Import Splunk Add-On for Unix and Linux version 9.2.0

2024-12-24 23:51:57 -05:00 · 2024-12-24 23:51:57 -05:00 · 92ac2630a1
commit 92ac2630a1
77 changed files with 11487 additions and 0 deletions
--- a/default/eventtypes.conf
+++ b/default/eventtypes.conf
@ -0,0 +1,722 @@
+##
+## SPDX-FileCopyrightText: 2024 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[nix_ta_custom_eventtype]
+search = NOT *
+
+[nix_ta_data]
+search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
+
+###### Globals ######
+[nix_security]
+search = sourcetype="*_secure"
+#tags = os unix
+
+[nix_configs]
+search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")
+
+[nix_errors]
+search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
+#tags = error
+
+
+###### DHCP ######
+[dhcpd_server]
+search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
+#tags = dhcp network session unix
+
+[dhcpd_start]
+search = sourcetype=dhcpd signature=DHCPACK
+#tags = start
+
+[dhcpd_unable_unexpected]
+search = sourcetype=dhcpd unable OR unexpected
+#tags = error
+
+[dhcpd_server_dhcpack]
+search = sourcetype=dhcpd DHCPACK
+
+[dhcpd_server_dhcpdiscover]
+search = sourcetype=dhcpd DHCPDISCOVER
+
+[dhcpd_server_dhcpoffer]
+search = sourcetype=dhcpd DHCPOFFER
+
+[dhcpd_server_dhcprelease]
+search = sourcetype=dhcpd DHCPRELEASE
+#tags = end
+
+[dhcpd_server_dhcprequest]
+search = sourcetype=dhcpd DHCPREQUEST
+
+
+###### Scripted Inputs ######
+## CPU stats
+[cpu]
+search = sourcetype=cpu
+#tags = performance os resource report unix cpu
+
+[cpu_anomalous]
+search = sourcetype=cpu PercentSystemTime>90
+#tags = enabled
+
+[df]
+search = sourcetype=df
+#tags = df host check success storage performance
+
+[iostat]
+search = sourcetype=iostat
+
+[nfsiostat]
+search = sourcetype=nfsiostat
+
+[lsof]
+search = sourcetype=lsof
+
+[hardware]
+search = sourcetype=hardware
+
+[interfaces]
+search = sourcetype=interfaces
+# tags = Inventory Network
+
+[lastlog]
+search = sourcetype=lastlog
+
+[netstat]
+search = sourcetype=netstat
+# listening port
+
+[openPorts]
+search = sourcetype=openPorts
+
+[package]
+search = sourcetype=package
+
+[protocol]
+search = sourcetype=protocol
+
+[ps]
+search = sourcetype=ps
+#tags = process oshost success ps cpu performance
+
+[top]
+search = sourcetype=top
+
+[time]
+search = sourcetype=time
+
+[usersWithLoginPrivs]
+search = sourcetype=usersWithLoginPrivs
+
+[vmstat]
+search = sourcetype=vmstat
+#tags = performance os avail unix report vmstat resource success memory
+
+[who]
+search = sourcetype=who
+
+[bandwidth]
+search = sourcetype=bandwidth
+
+
+###### System Logs ######
+
+#### Account Management
+[useradd]
+search = eventtype=nix_ta_data useradd user
+#tags = account management add change
+
+# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
+[useradd-suse]
+search = eventtype=nix_ta_data useradd new account added
+#tags = account management add change
+
+[userdel]
+search = eventtype=nix_ta_data userdel user
+#tags = account management delete change
+
+[groupadd]
+search = eventtype=nix_ta_data groupadd group
+#tags = account management add change
+
+#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
+[groupadd-suse]
+search = eventtype=nix_ta_data useradd account added group
+#tags = account management add change
+
+[groupdel]
+search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
+#tags = account management delete change
+
+[linux-password-change]
+search = eventtype=nix_ta_data process=passwd password changed
+#tags = account management password modify change
+
+#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
+[linux-password-change-failed]
+search = eventtype=nix_ta_data process=passwd password change failed
+#tags = account management password modify change
+
+
+#### acpi
+[nix_acpi]
