VSFTPD_CONFIG_FILE=/private/etc/vsftpd.conf
elif [ -f /usr/local/etc/vsftpd.conf ] ; then
# To support MAC OS 10.15
VSFTPD_CONFIG_FILE=/usr/local/etc/vsftpd.conf
fi
# Set the default. If the file is readable and has "anonymous_enable" commented
# out, the default behavior is to ALLOW anonymous FTP. Reset the value of
# anonymous_enable in the output if this is the case
# line, then the allowed protocols will be the default of "2,1".
FILL_BLANKS='END {
if (ANON_DEFAULT != 0) {
ANON_ENABLE=ANON_DEFAULT
}'
PRINTF='{printf "%s app=vsftp %s %s %s\n", DATE, FILEHASH, LOCAL_ENABLE, ANON_ENABLE}}'
# If $VSFTPD_CONFIG_FILE file exists and is a regular file.
if [ -f "$VSFTPD_CONFIG_FILE" ] ; then
assertHaveCommand cat
assertHaveCommand date
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $VSFTPD_CONFIG_FILE ; cat $VSFTPD_CONFIG_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/[Ll][Oo][Cc][Aa][Ll][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; LOCAL_ENABLE="local_enable=" arr[2] } '
# shellcheck disable=SC2016
PARSE_2='/^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; ANON_ENABLE="anonymous_enable=" arr[2] } '
# The default behavior is to permit anonymous FTP
PARSE_3='/^[#]+[[:blank:]]*[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { ANON_DEFAULT="anonymous_enable=YES"} '
# shellcheck disable=SC2016
PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST"
else
echo "VSFTPD configuration file not found." >> "$TEE_DEST"
fi
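Review bot: `PARSE_1` matches `local_enable` anywhere on the line, unlike `PARSE_2` and `PARSE_3`, which anchor `anonymous_enable` with `^`, so a commented-out `#local_enable=NO` is reported as the live setting (and `arr[2]` picks up whatever follows the first `=` on that line). Anchor the pattern with `^` and, as is already done for `anonymous_enable`, track the commented-out case separately so the report reflects the directive actually in effect. Two smaller points in the same hunk: the comment block above `FILL_BLANKS` ends with "then the allowed protocols will be the default of "2,1"", which describes the sshd checker rather than vsftpd and should be dropped; and `FILL_BLANKS` opens `END {` that is only closed by the extra `}` at the end of `PRINTF` (`... ANON_ENABLE}}'`), which couples the two fragments and breaks if either is edited alone. Closing `END { ... }` inside `FILL_BLANKS` and giving `PRINTF` its own `END {printf ...}` keeps them independent; awk runs the `END` blocks in order of appearance, so the default is still applied before the print.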

41
bin/who.sh Executable file

@ -0,0 +1,41 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
CMD='who -H'
HEADER='USERNAME LINE HOSTNAME TIME'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
# shellcheck disable=SC2016
FORMAT='{length(hostname) || hostname=$NF; gsub("[)(]", "",hostname); time=$3; for (i=4; i<=lastTimeColumn; i++) time = time " " $i}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-14s %-10s %-40.40s %-s\n", $1,$2,hostname,time}}'
if [ "$KERNEL" = "Linux" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "SunOS" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "AIX" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='who -HR'
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "Darwin" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
fi
assertHaveCommand "$CMD"
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
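Review bot: `assertHaveCommand "$CMD"` hands the whole command string (`who -H`, or `who -HR` on HP-UX) to the helper, whereas every other script in this change passes a bare command name (`assertHaveCommand sysctl`, `assertHaveCommand sar`, and so on). Unless common.sh strips arguments, the lookup is for a program literally named `who -H`, and the check either fails or silently passes depending on how the helper is implemented. Use `assertHaveCommand who` and keep the flags in `CMD`. Minor: `lines=$(echo "$out" | wc -l)` always yields at least 1 because `echo` emits a newline even for an empty `$out`, so the `-gt 1` test is really "awk produced something beyond the header"; a short comment saying so would save the next reader from re-deriving it.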

30
default/app.conf Normal file

@ -0,0 +1,30 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[install]
is_configured = false
state = enabled
build = 1720176219
[ui]
setup_view = ta_nix_configuration
is_visible = true
label = Splunk Add-on for Unix and Linux
docs_section_override = AddOns:released
[launcher]
author = Splunk, Inc.
version = 9.2.0
description = Splunk Add-on for Unix and Linux
[package]
id = Splunk_TA_nix
check_for_updates = true
[id]
name = Splunk_TA_nix
version = 9.2.0


@ -0,0 +1,8 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<nav>
<view name="ta_nix_configuration" default='true' />
</nav>


@ -0,0 +1,23 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<dashboard script="setup_cloud.js" stylesheet="setup.css" version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<panel>
<html>
<p>Please set up this add-on on your forwarders. Documentation on how to configure this add-on is
<a target="_blank" href="http://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment">here</a>.
<br/>
Click on below button, if you are getting redirected to this page while editing the add-on's knowledge object.
</p>
<div id="btn-bar">
<input id="save-btn" class="btn btn-primary" type="submit" value="Click me!" />
</div>
</html>
</panel>
</row>
</dashboard>
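Review bot: the documentation link `<a target="_blank" href="http://docs.splunk.com/...">` uses plain `http://` and opens a new tab without `rel="noopener noreferrer"`; switch to `https://` and add the `rel` attribute so the opened page cannot reach `window.opener`. The surrounding copy is also unclear: "Click on below button, if you are getting redirected to this page while editing the add-on's knowledge object." together with a button labelled "Click me!" does not tell the user what the button does; the label should name the action the `setup_cloud.js` handler performs (that script is not part of this hunk, so the wording has to come from whoever owns it).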


@ -0,0 +1,96 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<!--
|| NOTE: The `isVisible` property is a special Splunk Light only property
|| that prevents this dashboard from appearing on the page:
|| http://localhost:8000/en-US/app/search/dashboards .
|| It has no effect on Splunk Enterprise.
-->
<dashboard script="setup.js" stylesheet="setup.css" isVisible="false" version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<html>
<p id="overview">
The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate
Linux and Unix system monitoring using Splunk. Check out the
<a href="http://apps.splunk.com/app/833/" target="_blank">
Splunk for Unix Technical Add-on
</a> page on <a href="http://apps.splunk.com/" target="_blank">Splunkbase</a>
for support information, the latest updates, and more.
</p>
<div id="not-unix-error" class="error-box">
This server is not running a known Unix or Linux operating system.
Install this add-on on Unix or Linux systems only.
</div>
<div>
<h2>File and Directory Inputs:</h2>
<table id="monitor-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div>
<h2>Scripted Metric Inputs:</h2>
<table id="scripted-metric-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
<th>Index</th>
</tr>
<!-- Rows will be inserted here -->
</table>
<h2>Scripted Event Inputs:</h2>
<table id="scripted-event-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div id="generic-save-error" class="error-box">
There was an unexpected problem while saving the inputs.
Please reload the page and try again.
</div>
<div id="index-not-selected-error" class="error-box">
Field 'Index' is empty or invalid for the metric inputs. Change the index or disable the input.
</div>
<div id="invalid-interval-error" class="error-box">
Field 'Interval' must be a positive integer value.
</div>
<div id="btn-bar">
<input id="save-btn" class="btn btn-primary" type="submit" value="Save" />
</div>
</html>
</row>
</dashboard>
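Review bot: the Splunkbase links (`href="http://apps.splunk.com/app/833/"` and `href="http://apps.splunk.com/"`) are plain `http://` with `target="_blank"` and no `rel="noopener noreferrer"`; same fix as on the cloud setup page, `https://` plus the `rel` attribute. The `enable-all-btn` and `disable-all-btn` anchors use `href="#"`, so they depend on `setup.js` calling `preventDefault()` to avoid jumping the page to the top on every click; since `setup.js` is not in this hunk, a one-line comment next to the `<!-- Rows will be inserted here -->` markers pointing at the handler would help a reviewer confirm that.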

722
default/eventtypes.conf Normal file

@ -0,0 +1,722 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[nix_ta_custom_eventtype]
search = NOT *
[nix_ta_data]
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
###### Globals ######
[nix_security]
search = sourcetype="*_secure"
#tags = os unix
[nix_configs]
search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")
[nix_errors]
search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
#tags = error
###### DHCP ######
[dhcpd_server]
search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
#tags = dhcp network session unix
[dhcpd_start]
search = sourcetype=dhcpd signature=DHCPACK
#tags = start
[dhcpd_unable_unexpected]
search = sourcetype=dhcpd unable OR unexpected
#tags = error
[dhcpd_server_dhcpack]
search = sourcetype=dhcpd DHCPACK
[dhcpd_server_dhcpdiscover]
search = sourcetype=dhcpd DHCPDISCOVER
[dhcpd_server_dhcpoffer]
search = sourcetype=dhcpd DHCPOFFER
[dhcpd_server_dhcprelease]
search = sourcetype=dhcpd DHCPRELEASE
#tags = end
[dhcpd_server_dhcprequest]
search = sourcetype=dhcpd DHCPREQUEST
###### Scripted Inputs ######
## CPU stats
[cpu]
search = sourcetype=cpu
#tags = performance os resource report unix cpu
[cpu_anomalous]
search = sourcetype=cpu PercentSystemTime>90
#tags = enabled
[df]
search = sourcetype=df
#tags = df host check success storage performance
[iostat]
search = sourcetype=iostat
[nfsiostat]
search = sourcetype=nfsiostat
[lsof]
search = sourcetype=lsof
[hardware]
search = sourcetype=hardware
[interfaces]
search = sourcetype=interfaces
# tags = Inventory Network
[lastlog]
search = sourcetype=lastlog
[netstat]
search = sourcetype=netstat
# listening port
[openPorts]
search = sourcetype=openPorts
[package]
search = sourcetype=package
[protocol]
search = sourcetype=protocol
[ps]
search = sourcetype=ps
#tags = process oshost success ps cpu performance
[top]
search = sourcetype=top
[time]
search = sourcetype=time
[usersWithLoginPrivs]
search = sourcetype=usersWithLoginPrivs
[vmstat]
search = sourcetype=vmstat
#tags = performance os avail unix report vmstat resource success memory
[who]
search = sourcetype=who
[bandwidth]
search = sourcetype=bandwidth
###### System Logs ######
#### Account Management
[useradd]
search = eventtype=nix_ta_data useradd user
#tags = account management add change
# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
[useradd-suse]
search = eventtype=nix_ta_data useradd new account added
#tags = account management add change
[userdel]
search = eventtype=nix_ta_data userdel user
#tags = account management delete change
[groupadd]
search = eventtype=nix_ta_data groupadd group
#tags = account management add change
#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
[groupadd-suse]
search = eventtype=nix_ta_data useradd account added group
#tags = account management add change
[groupdel]
search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
#tags = account management delete change
[linux-password-change]
search = eventtype=nix_ta_data process=passwd password changed
#tags = account management password modify change
#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
[linux-password-change-failed]
search = eventtype=nix_ta_data process=passwd password change failed
#tags = account management password modify change
#### acpi
[nix_acpi]
search = eventtype=nix_ta_data ACPI:
#tags = os unix power
#### agpgart
[nix_agpgart]
search = eventtype=nix_ta_data agpgart:
#tags = os unix graphics
#### apm
[nix_apm]
search = eventtype=nix_ta_data apm:
#tags = os unix power
#### auditd
[auditd]
search = sourcetype=auditd
#tags = os unix resource file
[auditd_modify]
search = source=auditd PATH
#tags = modify
#### Authentication
## ksu
[ksu_authentication]
# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
#tags = authentication
## login
[login_authentication]
search = eventtype=nix_ta_data login: "Login failure on"
#tags = authentication
## pam
[pam_unix_authentication]
search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
#tags = authentication
## passwd
#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure
[passwd-auth-failure]
search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
#tags = application authentication
## rlogin
[rlogin_too_many_failures]
search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
#tags = application attack watchlist
## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_failure]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
#tags = application authentication remote
## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_allowed]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote
## sshd
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
#tags = authentication remote
[ssh_login_postponed]
search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype
[ssh_open]
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
#tags = communicate connect
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
[ssh_close]
search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
#tags = access stop logoff
# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
[ssh_disconnect]
search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect
#tags = access stop logoff
[ssh_check_pass]
search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
#no tags assigned to this eventtype
## su
[su_authentication]
# Example event, from su on CentOS7
# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'
search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
#tags = authentication
[su_failed]
search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
#tags = authentication
[su_session]
search = eventtype=nix_ta_data su: session
#tags = session
[su_root_session]
search = eventtype=nix_ta_data su: session root
#tags = session privileged
## Telnet
[wksh_authentication]
search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
# no tags assigned to this eventtype
#### automount
[nix_automount]
search = eventtype=nix_ta_data automount punct="::__::_*:_*"
#tags = os unix
#### Config
[nix_config_change]
search = eventtype=nix_ta_data Configuration changed
#tags = os unix host configuration modify
#### Console
[nix_console]
search = eventtype=nix_ta_data Console:
#tags = os unix
#### cron
[nix_cron]
search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
#tags = os unix
#### CUPS
[nix_cups_access]
search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
#tags = os unix access printer
[nix_cups_error]
search = eventtype=nix_ta_data punct="_[//:::_-]_*"
#tags = os unix printer
[nix_cups_page]
search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
#tags = os unix printer
#### dhclient
[nix_dhclient]
search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
#tags = os unix
#### DMA
[nix_dma]
search = eventtype=nix_ta_data DMA zone:
#tags = os unix memory access
#### Firewall
# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add
# on and tag their events with these tags
[iptables_firewall_accept]
search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
#tags = os unix host firewall communicate success
[iptables_firewall_deny]
search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
#tags = os unix host firewall communicate failure
#### FTP
[nix_ftp_xferlog]
search = eventtype=nix_ta_data punct="___*::___...__///*"
#tags = os unix ftp transfer
[nix_ncftpd_logins]
search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
#tags = os unix ftp authentication
#### Fingerprinting
[nix_fingerprinting]
search = eventtype=nix_ta_data Client OS detected:
#tags = os unix
#### gconfd
[nix_gconfd]
search = eventtype=nix_ta_data gconfd
#tags = os unix
[nix_gconfd_error]
search = eventtype=nix_ta_data gconfd Error
#tags = error
[nix_gconfd_exiting]
search = eventtype=nix_ta_data gconfd Exiting OR signal
#tags = stop
[nix_gconfd_resolved_address]
search = eventtype=nix_ta_data gconfd Resolved address
[nix_gconfd_starting]
search = eventtype=nix_ta_data gconfd starting
#tags = start
#### gdm
[nix_gdm]
search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
#tags = os unix
#### gpm
[nix_gpm]
search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
#tags = os unix
#### FreeBSD
[freebsd_refresh_na_answer]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
#tags = os unix
[freebsd_refresh_retry_exceeded]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
#tags = os unix
#### hald
[nix_hald]
search = eventtype=nix_ta_data hald punct="*__::_*:_*"
#tags = os unix
#### hpiod
[hpiod_Linux_syslog]
search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
#tags = os unix
#### kernel
[nix_kernel_attached]
search = eventtype=nix_ta_data kernel
#tags = os unix kernel
#### kill
[nix_process_kill]
search = eventtype=nix_ta_data exiting signal 15
#tags = os unix process stop
#### mDNSResponder
[nix_mDNSResponder]
search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
#tags = os unix dns
#### named
[nix_named1]
search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
#tags = os unix dns
[nix_named2]
search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
#tags = os unix dns
#### OSX Crash Log
[osx_crash_log]
search = eventtype=nix_ta_data Host Name Date/Time
#tags = os unix error
#### Netlabel
[nix_netlabel]
search = eventtype=nix_ta_data NetLabel:
#tags = os unix kernel
#### PCI
[nix_pci]
search = eventtype=nix_ta_data PCI: NOT BIOS
#tags = os unix
#### Plug-n-play
[nix_pnp]
search = eventtype=nix_ta_data pnp:
#tags = os unix
#### POP3
[nix_popper]
search = eventtype=nix_ta_data popper
#tags = os unix mail
#### postfix
[nix_postfix]
search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
#tags = os unix
#### Prelink
[nix_prelink]
search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
#tags = os unix
#### RPC
[nix_rpc_statd]
search = eventtype=nix_ta_data rpc.statd
#tags = os unix
#### RPM
[nix_rpm]
search = eventtype=nix_ta_data *.rpm punct="*-*.*."
#tags = os update
#### Runlevel
[nix_runlevel_change]
search = eventtype=nix_ta_data init: punct="*__::_*:_*"
#tags = os unix configuration modify
#### SNMPD
[snmpd]
search = eventtype=nix_ta_data snmpd
#tags = os unix snmp
[snmpd_failure]
search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
#tags = failure
#### scrollkeeper
[nix_scrollkeeper]
search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
#tags = os unix
## Shutdown
[nix_halt]
search = eventtype=nix_ta_data shutdown: system halt
#tags = os unix stop
[nix_restart]
search = eventtype=nix_ta_data shutdown: system reboot
#tags = os unix stop
#### smartd
[nix_smartd]
search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
#tags = os unix
#### Time
[nix_timesync]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
#tags = report time synchronize success
[nix_timesync_failure]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
#tags = report time synchronize failure
#### Update
[nix_yum_update]
search = eventtype=nix_ta_data yum Updated
#tags = report update success
#### udevd
[nix_udevd]
search = eventtype=nix_ta_data udevd
#tags = os unix kernel
#### USB
[nix_usb]
search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
#tags = os unix usb
#### userhelper
[nix_userhelper]
search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
#tags = os unix
###### ADDED FROM UNIX APP ######
[failed_login]
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
#tags = authentication
[Failed_SU]
search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
#tags = authentication
[nix-all-logs]
search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)
###### END FROM UNIX APP ######
###### ADDED FROM TA-deploymentapps ######
###### Scripted Inputs ######
## Global
[aix_scripted_input]
search = sourcetype=AIX:*
#tags = check report
[hpux_scripted_input]
search = sourcetype=HPUX:*
#tags = check report
[linux_scripted_input]
search = sourcetype=Linux:*
#tags = check report
[osx_scripted_input]
search = sourcetype=OSX:*
#tags = check report
[solaris_scripted_input]
search = sourcetype=Solaris:*
#tags = check report
[unix_scripted_input]
search = sourcetype=Unix:*
#tags = check report
## CPUTime
[cputime]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
#tags = performance os avail cpu
[cputime_anomalous]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
#tags = anomalous
## Disk
[freediskspace]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
#tags = performance os avail disk storage
[freediskspace_anomalous]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
#tags = anomalous
## Listening Ports
[listeningports]
search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
#tags = os config report
## Local Processes
[localprocesses]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
#tags = os avail process
[localprocesses_anomalous]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
#tags = anomalous
## Memory
[memory]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
#tags = performance os avail memory
[memory_anomalous]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
#tags = anomalous
## SELinux Config
[selinuxconfig]
search = sourcetype=Linux:SELinuxConfig
#tags = application config selinux
## Service
[service]
search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
#tags = os config service report
[service_runlevel_anomalous]
search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
#tags = anomalous
## SSHD Config
[sshdconfig]
search = sourcetype=*:SSHDConfig
#tags = application config ssh
[sshd_insecure]
search = eventtype=nix_ta_data sshd_protocol=*1*
#tags = insecure
## Update
[update]
search = sourcetype=*:Update
#tags = os info update
[update_status]
search = sourcetype=*:Update NOT total_updates
#tags = status
## Uptime
[uptime]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
#tags = os info report uptime performance
[uptime_anomalous]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
#tags = anomalous
## User Accounts
[useraccounts]
search = sourcetype=*:UserAccounts (NOT file_hash=*)
#tags = (os) config user inventory
[useraccounts_anomalous]
search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
#tags = anomalous
## Version
[nix_version]
search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
#tags = os info report system version inventory
## VSFTDP Config
[vsftpd_config]
search = sourcetype=*:VSFTPDConfig
#tags = application config ftp cleartext
[vsftpd_config_anonymous]
search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
#tags = anonymous
###### END FROM TA-deploymentapps ######
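Review bot: `[Failed_SU]` (in the ADDED FROM UNIX APP block) and `[su_failed]` define the same thing with different searches; `Failed_SU` is a superset that additionally matches `(exe="/bin/su" AND res="failed")`, `(FAILED su for)` and `(source="/var/adm/sulog" SU " - ")`, so anything keyed on `su_failed` silently misses those events. Pick one canonical eventtype (or make `su_failed` carry the same terms) and mark the other as deprecated. Two smaller points: the bare term `506` in `[nix_timesync_failure]` sits among daemon names and will match any event containing `506`, which looks like a stray token rather than an intended filter; and `[useraccounts_anomalous]` excludes only `password=x` and `password=\*`, so if the collector emits other locked-account markers (for example `!` or `!!`) they will be reported as anomalous, which should be confirmed as intended and commented.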

270
default/inputs.conf Normal file

@ -0,0 +1,270 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[script://./bin/vmstat_metric.sh]
sourcetype = vmstat_metric
source = vmstat
interval = 60
disabled = 1
[script://./bin/iostat_metric.sh]
sourcetype = iostat_metric
source = iostat
interval = 60
disabled = 1
[script://./bin/ps_metric.sh]
sourcetype = ps_metric
source = ps
interval = 30
disabled = 1
[script://./bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 1
[script://./bin/interfaces_metric.sh]
sourcetype = interfaces_metric
source = interfaces
interval = 60
disabled = 1
[script://./bin/cpu_metric.sh]
sourcetype = cpu_metric
source = cpu
interval = 30
disabled = 1
################################################
############### Event Inputs ###################
################################################
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1
[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
disabled = 1
[script://./bin/nfsiostat.sh]
interval = 60
sourcetype = nfsiostat
source = nfsiostat
disabled = 1
[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
disabled = 1
[script://./bin/top.sh]
interval = 60
sourcetype = top
source = top
disabled = 1
[script://./bin/netstat.sh]
interval = 60
sourcetype = netstat
source = netstat
disabled = 1
[script://./bin/bandwidth.sh]
interval = 60
sourcetype = bandwidth
source = bandwidth
disabled = 1
[script://./bin/protocol.sh]
interval = 60
sourcetype = protocol
source = protocol
disabled = 1
[script://./bin/openPorts.sh]
interval = 300
sourcetype = openPorts
source = openPorts
disabled = 1
[script://./bin/time.sh]
interval = 21600
sourcetype = time
source = time
disabled = 1
[script://./bin/lsof.sh]
interval = 600
sourcetype = lsof
source = lsof
disabled = 1
[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
disabled = 1
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
disabled = 1
# Lists users who could login (i.e., they are assigned a login shell)
[script://./bin/usersWithLoginPrivs.sh]
sourcetype = usersWithLoginPrivs
source = usersWithLoginPrivs
interval = 3600
disabled = 1
# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 1
# Shows stats per link-level Etherner interface (simply, NIC)
[script://./bin/interfaces.sh]
sourcetype = interfaces
source = interfaces
interval = 60
disabled = 1
# Shows stats per CPU (useful for SMP machines)
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
disabled = 1
# This script reads the auditd logs translated with ausearch
[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
disabled = 1
# Run package management tool collect installed packages
[script://./bin/package.sh]
sourcetype = package
source = package
interval = 3600
disabled = 1
[script://./bin/hardware.sh]
sourcetype = hardware
source = hardware
interval = 36000
disabled = 1
[monitor:///Library/Logs]
disabled = 1
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1
[monitor:///var/adm]
whitelist=(\.log$|messages)
disabled = 1
[monitor:///etc]
whitelist=(\.(conf|cfg|ini|init|cf|cnf|profile|rc|rules|tab|login)$|(config|shrc|tab|policy)$|^ifcfg)
disabled = 1
### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history
[monitor:///home/*/.bash_history]
disabled = true
sourcetype = bash_history
##### Added for ES support
# Note that because the UNIX app uses a single script to retrieve information
# from multiple OS flavors, and is intended to run on Universal Forwarders,
# it is not possible to differentiate between OS flavors by assigning
# different sourcetypes for each OS flavor (e.g. Linux:SSHDConfig), as was
# the practice in the older deployment-apps included with ES. Instead,
# sourcetypes are prefixed with the generic "Unix".
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/openPortsEnhanced.sh]
disabled = true
interval = 3600
source = Unix:ListeningPorts
sourcetype = Unix:ListeningPorts
[script://./bin/passwd.sh]
disabled = true
interval = 3600
source = Unix:UserAccounts
sourcetype = Unix:UserAccounts
# Only applicable to Linux
[script://./bin/selinuxChecker.sh]
disabled = true
interval = 3600
source = Linux:SELinuxConfig
sourcetype = Linux:SELinuxConfig
# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/service.sh]
disabled = true
interval = 3600
source = Unix:Service
sourcetype = Unix:Service
# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/sshdChecker.sh]
disabled = true
interval = 3600
source = Unix:SSHDConfig
sourcetype = Unix:SSHDConfig
# Currently only supports Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/update.sh]
disabled = true
interval = 86400
source = Unix:Update
sourcetype = Unix:Update
[script://./bin/uptime.sh]
disabled = true
interval = 86400
source = Unix:Uptime
sourcetype = Unix:Uptime
[script://./bin/version.sh]
disabled = true
interval = 86400
source = Unix:Version
sourcetype = Unix:Version
# This script may need to be modified to point to the VSFTPD configuration file.
[script://./bin/vsftpdChecker.sh]
disabled = true
interval = 86400
source = Unix:VSFTPDConfig
sourcetype = Unix:VSFTPDConfig
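Review bot: the `[monitor:///root/.bash_history]` and `[monitor:///home/*/.bash_history]` stanzas ingest every interactive command line, which routinely includes secrets passed as arguments (database or API passwords on the command line); they are disabled by default, which is right, but the file should say why and recommend a SEDCMD or TRANSFORMS masking rule before anyone enables them. `[monitor:///etc]` has the same exposure: the whitelist's `cnf`, `conf` and `ini` suffixes pull in configuration files that commonly embed credentials and there is no `blacklist` to exclude them. Smaller points: `disabled = 1` and `disabled = true` are mixed across stanzas (pick one); in `[monitor:///var/log]` the `\.log` and `auth` alternatives are unanchored, so rotated archives such as `*.log.1` also match (state whether that is intended); and the comments have typos, "Etherner" for Ethernet and "Run package management tool collect installed packages" for "to collect".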

7
default/macros.conf Normal file

@ -0,0 +1,7 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[nix-netmon-hosts-search]
definition = eventtype=netstat | stats count by host | sort +host

788
default/props.conf Normal file

@ -0,0 +1,788 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
#####################
## Configuration Logs
#####################
[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file
CHECK_METHOD = modtime
[config_file]
LINE_BREAKER = ^((?!))$
TRUNCATE = 1000000
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false
LEARN_SOURCETYPE = false
#####################
## DHCP
#####################
[source::....dhcpd]
sourcetype = dhcpd
[dhcpd]
KV_MODE = none
SHOULD_LINEMERGE = false
# For Load Balancing on UF
EVENT_BREAKER_ENABLE = true
pulldown_type = true
category = Network & Security
description = DHCP Server system events
REPORT-dhcp_discover_extract = dhcp_discover_extract
REPORT-dhcp_offer_extract = dhcp_offer_extract
REPORT-dhcp_request_extract = dhcp_request_extract
REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
REPORT-dhcp_decline_extract = dhcp_decline_extract
REPORT-dhcp_release_extract = dhcp_release_extract
REPORT-dhcp_inform_extract = dhcp_inform_extract
REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
REPORT-bind_update_fail_extract = bind_update_fail_extract
REPORT-dhcp_block_action = dhcp_block_action
REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
REPORT-dhcp_reuse_lease = dhcp_reuse_lease
EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"^(:?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
FIELDALIAS-signature = dhcp_type as signature
FIELDALIAS-src_nt_host = src_host as src_nt_host
FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
#########################
## Scripted Metric Inputs
#########################
[vmstat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
[cpu_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-cpu-metric-dimensions=eval_dimensions
TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu
[df_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = TSV
TRANSFORMS-df-metrics=extract_df_metrics
TRANSFORMS-df-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df
[interfaces_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces
[iostat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
TRANSFORMS-iostat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat
[ps_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-ps-metric-dimensions=eval_dimensions
TRANSFORMS-ps-metric-field=extract_ps_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
#########################
## Scripted Event Inputs
#########################
[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
EVAL-CPU = coalesce(cpu,CPU)
EVAL-cpu = coalesce(cpu,CPU)
EVAL-cpu_instance = coalesce(cpu,CPU)
EVAL-pctIdle = coalesce(id,pctIdle)
EVAL-PercentIdleTime = coalesce(id,pctIdle)
EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
EVAL-pctNice = coalesce(pctNice,"0")
EVAL-PercentNiceTime = coalesce(pctNice,"0")
EVAL-pctUser = coalesce(us,pctUser)
EVAL-PercentUserTime = coalesce(us,pctUser)
EVAL-cpu_user_percent = coalesce(us,pctUser)
EVAL-pctSystem = coalesce(sy,pctSystem)
EVAL-PercentSystemTime = coalesce(sy,pctSystem)
EVAL-pctIowait = coalesce(wa,pctIowait)
EVAL-PercentWaitTime = coalesce(wa,pctIowait)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_df = host as dest
FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
FIELDALIAS-mount_for_df = MountedOn AS mount
EVAL-Type = coalesce('Type',"?")
EVAL-filesystem_type = coalesce('Type',"?")
EVAL-Size = coalesce('Size','1024_blocks')
EVAL-INodes = coalesce('INodes','Inodes')
EVAL-IUsePct = coalesce('IUsePct','IUse_')
EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
EVAL-Avail = coalesce('Avail', 'Available')
EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
## Legacy fields
# Note we don't elimininate one layer of indirection here by
# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
# which was previously used.
EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
[hardware]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P<RealMemory>[^\s]*)[ ]?
EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P<SwapMemory>[^\s]*)[ ]?
EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P<Unit>\w+)?
EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P<cpu_cores>[^ \n]*)?
EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P<cpu_type>[^\n]*)?
EXTRACT-cpu_freq = (?<cpu_freq>[^\s]+)(?<cpu_freq_unit>[G|M]Hz)
EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[interfaces]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
EVAL-enabled = "true"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
FIELDALIAS-interface = Name as interface
FIELDALIAS-mac = MAC as mac
[iostat]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# coalesce command is used to normalizes field names with the same value and for backward compatibility
EVAL-mount = coalesce(Device, Device_, device, "?")
EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
EVAL-Device = coalesce(Device, Device_, device, "?")
EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
[source::...(nfsiostat)]
sourcetype = nfsiostat
HEADER_MODE = always
SHOULD_LINEMERGE = false
[nfsiostat]
DATETIME_CONFIG = CURRENT
KV_MODE = multi
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
FIELDALIAS-mount = Mount as mount
FIELDALIAS-read_latency = r_avg_exe as read_latency
FIELDALIAS-write_latency = w_avg_exe as write_latency
FIELDALIAS-read_ops = r_op_s as read_ops
FIELDALIAS-write_ops = w_op_s as write_ops
EVAL-total_ops = read_ops + write_ops
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[lastlog]
## Override system/default lastlog sourcetype invalidation
invalid_cause =
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[lsof]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[netstat]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
FIELDALIAS-transport=Proto as transport
FIELDALIAS-state=State as state
EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
EVAL-vendor_product = "nix"
[bandwidth]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-bytes=(rxKB_PS+txKB_PS)*1024
EVAL-bytes_in=rxKB_PS*1024
EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
EVAL-bytes_out=txKB_PS*1024
EVAL-packets=rxPackets_PS+txPackets_PS
FIELDALIAS-packets_in=rxPackets_PS as packets_in
FIELDALIAS-packets_out=txPackets_PS as packets_out
[openPorts]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
FIELDALIAS-dest_for_open_ports_sh = host AS dest
FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
EVAL-transport_dest_port = Proto + "/" + Port
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# extraction for sourcetype unix:listeningports
[Unix:ListeningPorts]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
[package]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[protocol]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[ps]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-pctCPU = coalesce(CPU, pctCPU)
EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
FIELDALIAS-dest_for_ps = host as dest
FIELDALIAS-src_for_ps = host as src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
EVAL-pctMEM = coalesce(MEM, pctMEM)
EVAL-PercentMemory = coalesce(MEM, pctMEM)
EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
EVAL-rss = coalesce(RSS, RSZ_KB)
EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
EVAL-vsz = coalesce(VSZ, VSZ_KB)
EVAL-TTY = coalesce(TTY, TT)
EVAL-tty = coalesce(TTY, TT)
EVAL-S = coalesce(S, STAT)
EVAL-stat = coalesce(S, STAT)
FIELDALIAS-user_for_ps = USER AS user
# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
EVAL-CPUTIME = coalesce(TIME, CPUTIME)
# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
# Incorporating CIM review changes
EVAL-action = "allowed"
EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")
[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[usersWithLoginPrivs]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[vmstat]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
FIELDALIAS-dest_for_vmstat = host as dest
EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
FIELDALIAS-system_threads_count = threads as system_threads_count
FIELDALIAS-src_for_vmstat = host as src
FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
FIELDALIAS-swap_percent = swapUsedPct as swap_percent
## Legacy fields
FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756
FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
##Memoey Paging per second fields
FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out
[Unix:UserAccounts]
EVAL-description = "/etc/passwd file"
EVAL-enabled = "yes"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-dest = host as dest
#####################
## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Global ######
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
## support for linux only
[Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
[linux_audit]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650
REPORT-command = command_for_linux_audit
EVAL-status = if('res'=="failed","failure",'res')
FIELDALIAS-object = id as object
FIELDALIAS-dvc = hostname as dvc
FIELDALIAS-dest = hostname as dest
FIELDALIAS-object_id = id as object_id
EVAL-op = if(op=="PAM:authentication", res, op)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
EVAL-app = "nix"
EVAL-change_type = "AAA"
EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')
[source::...Unix:Service]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVAL-service = coalesce(UNIT, app)
EVAL-service_name = coalesce(UNIT, app)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
FIELDALIAS-status_for_solaris_service = State as status
FIELDALIAS-dest = host as dest
# extraction for sourcetype Unix:Service
[Unix:Service]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
# Incorporating CIM review changes
EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")
## no windows application at this time
[source::*:SSHDConfig]
EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null())
###### Update ######
[source::...Unix:Update]
EVENT_BREAKER_ENABLE = true
FIELDALIAS-signature_for_update = package as signature
LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status
###### Uptime ######
[source::...Unix:Uptime]
FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime
FIELDALIAS-dest = host as dest
###### Version ######
[source::...Unix:Version]
SHOULD_LINEMERGE = false
FIELDALIAS-family_for_nix_version = os_name as family
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-version_for_nix_version = os_release as version
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
FIELDALIAS-dest_for_nix_version = host as dest
###### VSFTPD Config ######
## no windows application at this time
[source::*:VSFTPDConfig]
EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead."
#####################
## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
#####################
## System Logs
#####################
###### Global ######
[source::....nix]
sourcetype = linux_secure
[source::/etc/passwd*]
sourcetype = ignored_type
[source::/etc/shadow*]
sourcetype = ignored_type
## Custom Sourcetype
#[source::....<your_sourcetype>]
#sourcetype = <your_sourcetype>
#[<your_sourcetype>]
### Event extractions by type
#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
#EVAL-action = if(app="su" AND isnull(action),"success",action)
#REPORT-account_management_for_your_sourcetype = useradd, userdel
#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
#REPORT-routing_for_your_sourcetype = iptables
#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
#REPORT-dest_for_your_sourcetype = host_as_dest
#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
#REPORT-pid-process_for_your_sourcetype = syslog-extractions
#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src
###### AIX Sourcetype ######
[source::....aix_secure]
sourcetype = aix_secure
[aix_secure]
EVENT_BREAKER_ENABLE = true
REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_aix_secure = loghost_as_dest
FIELDALIAS-dvc = dest as dvc
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src
###### OSX Security ######
[source::....osx_secure]
sourcetype = osx_secure
[osx_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_osx_secure = host_as_dest
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src
###### Linux Security ######
[source::....linux_secure]
sourcetype = linux_secure
[linux_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
FIELDALIAS-dvc = dest as dvc
EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
FIELDALIAS-user_name = user as user_name
EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
###### Syslog ######
[source::....syslog]
sourcetype = syslog
[syslog]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
REPORT-dest_for_syslog = host_as_dest
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
FIELDALIAS-dvc = dest as dvc
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
###### bash history ######
[bash_history]
SHOULD_LINEMERGE=FALSE
EVENT_BREAKER_ENABLE = true
DATETIME_CONFIG=CURRENT
REPORT-bhist=bash_user,bash_user_root
FIELDALIAS-bhist=_raw AS bash_command
FIELDALIAS-dest_for_history = host as dest
###### auditd ######
[auditd]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650
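Review bot: the `[vmstat]` legacy field `EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756` uses the wrong MiB multiplier; 1024*1024 is 1048576, so UsedBytes is overstated by 180 bytes per megabyte and will not line up with the `[ps]` stanza, which derives its byte values as `RSZ_KB*1024`. Change it to `tonumber(memUsedMB, 10)*1048576`. Three smaller points in the same file: the `[source::/etc/passwd*]` and `[source::/etc/shadow*]` stanzas only rename the sourcetype to `ignored_type`, which by itself does not stop a forwarder that monitors `/etc` from indexing password hashes, so either add a comment stating that `ignored_type` is routed to nullQueue elsewhere in the add-on (not visible in this diff) or add that routing here; `[bash_history]` aliases `_raw AS bash_command`, which exposes complete command lines including any credentials typed as arguments, so a comment recommending a restricted index for that sourcetype would help; and the `[aix_secure]` stanza names its lookup `LOOKUP-action_for_osx_secure`, which should read `LOOKUP-action_for_aix_secure` to match the `REPORT-*_for_aix_secure` settings around it. The comment `##Memoey Paging per second fields` under `[vmstat]` is misspelled (`Memory`).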

9
default/restmap.conf Normal file

@ -0,0 +1,9 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[script:setup]
python.version = python3
match=/SetupService
handler=setupservice.SetupService
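Review bot: the `[script:setup]` stanza registers the `/SetupService` handler with no `capability` or `capability.post` setting, so any authenticated Splunk user who can reach the endpoint can invoke `setupservice.SetupService`; since this is the handler that writes the add-on's setup configuration, consider restricting it in the stanza itself, e.g. `capability.post = admin_all_objects`, and stating `requireAuthentication = true` explicitly rather than relying on the global default, so that only administrators can change the configuration.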

851
default/tags.conf Normal file

@ -0,0 +1,851 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
[eventtype=nix_security]
os = enabled
unix = enabled
[eventtype=nix_errors]
error = enabled
[eventtype=interfaces]
inventory = enabled
network = enabled
###### DHCP ######
[eventtype=dhcpd_server]
dhcp = enabled
network = enabled
session = enabled
unix = enabled
[eventtype=dhcpd_start]
start = enabled
[eventtype=dhcpd_unable_unexpected]
error = enabled
[eventtype=dhcpd_server_dhcprelease]
end = enabled
###### Scripted Inputs ######
[eventtype=cpu]
os = enabled
resource = enabled
report = enabled
unix = enabled
cpu = enabled
avail = enabled
performance = enabled
oshost = enabled
[eventtype=cpu_anomalous]
anomalous = enabled
[eventtype=df]
df = enabled
host = enabled
check = enabled
success = enabled
storage = enabled
performance = enabled
oshost = enabled
[eventtype=iostat]
report = enabled
resource = enabled
iostat = enabled
performance = enabled
cpu = enabled
storage = enabled
success = enabled
oshost = enabled
[eventtype=nfsiostat]
storage = enabled
performance = enabled
[eventtype=lsof]
report = enabled
lsof = enabled
resource = enabled
file = enabled
success = enabled
[eventtype=netstat]
report = enabled
netstat = enabled
os = enabled
cpu = enabled
success = enabled
listening = enabled
port = enabled
[eventtype=ps]
performance = enabled
cpu = enabled
success = enabled
ps = enabled
oshost = enabled
process = enabled
[eventtype=top]
top = enabled
os = enabled
success = enabled
process = enabled
[eventtype=time]
report = enabled
os = enabled
success = enabled
time = enabled
[eventtype=vmstat]
report = enabled
vmstat = enabled
resource = enabled
success = enabled
cpu = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=bandwidth]
network = enabled
resource = enabled
success = enabled
performance = enabled
oshost = enabled
[eventtype=hardware]
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
# For ESS:
os = enabled
avail = enabled
unix = enabled
###### System Logs ######
#### Account Management
[eventtype=useradd]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=useradd-suse]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=userdel]
account = enabled
management = enabled
delete = enabled
change = enabled
[eventtype=groupadd]
management = enabled
add = enabled
change = enabled
[eventtype=groupadd-suse]
management = enabled
add = enabled
change = enabled
account = enabled
[eventtype=groupdel]
management = enabled
delete = enabled
change = enabled
[eventtype=linux-password-change]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
[eventtype=linux-password-change-failed]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
#### acpi
[eventtype=nix_acpi]
os = enabled
unix = enabled
power = enabled
#### agpgart
[eventtype=nix_agpgart]
os = enabled
unix = enabled
graphics = enabled
#### apm
[eventtype=nix_apm]
os = enabled
unix = enabled
power = enabled
#### auditd
[eventtype=auditd]
os = enabled
unix = enabled
resource = enabled
file = enabled
[eventtype=auditd_modify]
modify = enabled
#### Authentication
## ksu
[eventtype=ksu_authentication]
authentication = enabled
[app=ksu]
local = enabled
privileged = enabled
[app=ksudo]
local = enabled
privileged = enabled
## login
[eventtype=login_authentication]
authentication = enabled
## pam
[eventtype=pam_unix_authentication]
authentication = enabled
## passwd
[eventtype=passwd-auth-failure]
application = enabled
authentication = enabled
## rlogin
[eventtype=rlogin_too_many_failures]
application = enabled
attack = enabled
watchlist = enabled
[eventtype=remote_login_failure]
application = enabled
authentication = enabled
remote = enabled
[eventtype=remote_login_allowed]
application = enabled
authentication = enabled
remote = enabled
## sshd
[eventtype=sshd_authentication]
authentication = enabled
remote = enabled
[eventtype=ssh_open]
communicate = enabled
connect = enabled
[eventtype=ssh_close]
access = enabled
stop = enabled
logoff = enabled
[eventtype=ssh_disconnect]
access = enabled
stop = enabled
logoff = enabled
[eventtype=failed_login]
authentication = enabled
[eventtype=Failed_SU]
authentication = enabled
## su
[eventtype=su_authentication]
authentication = enabled
[app=su]
local = enabled
privileged = enabled
[app=sudo]
local = enabled
privileged = enabled
[eventtype=su_failed]
authentication = enabled
[eventtype=su_session]
session = enabled
[eventtype=su_root_session]
session = enabled
privileged = enabled
## Telnet
[app=wksh]
cleartext = enabled
#### automount
[eventtype=nix_automount]
os = enabled
unix = enabled
#### Config
[eventtype=nix_config_change]
os = enabled
unix = enabled
host = enabled
configuration = enabled
modify = enabled
#### Console
[eventtype=nix_console]
os = enabled
unix = enabled
#### cron
[eventtype=nix_cron]
os = enabled
unix = enabled
#### CUPS
[eventtype=nix_cups_access]
os = enabled
unix = enabled
access = enabled
printer = enabled
[eventtype=nix_cups_error]
os = enabled
unix = enabled
printer = enabled
[eventtype=nix_cups_page]
os = enabled
unix = enabled
printer = enabled
#### dhclient
[eventtype=nix_dhclient]
os = enabled
unix = enabled
#### DMA
[eventtype=nix_dma]
os = enabled
unix = enabled
memory = enabled
access = enabled
#### Firewall
[eventtype=iptables_firewall_accept]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
success = enabled
[eventtype=iptables_firewall_deny]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
failure = enabled
#### FTP
[eventtype=nix_ftp_xferlog]
os = enabled
unix = enabled
ftp = enabled
transfer = enabled
[eventtype=nix_ncftpd_logins]
os = enabled
unix = enabled
ftp = enabled
authentication = enabled
#### Fingerprinting
[eventtype=nix_fingerprinting]
os = enabled
unix = enabled
#### gconfd
[eventtype=nix_gconfd]
os = enabled
unix = enabled
[eventtype=nix_gconfd_error]
error = enabled
[eventtype=nix_gconfd_exiting]
stop = enabled
[eventtype=nix_gconfd_starting]
start = enabled
## gdm
[eventtype=nix_gdm]
os = enabled
unix = enabled
#### gpm
[eventtype=nix_gpm]
os = enabled
unix = enabled
#### FreeBSD
[eventtype=freebsd_refresh_na_answer]
os = enabled
unix = enabled
[eventtype=freebsd_refresh_retry_exceeded]
os = enabled
unix = enabled
#### hald
[eventtype=nix_hald]
os = enabled
unix = enabled
#### hpiod
[eventtype=hpiod_Linux_syslog]
os = enabled
unix = enabled
#### kernel
[eventtype=nix_kernel_attached]
os = enabled
unix = enabled
kernel = enabled
#### kill
[eventtype=nix_process_kill]
os = enabled
unix = enabled
process = enabled
stop = enabled
#### mDNSResponder
[eventtype=nix_mDNSResponder]
os = enabled
unix = enabled
dns = enabled
#### named
[eventtype=nix_named1]
os = enabled
unix = enabled
dns = enabled
[eventtype=nix_named2]
os = enabled
unix = enabled
dns = enabled
#### OSX
[eventtype=osx_crash_log]
os = enabled
unix = enabled
error = enabled
#### Netlabel
[eventtype=nix_netlabel]
os = enabled
unix = enabled
kernel = enabled
#### PCI
[eventtype=nix_pci]
os = enabled
unix = enabled
#### Plug-n-play
[eventtype=nix_pnp]
os = enabled
unix = enabled
#### POP3
[eventtype=nix_popper]
os = enabled
unix = enabled
mail = enabled
#### postfix
[eventtype=nix_postfix]
os = enabled
unix = enabled
#### Prelink
[eventtype=nix_prelink]
os = enabled
unix = enabled
#### RPC
[eventtype=nix_rpc_statd]
os = enabled
unix = enabled
#### RPM
[eventtype=nix_rpm]
os = enabled
unix = enabled
update = enabled
#### Runlevel
[eventtype=nix_runlevel_change]
os = enabled
unix = enabled
configuration = enabled
modify = enabled
#### SNMPD
[eventtype=snmpd]
os = enabled
unix = enabled
snmp = enabled
[eventtype=snmpd_failure]
failure = enabled
#### scrollkeeper
[eventtype=nix_scrollkeeper]
os = enabled
unix = enabled
## Shutdown
[eventtype=nix_halt]
os = enabled
unix = enabled
stop = enabled
[eventtype=nix_restart]
os = enabled
unix = enabled
stop = enabled
#### smartd
[eventtype=nix_smartd]
os = enabled
unix = enabled
#### Time
[eventtype=nix_timesync]
report = enabled
time = enabled
synchronize = enabled
success = enabled
os = enabled
performance = enabled
[eventtype=nix_timesync_failure]
report = enabled
time = enabled
synchronize = enabled
failure = enabled
os = enabled
performance = enabled
#### Update
[eventtype=nix_yum_update]
report = enabled
update = enabled
success = enabled
#### udevd
[eventtype=nix_udevd]
os = enabled
unix = enabled
kernel = enabled
#### USB
[eventtype=nix_usb]
os = enabled
unix = enabled
usb = enabled
#### userhelper
[eventtype=nix_userhelper]
os = enabled
unix = enabled
#### Open ports
[eventtype=openPorts]
unix = enabled
report = enabled
os = enabled
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
[eventtype=aix_scripted_input]
check = enabled
report = enabled
[eventtype=hpux_scripted_input]
check = enabled
report = enabled
[eventtype=linux_scripted_input]
check = enabled
report = enabled
[eventtype=osx_scripted_input]
check = enabled
report = enabled
[eventtype=solaris_scripted_input]
check = enabled
report = enabled
[eventtype=unix_scripted_input]
check = enabled
report = enabled
## CPUTime
[eventtype=cputime]
os = enabled
avail = enabled
cpu = enabled
performance = enabled
oshost = enabled
[eventtype=cputime_anomalous]
anomalous = enabled
## Disk
[eventtype=freediskspace]
os = enabled
avail = enabled
disk = enabled
performance = enabled
oshost = enabled
storage = enabled
[eventtype=freediskspace_anomalous]
anomalous = enabled
## Listening Ports
[eventtype=listeningports]
os = enabled
config = enabled
report = enabled
## Local Processes
[eventtype=localprocesses_anomalous]
anomalous = enabled
## Memory
[eventtype=memory]
os = enabled
avail = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=memory_anomalous]
anomalous = enabled
## SELinux Config
[eventtype=selinuxconfig]
application = enabled
config = enabled
selinux = enabled
[selinux=disabled]
insecure = enabled
## Service
[eventtype=service]
os = enabled
config = enabled
service = enabled
report = enabled
[eventtype=service_runlevel_anomalous]
anomalous = enabled
[app=ntpd]
time = enabled
synchronize = enabled
[app=%2Fnetwork%2Fntp%3Adefault]
time = enabled
synchronize = enabled
[app=yum-updatesd]
automatic = enabled
update = enabled
## SSHD Config
[eventtype=sshdconfig]
application = enabled
config = enabled
ssh = enabled
[eventtype=sshd_insecure]
insecure = enabled
## Update
[eventtype=update]
os = enabled
info = enabled
system = enabled
update = enabled
[eventtype=update_status]
status = enabled
## Uptime
[eventtype=uptime]
os = enabled
info = enabled
report = enabled
uptime = enabled
performance = enabled
[eventtype=uptime_anomalous]
anomalous = enabled
## User Accounts
[eventtype=useraccounts]
os = disabled
config = enabled
user = enabled
inventory = enabled
[eventtype=useraccounts_anomalous]
anomalous = enabled
[shell=%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fbin%2Fsh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfksh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfsh]
interactive = enabled
## Version
[eventtype=nix_version]
os = enabled
info = enabled
report = enabled
system = enabled
version = enabled
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
## VSFTDP Config
[eventtype=vsftpd_config]
application = enabled
config = enabled
ftp = enabled
cleartext = enabled
[eventtype=vsftpd_config_anonymous]
anonymous = enabled
###### END CONTENT IMPORTED FROM TA-deploymentapps ######
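Review bot: `[eventtype=useraccounts]` sets `os = disabled` while every other eventtype stanza in this file, including the neighbouring `[eventtype=nix_version]` and `[eventtype=uptime]`, uses `os = enabled`; if the intent is to suppress an `os` tag inherited from another definition, a one-line comment saying so would help, otherwise this reads as a typo for `enabled`. Two smaller points: `[eventtype=Failed_SU]` is the only mixed-case eventtype name in the file, so verify the casing matches the name declared in eventtypes.conf (not visible in this diff) or the `authentication` tag will never apply; and the heading `## VSFTDP Config` above `[eventtype=vsftpd_config]` should read `VSFTPD`.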

531
default/transforms.conf Normal file

@ -0,0 +1,531 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
## Lookups
[nix_action_lookup]
filename = nix_vendor_actions.csv
case_sensitive_match = false
## Aliases
[host_as_dest]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = dest::"$1"
[host_as_src]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = src::"$1"
[src_dns_as_src]
SOURCE_KEY = src_dns
REGEX = (.+)
FORMAT = src::"$1"
[src_ip_as_src]
SOURCE_KEY = src_ip
REGEX = (.+)
FORMAT = src::"$1"
[dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
[dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
[dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
###### DHCP ######
[dhcp_prefix_dest]
#when dhcp server is the dest, extract the dest and process fields
#format as below (fields are within the angle brackets):
#<dest> <dest_host>[process_id]|<process>:
REGEX=\s+(?<dest>\S+)\s+(?:(?<dest_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_prefix_src]
#when dhcp server is the src, extract the src and process fields
#format as below (fields are within the angle brackets):
#<src> <src_host>[process_id]|<process>:
REGEX=\s+(?<src>\S+)\s+(?:(?<src_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_mac_hostname_for_dest]
#extract mac address and hostname for dest
#format as below (fields are within the angle brackets):
#<dest_mac> (<dest_host>)
#Note: dest_host may not exist
REGEX=\s+(?<dest_mac>\S+)\s+(?:\((?<dest_host>[^)]+)\)\s+)?
[dhcp_mac_hostname_for_src]
#extract mac address and hostname for src
#format as below (fields are within the angle brackets):
#<src_mac> (<src_host>)
#Note: src_host may not exist
REGEX=\s+(?<mac_address>\S+)\s+(?:\((?<src_host>[^)]+)\)\s+)?
[dhcp_relay]
#extract relay field
REGEX = (?<relay>[^\s:\\]+)
[dhcp_block_action]
#extract blocked actions
REGEX = (?<block_action>(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map))
[dhcp_discover_extract]
# for event of DHCPDISCOVER, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDISCOVER from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_offer_extract]
# for event of DHCPOFFER, format as below (fields are within the angle brackets):
# <src> <process>: DHCPOFFER on <dest_ip> to <dest_mac> (<dest_host>) via <relay>
# Note: dest_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPOFFER)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_request_extract]
# for event of DHCPREQUEST, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPREQUEST for <src> (<server_ip>) from <src_mac> (<src_host>) via <relay> uid <uuid>
# Note: server_ip, src_host, uuid may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPREQUEST)\s+for\s+(?<src>\S+)\s+(?:\((?<server_ip>[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?<uuid>[^\s]+))?
[dhcp_ack_nak_extract_0]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK on <dest_ip> to <dest_mac> (<dest_host>) via (<relay>) relay <relay_ip> lease-duration <lease_duration> uid <uuid>
# Note: dest_host, relay_ip, lease_duration, uuid may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?<relay_ip>\S+)\s+lease-duration\s+(?<lease_duration>\S+)\s+.*uid\s+(?<uuid>\S+))?
[dhcp_ack_nak_extract_1]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK to <dest_ip> (<dest_mac>) via <relay>
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+to\s+(?<dest_ip>\S+)\s+\((?<dest_mac>[^)]+)\)\s+via\s+[[dhcp_relay]]
[dhcp_decline_extract]
# for event of DHCPDECLINE, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDECLINE of <src> from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDECLINE)\s+of\s+(?<src>\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_release_extract]
# for event of DHCPRELEASE, format as below (fields are within the angle brackets):
# <src> <process>: DHCPRELEASE of <dest> from <dest_mac> (<dest_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPRELEASE)\s+of\s+(?<dest>\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_inform_extract]
# for event of DHCPINFORM, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPINFORM from <src> via <relay>
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPINFORM)\s+from\s+(?<src>\S+)\s+via\s+[[dhcp_relay]]
[dhcp_unable_to_add_forward_map_extract]
# for event of unable to add forward map, format as below (fields are within the angle brackets):
# <src> <process>: Unable to add forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_add_new_forward_map_extract]
# for event of add new forward map, format as below (fields are within the angle brackets):
# <src> <process>: Added new forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_added_reverse_map_extract]
# for event of add reverse map, format as below (fields are within the angle brackets):
# <dest> <process>: [aA]dded reverse map from <src_ptr> to <src>
REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?<src_ptr>\S+)\s+to\s+(?<src>\S+)
[dhcp_abandon_ip_extract]
# for event of Abandon IP address, format as below (fields are within the angle brackets):
# <src> <process>: Abandoning IP address <dest_ip>
REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?<dest_ip>[^\s:]+)
[dhcp_lease_duplicate_extract]
# for event of lease duplicate, format as below (fields are within the angle brackets):
# <server> <process>: uid lease <dest_ip> for client <dest_mac> is duplicate on <src>
REGEX=\s+(?<server>\S+)\s+(?<server_process>[^\s:]+):\s+uid\s+lease\s+(?<dest_ip>\S+)\s+for\s+client\s+(?<dest_mac>\S+)\s+is\s+duplicate\s+on\s+(?<src>\S+)/
[bind_update_fail_extract]
# for event of bind update reject, format as below (fields are within the angle brackets):
# <dest> <process>: bind update on <src> from <failover_peer> rejected
REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?<src>\S+)\s+from\s+(?<failover_peer>\S+)\s+rejected.*
[dhcp_icmp_echo_reply]
REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?<dest>\S+)
[dhcp_reuse_lease]
REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?<dest>[^$]+)
###### Scripted Metric Inputs ######
[eval_dimensions]
# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
[extract_df_metrics]
INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
[metric-schema:extract_metrics_interfaces]
METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped
METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address
# added extract_iostat_metrics_field for backward compatibility
[extract_iostat_metrics_field]
INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null())
[extract_ps_metric_field]
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
[metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_vmstat]
METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_df]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
[metric-schema:extract_metrics_cpu]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_ps]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
###### Scripted Event Inputs ######
[vmstat_osx]
REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.)
FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6
#procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
# r b swpd free inact active si so bi bo in cs us sy id wa
# 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0
[vmstat_linux]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16
#memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
# 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0
[fields_for_vmstat_sh]
REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18"
###### System Logs ######
# General
[loghost_as_dest]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]*
FORMAT = dest::$1
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6
[userdel]
REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+).
FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success"
[userdel-grp]
REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\'
FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4
[groupdel]
REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)?
FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3
[groupadd]
REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success"
[groupadd-suse]
REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))?
FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4
## password change
[pam-passwd-ok]
REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+)
FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2
[passwd-change-fail]
REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))?
FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4
[command_for_linux_audit]
REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1
## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
[ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
# Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX
# Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com
[failed_login1]
REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+)
FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login"
# Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0)
# Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark
# Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX
[ssh-session-close]
REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?: by \(uid=(\d+)\))?(?: by ((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
[ssh-disconnect]
REGEX = (Received disconnect) from ([^\s]+):
FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4"
[sshd_authentication_refused]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[sshd_authentication_tried]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5"
[sshd_login_restricted]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[pam_unix_authentication_failure]
REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)?
FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
[pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
[passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
[sudo_cannot_identify]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+)
FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password"
[remote_login_allowed]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed"
[remote_login_failure]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed"
[failed-su]
REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+)
FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other"
[bad-su]
REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid"
[bad-su2]
REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU"
[ksu_authentication]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+)
FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4
[ksu_authorization]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful)
FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4
[login_authentication]
REGEX = (login)\:.*(failure).*from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\,\s+(\S+))?
FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure"
[su_simple]
REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+)
FORMAT = app::"nix" src_user::$1 user::$2 action::"success"
[su_authentication]
REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+)
FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3
[su_successful]
REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+)
FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3
[wksh_authentication]
REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+)
FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4
[ftpd_authentication]
REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))\]\,\s+(.*)
FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5"
## Firewall
[ipfw]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? (in|out) via ([^\s]+)
FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9
[ipfw-stealth]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? from \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)?
FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6
[ipfw-icmp]
#REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s*
REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP|ICMPv6):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*)
FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8
[pf]
REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)? [<>] \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)?: (?:.*)
FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8
## Routing
# Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
[iptables]
REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) DST=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)).*PROTO=(\w+) SPT=(\w+) DPT=(\w+)
FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8
## bash
[bash_user]
SOURCE_KEY=source
REGEX=^\/home\/([^\/]+)\/
FORMAT=user_name::$1
[bash_user_root]
SOURCE_KEY=source
REGEX=^\/(root)\/
FORMAT=user_name::$1
## Time synchronization
[signature_for_nix_timesync]
REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable))
FORMAT = signature::$1
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service
[nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv
## Update
[nix_da_update_status_lookup]
filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version
[nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ######
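Review bot: the REGEX in `[dhcp_lease_duplicate_extract]` ends with a stray `/` after `(?<src>\S+)`, which demands a literal slash after the host and so only matches an "is duplicate on" event that happens to end that way; drop the trailing character. Further points in this hunk: (1) `[dhcp_mac_hostname_for_src]` is documented as extracting `<src_mac>` but names its group `mac_address`, unlike `dest_mac` in the `_for_dest` counterpart, so every consumer of `[[dhcp_mac_hostname_for_src]]` (DISCOVER, REQUEST, DECLINE) yields `mac_address` instead of `src_mac`; rename the group or fix the comments, and likewise the note in `[dhcp_release_extract]` says `src_host` may be absent while the pattern extracts `dest_host`. (2) The address alternative `(?:[\d+\.]+)` repeated through the ssh, pam, login, ftpd, ipfw, pf and iptables stanzas places `+` inside the character class as a literal; it is harmless but almost certainly meant to be `[\d.]+` and is worth a one-line cleanup. (3) `[ipfw]` assigns the first address/port pair to `dest_ip`/`dest_port` and the second to `src_ip`/`src_port`, and `[ipfw-stealth]` assigns the address after "attempt to" to `src_ip` and the one after "from" to `dest_ip`; in the ipfw log format the first pair is the source and "to" names the local destination, so please verify the direction against a real event, as no sample line is given for these stanzas. (4) `[userdel-grp]` writes `"object_attrs"::$4` with a quoted field name where every other FORMAT uses bare names, and `[ipfw-icmp]` keeps a commented-out `#REGEX` line; make the FORMAT consistent and either delete the dead regex or say why it stays.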

8
default/web.conf Normal file

@ -0,0 +1,8 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[expose:setup]
pattern=SetupService
methods=GET,POST
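Review bot: `[expose:setup]` publishes a `SetupService` endpoint through the web proxy with `methods=GET,POST`, but nothing in this file says which restmap.conf handler registers it (not visible in this commit) or what a POST changes; add a comment naming the handler and confirm it enforces the capability it needs, since once exposed here the POST path is reachable by any authenticated UI user the handler does not itself reject.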


@ -0,0 +1,8 @@
sourcetype,status
AIX:Update,available
FreeBSD:Update,available
HPUX:Update,available
Linux:Update,available
OSX:Update,available
Solaris:Update,available
Unix:Update,available
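Review bot: every row of this lookup maps its sourcetype to the same value `available`, so the table carries no information a literal `status="available"` eval would not; if a per-platform status is planned, note that somewhere, otherwise the lookup and its `[nix_da_update_status_lookup]` stanza can go.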


@ -0,0 +1,8 @@
sourcetype,range
AIX:Version,aix
FreeBSD:Version,freebsd
HPUX:Version,hpux
Linux:Version,linux
OSX:Version,osx
Solaris:Version,solaris
Unix:Version,unix


@ -0,0 +1,12 @@
op,action,object_category
add-user,created,user
add-home-dir,created,user
add-group,created,group
add-shadow-group,created,group
delete-user,deleted,user
deleting-user-from-group,modified,user
deleting-user-from-shadow-group,modified,user
delete-shadow-group,deleted,group
delete-group,deleted,group
success,success,user
failed,failure,user


@ -0,0 +1,129 @@
runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6,StartMode
off,off,off,off,off,off,off,Disabled
off,off,off,off,off,off,on,Auto
off,off,off,off,off,on,off,Auto
off,off,off,off,off,on,on,Auto
off,off,off,off,on,off,off,Auto
off,off,off,off,on,off,on,Auto
off,off,off,off,on,on,off,Auto
off,off,off,off,on,on,on,Auto
off,off,off,on,off,off,off,Auto
off,off,off,on,off,off,on,Auto
off,off,off,on,off,on,off,Auto
off,off,off,on,off,on,on,Auto
off,off,off,on,on,off,off,Auto
off,off,off,on,on,off,on,Auto
off,off,off,on,on,on,off,Auto
off,off,off,on,on,on,on,Auto
off,off,on,off,off,off,off,Auto
off,off,on,off,off,off,on,Auto
off,off,on,off,off,on,off,Auto
off,off,on,off,off,on,on,Auto
off,off,on,off,on,off,off,Auto
off,off,on,off,on,off,on,Auto
off,off,on,off,on,on,off,Auto
off,off,on,off,on,on,on,Auto
off,off,on,on,off,off,off,Auto
off,off,on,on,off,off,on,Auto
off,off,on,on,off,on,off,Auto
off,off,on,on,off,on,on,Auto
off,off,on,on,on,off,off,Auto
off,off,on,on,on,off,on,Auto
off,off,on,on,on,on,off,Auto
off,off,on,on,on,on,on,Auto
off,on,off,off,off,off,off,Auto
off,on,off,off,off,off,on,Auto
off,on,off,off,off,on,off,Auto
off,on,off,off,off,on,on,Auto
off,on,off,off,on,off,off,Auto
off,on,off,off,on,off,on,Auto
off,on,off,off,on,on,off,Auto
off,on,off,off,on,on,on,Auto
off,on,off,on,off,off,off,Auto
off,on,off,on,off,off,on,Auto
off,on,off,on,off,on,off,Auto
off,on,off,on,off,on,on,Auto
off,on,off,on,on,off,off,Auto
off,on,off,on,on,off,on,Auto
off,on,off,on,on,on,off,Auto
off,on,off,on,on,on,on,Auto
off,on,on,off,off,off,off,Auto
off,on,on,off,off,off,on,Auto
off,on,on,off,off,on,off,Auto
off,on,on,off,off,on,on,Auto
off,on,on,off,on,off,off,Auto
off,on,on,off,on,off,on,Auto
off,on,on,off,on,on,off,Auto
off,on,on,off,on,on,on,Auto
off,on,on,on,off,off,off,Auto
off,on,on,on,off,off,on,Auto
off,on,on,on,off,on,off,Auto
off,on,on,on,off,on,on,Auto
off,on,on,on,on,off,off,Auto
off,on,on,on,on,off,on,Auto
off,on,on,on,on,on,off,Auto
off,on,on,on,on,on,on,Auto
on,off,off,off,off,off,off,Auto
on,off,off,off,off,off,on,Auto
on,off,off,off,off,on,off,Auto
on,off,off,off,off,on,on,Auto
on,off,off,off,on,off,off,Auto
on,off,off,off,on,off,on,Auto
on,off,off,off,on,on,off,Auto
on,off,off,off,on,on,on,Auto
on,off,off,on,off,off,off,Auto
on,off,off,on,off,off,on,Auto
on,off,off,on,off,on,off,Auto
on,off,off,on,off,on,on,Auto
on,off,off,on,on,off,off,Auto
on,off,off,on,on,off,on,Auto
on,off,off,on,on,on,off,Auto
on,off,off,on,on,on,on,Auto
on,off,on,off,off,off,off,Auto
on,off,on,off,off,off,on,Auto
on,off,on,off,off,on,off,Auto
on,off,on,off,off,on,on,Auto
on,off,on,off,on,off,off,Auto
on,off,on,off,on,off,on,Auto
on,off,on,off,on,on,off,Auto
on,off,on,off,on,on,on,Auto
on,off,on,on,off,off,off,Auto
on,off,on,on,off,off,on,Auto
on,off,on,on,off,on,off,Auto
on,off,on,on,off,on,on,Auto
on,off,on,on,on,off,off,Auto
on,off,on,on,on,off,on,Auto
on,off,on,on,on,on,off,Auto
on,off,on,on,on,on,on,Auto
on,on,off,off,off,off,off,Auto
on,on,off,off,off,off,on,Auto
on,on,off,off,off,on,off,Auto
on,on,off,off,off,on,on,Auto
on,on,off,off,on,off,off,Auto
on,on,off,off,on,off,on,Auto
on,on,off,off,on,on,off,Auto
on,on,off,off,on,on,on,Auto
on,on,off,on,off,off,off,Auto
on,on,off,on,off,off,on,Auto
on,on,off,on,off,on,off,Auto
on,on,off,on,off,on,on,Auto
on,on,off,on,on,off,off,Auto
on,on,off,on,on,off,on,Auto
on,on,off,on,on,on,off,Auto
on,on,off,on,on,on,on,Auto
on,on,on,off,off,off,off,Auto
on,on,on,off,off,off,on,Auto
on,on,on,off,off,on,off,Auto
on,on,on,off,off,on,on,Auto
on,on,on,off,on,off,off,Auto
on,on,on,off,on,off,on,Auto
on,on,on,off,on,on,off,Auto
on,on,on,off,on,on,on,Auto
on,on,on,on,off,off,off,Auto
on,on,on,on,off,off,on,Auto
on,on,on,on,off,on,off,Auto
on,on,on,on,off,on,on,Auto
on,on,on,on,on,off,off,Auto
on,on,on,on,on,off,on,Auto
on,on,on,on,on,on,off,Auto
on,on,on,on,on,on,on,Auto
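Review bot: this 129-line lookup is the full truth table over seven runlevels yet encodes a single rule (all seven `off` gives `Disabled`, any other combination gives `Auto`), and a table this size hides a mistyped row from review; either record that rule beside `[nix_linux_service_startmode_lookup]` in transforms.conf or shrink the table to the `Disabled` row and return `Auto` through `min_matches = 1` with `default_match = Auto` on the lookup stanza.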
128 on on on on on on off Auto
129 on on on on on on on Auto

View file

@ -0,0 +1,22 @@
vendor_action,action
accepted,success
add,created
added,created
create,created
authenticated,success
"authentication failed",failure
"authentication refused",failure
"authentication tried",failure
"authorized to",success
"could not identify password",failure
delete,deleted
failed,failure
"ftp login",success
"handling telnet call",success
"invalid user",failure
"login restricted",failure
remove,deleted
"session opened",success
succeeded,success
successful,success
"account added to group",modified

11
metadata/default.meta Normal file
View file

@ -0,0 +1,11 @@
# Application-level permissions
[]
access = read : [ * ], write : [ admin , sc_admin ]
export = system
[savedsearches]
owner = admin
## Exclude export of custom alert actions
[alert_actions/email]
export = none
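Review bot: the comment `## Exclude export of custom alert actions` promises more than the stanza delivers: `[alert_actions/email]` with `export = none` withholds only the `email` alert action, while the global `[]` stanza's `export = system` still exports every other object the add-on defines. If the intent is all custom alert actions, the stanza should be `[alert_actions]`; if only `email` is meant, reword the comment. Also worth a comment on why the global export is `system` (so the add-on's props, transforms and lookups apply across every app on the instance), since combined with `read : [ * ]` it is the widest-reaching setting in this file and a reader of `default.meta` should not have to guess that it is deliberate.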

359
splunkbase.manifest Normal file
View file

@ -0,0 +1,359 @@
{
"version": "1.0",
"date": "2024-10-18T12:52:23.073000921Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 833,
"version": "9.2.0",
"files": [
{
"path": "LICENSES/Apache-2.0.txt",
"hash": "d3910dee6fe9fe134856d76268fe82adb1ade1ecf51b3568b7da6b94894b88f3"
},
{
"path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
},
{
"path": "README/restmap.conf.spec",
"hash": "5cc8f9508cd792137e1a2129763dd78e9275a0c2f8d3cf7fc25b72848a07d869"
},
{
"path": "README.txt",
"hash": "106e6203d3ff66f04cac953385cb517cff459b572f8d52adf71a8a59c5851776"
},
{
"path": "THIRDPARTY",
"hash": "6340a3cf0959b37d83e10ce4e12bc4ab53d2ae2729ee506451b8d554418d1ab3"
},
{
"path": "VERSION",
"hash": "4b083d27782e80fd5bce34252adc7de9e9ab611475e170cb507e49586483025e"
},
{
"path": "app.manifest",
"hash": "24b4bb6f47bc1472038f5c983ec91705052162da89555f52a78c9f3c830cfd82"
},
{
"path": "appserver/static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "appserver/static/components/js_sdk_extensions/common.js",
"hash": "295fe307ec286b9b4eb89c4b59dbd6204376e63b7346c26fd1b087446db372c2"
},
{
"path": "appserver/static/components/js_sdk_extensions/monitor_inputs.js",
"hash": "27af704acaeb3b98c78ad5322a6171e1b748b5650be809f5d92a4e5618529123"
},
{
"path": "appserver/static/components/js_sdk_extensions/scripted_inputs.js",
"hash": "6fe5d6f31a60a86d9988170e1641f13eb315351f890c2247c6de83b3aa372e26"
},
{
"path": "appserver/static/setup.css",
"hash": "f27882e6a07bbd87f99f95d77211439e71959efae6d52ce4771ce26d06e0bcc9"
},
{
"path": "appserver/static/setup.js",
"hash": "a3d4e2567779b605a97daa3ced2fc49a8e487a5ec4ee95080392824eb74e7e11"
},
{
"path": "appserver/static/setup_cloud.js",
"hash": "00875c907fd0dc80fa5d05130c28410a8abd99a0ff43da86c6af87e01d8a21da"
},
{
"path": "bin/bandwidth.sh",
"hash": "14682eacdc5ab8849ce3e786c05d0140ea166b6f28403106e433048c09533146"
},
{
"path": "bin/common.sh",
"hash": "6569707362169122ec6a41c9345ed00e09e0913e3855ccb68a21ade3c1c9012d"
},
{
"path": "bin/cpu.sh",
"hash": "e34d912324ceb3f6add524722adc9057b4177015fad844a5e37634ef40cbb9c7"
},
{
"path": "bin/cpu_metric.sh",
"hash": "2d175a98ded5f141b20fd3b3847217447b5489b4d989512d8b8679a4f2777a0b"
},
{
"path": "bin/df.sh",
"hash": "27b0ad779340e6bd8a26e296ce9b0b9cd2721eaadcf4669e5579560a676c9db7"
},
{
"path": "bin/df_metric.sh",
"hash": "4457b92d8d8ee24441eb38df2134113f5a821111b7c3573b48313adcee39d3e8"
},
{
"path": "bin/hardware.sh",
"hash": "20e341826d21047e9cc3b7cd632422f6b9a0364282333616c1f912b4dddb7093"
},
{
"path": "bin/interfaces.sh",
"hash": "ebdd6823f6db05bc76ebdbfb61d1fda63959fd334cf59d2e038ea7bae64355b7"
},
{
"path": "bin/interfaces_metric.sh",
"hash": "9458deb6ba4c56a22264df75d42945e170f6f1a729d93220617c85810733ef19"
},
{
"path": "bin/iostat.sh",
"hash": "505a4694c4879fd8ed155394be51431c9839fc9f980077abb0416f844f09d722"
},
{
"path": "bin/iostat_metric.sh",
"hash": "4af68e89e6a93fa34ccd724ff78a509b7868bc06e60a4f16a6aa24d300d8efc8"
},
{
"path": "bin/lastlog.sh",
"hash": "8d8c0744767d9426cb98122d33eb6acd5447db4a03cfccfd5fdc014f1e15ea3e"
},
{
"path": "bin/lsof.sh",
"hash": "a98a9c64496a081c395e00b692f5eca25ae186cc050c0f31d5425a561fdc63a1"
},
{
"path": "bin/netstat.sh",
"hash": "a5ef9833cf21c6572431f32991d153a625510a4b0553fe6f56d07bb4f4914b2e"
},
{
"path": "bin/nfsiostat.sh",
"hash": "eccc2bf3701840173206ecf7603c20861b4ce106b6be795df2fa312744958107"
},
{
"path": "bin/openPorts.sh",
"hash": "9f7cb2a7f9e8b43ceb7e22930ea125855e64527caa13d76b5c219ec473b899c5"
},
{
"path": "bin/openPortsEnhanced.sh",
"hash": "d7e19798aec7fb3244b6fe36fce28ca3fc8951a0e38d0516f5ef8c1b06197246"
},
{
"path": "bin/package.sh",
"hash": "d9da2664cc2b913285d595e7c74dab9e5a6f1703d44e8f517e9b62a5ba70496a"
},
{
"path": "bin/passwd.sh",
"hash": "4ab37e3c9d07842777ed42f8b22adfe8fe05a9ab0758e833fdc885a26237bafe"
},
{
"path": "bin/protocol.sh",
"hash": "61e372f670cb74131890a2c0ff381891c83337687b6809f31bf920a99f5bd432"
},
{
"path": "bin/ps.sh",
"hash": "3a6ebc99c1b5207d54c885338cf06b22f343c1f64a6048d03fd0bf48b82d41b5"
},
{
"path": "bin/ps_metric.sh",
"hash": "0c3dc356f47728b9b99be79fffe40256eded1644f599b1bbe8b1a9e8db05b10d"
},
{
"path": "bin/rlog.sh",
"hash": "271fcaf091527670df3e794c29d7bf57d1371909c72c25d56c79dd136b029513"
},
{
"path": "bin/selinuxChecker.sh",
"hash": "07135df789924f8d4f5ae8228ccbfe0a5e47756de202fcf00a019a12712d8312"
},
{
"path": "bin/service.sh",
"hash": "d579051391bd1af365bdda6016e3529009e0e7b62e1846fdcdb755b36f0d7c49"
},
{
"path": "bin/setup.sh",
"hash": "b0263d112fa183411bfe141840d697217025856d44fa67be6d14b240728b7062"
},
{
"path": "bin/setupservice.py",
"hash": "c69d1b0b4a10ec966c2e752b7ec1c3f4be5ca3721626bbab62ddfe1509d15137"
},
{
"path": "bin/sshdChecker.sh",
"hash": "ba9ada21b413a1f7ea5ab7850314e96b03c8a3369267af24d9cf2d8f76edb6dc"
},
{
"path": "bin/time.sh",
"hash": "5ad0ed71a9c4637046da43656aea4a614e331217fb707e9df7443aaa6036eeba"
},
{
"path": "bin/top.sh",
"hash": "f380506de00a3bb51d9351108057e498cd8211e3ade7c16fa65121d3ff66ba1d"
},
{
"path": "bin/update.sh",
"hash": "048f6e678f873d2b856ec851c52389d9f8d5ccde0fee0ead0dcf5348cc3cb587"
},
{
"path": "bin/uptime.sh",
"hash": "2770952e0c29a92e37d2d23a8a93223812e2facd4597c50e3e832439fdbdf600"
},
{
"path": "bin/usersWithLoginPrivs.sh",
"hash": "0006baa9bc57e6b5711e557b6532b8c48b29d42bca6364d664042d2aa6f2cf12"
},
{
"path": "bin/version.sh",
"hash": "4d484fc3e1853d0e07d47ba9c4401266a1fbe0712a554e9eeaeb835b96d8a59f"
},
{
"path": "bin/vmstat.sh",
"hash": "b816aa5e67ad18b995eb577e16ca7c91ae3ecdeeb019d0b79321ade83a90daef"
},
{
"path": "bin/vmstat_metric.sh",
"hash": "47df351e2afd7abedb49f8d38f5350ce6276fdb512005ba56e7ff9692f581515"
},
{
"path": "bin/vsftpdChecker.sh",
"hash": "0009c03f72289e5b7b692cb74951382d1a6d4c3698ef5b08b74e468f3dfe199f"
},
{
"path": "bin/who.sh",
"hash": "47318dee6246abfd577984383ac134225a84e0dcf0753413f88b7f2be5a8087d"
},
{
"path": "default/app.conf",
"hash": "451c717df6073aabd78b5ba4abb33ac71b6d61df8d46a243913b01ed9ac77040"
},
{
"path": "default/data/ui/nav/default.xml",
"hash": "36078398f91fa377c21f2369271797cc0016b8ba1a6f271e327cce2809f2711d"
},
{
"path": "default/data/ui/views/ta_nix_configuration.env_cloud.xml",
"hash": "7176b693e2eeb2757d6a5a9651e793141a52b5b36f4b229c31f4ab3e970e8510"
},
{
"path": "default/data/ui/views/ta_nix_configuration.xml",
"hash": "2d30308510e08aea0a190984fda45b708ab373768796494202a4813c37ef74d2"
},
{
"path": "default/eventtypes.conf",
"hash": "c52b63bf8b429e406a1488c59c1945531123bed647b08460d85ca3a6a4f8f81e"
},
{
"path": "default/inputs.conf",
"hash": "0eff320f7aba6d35e27e8a0ae0837ad6c4340f9e84a9cdfb71e8162a97ecc782"
},
{
"path": "default/macros.conf",
"hash": "0daf589bcfbd430f45b55ed3f3d0784f8ad6e79d75300fac9c2604a79fc7f4dc"
},
{
"path": "default/props.conf",
"hash": "8742759e63baf3dc737adecec95fb7370741cb5f2268064593cb2e5a1ba8b260"
},
{
"path": "default/restmap.conf",
"hash": "2774f5332efc8bfeebb88a1d771b8d65cca9197666d0c5e9a4a371b8ed468d73"
},
{
"path": "default/tags.conf",
"hash": "ad29e489018a892f8d50731e32efa48a01dcdb438096d443f7b6e068cfd1ca15"
},
{
"path": "default/transforms.conf",
"hash": "d13792dde1aa85d9e864782787948d6f10b888e4a689d6668de3cc604e2ad1ab"
},
{
"path": "default/web.conf",
"hash": "75f12a6541d22c27d526ab544973398ae4b6d5aa1e57e8e4b22e845e564a2e56"
},
{
"path": "lookups/nix_da_update_status.csv",
"hash": "a9a794b39377946e0dcb5f70c9c8ba6114fec1728512c9f39cfb0f3eca46159c"
},
{
"path": "lookups/nix_da_version_ranges.csv",
"hash": "992529c548d8273e073a988d089fbd5c7fa5c1ef47d51243e9da9dfb77eba6d2"
},
{
"path": "lookups/nix_linux_audit_action_object_category.csv",
"hash": "5838950fd3cade537dea91d1dcdcbd10532457fa7de07d397bfc699e56a19867"
},
{
"path": "lookups/nix_linux_service_startmodes.csv",
"hash": "dd669b358909f4d9be9d0aef9f4720e78a290e422a90ec3e3cdabe39ed9b8be2"
},
{
"path": "lookups/nix_vendor_actions.csv",
"hash": "f287b03905a705fed92dd4a1d1cf060c16b9521aba80b06494af8d5e8530fa97"
},
{
"path": "metadata/default.meta",
"hash": "6fa3057938996152cdfeddb46b20a1c079966ba87a56cf7c13c9d35f3caaf2e7"
},
{
"path": "static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIconLg.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIconLg_2x.png",
"hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34"
},
{
"path": "static/appIcon_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
}
]
},
"products": [
{
"platform": "splunk",
"product": "enterprise",
"versions": [
"9.0",
"9.1",
"9.2",
"9.3"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
},
{
"platform": "splunk",
"product": "cloud",
"versions": [
"9.0",
"9.1",
"9.2",
"9.3"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
}
]
}
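Review bot: the manifest pairs each packaged path with a SHA-256 digest (`"hashAlgorithm": "SHA-256"`), but nothing in the file binds that list to a signer, so a tree and manifest modified together still agree with each other; on its own the file detects accidental drift, not tampering. Suggest a CI step that walks `app.files`, recomputes the SHA-256 of each listed path in the checked-in tree and fails on any mismatch, and a line in `README.txt` making clear that authenticity has to come from the Splunkbase download itself rather than from this file. Minor: `static/appIcon.png`, `static/appIconAlt.png` and `appserver/static/appIcon.png` share one digest, as do `static/appIconAlt_2x.png`, `static/appIconLg.png` and `static/appIcon_2x.png`; that is consistent with the identical file sizes in this commit but worth confirming it is intentional rather than a copied placeholder.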

BIN
static/appIcon.png Normal file
Binary file not shown (3.3 KiB).

BIN
static/appIconAlt.png Normal file
Binary file not shown (3.3 KiB).

BIN
static/appIconAlt_2x.png Normal file
Binary file not shown (6.6 KiB).

BIN
static/appIconLg.png Normal file
Binary file not shown (6.6 KiB).

BIN
static/appIconLg_2x.png Normal file
Binary file not shown (15 KiB).

BIN
static/appIcon_2x.png Normal file
Binary file not shown (6.6 KiB).