mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 15 Packages Wiki Activity Actions

Fix OpenBSD Support and Other Bugs

Browse source 
Changes:

* Fix OpenBSD cpu.sh output to match others
* Fix OpenBSD df.sh output (no need for %% here)
* Do not use sudo or doas when running as root
* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
* Fix rsyslog example to trim whitespace in run_nix_ta_commands
* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
* Fix getting hour and minute for OpenBSD in run_nix_ta_commands
  "08" shows up to printf as octal
* Support difference in OpenBSD logger command:
  Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf
This commit is contained in:
Michael Erdely 2025-01-25 13:41:20 -05:00
parent 8c02cbc5cc
commit a24e4c8ee5
Signed by: mike
SSH key fingerprint: SHA256:ukbnfrRMaRYlBZXENtBTyO2jLnql5AA5m+SzZCfYQe0
10 changed files with 92 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
VERSION
View file

@ -1,2 +1,2 @@
9.2.0.9 9.2.0.10
9.2.0.9 9.2.0.10

2
app.manifest
View file

@ -29,7 +29,7 @@
"id": { "id": {
"group": null, "group": null,
"name": "TA-nix", "name": "TA-nix",
"version": "9.2.0.9" "version": "9.2.0.10"
}, },
"license": { "license": {
"name": "Splunk Software License Agreement", "name": "Splunk Software License Agreement",

18
bin/cpu.sh
View file

@ -152,13 +152,17 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}' FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
FORMAT='{ FORMAT='{
if ($1 ~ /^[0-9]+$/) if ($1 ~ /^[0-9]+$/)
name="all"; cpu="all";
else if ($1 ~ /^CPU[0-9]+$/) else if ($1 ~ /^CPU[0-9]+$/)
name=substr($1,4); cpu=substr($1,4);
else name=0; else cpu=0;
printf "%s\t%s\t%s\t%s\t%s\t%s",name,substr($3,1,length($3)-1),substr($5,1,length($5)-1),substr($7,1,length($7)-1),substr($11,1,length($11)-1),substr($13,1,length($13)-1) pctUser=substr($3,1,length($3)-1);
}' pctNice=substr($5,1,length($5)-1);
pctSystem=substr($7,1,length($7)-1);
pctIowait=substr($11,1,length($11)-1);
pctIdle=substr($13,1,length($13)-1);
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='eval top -P -d2 c; top -d2 c' CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD" assertHaveCommand "$CMD"

2
bin/df.sh
View file

@ -250,7 +250,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PRINTF='/^Filesystem/ { PRINTF='/^Filesystem/ {
print "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n"; print "Filesystem\tType\tSize\tUsed\tAvail\tUse%\tInodes\tIUsed\tIFree\tIUse%\tMountedOn";
} }
$0 !~ /^Filesystem/ && $0 !~ / on / { $0 !~ /^Filesystem/ && $0 !~ / on / {
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9; printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9;

10
bin/docker.sh
View file

@ -21,12 +21,14 @@ declare -A bw_start
[[ $0 =~ .*_metric.sh ]] && mode=metric [[ $0 =~ .*_metric.sh ]] && mode=metric
# Either add the splunk user to the docker group or add the following to /etc/sudoers: # Either add the splunk user to the docker group or add the following to /etc/sudoers:
# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all # splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format * # splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f * # splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
docker_cmd=docker docker_cmd=docker
! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd" if [ $(id -u) != 0 ]; then
! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
fi
docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}') docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}')
header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids" header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids"

