Import Splunk Add-On for Unix and Linux version 9.2.0

This commit is contained in:
Michael Erdely 2024-12-24 23:51:57 -05:00
commit 92ac2630a1
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
77 changed files with 11487 additions and 0 deletions

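--- /dev/null
+++ b/default/app.conf
@@ -0,0 +1,30 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[install]
+is_configured = false
+state = enabled
+build = 1720176219
+[ui]
+setup_view = ta_nix_configuration
+is_visible = true
+label = Splunk Add-on for Unix and Linux
+docs_section_override = AddOns:released
+[launcher]
+author = Splunk, Inc.
+version = 9.2.0
+description = Splunk Add-on for Unix and Linux
+[package]
+id = Splunk_TA_nix
+check_for_updates = true
+[id]
+name = Splunk_TA_nix
+version = 9.2.0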


@ -0,0 +1,8 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<nav>
<view name="ta_nix_configuration" default='true' />
</nav>


@ -0,0 +1,23 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<dashboard script="setup_cloud.js" stylesheet="setup.css" version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<panel>
<html>
<p>Please set up this add-on on your forwarders. Documentation on how to configure this add-on is
<a target="_blank" href="http://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment">here</a>.
<br/>
Click on below button, if you are getting redirected to this page while editing the add-on's knowledge object.
</p>
<div id="btn-bar">
<input id="save-btn" class="btn btn-primary" type="submit" value="Click me!" />
</div>
</html>
</panel>
</row>
</dashboard>
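Review bot: The documentation anchor `<a target="_blank" href="http://docs.splunk.com/Documentation/UnixAddOn/...">` uses the plain-http scheme, so an administrator clicking it from the setup page starts the request in cleartext and relies on a server-side redirect to reach TLS; change the scheme to `https://` and add `rel="noopener noreferrer"` to the `target="_blank"` anchor so the opened tab cannot reach back to the setup page through `window.opener` on browsers that do not imply noopener. The submit button label `Click me!` also says nothing about what the `save-btn` does; a label such as `Save configuration` would match its id and the instruction text above it.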


@ -0,0 +1,96 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<!--
|| NOTE: The `isVisible` property is a special Splunk Light only property
|| that prevents this dashboard from appearing on the page:
|| http://localhost:8000/en-US/app/search/dashboards .
|| It has no effect on Splunk Enterprise.
-->
<dashboard script="setup.js" stylesheet="setup.css" isVisible="false" version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<html>
<p id="overview">
The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate
Linux and Unix system monitoring using Splunk. Check out the
<a href="http://apps.splunk.com/app/833/" target="_blank">
Splunk for Unix Technical Add-on
</a> page on <a href="http://apps.splunk.com/" target="_blank">Splunkbase</a>
for support information, the latest updates, and more.
</p>
<div id="not-unix-error" class="error-box">
This server is not running a known Unix or Linux operating system.
Install this add-on on Unix or Linux systems only.
</div>
<div>
<h2>File and Directory Inputs:</h2>
<table id="monitor-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div>
<h2>Scripted Metric Inputs:</h2>
<table id="scripted-metric-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
<th>Index</th>
</tr>
<!-- Rows will be inserted here -->
</table>
<h2>Scripted Event Inputs:</h2>
<table id="scripted-event-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div id="generic-save-error" class="error-box">
There was an unexpected problem while saving the inputs.
Please reload the page and try again.
</div>
<div id="index-not-selected-error" class="error-box">
Field 'Index' is empty or invalid for the metric inputs. Change the index or disable the input.
</div>
<div id="invalid-interval-error" class="error-box">
Field 'Interval' must be a positive integer value.
</div>
<div id="btn-bar">
<input id="save-btn" class="btn btn-primary" type="submit" value="Save" />
</div>
</html>
</row>
</dashboard>
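Review bot: Both Splunkbase links in the overview paragraph, `href="http://apps.splunk.com/app/833/"` and `href="http://apps.splunk.com/"`, use the plain-http scheme and open with `target="_blank"` but no `rel` attribute; change them to `https://` and add `rel="noopener noreferrer"` so the external tab cannot reach back to this admin page via `window.opener` on browsers that do not imply noopener. The `Enable (All)` / `Disable (All)` anchors use `href="#"` and presumably rely on `setup.js` to intercept the click; since that script is not in this commit, a short comment next to the tables noting that the rows and click handlers are populated by `setup.js` would help the next maintainer know where the behaviour lives.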

722
default/eventtypes.conf Normal file

@ -0,0 +1,722 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[nix_ta_custom_eventtype]
search = NOT *
[nix_ta_data]
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
###### Globals ######
[nix_security]
search = sourcetype="*_secure"
#tags = os unix
[nix_configs]
search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")
[nix_errors]
search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
#tags = error
###### DHCP ######
[dhcpd_server]
search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
#tags = dhcp network session unix
[dhcpd_start]
search = sourcetype=dhcpd signature=DHCPACK
#tags = start
[dhcpd_unable_unexpected]
search = sourcetype=dhcpd unable OR unexpected
#tags = error
[dhcpd_server_dhcpack]
search = sourcetype=dhcpd DHCPACK
[dhcpd_server_dhcpdiscover]
search = sourcetype=dhcpd DHCPDISCOVER
[dhcpd_server_dhcpoffer]
search = sourcetype=dhcpd DHCPOFFER
[dhcpd_server_dhcprelease]
search = sourcetype=dhcpd DHCPRELEASE
#tags = end
[dhcpd_server_dhcprequest]
search = sourcetype=dhcpd DHCPREQUEST
###### Scripted Inputs ######
## CPU stats
[cpu]
search = sourcetype=cpu
#tags = performance os resource report unix cpu
[cpu_anomalous]
search = sourcetype=cpu PercentSystemTime>90
#tags = enabled
[df]
search = sourcetype=df
#tags = df host check success storage performance
[iostat]
search = sourcetype=iostat
[nfsiostat]
search = sourcetype=nfsiostat
[lsof]
search = sourcetype=lsof
[hardware]
search = sourcetype=hardware
[interfaces]
search = sourcetype=interfaces
# tags = Inventory Network
[lastlog]
search = sourcetype=lastlog
[netstat]
search = sourcetype=netstat
# listening port
[openPorts]
search = sourcetype=openPorts
[package]
search = sourcetype=package
[protocol]
search = sourcetype=protocol
[ps]
search = sourcetype=ps
#tags = process oshost success ps cpu performance
[top]
search = sourcetype=top
[time]
search = sourcetype=time
[usersWithLoginPrivs]
search = sourcetype=usersWithLoginPrivs
[vmstat]
search = sourcetype=vmstat
#tags = performance os avail unix report vmstat resource success memory
[who]
search = sourcetype=who
[bandwidth]
search = sourcetype=bandwidth
###### System Logs ######
#### Account Management
[useradd]
search = eventtype=nix_ta_data useradd user
#tags = account management add change
# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
[useradd-suse]
search = eventtype=nix_ta_data useradd new account added
#tags = account management add change
[userdel]
search = eventtype=nix_ta_data userdel user
#tags = account management delete change
[groupadd]
search = eventtype=nix_ta_data groupadd group
#tags = account management add change
#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
[groupadd-suse]
search = eventtype=nix_ta_data useradd account added group
#tags = account management add change
[groupdel]
search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
#tags = account management delete change
[linux-password-change]
search = eventtype=nix_ta_data process=passwd password changed
#tags = account management password modify change
#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
[linux-password-change-failed]
search = eventtype=nix_ta_data process=passwd password change failed
#tags = account management password modify change
#### acpi
[nix_acpi]
search = eventtype=nix_ta_data ACPI:
#tags = os unix power
#### agpgart
[nix_agpgart]
search = eventtype=nix_ta_data agpgart:
#tags = os unix graphics
#### apm
[nix_apm]
search = eventtype=nix_ta_data apm:
#tags = os unix power
#### auditd
[auditd]
search = sourcetype=auditd
#tags = os unix resource file
[auditd_modify]
search = source=auditd PATH
#tags = modify
#### Authentication
## ksu
[ksu_authentication]
# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
#tags = authentication
## login
[login_authentication]
search = eventtype=nix_ta_data login: "Login failure on"
#tags = authentication
## pam
[pam_unix_authentication]
search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
#tags = authentication
## passwd
#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure
[passwd-auth-failure]
search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
#tags = application authentication
## rlogin
[rlogin_too_many_failures]
search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
#tags = application attack watchlist
## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_failure]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
#tags = application authentication remote
## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_allowed]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote
## sshd
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
#tags = authentication remote
[ssh_login_postponed]
search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype
[ssh_open]
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
#tags = communicate connect
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
[ssh_close]
search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
#tags = access stop logoff
# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
[ssh_disconnect]
search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect
#tags = access stop logoff
[ssh_check_pass]
search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
#no tags assigned to this eventtype
## su
[su_authentication]
# Example event, from su on CentOS7
# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'
search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
#tags = authentication
[su_failed]
search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
#tags = authentication
[su_session]
search = eventtype=nix_ta_data su: session
#tags = session
[su_root_session]
search = eventtype=nix_ta_data su: session root
#tags = session privileged
## Telnet
[wksh_authentication]
search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
# no tags assigned to this eventtype
#### automount
[nix_automount]
search = eventtype=nix_ta_data automount punct="::__::_*:_*"
#tags = os unix
#### Config
[nix_config_change]
search = eventtype=nix_ta_data Configuration changed
#tags = os unix host configuration modify
#### Console
[nix_console]
search = eventtype=nix_ta_data Console:
#tags = os unix
#### cron
[nix_cron]
search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
#tags = os unix
#### CUPS
[nix_cups_access]
search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
#tags = os unix access printer
[nix_cups_error]
search = eventtype=nix_ta_data punct="_[//:::_-]_*"
#tags = os unix printer
[nix_cups_page]
search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
#tags = os unix printer
#### dhclient
[nix_dhclient]
search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
#tags = os unix
#### DMA
[nix_dma]
search = eventtype=nix_ta_data DMA zone:
#tags = os unix memory access
#### Firewall
# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add
# on and tag their events with these tags
[iptables_firewall_accept]
search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
#tags = os unix host firewall communicate success
[iptables_firewall_deny]
search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
#tags = os unix host firewall communicate failure
#### FTP
[nix_ftp_xferlog]
search = eventtype=nix_ta_data punct="___*::___...__///*"
#tags = os unix ftp transfer
[nix_ncftpd_logins]
search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
#tags = os unix ftp authentication
#### Fingerprinting
[nix_fingerprinting]
search = eventtype=nix_ta_data Client OS detected:
#tags = os unix
#### gconfd
[nix_gconfd]
search = eventtype=nix_ta_data gconfd
#tags = os unix
[nix_gconfd_error]
search = eventtype=nix_ta_data gconfd Error
#tags = error
[nix_gconfd_exiting]
search = eventtype=nix_ta_data gconfd Exiting OR signal
#tags = stop
[nix_gconfd_resolved_address]
search = eventtype=nix_ta_data gconfd Resolved address
[nix_gconfd_starting]
search = eventtype=nix_ta_data gconfd starting
#tags = start
#### gdm
[nix_gdm]
search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
#tags = os unix
#### gpm
[nix_gpm]
search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
#tags = os unix
#### FreeBSD
[freebsd_refresh_na_answer]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
#tags = os unix
[freebsd_refresh_retry_exceeded]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
#tags = os unix
#### hald
[nix_hald]
search = eventtype=nix_ta_data hald punct="*__::_*:_*"
#tags = os unix
#### hpiod
[hpiod_Linux_syslog]
search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
#tags = os unix
#### kernel
[nix_kernel_attached]
search = eventtype=nix_ta_data kernel
#tags = os unix kernel
#### kill
[nix_process_kill]
search = eventtype=nix_ta_data exiting signal 15
#tags = os unix process stop
#### mDNSResponder
[nix_mDNSResponder]
search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
#tags = os unix dns
#### named
[nix_named1]
search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
#tags = os unix dns
[nix_named2]
search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
#tags = os unix dns
#### OSX Crash Log
[osx_crash_log]
search = eventtype=nix_ta_data Host Name Date/Time
#tags = os unix error
#### Netlabel
[nix_netlabel]
search = eventtype=nix_ta_data NetLabel:
#tags = os unix kernel
#### PCI
[nix_pci]
search = eventtype=nix_ta_data PCI: NOT BIOS
#tags = os unix
#### Plug-n-play
[nix_pnp]
search = eventtype=nix_ta_data pnp:
#tags = os unix
#### POP3
[nix_popper]
search = eventtype=nix_ta_data popper
#tags = os unix mail
#### postfix
[nix_postfix]
search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
#tags = os unix
#### Prelink
[nix_prelink]
search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
#tags = os unix
#### RPC
[nix_rpc_statd]
search = eventtype=nix_ta_data rpc.statd
#tags = os unix
#### RPM
[nix_rpm]
search = eventtype=nix_ta_data *.rpm punct="*-*.*."
#tags = os update
#### Runlevel
[nix_runlevel_change]
search = eventtype=nix_ta_data init: punct="*__::_*:_*"
#tags = os unix configuration modify
#### SNMPD
[snmpd]
search = eventtype=nix_ta_data snmpd
#tags = os unix snmp
[snmpd_failure]
search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
#tags = failure
#### scrollkeeper
[nix_scrollkeeper]
search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
#tags = os unix
## Shutdown
[nix_halt]
search = eventtype=nix_ta_data shutdown: system halt
#tags = os unix stop
[nix_restart]
search = eventtype=nix_ta_data shutdown: system reboot
#tags = os unix stop
#### smartd
[nix_smartd]
search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
#tags = os unix
#### Time
[nix_timesync]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
#tags = report time synchronize success
[nix_timesync_failure]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
#tags = report time synchronize failure
#### Update
[nix_yum_update]
search = eventtype=nix_ta_data yum Updated
#tags = report update success
#### udevd
[nix_udevd]
search = eventtype=nix_ta_data udevd
#tags = os unix kernel
#### USB
[nix_usb]
search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
#tags = os unix usb
#### userhelper
[nix_userhelper]
search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
#tags = os unix
###### ADDED FROM UNIX APP ######
[failed_login]
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
#tags = authentication
[Failed_SU]
search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
#tags = authentication
[nix-all-logs]
search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)
###### END FROM UNIX APP ######
###### ADDED FROM TA-deploymentapps ######
###### Scripted Inputs ######
## Global
[aix_scripted_input]
search = sourcetype=AIX:*
#tags = check report
[hpux_scripted_input]
search = sourcetype=HPUX:*
#tags = check report
[linux_scripted_input]
search = sourcetype=Linux:*
#tags = check report
[osx_scripted_input]
search = sourcetype=OSX:*
#tags = check report
[solaris_scripted_input]
search = sourcetype=Solaris:*
#tags = check report
[unix_scripted_input]
search = sourcetype=Unix:*
#tags = check report
## CPUTime
[cputime]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
#tags = performance os avail cpu
[cputime_anomalous]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
#tags = anomalous
## Disk
[freediskspace]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
#tags = performance os avail disk storage
[freediskspace_anomalous]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
#tags = anomalous
## Listening Ports
[listeningports]
search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
#tags = os config report
## Local Processes
[localprocesses]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
#tags = os avail process
[localprocesses_anomalous]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
#tags = anomalous
## Memory
[memory]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
#tags = performance os avail memory
[memory_anomalous]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
#tags = anomalous
## SELinux Config
[selinuxconfig]
search = sourcetype=Linux:SELinuxConfig
#tags = application config selinux
## Service
[service]
search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
#tags = os config service report
[service_runlevel_anomalous]
search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
#tags = anomalous
## SSHD Config
[sshdconfig]
search = sourcetype=*:SSHDConfig
#tags = application config ssh
[sshd_insecure]
search = eventtype=nix_ta_data sshd_protocol=*1*
#tags = insecure
## Update
[update]
search = sourcetype=*:Update
#tags = os info update
[update_status]
search = sourcetype=*:Update NOT total_updates
#tags = status
## Uptime
[uptime]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
#tags = os info report uptime performance
[uptime_anomalous]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
#tags = anomalous
## User Accounts
[useraccounts]
search = sourcetype=*:UserAccounts (NOT file_hash=*)
#tags = (os) config user inventory
[useraccounts_anomalous]
search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
#tags = anomalous
## Version
[nix_version]
search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
#tags = os info report system version inventory
## VSFTDP Config
[vsftpd_config]
search = sourcetype=*:VSFTPDConfig
#tags = application config ftp cleartext
[vsftpd_config_anonymous]
search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
#tags = anonymous
###### END FROM TA-deploymentapps ######
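Review bot: The `[nix_ta_custom_eventtype]` stanza with `search = NOT *` carries no comment saying that it is a deliberately empty hook, so a reader is likely to treat it as dead configuration and delete it, silently changing what `nix_ta_data` covers; add `# Intentionally matches nothing; override in local/eventtypes.conf to pull additional sourcetypes into nix_ta_data` above it. Note also that `nix_ta_data` matches on `source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*)` independently of sourcetype, so every eventtype built on it, including `failed_login` and `Failed_SU` whose commented `#tags = authentication` lines show they are meant to feed authentication views, will also claim events that other add-ons collect from those same paths. Either a comment stating that scope or narrowing the source clauses to the sourcetypes this add-on assigns would avoid mis-attribution in shared indexes; if the broad scope is intentional, the comment alone is enough.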

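--- /dev/null
+++ b/default/inputs.conf
@@ -0,0 +1,270 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[script://./bin/vmstat_metric.sh]
+sourcetype = vmstat_metric
+source = vmstat
+interval = 60
+disabled = 1
+[script://./bin/iostat_metric.sh]
+sourcetype = iostat_metric
+source = iostat
+interval = 60
+disabled = 1
+[script://./bin/ps_metric.sh]
+sourcetype = ps_metric
+source = ps
+interval = 30
+disabled = 1
+[script://./bin/df_metric.sh]
+sourcetype = df_metric
+source = df
+interval = 300
+disabled = 1
+[script://./bin/interfaces_metric.sh]
+sourcetype = interfaces_metric
+source = interfaces
+interval = 60
+disabled = 1
+[script://./bin/cpu_metric.sh]
+sourcetype = cpu_metric
+source = cpu
+interval = 30
+disabled = 1
+################################################
+############### Event Inputs ###################
+################################################
+[script://./bin/vmstat.sh]
+interval = 60
+sourcetype = vmstat
+source = vmstat
+disabled = 1
+[script://./bin/iostat.sh]
+interval = 60
+sourcetype = iostat
+source = iostat
+disabled = 1
+[script://./bin/nfsiostat.sh]
+interval = 60
+sourcetype = nfsiostat
+source = nfsiostat
+disabled = 1
+[script://./bin/ps.sh]
+interval = 30
+sourcetype = ps
+source = ps
+disabled = 1
+[script://./bin/top.sh]
+interval = 60
+sourcetype = top
+source = top
+disabled = 1
+[script://./bin/netstat.sh]
+interval = 60
+sourcetype = netstat
+source = netstat
+disabled = 1
+[script://./bin/bandwidth.sh]
+interval = 60
+sourcetype = bandwidth
+source = bandwidth
+disabled = 1
+[script://./bin/protocol.sh]
+interval = 60
+sourcetype = protocol
+source = protocol
+disabled = 1
+[script://./bin/openPorts.sh]
+interval = 300
+sourcetype = openPorts
+source = openPorts
+disabled = 1
+[script://./bin/time.sh]
+interval = 21600
+sourcetype = time
+source = time
+disabled = 1
+[script://./bin/lsof.sh]
+interval = 600
+sourcetype = lsof
+source = lsof
+disabled = 1
+[script://./bin/df.sh]
+interval = 300
+sourcetype = df
+source = df
+disabled = 1
+# Shows current user sessions
+[script://./bin/who.sh]
+sourcetype = who
+source = who
+interval = 150
+disabled = 1
+# Lists users who could login (i.e., they are assigned a login shell)
+[script://./bin/usersWithLoginPrivs.sh]
+sourcetype = usersWithLoginPrivs
+source = usersWithLoginPrivs
+interval = 3600
+disabled = 1
+# Shows last login time for users who have ever logged in
+[script://./bin/lastlog.sh]
+sourcetype = lastlog
+source = lastlog
+interval = 300
+disabled = 1
+# Shows stats per link-level Etherner interface (simply, NIC)
+[script://./bin/interfaces.sh]
+sourcetype = interfaces
+source = interfaces
+interval = 60
+disabled = 1
+# Shows stats per CPU (useful for SMP machines)
+[script://./bin/cpu.sh]
+sourcetype = cpu
+source = cpu
+interval = 30
+disabled = 1
+# This script reads the auditd logs translated with ausearch
+[script://./bin/rlog.sh]
+sourcetype = auditd
+source = auditd
+interval = 60
+disabled = 1
+# Run package management tool collect installed packages
+[script://./bin/package.sh]
+sourcetype = package
+source = package
+interval = 3600
+disabled = 1
+[script://./bin/hardware.sh]
+sourcetype = hardware
+source = hardware
+interval = 36000
+disabled = 1
+[monitor:///Library/Logs]
+disabled = 1
+[monitor:///var/log]
+whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
+blacklist=(lastlog|anaconda\.syslog)
+disabled = 1
+[monitor:///var/adm]
+whitelist=(\.log$|messages)
+disabled = 1
+[monitor:///etc]
+whitelist=(\.(conf|cfg|ini|init|cf|cnf|profile|rc|rules|tab|login)$|(config|shrc|tab|policy)$|^ifcfg)
+disabled = 1
+### bash history
+[monitor:///root/.bash_history]
+disabled = true
+sourcetype = bash_history
+[monitor:///home/*/.bash_history]
+disabled = true
+sourcetype = bash_history
+##### Added for ES support
+# Note that because the UNIX app uses a single script to retrieve information
+# from multiple OS flavors, and is intended to run on Universal Forwarders,
+# it is not possible to differentiate between OS flavors by assigning
+# different sourcetypes for each OS flavor (e.g. Linux:SSHDConfig), as was
+# the practice in the older deployment-apps included with ES. Instead,
+# sourcetypes are prefixed with the generic "Unix".
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/openPortsEnhanced.sh]
+disabled = true
+interval = 3600
+source = Unix:ListeningPorts
+sourcetype = Unix:ListeningPorts
+[script://./bin/passwd.sh]
+disabled = true
+interval = 3600
+source = Unix:UserAccounts
+sourcetype = Unix:UserAccounts
+# Only applicable to Linux
+[script://./bin/selinuxChecker.sh]
+disabled = true
+interval = 3600
+source = Linux:SELinuxConfig
+sourcetype = Linux:SELinuxConfig
+# Currently only supports SunOS, Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/service.sh]
+disabled = true
+interval = 3600
+source = Unix:Service
+sourcetype = Unix:Service
+# Currently only supports SunOS, Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/sshdChecker.sh]
+disabled = true
+interval = 3600
+source = Unix:SSHDConfig
+sourcetype = Unix:SSHDConfig
+# Currently only supports Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/update.sh]
+disabled = true
+interval = 86400
+source = Unix:Update
+sourcetype = Unix:Update
+[script://./bin/uptime.sh]
+disabled = true
+interval = 86400
+source = Unix:Uptime
+sourcetype = Unix:Uptime
+[script://./bin/version.sh]
+disabled = true
+interval = 86400
+source = Unix:Version
+sourcetype = Unix:Version
+# This script may need to be modified to point to the VSFTPD configuration file.
+[script://./bin/vsftpdChecker.sh]
+disabled = true
+interval = 86400
+source = Unix:VSFTPDConfig
+sourcetype = Unix:VSFTPDConfig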
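Review bot: The `[monitor:///root/.bash_history]` and `[monitor:///home/*/.bash_history]` stanzas forward every command line a user types, which routinely includes passwords, tokens and connection strings passed as arguments, and nothing in this file masks or restricts that data once the stanzas are enabled. They are shipped disabled, which is right, but the `### bash history` comment should warn whoever enables them: `# WARNING: shell history frequently contains credentials passed on the command line; restrict the target index and add SEDCMD masking in props.conf before enabling`. The same caveat applies more weakly to the `[monitor:///etc]` whitelist, whose `.cnf` and `.conf` matches may pick up service configuration that embeds passwords or SNMP community strings. Separately, the first block of stanzas writes `disabled = 1` while the later ones write `disabled = true`; Splunk accepts both, but one spelling throughout is easier to grep and diff.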

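--- /dev/null
+++ b/default/macros.conf
@@ -0,0 +1,7 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[nix-netmon-hosts-search]
+definition = eventtype=netstat | stats count by host | sort +host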

788
default/props.conf Normal file

@ -0,0 +1,788 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
#####################
## Configuration Logs
#####################
[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file
CHECK_METHOD = modtime
[config_file]
LINE_BREAKER = ^((?!))$
TRUNCATE = 1000000
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false
LEARN_SOURCETYPE = false
#####################
## DHCP
#####################
[source::....dhcpd]
sourcetype = dhcpd
[dhcpd]
KV_MODE = none
SHOULD_LINEMERGE = false
# For Load Balancing on UF
EVENT_BREAKER_ENABLE = true
pulldown_type = true
category = Network & Security
description = DHCP Server system events
REPORT-dhcp_discover_extract = dhcp_discover_extract
REPORT-dhcp_offer_extract = dhcp_offer_extract
REPORT-dhcp_request_extract = dhcp_request_extract
REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
REPORT-dhcp_decline_extract = dhcp_decline_extract
REPORT-dhcp_release_extract = dhcp_release_extract
REPORT-dhcp_inform_extract = dhcp_inform_extract
REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
REPORT-bind_update_fail_extract = bind_update_fail_extract
REPORT-dhcp_block_action = dhcp_block_action
REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
REPORT-dhcp_reuse_lease = dhcp_reuse_lease
EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"^(:?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
FIELDALIAS-signature = dhcp_type as signature
FIELDALIAS-src_nt_host = src_host as src_nt_host
FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
#########################
## Scripted Metric Inputs
#########################
[vmstat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
[cpu_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-cpu-metric-dimensions=eval_dimensions
TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu
[df_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = TSV
TRANSFORMS-df-metrics=extract_df_metrics
TRANSFORMS-df-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df
[interfaces_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces
[iostat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
TRANSFORMS-iostat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat
[ps_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-ps-metric-dimensions=eval_dimensions
TRANSFORMS-ps-metric-field=extract_ps_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
#########################
## Scripted Event Inputs
#########################
[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
EVAL-CPU = coalesce(cpu,CPU)
EVAL-cpu = coalesce(cpu,CPU)
EVAL-cpu_instance = coalesce(cpu,CPU)
EVAL-pctIdle = coalesce(id,pctIdle)
EVAL-PercentIdleTime = coalesce(id,pctIdle)
EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
EVAL-pctNice = coalesce(pctNice,"0")
EVAL-PercentNiceTime = coalesce(pctNice,"0")
EVAL-pctUser = coalesce(us,pctUser)
EVAL-PercentUserTime = coalesce(us,pctUser)
EVAL-cpu_user_percent = coalesce(us,pctUser)
EVAL-pctSystem = coalesce(sy,pctSystem)
EVAL-PercentSystemTime = coalesce(sy,pctSystem)
EVAL-pctIowait = coalesce(wa,pctIowait)
EVAL-PercentWaitTime = coalesce(wa,pctIowait)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_df = host as dest
FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
FIELDALIAS-mount_for_df = MountedOn AS mount
EVAL-Type = coalesce('Type',"?")
EVAL-filesystem_type = coalesce('Type',"?")
EVAL-Size = coalesce('Size','1024_blocks')
EVAL-INodes = coalesce('INodes','Inodes')
EVAL-IUsePct = coalesce('IUsePct','IUse_')
EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
EVAL-Avail = coalesce('Avail', 'Available')
EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
## Legacy fields
# Note we don't elimininate one layer of indirection here by
# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
# which was previously used.
EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
[hardware]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P<RealMemory>[^\s]*)[ ]?
EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P<SwapMemory>[^\s]*)[ ]?
EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P<Unit>\w+)?
EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P<cpu_cores>[^ \n]*)?
EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P<cpu_type>[^\n]*)?
EXTRACT-cpu_freq = (?<cpu_freq>[^\s]+)(?<cpu_freq_unit>[G|M]Hz)
EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[interfaces]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
EVAL-enabled = "true"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
FIELDALIAS-interface = Name as interface
FIELDALIAS-mac = MAC as mac
[iostat]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# coalesce command is used to normalizes field names with the same value and for backward compatibility
EVAL-mount = coalesce(Device, Device_, device, "?")
EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
EVAL-Device = coalesce(Device, Device_, device, "?")
EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
[source::...(nfsiostat)]
sourcetype = nfsiostat
HEADER_MODE = always
SHOULD_LINEMERGE = false
[nfsiostat]
DATETIME_CONFIG = CURRENT
KV_MODE = multi
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
FIELDALIAS-mount = Mount as mount
FIELDALIAS-read_latency = r_avg_exe as read_latency
FIELDALIAS-write_latency = w_avg_exe as write_latency
FIELDALIAS-read_ops = r_op_s as read_ops
FIELDALIAS-write_ops = w_op_s as write_ops
EVAL-total_ops = read_ops + write_ops
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[lastlog]
## Override system/default lastlog sourcetype invalidation
invalid_cause =
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[lsof]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[netstat]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
FIELDALIAS-transport=Proto as transport
FIELDALIAS-state=State as state
EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
EVAL-vendor_product = "nix"
[bandwidth]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-bytes=(rxKB_PS+txKB_PS)*1024
EVAL-bytes_in=rxKB_PS*1024
EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
EVAL-bytes_out=txKB_PS*1024
EVAL-packets=rxPackets_PS+txPackets_PS
FIELDALIAS-packets_in=rxPackets_PS as packets_in
FIELDALIAS-packets_out=txPackets_PS as packets_out
[openPorts]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
FIELDALIAS-dest_for_open_ports_sh = host AS dest
FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
EVAL-transport_dest_port = Proto + "/" + Port
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# extraction for sourcetype unix:listeningports
[Unix:ListeningPorts]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
[package]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[protocol]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[ps]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-pctCPU = coalesce(CPU, pctCPU)
EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
FIELDALIAS-dest_for_ps = host as dest
FIELDALIAS-src_for_ps = host as src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
EVAL-pctMEM = coalesce(MEM, pctMEM)
EVAL-PercentMemory = coalesce(MEM, pctMEM)
EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
EVAL-rss = coalesce(RSS, RSZ_KB)
EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
EVAL-vsz = coalesce(VSZ, VSZ_KB)
EVAL-TTY = coalesce(TTY, TT)
EVAL-tty = coalesce(TTY, TT)
EVAL-S = coalesce(S, STAT)
EVAL-stat = coalesce(S, STAT)
FIELDALIAS-user_for_ps = USER AS user
# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
EVAL-CPUTIME = coalesce(TIME, CPUTIME)
# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
# Incorporating CIM review changes
EVAL-action = "allowed"
EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")
[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[usersWithLoginPrivs]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[vmstat]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
FIELDALIAS-dest_for_vmstat = host as dest
EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
FIELDALIAS-system_threads_count = threads as system_threads_count
FIELDALIAS-src_for_vmstat = host as src
FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
FIELDALIAS-swap_percent = swapUsedPct as swap_percent
## Legacy fields
FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756
FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
##Memoey Paging per second fields
FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out
[Unix:UserAccounts]
EVAL-description = "/etc/passwd file"
EVAL-enabled = "yes"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-dest = host as dest
#####################
## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Global ######
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
## support for linux only
[Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
[linux_audit]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650
REPORT-command = command_for_linux_audit
EVAL-status = if('res'=="failed","failure",'res')
FIELDALIAS-object = id as object
FIELDALIAS-dvc = hostname as dvc
FIELDALIAS-dest = hostname as dest
FIELDALIAS-object_id = id as object_id
EVAL-op = if(op=="PAM:authentication", res, op)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
EVAL-app = "nix"
EVAL-change_type = "AAA"
EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')
[source::...Unix:Service]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVAL-service = coalesce(UNIT, app)
EVAL-service_name = coalesce(UNIT, app)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
FIELDALIAS-status_for_solaris_service = State as status
FIELDALIAS-dest = host as dest
# extraction for sourcetype Unix:Service
[Unix:Service]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
# Incorporating CIM review changes
EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")
## no windows application at this time
[source::*:SSHDConfig]
EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null())
###### Update ######
[source::...Unix:Update]
EVENT_BREAKER_ENABLE = true
FIELDALIAS-signature_for_update = package as signature
LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status
###### Uptime ######
[source::...Unix:Uptime]
FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime
FIELDALIAS-dest = host as dest
###### Version ######
[source::...Unix:Version]
SHOULD_LINEMERGE = false
FIELDALIAS-family_for_nix_version = os_name as family
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-version_for_nix_version = os_release as version
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
FIELDALIAS-dest_for_nix_version = host as dest
###### VSFTPD Config ######
## no windows application at this time
[source::*:VSFTPDConfig]
EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead."
#####################
## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
#####################
## System Logs
#####################
###### Global ######
[source::....nix]
sourcetype = linux_secure
[source::/etc/passwd*]
sourcetype = ignored_type
[source::/etc/shadow*]
sourcetype = ignored_type
## Custom Sourcetype
#[source::....<your_sourcetype>]
#sourcetype = <your_sourcetype>
#[<your_sourcetype>]
### Event extractions by type
#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
#EVAL-action = if(app="su" AND isnull(action),"success",action)
#REPORT-account_management_for_your_sourcetype = useradd, userdel
#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
#REPORT-routing_for_your_sourcetype = iptables
#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
#REPORT-dest_for_your_sourcetype = host_as_dest
#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
#REPORT-pid-process_for_your_sourcetype = syslog-extractions
#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src
###### AIX Sourcetype ######
[source::....aix_secure]
sourcetype = aix_secure
[aix_secure]
EVENT_BREAKER_ENABLE = true
REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_aix_secure = loghost_as_dest
FIELDALIAS-dvc = dest as dvc
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src
###### OSX Security ######
[source::....osx_secure]
sourcetype = osx_secure
[osx_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_osx_secure = host_as_dest
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src
###### Linux Security ######
[source::....linux_secure]
sourcetype = linux_secure
[linux_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
FIELDALIAS-dvc = dest as dvc
EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
FIELDALIAS-user_name = user as user_name
EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
###### Syslog ######
[source::....syslog]
sourcetype = syslog
[syslog]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
REPORT-dest_for_syslog = host_as_dest
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
FIELDALIAS-dvc = dest as dvc
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
###### bash history ######
[bash_history]
SHOULD_LINEMERGE=FALSE
EVENT_BREAKER_ENABLE = true
DATETIME_CONFIG=CURRENT
REPORT-bhist=bash_user,bash_user_root
FIELDALIAS-bhist=_raw AS bash_command
FIELDALIAS-dest_for_history = host as dest
###### auditd ######
[auditd]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
MAX_DAYS_AGO=3650

9
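--- a/default/restmap.conf
+++ b/default/restmap.conf
@@ -0,0 +1,9 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[script:setup]
+python.version = python3
+match=/SetupService
+handler=setupservice.SetupService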
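Review bot: The `[script:setup]` stanza leaves access control to restmap.conf defaults: `requireAuthentication` defaults to true, but no `capability` / `capability.post` is set, so any authenticated role can call `/SetupService` and whatever `setupservice.SetupService` does on its behalf. If the handler persists add-on configuration (its code is outside this section, so this is inferred from the endpoint name), pin the stanza with `capability.post = admin_all_objects`, or the narrower capability the handler actually needs, and record the intent in a comment above it. A style nit: the three key lines mix `python.version = python3` with `match=/SetupService` and `handler=setupservice.SetupService`; pick one spacing for the stanza.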

851
default/tags.conf Normal file

@ -0,0 +1,851 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
[eventtype=nix_security]
os = enabled
unix = enabled
[eventtype=nix_errors]
error = enabled
[eventtype=interfaces]
inventory = enabled
network = enabled
###### DHCP ######
[eventtype=dhcpd_server]
dhcp = enabled
network = enabled
session = enabled
unix = enabled
[eventtype=dhcpd_start]
start = enabled
[eventtype=dhcpd_unable_unexpected]
error = enabled
[eventtype=dhcpd_server_dhcprelease]
end = enabled
###### Scripted Inputs ######
[eventtype=cpu]
os = enabled
resource = enabled
report = enabled
unix = enabled
cpu = enabled
avail = enabled
performance = enabled
oshost = enabled
[eventtype=cpu_anomalous]
anomalous = enabled
[eventtype=df]
df = enabled
host = enabled
check = enabled
success = enabled
storage = enabled
performance = enabled
oshost = enabled
[eventtype=iostat]
report = enabled
resource = enabled
iostat = enabled
performance = enabled
cpu = enabled
storage = enabled
success = enabled
oshost = enabled
[eventtype=nfsiostat]
storage = enabled
performance = enabled
[eventtype=lsof]
report = enabled
lsof = enabled
resource = enabled
file = enabled
success = enabled
[eventtype=netstat]
report = enabled
netstat = enabled
os = enabled
cpu = enabled
success = enabled
listening = enabled
port = enabled
[eventtype=ps]
performance = enabled
cpu = enabled
success = enabled
ps = enabled
oshost = enabled
process = enabled
[eventtype=top]
top = enabled
os = enabled
success = enabled
process = enabled
[eventtype=time]
report = enabled
os = enabled
success = enabled
time = enabled
[eventtype=vmstat]
report = enabled
vmstat = enabled
resource = enabled
success = enabled
cpu = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=bandwidth]
network = enabled
resource = enabled
success = enabled
performance = enabled
oshost = enabled
[eventtype=hardware]
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
# For ESS:
os = enabled
avail = enabled
unix = enabled
###### System Logs ######
#### Account Management
[eventtype=useradd]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=useradd-suse]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=userdel]
account = enabled
management = enabled
delete = enabled
change = enabled
[eventtype=groupadd]
management = enabled
add = enabled
change = enabled
[eventtype=groupadd-suse]
management = enabled
add = enabled
change = enabled
account = enabled
[eventtype=groupdel]
management = enabled
delete = enabled
change = enabled
[eventtype=linux-password-change]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
[eventtype=linux-password-change-failed]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
#### acpi
[eventtype=nix_acpi]
os = enabled
unix = enabled
power = enabled
#### agpgart
[eventtype=nix_agpgart]
os = enabled
unix = enabled
graphics = enabled
#### apm
[eventtype=nix_apm]
os = enabled
unix = enabled
power = enabled
#### auditd
[eventtype=auditd]
os = enabled
unix = enabled
resource = enabled
file = enabled
[eventtype=auditd_modify]
modify = enabled
#### Authentication
## ksu
[eventtype=ksu_authentication]
authentication = enabled
[app=ksu]
local = enabled
privileged = enabled
[app=ksudo]
local = enabled
privileged = enabled
## login
[eventtype=login_authentication]
authentication = enabled
## pam
[eventtype=pam_unix_authentication]
authentication = enabled
## passwd
[eventtype=passwd-auth-failure]
application = enabled
authentication = enabled
## rlogin
[eventtype=rlogin_too_many_failures]
application = enabled
attack = enabled
watchlist = enabled
[eventtype=remote_login_failure]
application = enabled
authentication = enabled
remote = enabled
[eventtype=remote_login_allowed]
application = enabled
authentication = enabled
remote = enabled
## sshd
[eventtype=sshd_authentication]
authentication = enabled
remote = enabled
[eventtype=ssh_open]
communicate = enabled
connect = enabled
[eventtype=ssh_close]
access = enabled
stop = enabled
logoff = enabled
[eventtype=ssh_disconnect]
access = enabled
stop = enabled
logoff = enabled
[eventtype=failed_login]
authentication = enabled
[eventtype=Failed_SU]
authentication = enabled
## su
[eventtype=su_authentication]
authentication = enabled
[app=su]
local = enabled
privileged = enabled
[app=sudo]
local = enabled
privileged = enabled
[eventtype=su_failed]
authentication = enabled
[eventtype=su_session]
session = enabled
[eventtype=su_root_session]
session = enabled
privileged = enabled
## Telnet
[app=wksh]
cleartext = enabled
#### automount
[eventtype=nix_automount]
os = enabled
unix = enabled
#### Config
[eventtype=nix_config_change]
os = enabled
unix = enabled
host = enabled
configuration = enabled
modify = enabled
#### Console
[eventtype=nix_console]
os = enabled
unix = enabled
#### cron
[eventtype=nix_cron]
os = enabled
unix = enabled
#### CUPS
[eventtype=nix_cups_access]
os = enabled
unix = enabled
access = enabled
printer = enabled
[eventtype=nix_cups_error]
os = enabled
unix = enabled
printer = enabled
[eventtype=nix_cups_page]
os = enabled
unix = enabled
printer = enabled
#### dhclient
[eventtype=nix_dhclient]
os = enabled
unix = enabled
#### DMA
[eventtype=nix_dma]
os = enabled
unix = enabled
memory = enabled
access = enabled
#### Firewall
[eventtype=iptables_firewall_accept]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
success = enabled
[eventtype=iptables_firewall_deny]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
failure = enabled
#### FTP
[eventtype=nix_ftp_xferlog]
os = enabled
unix = enabled
ftp = enabled
transfer = enabled
[eventtype=nix_ncftpd_logins]
os = enabled
unix = enabled
ftp = enabled
authentication = enabled
#### Fingerprinting
[eventtype=nix_fingerprinting]
os = enabled
unix = enabled
#### gconfd
[eventtype=nix_gconfd]
os = enabled
unix = enabled
[eventtype=nix_gconfd_error]
error = enabled
[eventtype=nix_gconfd_exiting]
stop = enabled
[eventtype=nix_gconfd_starting]
start = enabled
## gdm
[eventtype=nix_gdm]
os = enabled
unix = enabled
#### gpm
[eventtype=nix_gpm]
os = enabled
unix = enabled
#### FreeBSD
[eventtype=freebsd_refresh_na_answer]
os = enabled
unix = enabled
[eventtype=freebsd_refresh_retry_exceeded]
os = enabled
unix = enabled
#### hald
[eventtype=nix_hald]
os = enabled
unix = enabled
#### hpiod
[eventtype=hpiod_Linux_syslog]
os = enabled
unix = enabled
#### kernel
[eventtype=nix_kernel_attached]
os = enabled
unix = enabled
kernel = enabled
#### kill
[eventtype=nix_process_kill]
os = enabled
unix = enabled
process = enabled
stop = enabled
#### mDNSResponder
[eventtype=nix_mDNSResponder]
os = enabled
unix = enabled
dns = enabled
#### named
[eventtype=nix_named1]
os = enabled
unix = enabled
dns = enabled
[eventtype=nix_named2]
os = enabled
unix = enabled
dns = enabled
#### OSX
[eventtype=osx_crash_log]
os = enabled
unix = enabled
error = enabled
#### Netlabel
[eventtype=nix_netlabel]
os = enabled
unix = enabled
kernel = enabled
#### PCI
[eventtype=nix_pci]
os = enabled
unix = enabled
#### Plug-n-play
[eventtype=nix_pnp]
os = enabled
unix = enabled
#### POP3
[eventtype=nix_popper]
os = enabled
unix = enabled
mail = enabled
#### postfix
[eventtype=nix_postfix]
os = enabled
unix = enabled
#### Prelink
[eventtype=nix_prelink]
os = enabled
unix = enabled
#### RPC
[eventtype=nix_rpc_statd]
os = enabled
unix = enabled
#### RPM
[eventtype=nix_rpm]
os = enabled
unix = enabled
update = enabled
#### Runlevel
[eventtype=nix_runlevel_change]
os = enabled
unix = enabled
configuration = enabled
modify = enabled
#### SNMPD
[eventtype=snmpd]
os = enabled
unix = enabled
snmp = enabled
[eventtype=snmpd_failure]
failure = enabled
#### scrollkeeper
[eventtype=nix_scrollkeeper]
os = enabled
unix = enabled
## Shutdown
[eventtype=nix_halt]
os = enabled
unix = enabled
stop = enabled
[eventtype=nix_restart]
os = enabled
unix = enabled
stop = enabled
#### smartd
[eventtype=nix_smartd]
os = enabled
unix = enabled
#### Time
[eventtype=nix_timesync]
report = enabled
time = enabled
synchronize = enabled
success = enabled
os = enabled
performance = enabled
[eventtype=nix_timesync_failure]
report = enabled
time = enabled
synchronize = enabled
failure = enabled
os = enabled
performance = enabled
#### Update
[eventtype=nix_yum_update]
report = enabled
update = enabled
success = enabled
#### udevd
[eventtype=nix_udevd]
os = enabled
unix = enabled
kernel = enabled
#### USB
[eventtype=nix_usb]
os = enabled
unix = enabled
usb = enabled
#### userhelper
[eventtype=nix_userhelper]
os = enabled
unix = enabled
#### Open ports
[eventtype=openPorts]
unix = enabled
report = enabled
os = enabled
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
[eventtype=aix_scripted_input]
check = enabled
report = enabled
[eventtype=hpux_scripted_input]
check = enabled
report = enabled
[eventtype=linux_scripted_input]
check = enabled
report = enabled
[eventtype=osx_scripted_input]
check = enabled
report = enabled
[eventtype=solaris_scripted_input]
check = enabled
report = enabled
[eventtype=unix_scripted_input]
check = enabled
report = enabled
## CPUTime
[eventtype=cputime]
os = enabled
avail = enabled
cpu = enabled
performance = enabled
oshost = enabled
[eventtype=cputime_anomalous]
anomalous = enabled
## Disk
[eventtype=freediskspace]
os = enabled
avail = enabled
disk = enabled
performance = enabled
oshost = enabled
storage = enabled
[eventtype=freediskspace_anomalous]
anomalous = enabled
## Listening Ports
[eventtype=listeningports]
os = enabled
config = enabled
report = enabled
## Local Processes
[eventtype=localprocesses_anomalous]
anomalous = enabled
## Memory
[eventtype=memory]
os = enabled
avail = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=memory_anomalous]
anomalous = enabled
## SELinux Config
[eventtype=selinuxconfig]
application = enabled
config = enabled
selinux = enabled
[selinux=disabled]
insecure = enabled
## Service
[eventtype=service]
os = enabled
config = enabled
service = enabled
report = enabled
[eventtype=service_runlevel_anomalous]
anomalous = enabled
[app=ntpd]
time = enabled
synchronize = enabled
[app=%2Fnetwork%2Fntp%3Adefault]
time = enabled
synchronize = enabled
[app=yum-updatesd]
automatic = enabled
update = enabled
## SSHD Config
[eventtype=sshdconfig]
application = enabled
config = enabled
ssh = enabled
[eventtype=sshd_insecure]
insecure = enabled
## Update
[eventtype=update]
os = enabled
info = enabled
system = enabled
update = enabled
[eventtype=update_status]
status = enabled
## Uptime
[eventtype=uptime]
os = enabled
info = enabled
report = enabled
uptime = enabled
performance = enabled
[eventtype=uptime_anomalous]
anomalous = enabled
## User Accounts
[eventtype=useraccounts]
os = disabled
config = enabled
user = enabled
inventory = enabled
[eventtype=useraccounts_anomalous]
anomalous = enabled
[shell=%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fbin%2Fsh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfksh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfsh]
interactive = enabled
## Version
[eventtype=nix_version]
os = enabled
info = enabled
report = enabled
system = enabled
version = enabled
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
## VSFTDP Config
[eventtype=vsftpd_config]
application = enabled
config = enabled
ftp = enabled
cleartext = enabled
[eventtype=vsftpd_config_anonymous]
anonymous = enabled
###### END CONTENT IMPORTED FROM TA-deploymentapps ######
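Review bot: `os = disabled` under `[eventtype=useraccounts]` is the only `disabled` assignment in the whole file, and nothing records why this one legacy eventtype is kept out of the `os` tag while the neighbouring `[eventtype=update]`, `[eventtype=uptime]` and `[eventtype=nix_version]` stanzas set `os = enabled`; a comment above the line, `# os intentionally disabled for useraccounts: <reason>`, would stop the next maintainer "fixing" it to enabled. Separately, `[eventtype=Failed_SU]` is the only mixed-case eventtype stanza in the file; tag stanzas are keyed on the literal field value, so if eventtypes.conf (outside this section) defines the eventtype as `failed_su` this stanza likely never matches and the `authentication` tag is lost for those events. The `## VSFTDP Config` comment above `[eventtype=vsftpd_config]` transposes the letters of VSFTPD.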

531
default/transforms.conf Normal file

@ -0,0 +1,531 @@
##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
## Lookups
[nix_action_lookup]
filename = nix_vendor_actions.csv
case_sensitive_match = false
## Aliases
[host_as_dest]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = dest::"$1"
[host_as_src]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = src::"$1"
[src_dns_as_src]
SOURCE_KEY = src_dns
REGEX = (.+)
FORMAT = src::"$1"
[src_ip_as_src]
SOURCE_KEY = src_ip
REGEX = (.+)
FORMAT = src::"$1"
[dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
[dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
[dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
###### DHCP ######
[dhcp_prefix_dest]
#when dhcp server is the dest, extract the dest and process fields
#format as below (fields are within the angle brackets):
#<dest> <dest_host>[process_id]|<process>:
REGEX=\s+(?<dest>\S+)\s+(?:(?<dest_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_prefix_src]
#when dhcp server is the src, extract the src and process fields
#format as below (fields are within the angle brackets):
#<src> <src_host>[process_id]|<process>:
REGEX=\s+(?<src>\S+)\s+(?:(?<src_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_mac_hostname_for_dest]
#extract mac address and hostname for dest
#format as below (fields are within the angle brackets):
#<dest_mac> (<dest_host>)
#Note: dest_host may not exist
REGEX=\s+(?<dest_mac>\S+)\s+(?:\((?<dest_host>[^)]+)\)\s+)?
[dhcp_mac_hostname_for_src]
#extract mac address and hostname for src
#format as below (fields are within the angle brackets):
#<src_mac> (<src_host>)
#Note: src_host may not exist
REGEX=\s+(?<mac_address>\S+)\s+(?:\((?<src_host>[^)]+)\)\s+)?
[dhcp_relay]
#extract relay field
REGEX = (?<relay>[^\s:\\]+)
[dhcp_block_action]
#extract blocked actions
REGEX = (?<block_action>(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map))
[dhcp_discover_extract]
# for event of DHCPDISCOVER, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDISCOVER from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_offer_extract]
# for event of DHCPOFFER, format as below (fields are within the angle brackets):
# <src> <process>: DHCPOFFER on <dest_ip> to <dest_mac> (<dest_host>) via <relay>
# Note: dest_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPOFFER)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_request_extract]
# for event of DHCPREQUEST, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPREQUEST for <src> (<server_ip>) from <src_mac> (<src_host>) via <relay> uid <uuid>
# Note: server_ip, src_host, uuid may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPREQUEST)\s+for\s+(?<src>\S+)\s+(?:\((?<server_ip>[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?<uuid>[^\s]+))?
[dhcp_ack_nak_extract_0]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK on <dest_ip> to <dest_mac> (<dest_host>) via (<relay>) relay <relay_ip> lease-duration <lease_duration> uid <uuid>
# Note: dest_host, relay_ip, lease_duration, uuid may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?<relay_ip>\S+)\s+lease-duration\s+(?<lease_duration>\S+)\s+.*uid\s+(?<uuid>\S+))?
[dhcp_ack_nak_extract_1]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK to <dest_ip> (<dest_mac>) via <relay>
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+to\s+(?<dest_ip>\S+)\s+\((?<dest_mac>[^)]+)\)\s+via\s+[[dhcp_relay]]
[dhcp_decline_extract]
# for event of DHCPDECLINE, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDECLINE of <src> from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDECLINE)\s+of\s+(?<src>\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_release_extract]
# for event of DHCPRELEASE, format as below (fields are within the angle brackets):
# <src> <process>: DHCPRELEASE of <dest> from <dest_mac> (<dest_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPRELEASE)\s+of\s+(?<dest>\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_inform_extract]
# for event of DHCPINFORM, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPINFORM from <src> via <relay>
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPINFORM)\s+from\s+(?<src>\S+)\s+via\s+[[dhcp_relay]]
[dhcp_unable_to_add_forward_map_extract]
# for event of unable to add forward map, format as below (fields are within the angle brackets):
# <src> <process>: Unable to add forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_add_new_forward_map_extract]
# for event of add new forward map, format as below (fields are within the angle brackets):
# <src> <process>: Added new forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_added_reverse_map_extract]
# for event of add reverse map, format as below (fields are within the angle brackets):
# <dest> <process>: [aA]dded reverse map from <src_ptr> to <src>
REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?<src_ptr>\S+)\s+to\s+(?<src>\S+)
[dhcp_abandon_ip_extract]
# for event of Abandon IP address, format as below (fields are within the angle brackets):
# <src> <process>: Abandoning IP address <dest_ip>
REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?<dest_ip>[^\s:]+)
[dhcp_lease_duplicate_extract]
# for event of lease duplicate, format as below (fields are within the angle brackets):
# <server> <process>: uid lease <dest_ip> for client <dest_mac> is duplicate on <src>
REGEX=\s+(?<server>\S+)\s+(?<server_process>[^\s:]+):\s+uid\s+lease\s+(?<dest_ip>\S+)\s+for\s+client\s+(?<dest_mac>\S+)\s+is\s+duplicate\s+on\s+(?<src>\S+)/
[bind_update_fail_extract]
# for event of bind update reject, format as below (fields are within the angle brackets):
# <dest> <process>: bind update on <src> from <failover_peer> rejected
REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?<src>\S+)\s+from\s+(?<failover_peer>\S+)\s+rejected.*
[dhcp_icmp_echo_reply]
REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?<dest>\S+)
[dhcp_reuse_lease]
REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?<dest>[^$]+)
###### Scripted Metric Inputs ######
[eval_dimensions]
# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
[extract_df_metrics]
INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
[metric-schema:extract_metrics_interfaces]
METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped
METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address
# added extract_iostat_metrics_field for backward compatibility
[extract_iostat_metrics_field]
INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null())
[extract_ps_metric_field]
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
[metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_vmstat]
METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_df]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
[metric-schema:extract_metrics_cpu]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_ps]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
###### Scripted Event Inputs ######
[vmstat_osx]
REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.)
FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6
#procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
# r b swpd free inact active si so bi bo in cs us sy id wa
# 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0
[vmstat_linux]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16
#memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
# 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0
[fields_for_vmstat_sh]
REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18"
###### System Logs ######
# General
[loghost_as_dest]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]*
FORMAT = dest::$1
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6
[userdel]
REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+).
FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success"
[userdel-grp]
REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\'
FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4
[groupdel]
REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)?
FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3
[groupadd]
REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success"
[groupadd-suse]
REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))?
FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4
## password change
[pam-passwd-ok]
REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+)
FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2
[passwd-change-fail]
REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))?
FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4
[command_for_linux_audit]
REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1
## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
[ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
# Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX
# Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com
[failed_login1]
REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+)
FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login"
# Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0)
# Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark
# Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX
[ssh-session-close]
REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?: by \(uid=(\d+)\))?(?: by ((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
[ssh-disconnect]
REGEX = (Received disconnect) from ([^\s]+):
FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4"
[sshd_authentication_refused]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[sshd_authentication_tried]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5"
[sshd_login_restricted]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[pam_unix_authentication_failure]
REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)?
FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
[pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
[passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
[sudo_cannot_identify]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+)
FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password"
[remote_login_allowed]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed"
[remote_login_failure]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed"
[failed-su]
REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+)
FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other"
[bad-su]
REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid"
[bad-su2]
REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU"
[ksu_authentication]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+)
FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4
[ksu_authorization]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful)
FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4
[login_authentication]
REGEX = (login)\:.*(failure).*from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\,\s+(\S+))?
FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure"
[su_simple]
REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+)
FORMAT = app::"nix" src_user::$1 user::$2 action::"success"
[su_authentication]
REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+)
FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3
[su_successful]
REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+)
FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3
[wksh_authentication]
REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+)
FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4
[ftpd_authentication]
REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))\]\,\s+(.*)
FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5"
## Firewall
[ipfw]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? (in|out) via ([^\s]+)
FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9
[ipfw-stealth]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? from \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)?
FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6
[ipfw-icmp]
#REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s*
REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP|ICMPv6):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*)
FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8
[pf]
REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)? [<>] \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)?: (?:.*)
FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8
## Routing
# Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
[iptables]
REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) DST=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)).*PROTO=(\w+) SPT=(\w+) DPT=(\w+)
FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8
## bash
[bash_user]
SOURCE_KEY=source
REGEX=^\/home\/([^\/]+)\/
FORMAT=user_name::$1
[bash_user_root]
SOURCE_KEY=source
REGEX=^\/(root)\/
FORMAT=user_name::$1
## Time synchronization
[signature_for_nix_timesync]
REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable))
FORMAT = signature::$1
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service
[nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv
## Update
[nix_da_update_status_lookup]
filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version
[nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ######

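--- a/default/web.conf
+++ b/default/web.conf
@@ -0,0 +1,8 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[expose:setup]
+pattern=SetupService
+methods=GET,POST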
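Review bot: The `[expose:setup]` stanza has no comment saying which splunkd REST handler `SetupService` resolves to or why `POST` must be proxied through splunkweb, so a later reviewer cannot tell from this file what write path is being opened. A web.conf `expose` stanza only controls which endpoint patterns and methods splunkweb forwards to splunkd; any authorization for the POST side (capability or role checks) presumably lives in the matching restmap.conf handler, which is not part of this section, so I would confirm that handler restricts who may POST before relying on this exposure. I would document that contract above the stanza: `## Forward GET/POST for the SetupService endpoint to splunkd (handler defined in restmap.conf); authorization is enforced by that handler, not by this exposure.`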