+search = eventtype=nix_ta_data ACPI:
+#tags = os unix power
+
+
+#### agpgart
+[nix_agpgart]
+search = eventtype=nix_ta_data agpgart:
+#tags = os unix graphics
+
+
+#### apm
+[nix_apm]
+search = eventtype=nix_ta_data apm:
+#tags = os unix power
+
+
+#### auditd
+[auditd]
+search = sourcetype=auditd
+#tags = os unix resource file
+
+[auditd_modify]
+search = source=auditd PATH
+#tags = modify
+
+
+#### Authentication
+
+## ksu
+[ksu_authentication]
+# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
+search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
+#tags = authentication
+
+## login
+[login_authentication]
+search = eventtype=nix_ta_data login: "Login failure on"
+#tags = authentication
+
+## pam
+[pam_unix_authentication]
+search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
+#tags = authentication
+
+## passwd
+#Oct  2 20:45:29 host passwd[15323]: User admin: Authentication failure
+[passwd-auth-failure]
+search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
+#tags = application authentication
+
+## rlogin
+[rlogin_too_many_failures]
+search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
+#tags = application attack watchlist
+
+## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
+[remote_login_failure]
+search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
+#tags = application authentication remote
+
+## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
+[remote_login_allowed]
+search = eventtype=nix_ta_data  "pam_rhosts_auth" AND "allowed to"
+#tags = application authentication remote
+
+## sshd
+[sshd_authentication]
+# osx sshd authentication error
+# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
+# Apr  2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=host
+search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
+#tags = authentication remote
+
+[ssh_login_postponed]
+search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
+# no tags assigned to this eventtype
+
+[ssh_open]
+search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
+#tags = communicate connect
+
+# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
+[ssh_close]
+search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
+#tags = access stop logoff
+
+# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
+[ssh_disconnect]
+search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__"  Bye Received disconnect
+#tags = access stop logoff
+
+[ssh_check_pass]
+search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
+#no tags assigned to this eventtype
+
+## su
+[su_authentication]
+# Example event, from su on CentOS7
+# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'
+
+search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
+#tags = authentication
+
+[su_failed]
+search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
+#tags = authentication
+
+[su_session]
+search = eventtype=nix_ta_data su: session
+#tags = session
+
+[su_root_session]
+search = eventtype=nix_ta_data su: session root
+#tags = session privileged
+
+## Telnet
+[wksh_authentication]
+search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
+# no tags assigned to this eventtype
+
+#### automount
+[nix_automount]
+search = eventtype=nix_ta_data automount punct="::__::_*:_*"
+#tags = os unix
+
+
+#### Config
+[nix_config_change]
+search = eventtype=nix_ta_data Configuration changed
+#tags = os unix host configuration modify
+
+
+#### Console
+[nix_console]
+search = eventtype=nix_ta_data Console:
+#tags = os unix
+
+
+#### cron
+[nix_cron]
+search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
+#tags = os unix
+
+
+#### CUPS
+[nix_cups_access]
+search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
+#tags = os unix access printer
+
+[nix_cups_error]
