Fix OpenBSD Support and Other Bugs

Changes:

* Fix OpenBSD cpu.sh output to match others
* Fix OpenBSD df.sh output (no need for %% here)
* Do not use sudo or doas when running as root
* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
* Fix rsyslog example to trim whitespace in run_nix_ta_commands
* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
* Fix getting hour and minute for OpenBSD in run_nix_ta_commands
  "08" shows up to printf as octal
* Support difference in OpenBSD logger command:
  Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf

VERSION

@@ -1,2 +1,2 @@
-9.2.0.9
-9.2.0.9
+9.2.0.10
+9.2.0.10

app.manifest

@@ -29,7 +29,7 @@
         "id": {
             "group": null,
             "name": "TA-nix",
-            "version": "9.2.0.9"
+            "version": "9.2.0.10"
         },
         "license": {
             "name": "Splunk Software License Agreement",

bin/cpu.sh

@@ -152,13 +152,17 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
     FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}'
     # shellcheck disable=SC2016
     FORMAT='{
-			if ($1 ~ /^[0-9]+$/)
-				name="all";
-			else if ($1 ~ /^CPU[0-9]+$/)
-				name=substr($1,4);
-			else name=0;
-				printf "%s\t%s\t%s\t%s\t%s\t%s",name,substr($3,1,length($3)-1),substr($5,1,length($5)-1),substr($7,1,length($7)-1),substr($11,1,length($11)-1),substr($13,1,length($13)-1)
-			}'
+	if ($1 ~ /^[0-9]+$/)
+		cpu="all";
+	else if ($1 ~ /^CPU[0-9]+$/)
+		cpu=substr($1,4);
+	else cpu=0;
+	pctUser=substr($3,1,length($3)-1);
+	pctNice=substr($5,1,length($5)-1);
+	pctSystem=substr($7,1,length($7)-1);
+	pctIowait=substr($11,1,length($11)-1);
+	pctIdle=substr($13,1,length($13)-1);
+	}'
 elif [ "$KERNEL" = "FreeBSD" ] ; then
     CMD='eval top -P -d2 c; top -d2 c'
     assertHaveCommand "$CMD"

bin/df.sh

@@ -250,7 +250,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
 	# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
 	# shellcheck disable=SC2016
 	PRINTF='/^Filesystem/ {
-		print "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n";
+		print "Filesystem\tType\tSize\tUsed\tAvail\tUse%\tInodes\tIUsed\tIFree\tIUse%\tMountedOn";
 	}
 	$0 !~ /^Filesystem/ && $0 !~ / on / {
 		printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9;

bin/docker.sh

@@ -21,12 +21,14 @@ declare -A bw_start
 [[ $0 =~ .*_metric.sh ]] && mode=metric
 
 # Either add the splunk user to the docker group or add the following to /etc/sudoers:
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
-# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
+#   splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
+#   splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
+#   splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
 
 docker_cmd=docker
-! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
+if [ $(id -u) != 0 ]; then
+  ! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
+fi
 docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}')
 
 header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids"

bin/service.sh

@@ -188,10 +188,21 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
 
 elif [ "$KERNEL" = "OpenBSD" ] ; then
+  # For this to work when running as a non-root user, add the following
+  # to /etc/doas.conf (replacing USERNAME with the user running the script):
+  #   permit nopass USERNAME cmd /usr/sbin/rcctl args ls started
+  #   permit nopass USERNAME cmd /usr/sbin/rcctl args ls failed
+  #   permit nopass USERNAME cmd /usr/sbin/rcctl args ls rogue
+  if [ $(id -u) != 0 ]; then
+    failed=" $(doas -n /usr/sbin/rcctl ls failed) "
+    rogue=" $(doas -n /usr/sbin/rcctl ls rogue) "
+    running=" $(doas -n /usr/sbin/rcctl ls started) "
+  else
+    failed=" $(/usr/sbin/rcctl ls failed) "
+    rogue=" $(/usr/sbin/rcctl ls rogue) "
+    running=" $(/usr/sbin/rcctl ls started) "
+  fi
   enabled=" $(/usr/sbin/rcctl ls on) "
-  failed=" $(doas /usr/sbin/rcctl ls failed) "
-  rogue=" $(doas /usr/sbin/rcctl ls rogue) "
-  running=" $(doas /usr/sbin/rcctl ls started) "
   for svc in $(/usr/sbin/rcctl ls all); do
     enabled=false
     echo $enabled | grep " $svc " && enabled=true