17
bin/service.sh
View file

@ -188,10 +188,21 @@ elif [ "$KERNEL" = "Darwin" ] ; then
POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }' POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
elif [ "$KERNEL" = "OpenBSD" ] ; then elif [ "$KERNEL" = "OpenBSD" ] ; then
# For this to work when running as a non-root user, add the following
# to /etc/doas.conf (replacing USERNAME with the user running the script):
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls started
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls failed
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls rogue
if [ $(id -u) != 0 ]; then
failed=" $(doas -n /usr/sbin/rcctl ls failed) "
rogue=" $(doas -n /usr/sbin/rcctl ls rogue) "
running=" $(doas -n /usr/sbin/rcctl ls started) "
else
failed=" $(/usr/sbin/rcctl ls failed) "
rogue=" $(/usr/sbin/rcctl ls rogue) "
running=" $(/usr/sbin/rcctl ls started) "
fi
enabled=" $(/usr/sbin/rcctl ls on) " enabled=" $(/usr/sbin/rcctl ls on) "
failed=" $(doas /usr/sbin/rcctl ls failed) "
rogue=" $(doas /usr/sbin/rcctl ls rogue) "
running=" $(doas /usr/sbin/rcctl ls started) "
for svc in $(/usr/sbin/rcctl ls all); do for svc in $(/usr/sbin/rcctl ls all); do
enabled=false enabled=false
echo $enabled | grep " $svc " && enabled=true echo $enabled | grep " $svc " && enabled=true

16
bin/update.sh
View file

@ -17,10 +17,14 @@ if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand apt assertHaveCommand apt
assertHaveCommand sed assertHaveCommand sed
# For this to work properly, add a line to /etc/sudoers like this: # For this to work properly, add a line to /etc/sudoers like this:
# splunk ALL=(root) NOPASSWD: /usr/bin/apt update # splunk ALL=(root) NOPASSWD: /usr/bin/apt update
# Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
# sed command here replaces '/, [, ]' with ' ' # sed command here replaces '/, [, ]' with ' '
CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' if [ $(id -u) != 0 ]; then
CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
else
CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
fi
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}' PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
@ -41,9 +45,13 @@ if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand checkupdates assertHaveCommand checkupdates
assertHaveCommand sed assertHaveCommand sed
# For this to work properly, add a line to /etc/sudoers like this: # For this to work properly, add a line to /etc/sudoers like this:
# splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
# Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update) # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' if [ $(id -u) != 0 ]; then
CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
else
CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
fi
# shellcheck disable=SC2016 # shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}' PARSE_0='NR==1 {DATE=$0}'
PARSE_1='NR==2 {ARCH=$0}' PARSE_1='NR==2 {ARCH=$0}'

4
default/app.conf
View file

@ -17,7 +17,7 @@ docs_section_override = AddOns:released
[launcher] [launcher]
author = Michael Erdely author = Michael Erdely
version = 9.2.0.9 version = 9.2.0.10
description = Technical Add-on for Unix and Linux description = Technical Add-on for Unix and Linux
#[package] #[package]
@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux
[id] [id]
name = TA-unix name = TA-unix
version = 9.2.0.9 version = 9.2.0.10

17
docs/ReleaseNotes.md
View file

@ -1,5 +1,22 @@
# Technical Add-on for Unix and Linux # Technical Add-on for Unix and Linux
## Version 9.2.0.10 (2025-01-25)
Fix OpenBSD Support and Other Bugs
Changes:
* Fix OpenBSD cpu.sh output to match others
* Fix OpenBSD df.sh output (no need for %% here)
* Do not use sudo or doas when running as root
* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
* Fix rsyslog example to trim whitespace in run_nix_ta_commands
* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
* Fix getting hour and minute for OpenBSD in run_nix_ta_commands
"08" shows up to printf as octal
* Support difference in OpenBSD logger command:
Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf
## Version 9.2.0.9 (2025-01-25) ## Version 9.2.0.9 (2025-01-25)
Support OpenBSD Support OpenBSD