+search = eventtype=nix_ta_data punct="_[//:::_-]_*"
+#tags = os unix printer
+
+[nix_cups_page]
+search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
+#tags = os unix printer
+
+
+#### dhclient
+[nix_dhclient]
+search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
+#tags = os unix
+
+
+#### DMA
+[nix_dma]
+search = eventtype=nix_ta_data DMA zone:
+#tags = os unix memory access
+
+
+#### Firewall
+# These firewall accept and deny rules are based on iptables logs.  For additional firewalls the user must develop a device add
+# on and tag their events with these tags
+[iptables_firewall_accept]
+search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
+#tags = os unix host firewall communicate success
+
+[iptables_firewall_deny]
+search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
+#tags = os unix host firewall communicate failure
+
+
+#### FTP
+[nix_ftp_xferlog]
+search = eventtype=nix_ta_data punct="___*::___...__///*"
+#tags = os unix ftp transfer
+
+[nix_ncftpd_logins]
+search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
+#tags = os unix ftp authentication
+
+
+#### Fingerprinting
+[nix_fingerprinting]
+search = eventtype=nix_ta_data Client OS detected:
+#tags = os unix
+
+
+#### gconfd
+[nix_gconfd]
+search = eventtype=nix_ta_data gconfd
+#tags = os unix
+
+[nix_gconfd_error]
+search = eventtype=nix_ta_data gconfd Error
+#tags = error
+
+[nix_gconfd_exiting]
+search = eventtype=nix_ta_data gconfd Exiting OR signal
+#tags = stop
+
+[nix_gconfd_resolved_address]
+search = eventtype=nix_ta_data gconfd Resolved address
+
+[nix_gconfd_starting]
+search = eventtype=nix_ta_data gconfd starting
+#tags = start
+
+
+#### gdm
+[nix_gdm]
+search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
+#tags = os unix
+
+
+#### gpm
+[nix_gpm]
+search = eventtype=nix_ta_data gpm  NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
+#tags = os unix
+
+
+#### FreeBSD
+[freebsd_refresh_na_answer]
+search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
+#tags = os unix
+
+[freebsd_refresh_retry_exceeded]
+search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
+#tags = os unix
+
+
+#### hald
+[nix_hald]
+search = eventtype=nix_ta_data hald punct="*__::_*:_*"
+#tags = os unix
+
+
+#### hpiod
+[hpiod_Linux_syslog]
+search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
+#tags = os unix
+
+
+#### kernel
+[nix_kernel_attached]
+search = eventtype=nix_ta_data kernel
+#tags = os unix kernel
+
+
+#### kill
+[nix_process_kill]
+search = eventtype=nix_ta_data exiting signal 15
+#tags = os unix process stop
+
+
+#### mDNSResponder
+[nix_mDNSResponder]
+search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
+#tags = os unix dns
+
+
+#### named
+[nix_named1]
+search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
+#tags = os unix dns
+
+[nix_named2]
+search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
+#tags = os unix dns
+
+
+#### OSX Crash Log
+[osx_crash_log]
+search = eventtype=nix_ta_data Host Name Date/Time
+#tags = os unix error
+
+
+#### Netlabel
+[nix_netlabel]
+search = eventtype=nix_ta_data NetLabel:
+#tags = os unix kernel
+
+
+#### PCI
+[nix_pci]
+search = eventtype=nix_ta_data PCI: NOT BIOS
+#tags = os unix
+
+
+#### Plug-n-play
+[nix_pnp]
+search = eventtype=nix_ta_data pnp:
+#tags = os unix
+
+
+#### POP3
+[nix_popper]
+search = eventtype=nix_ta_data popper
+#tags = os unix mail
+
+
+#### postfix
+[nix_postfix]
+search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
+#tags = os unix
+
+
+#### Prelink
+[nix_prelink]
+search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
+#tags = os unix
+
+
+#### RPC
+[nix_rpc_statd]
+search = eventtype=nix_ta_data rpc.statd
+#tags = os unix
+
+
+#### RPM
+[nix_rpm]
+search = eventtype=nix_ta_data *.rpm  punct="*-*.*."