bin/update.sh

@@ -17,10 +17,14 @@ if [ "$KERNEL" = "Linux" ] ; then
 		assertHaveCommand apt
 		assertHaveCommand sed
 		# For this to work properly, add a line to /etc/sudoers like this:
-		# splunk ALL=(root) NOPASSWD: /usr/bin/apt update
+		#   splunk ALL=(root) NOPASSWD: /usr/bin/apt update
 		# Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
 		# sed command here replaces '/, [, ]' with ' '
-		CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+		if [ $(id -u) != 0 ]; then
+			CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+		else
+			CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+		fi
 		# shellcheck disable=SC2016
 		PARSE_0='NR==1 {DATE=$0}'
 		# shellcheck disable=SC2016
@@ -41,9 +45,13 @@ if [ "$KERNEL" = "Linux" ] ; then
 		assertHaveCommand checkupdates
 		assertHaveCommand sed
 		# For this to work properly, add a line to /etc/sudoers like this:
-		# splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
+		#   splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
 		# Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
-		CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+		if [ $(id -u) != 0 ]; then
+			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+		else
+			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+		fi
 		# shellcheck disable=SC2016
 		PARSE_0='NR==1 {DATE=$0}'
 		PARSE_1='NR==2 {ARCH=$0}'

default/app.conf

@@ -17,7 +17,7 @@ docs_section_override = AddOns:released
 
 [launcher]
 author = Michael Erdely
-version = 9.2.0.9
+version = 9.2.0.10
 description = Technical Add-on for Unix and Linux
 
 #[package]
@@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux
 
 [id]
 name = TA-unix
-version = 9.2.0.9
+version = 9.2.0.10
 

docs/ReleaseNotes.md

@@ -1,5 +1,22 @@
 # Technical Add-on for Unix and Linux
 
+## Version 9.2.0.10 (2025-01-25)
+
+Fix OpenBSD Support and Other Bugs
+
+Changes:
+
+* Fix OpenBSD cpu.sh output to match others
+* Fix OpenBSD df.sh output (no need for %% here)
+* Do not use sudo or doas when running as root
+* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
+* Fix rsyslog example to trim whitespace in run_nix_ta_commands
+* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
+* Fix getting hour and minute for OpenBSD in run_nix_ta_commands
+  "08" shows up to printf as octal
+* Support difference in OpenBSD logger command:
+  Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf
+
 ## Version 9.2.0.9 (2025-01-25)
 
 Support OpenBSD

extra/run_nix_ta_commands

@@ -1,17 +1,17 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # This script allows getting the Techical Add-on for Unix and Linux data into
 # Splunk from systems that are not running a Splunk Universal Forwarder.
 # This is useful for systems with small or read-only file-systems.
 #
-# ## Sample rsyslog.conf
+# ## Sample rsyslog.conf:
 # # Config for handling remote logs
 # template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log")
 # # Write raw messages for splunk logs
 # template(name="RawMessageOnly" type="string" string="%$.mymsg%\n")
 # # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs
 # if ($syslogtag startswith 'nix_ta_') then {
-#   set $.mymsg = replace($msg, "#011", " ");
+#   set $.mymsg = ltrim(rtrim(replace($msg, "#011", " ")));
 #   action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly"
 #     fileCreateMode="0644" dirCreateMode="0755"
 #     fileOwner="root" fileGroup="splunk"
@@ -20,31 +20,45 @@
 # }
 # # End of sample rsyslog.conf
 #
-# To use:
+# ## run_nix_ta_commands configuration file
 # * Create a new file (/etc/nix_ta.conf) with the following settings in it
 #   * ta_home: The directory you copied the Technical Add-on for Unix and Linux files
 #   * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag
 #   * syslog_server: The UDP syslog server to send events to
 #   * run_minute: For scripts that have intervals over an hour, which minute to run them
 #   * run_hour: For scripts that run once a day, which hour to run them
-# * Create a cron job: * * * * * /path/to/script/run_nix_ta_commands
+#   * facility: For logger commands like OpenBSD that do not support pointing to a syslog_server directly
+#               Set to something like "local3.info"
+#
+# ## Using syslog facility instead of specifying a syslog server with logger
+# Using $facility when logger does not support specifying $syslog_server:
+# Modify local syslog server to send logs for $facility to the $syslog_server
+# On OpenBSD, an example for /etc/syslog.conf is:
+#   local3.*                             @192.168.1.1
+#
+# ## Cron job example:
+#   * * * * * /path/to/script/run_nix_ta_commands
 
 # Ensure the logger command is available
 which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; }
 
+# Ensure PATH has correct paths
+export PATH=$PATH:/usr/local/sbin:/usr/local/bin
+
 # Example/default settings -- override in /etc/nix_ta.conf
 ta_home=/srv/TA-unix
 tag_prefix=nix_ta_
 syslog_server=192.168.1.1
 run_minute=2
 run_hour=6
+facility=
 
 [ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf
 
 # Get the current minute now to be consistent through the script run
-minute=$(printf "%d" $(date +%M))
+minute=$(printf "%d" $((10#$(date +%M))))
 # Get the current hour now to be consistent through the script run
-hour=$(printf "%d" $(date +%H))
+hour=$(printf "%d" $((10#$(date +%H))))
 # Set defaults disabling force-mode and list-mode
 force=0
 list=0
@@ -71,7 +85,11 @@ shift $((OPTIND -1))
 runit() {
   [ -z "$1" ] && return 1
   if [ -x $ta_home/bin/$1.sh ]; then
-    { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+    if [ -n "$facility" ]; then
+      { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -p $facility -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+    else
+      { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
+    fi
   else
     echo Could not find $1 in $ta_home/bin
     return 1