34
extra/run_nix_ta_commands
View file

@ -1,17 +1,17 @@
#!/bin/bash #!/usr/bin/env bash
# This script allows getting the Techical Add-on for Unix and Linux data into # This script allows getting the Techical Add-on for Unix and Linux data into
# Splunk from systems that are not running a Splunk Universal Forwarder. # Splunk from systems that are not running a Splunk Universal Forwarder.
# This is useful for systems with small or read-only file-systems. # This is useful for systems with small or read-only file-systems.
# #
# ## Sample rsyslog.conf # ## Sample rsyslog.conf:
# # Config for handling remote logs # # Config for handling remote logs
# template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log") # template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log")
# # Write raw messages for splunk logs # # Write raw messages for splunk logs
# template(name="RawMessageOnly" type="string" string="%$.mymsg%\n") # template(name="RawMessageOnly" type="string" string="%$.mymsg%\n")
# # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs # # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs
# if ($syslogtag startswith 'nix_ta_') then { # if ($syslogtag startswith 'nix_ta_') then {
# set $.mymsg = replace($msg, "#011", " "); # set $.mymsg = ltrim(rtrim(replace($msg, "#011", " ")));
# action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly" # action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly"
# fileCreateMode="0644" dirCreateMode="0755" # fileCreateMode="0644" dirCreateMode="0755"
# fileOwner="root" fileGroup="splunk" # fileOwner="root" fileGroup="splunk"
@ -20,31 +20,45 @@
# } # }
# # End of sample rsyslog.conf # # End of sample rsyslog.conf
# #
# To use: # ## run_nix_ta_commands configuration file
# * Create a new file (/etc/nix_ta.conf) with the following settings in it # * Create a new file (/etc/nix_ta.conf) with the following settings in it
# * ta_home: The directory you copied the Technical Add-on for Unix and Linux files # * ta_home: The directory you copied the Technical Add-on for Unix and Linux files
# * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag # * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag
# * syslog_server: The UDP syslog server to send events to # * syslog_server: The UDP syslog server to send events to
# * run_minute: For scripts that have intervals over an hour, which minute to run them # * run_minute: For scripts that have intervals over an hour, which minute to run them
# * run_hour: For scripts that run once a day, which hour to run them # * run_hour: For scripts that run once a day, which hour to run them
# * Create a cron job: * * * * * /path/to/script/run_nix_ta_commands # * facility: For logger commands like OpenBSD that do not support pointing to a syslog_server directly
# Set to something like "local3.info"
#
# ## Using syslog facility instead of specifying a syslog server with logger
# Using $facility when logger does not support specifying $syslog_server:
# Modify local syslog server to send logs for $facility to the $syslog_server
# On OpenBSD, an example for /etc/syslog.conf is:
# local3.* @192.168.1.1
#
# ## Cron job example:
# * * * * * /path/to/script/run_nix_ta_commands
# Ensure the logger command is available # Ensure the logger command is available
which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; } which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; }
# Ensure PATH has correct paths
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
# Example/default settings -- override in /etc/nix_ta.conf # Example/default settings -- override in /etc/nix_ta.conf
ta_home=/srv/TA-unix ta_home=/srv/TA-unix
tag_prefix=nix_ta_ tag_prefix=nix_ta_
syslog_server=192.168.1.1 syslog_server=192.168.1.1
run_minute=2 run_minute=2
run_hour=6 run_hour=6
facility=
[ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf [ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf
# Get the current minute now to be consistent through the script run # Get the current minute now to be consistent through the script run
minute=$(printf "%d" $(date +%M)) minute=$(printf "%d" $((10#$(date +%M))))
# Get the current hour now to be consistent through the script run # Get the current hour now to be consistent through the script run
hour=$(printf "%d" $(date +%H)) hour=$(printf "%d" $((10#$(date +%H))))
# Set defaults disabling force-mode and list-mode # Set defaults disabling force-mode and list-mode
force=0 force=0
list=0 list=0
@ -71,7 +85,11 @@ shift $((OPTIND -1))
runit() { runit() {
[ -z "$1" ] && return 1 [ -z "$1" ] && return 1
if [ -x $ta_home/bin/$1.sh ]; then if [ -x $ta_home/bin/$1.sh ]; then
{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]') if [ -n "$facility" ]; then
{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -p $facility -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
else
{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
fi
else else
echo Could not find $1 in $ta_home/bin echo Could not find $1 in $ta_home/bin
return 1 return 1