+#tags = os update
+
+
+#### Runlevel
+[nix_runlevel_change]
+search = eventtype=nix_ta_data init: punct="*__::_*:_*"
+#tags = os unix configuration modify
+
+
+#### SNMPD
+[snmpd]
+search = eventtype=nix_ta_data snmpd
+#tags = os unix snmp
+
+[snmpd_failure]
+search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
+#tags = failure
+
+
+#### scrollkeeper
+[nix_scrollkeeper]
+search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
+#tags = os unix
+
+
+## Shutdown
+[nix_halt]
+search = eventtype=nix_ta_data shutdown: system halt
+#tags = os unix stop
+
+[nix_restart]
+search = eventtype=nix_ta_data shutdown: system reboot
+#tags = os unix stop
+
+
+#### smartd
+[nix_smartd]
+search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
+#tags = os unix
+
+
+#### Time
+[nix_timesync]
+search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
+#tags = report time synchronize success
+
+[nix_timesync_failure]
+search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
+#tags = report time synchronize failure
+
+
+#### Update
+[nix_yum_update]
+search = eventtype=nix_ta_data yum Updated
+#tags = report update success
+
+
+#### udevd
+[nix_udevd]
+search = eventtype=nix_ta_data udevd
+#tags = os unix kernel
+
+
+#### USB
+[nix_usb]
+search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
+#tags = os unix usb
+
+
+#### userhelper
+[nix_userhelper]
+search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
+#tags = os unix
+
+
+###### ADDED FROM UNIX APP ######
+[failed_login]
+search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure"  OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
+#tags = authentication
+
+[Failed_SU]
+search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
+#tags = authentication
+
+[nix-all-logs]
+search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)
+
+###### END FROM UNIX APP ######
+
+###### ADDED FROM TA-deploymentapps ######
+
+###### Scripted Inputs ######
+
+## Global
+[aix_scripted_input]
+search = sourcetype=AIX:*
+#tags = check report
+
+[hpux_scripted_input]
+search = sourcetype=HPUX:*
+#tags = check report
+
+[linux_scripted_input]
+search = sourcetype=Linux:*
+#tags = check report
+
+[osx_scripted_input]
+search = sourcetype=OSX:*
+#tags = check report
+
+[solaris_scripted_input]
+search = sourcetype=Solaris:*
+#tags = check report
+
+[unix_scripted_input]
+search = sourcetype=Unix:*
+#tags = check report
+
+## CPUTime
+[cputime]
+search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
+#tags = performance os avail cpu
+
+[cputime_anomalous]
+search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
+#tags = anomalous
+
+## Disk
+[freediskspace]
+search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
+#tags = performance os avail disk storage
+
+[freediskspace_anomalous]
+search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
+#tags = anomalous
+
+## Listening Ports
+[listeningports]
+search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
+#tags = os config report
+
+## Local Processes
+[localprocesses]
+search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
+#tags = os avail process
+
+[localprocesses_anomalous]
+search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
+#tags = anomalous
+
+## Memory
+[memory]
+search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
+#tags = performance os avail memory
+
+[memory_anomalous]
+search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
+#tags = anomalous
+
+## SELinux Config
+[selinuxconfig]
+search = sourcetype=Linux:SELinuxConfig
+#tags = application config selinux
+
+## Service
+[service]
+search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
+#tags = os config service report
+
+[service_runlevel_anomalous]
+search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
+#tags = anomalous
+
+## SSHD Config
+[sshdconfig]
+search = sourcetype=*:SSHDConfig
+#tags = application config ssh
+
+[sshd_insecure]
+search = eventtype=nix_ta_data sshd_protocol=*1*
+#tags = insecure
+
+## Update
+[update]
+search = sourcetype=*:Update
+#tags = os info update
+
+[update_status]
+search = sourcetype=*:Update NOT total_updates
+#tags = status
+
+## Uptime
+[uptime]
+search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
+#tags = os info report uptime performance
+
+[uptime_anomalous]
+search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
+#tags = anomalous
+
+## User Accounts
+[useraccounts]
+search = sourcetype=*:UserAccounts (NOT file_hash=*)
+#tags = (os) config user inventory
+
+[useraccounts_anomalous]
+search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
+#tags = anomalous
+
+## Version
+[nix_version]
+search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
+#tags = os info report system version inventory
+
+## VSFTDP Config
+[vsftpd_config]
+search = sourcetype=*:VSFTPDConfig
+#tags = application config ftp cleartext
+
+[vsftpd_config_anonymous]
+search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
+#tags = anonymous
+
+###### END FROM TA-deploymentapps ######