From 07122cafadcc61b3e38e5367d2531c5859a68f68 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Wed, 8 Jan 2025 18:21:51 -0500 Subject: [PATCH 01/19] Use ip command to determine IP address ('hostname -I' does not work on all Linux systems) Filter out multiple listing of the same btrfs volume Use mktemp for temp files (for times when the TA may be run outside of Splunk) If running rlog.sh outside of Splunk, use $HOME to store seek file Debian also uses apt Arch Linux uses pacman Add use of sudo -n for 'apt update' and 'pacman -Syy' vmstat uses "K paged out" Replace the use of 'sar' with netstat and vm_stat for MacOS --- VERSION | 4 ++-- app.manifest | 18 +++++++++--------- bin/bandwidth.sh | 6 +++--- bin/cpu_metric.sh | 4 ++-- bin/df.sh | 2 ++ bin/df_metric.sh | 6 ++++-- bin/hardware.sh | 2 +- bin/interfaces_metric.sh | 4 ++-- bin/iostat_metric.sh | 4 ++-- bin/ps_metric.sh | 4 ++-- bin/rlog.sh | 12 +++++++++--- bin/selinuxChecker.sh | 2 +- bin/update.sh | 21 ++++++++++++++++++--- bin/vmstat.sh | 23 +++++++++-------------- bin/vmstat_metric.sh | 27 +++++++++++---------------- default/app.conf | 14 +++++++------- docs/ReleaseNotes.md | 18 ++++++++++++++++++ splunkbase.manifest | 38 ++++++++++++++++++++------------------ 18 files changed, 122 insertions(+), 87 deletions(-) create mode 100644 docs/ReleaseNotes.md diff --git a/VERSION b/VERSION index 3267917..1d43a4b 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0 -9.2.0 \ No newline at end of file +9.2.0.1 +9.2.0.1 diff --git a/app.manifest b/app.manifest index 05b18b7..184ab32 100644 --- a/app.manifest +++ b/app.manifest @@ -4,9 +4,9 @@ "info": { "author": [ { - "company": "Splunk, Inc.", - "email": "support@splunk.com", - "name": "Splunk, Inc." + "company": "erdelynet.com", + "email": "mike@erdelynet.com", + "name": "erdelynet.com" } ], "classification": { 
@@ -25,11 +25,11 @@ "Network Sessions": "=4.20.2", "Performance": "=4.20.2" }, - "description": "Splunk Add-on for Unix and Linux", + "description": "Technical Add-on for Unix and Linux", "id": { "group": null, - "name": "Splunk_TA_nix", - "version": "9.2.0" + "name": "TA-nix", + "version": "9.2.0.1" }, "license": { "name": "Splunk Software License Agreement", @@ -45,9 +45,9 @@ "releaseNotes": { "name": "README", "text": "./README.txt", - "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes" + "uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md" }, - "title": "Splunk Add-on for Unix and Linux" + "title": "Technical Add-on for Unix and Linux" }, "inputGroups": null, "platformRequirements": null, @@ -63,4 +63,4 @@ "_indexers" ], "tasks": null -} \ No newline at end of file +} diff --git a/bin/bandwidth.sh b/bin/bandwidth.sh index e5a1364..da3ee0f 100755 --- a/bin/bandwidth.sh +++ b/bin/bandwidth.sh @@ -66,11 +66,11 @@ elif [ "$KERNEL" = "AIX" ] ; then # shellcheck disable=SC2016 FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}' elif [ "$KERNEL" = "Darwin" ] ; then - CMD='sar -n DEV 1 2' + CMD='eval ifconfig -a -u | awk "/^[^ \t]/{i=substr(\$1,1,length(\$1)-1)}/status: active/{print i}" | while read -r int; do netstat -bnI $int -w 1 | head -n3 | sed "s/^/$int/"; done' # shellcheck disable=SC2016 - FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}' + FILTER='$2~/^(input|packets)$/{next}' # shellcheck disable=SC2016 - FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}' + FORMAT='{Name=$1; rxPackets_PS=$2; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$7/1024}' elif [ "$KERNEL" = "HP-UX" ] ; then # Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324 CMD='netstat -i 1 2' diff --git a/bin/cpu_metric.sh b/bin/cpu_metric.sh index 04d73df..3f12dd6 100755 --- a/bin/cpu_metric.sh +++ b/bin/cpu_metric.sh 
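Review bot: The new Darwin CMD prefixes each netstat sample with `sed "s/^/$int/"` and relies on netstat's leading column padding to keep the interface name apart from the first counter in `$2`; emitting an explicit separator, `sed "s/^/$int /"`, removes that dependency on output width. Also, `head -n3` returns after the first sample but `netstat -w 1` keeps running until its next write hits the closed pipe, so the loop spends at least one extra second per active interface, serially; a comment stating the expected runtime would help, since this input runs on a schedule.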
@@ -16,9 +16,9 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand mpstat FOUND_MPSTAT=$? if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi if [ $FOUND_SAR -eq 0 ] ; then CMD='sar -P ALL 1 1' diff --git a/bin/df.sh b/bin/df.sh index a2ab71c..4689cd4 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -12,6 +12,8 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 BEGIN='BEGIN { OFS = "\t" }' # shellcheck disable=SC2016 + FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' + # shellcheck disable=SC2016 FILTER_POST='/(devtmpfs|tmpfs)/ {next}' # shellcheck disable=SC2016 PRINTF=' diff --git a/bin/df_metric.sh b/bin/df_metric.sh index 9f0d020..12d79a1 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh 
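Review bot: `ip -4 route show default | awk '{print $9}'` in the new IP_address definitions picks a positional field that is only the address when the route carries a `src` hint; a static default route prints `default via G dev D proto static metric N`, which puts the metric (or nothing) in field 9, and several default routes yield several lines, which embeds a newline into the `-v IP_address=` argument. A form that mirrors the IPv6 discovery used by the sibling scripts is more robust: `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1`. Separately, `grep -E '\b(VERSION|BUILD)_ID='` over `cat /etc/*release` can match more than one line when a release file carries both keys (some os-release files do), so add `| head -n 1` before the `cut`.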
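Review bot: The new `FILTER_PRE` de-duplicates btrfs rows by device (`$1`), so when several subvolumes of one btrfs device are mounted at different paths only the first mount point survives; the space figures are shared, but the dropped mount points are no longer visible to anything keying on the target column. That is a defensible trade-off, but it deserves a comment beside the line, e.g. `# btrfs lists the same device once per subvolume mount; keep the first row only`. This assumes the awk invocation later in df.sh (outside the hunk) interpolates `$FILTER_PRE` as the other platform branches do.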
@@ -13,12 +13,14 @@ if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand df CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target' if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi BEGIN='BEGIN { OFS = "\t" }' FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}' + # shellcheck disable=SC2016 + FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' # shellcheck disable=SC2016 FILTER_POST='/(devtmpfs|tmpfs)/ {next}' # shellcheck disable=SC2016 
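Review bot: The DEFINE lines here are now a verbatim copy of the ones in cpu_metric.sh, interfaces_metric.sh, iostat_metric.sh, ps_metric.sh and vmstat_metric.sh, and this commit had to touch all six to change how IP_address is derived; moving the OSName/OS_version/IP_address discovery into one function in common.sh (which every script already sources) would keep the next fix to a single place. The `ip -4 route show default | awk '{print $9}'` expression also depends on a `src` hint being present on the default route, which static routes often lack, and returns several lines when there are several default routes; `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1` parallels the IPv6_Address expression on the same line and has neither problem.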
diff --git a/bin/hardware.sh b/bin/hardware.sh index db40484..31eefec 100755 --- a/bin/hardware.sh +++ b/bin/hardware.sh @@ -9,7 +9,7 @@ FORMAT='{key = $1; if (NF == 1) {value = ""} else {value = $2; for PRINTF='{printf("%-20s %-s\n", key, value)}' if [ "$KERNEL" = "Linux" ] ; then - TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile # For filtering out lshw warning from stderr + TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out lshw warning from stderr queryHaveCommand ip FOUND_IP=$? # CPUs diff --git a/bin/interfaces_metric.sh b/bin/interfaces_metric.sh index 52c799b..d6a75ef 100755 --- a/bin/interfaces_metric.sh +++ b/bin/interfaces_metric.sh 
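Review bot: `TMP_ERROR_FILTER_FILE=$(mktemp)` creates a new file in `$TMPDIR` on every run, whereas the old fixed path was simply reused; unless the remainder of hardware.sh (outside this hunk) removes it on every exit path, a scripted input on a one-minute schedule leaves well over a thousand files per day. Register cleanup right after creation and refuse to continue if mktemp failed: `TMP_ERROR_FILTER_FILE=$(mktemp) || exit 1` followed by `trap 'rm -f "$TMP_ERROR_FILTER_FILE"' EXIT`. mktemp's private default mode is the right choice here, since the file receives lshw's stderr.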
@@ -18,9 +18,9 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand ip FOUND_IP=$? if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi if [ $FOUND_IP -eq 0 ]; then CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" diff --git a/bin/iostat_metric.sh b/bin/iostat_metric.sh index 2a69a6e..da1550e 100755 --- a/bin/iostat_metric.sh +++ b/bin/iostat_metric.sh 
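Review bot: The new IP_address expression `ip -4 route show default | awk '{print $9}'` only yields an address when the default route includes a `src` hint; on a static default route field 9 is the metric value or empty, and with multiple default routes the substitution returns several lines, corrupting the `-v` arguments that follow. Using the same discovery as the IPv6_Address on the same line, `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1`, avoids both cases.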
@@ -11,9 +11,9 @@ if [ "$KERNEL" = "Linux" ] ; then CMD='iostat -xky 1 1' assertHaveCommand "$CMD" if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f' # shellcheck disable=SC2016 diff --git a/bin/ps_metric.sh b/bin/ps_metric.sh index 4855452..30f0878 100755 --- a/bin/ps_metric.sh +++ b/bin/ps_metric.sh 
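Review bot: `grep -E '\b(VERSION|BUILD)_ID='` in the new OS_version expression can match two lines when a release file defines both keys, and `cat /etc/*release` concatenates every matching file, so the `-v OS_version=` value may gain an embedded newline; add `| head -n 1` before the `cut`. The same caution applies to `ip -4 route show default | awk '{print $9}'`, which returns the metric or nothing when the route has no `src` hint and one line per default route otherwise; `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1` is the safer form.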
@@ -12,9 +12,9 @@ if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; th CMD='ps auxww' if [ "$KERNEL" = "Linux" ] ; then if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. diff --git a/bin/rlog.sh b/bin/rlog.sh index f1fa92b..72ae084 100755 --- a/bin/rlog.sh +++ b/bin/rlog.sh 
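Review bot: The IPv4 and IPv6 discoveries on the new DEFINE lines now use different strategies: IPv6 reads the address table (`ip -6 -brief address show scope global`), while IPv4 reads field 9 of the default route, which is an address only when a `src` hint is present and can be a metric, empty, or multi-line otherwise. Aligning IPv4 with the IPv6 approach, `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1`, makes the two fields consistent and removes the positional assumption.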
@@ -7,10 +7,16 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios +if [ -n "$SPLUNK_DB" ]; then + OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios + SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime +else + # handle the case where this is not being run by the Splunk user from Splunk + OLD_SEEK_FILE=$HOME/.splunk_unix_audit_seekfile # For handling upgrade scenarios + SEEK_FILE=$HOME/.splunk_unix_audit_seektime +fi CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios -SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out "no matches" error from stderr AUDIT_FILE="/var/log/audit/audit.log*" if [ "$KERNEL" = "Linux" ] ; then diff --git a/bin/selinuxChecker.sh b/bin/selinuxChecker.sh index b213dd8..e819196 100755 --- a/bin/selinuxChecker.sh +++ b/bin/selinuxChecker.sh @@ -5,7 +5,7 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_selinux_error_tmpfile # For filtering out awk warning from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out awk warning from stderr PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}' if [ "$KERNEL" = "Linux" ] ; then diff --git a/bin/update.sh b/bin/update.sh index d834c3a..85f0732 100755 --- a/bin/update.sh +++ b/bin/update.sh 
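Review bot: The new branch tests `$SPLUNK_DB` but builds the seek-file paths from `$SPLUNK_HOME`, so with SPLUNK_DB set and SPLUNK_HOME empty the files land under `/var/run/splunk/`; and the fallback branch uses `$HOME` unguarded, so under cron or a systemd unit with no HOME the seek file becomes `/.splunk_unix_audit_seektime`. Test the variable you actually use, `if [ -n "$SPLUNK_HOME" ] && [ -d "$SPLUNK_HOME/var/run/splunk" ]; then`, and fail fast in the else branch with `: "${HOME:?HOME must be set when running outside Splunk}"`. The `$(mktemp)` error file is also new on every run; unless the cleanup exists further down (outside the hunk), add `trap 'rm -f "$TMP_ERROR_FILTER_FILE"' EXIT` so a failed run does not leave it behind.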
@@ -5,18 +5,21 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_update_error_tmpfile # For filering out apt warning from stderr +TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out apt warning from stderr if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand date OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) OS_FILE=/etc/os-release # Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages - if [ "$OSName" = "Ubuntu" ]; then + if [ "$OSName" = "Ubuntu" ] || [ "$OSName" = "Debian_GNU/Linux" ]; then assertHaveCommand apt assertHaveCommand sed + # For this to work properly, add a line to /etc/sudoers like this: + # splunk ALL=(root) NOPASSWD: /usr/bin/apt update + # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script # sed command here replaces '/, [, ]' with ' ' - CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 
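Review bot: `sudo -n apt update > /dev/null 2>&1` discards its exit status, so when the NOPASSWD rule is absent (or sudo is not installed) the script silently reports against a stale package cache with no signal that the refresh failed; at minimum surface it: `sudo -n apt update >/dev/null 2>&1 || echo "apt update failed; upgradable list may be stale" >&2`. Prefer `apt-get update` over `apt update` for both the command and the documented sudoers rule, because `apt` warns that its CLI is unstable in scripts and the rule should name the exact binary and argument list (`splunk ALL=(root) NOPASSWD: /usr/bin/apt-get update`). The comment should also state that this scripted input now mutates the root-owned package lists on every collection interval, a side effect operators would not expect from a monitoring add-on.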
@@ -33,6 +36,18 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 PARSE_2='header_found { gsub(/[[:space:]]*\|[[:space:]]*/, "|"); split($0, arr, /\|/); printf "%s repository=%s package=%s current_package_version=%s latest_package_version=%s sles_architecture=%s\n", DATE, arr[2], arr[3], arr[4], arr[5], arr[6]}' MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2" + elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then + assertHaveCommand checkupdates + assertHaveCommand sed + # For this to work properly, add a line to /etc/sudoers like this: + # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy + # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update) + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0}' + PARSE_1='NR==2 {ARCH=$0}' + PARSE_2='NR>2 {printf "%s arch_architecture=%s package=%s current_package_version=%s latest_package_version=%s\n", DATE, ARCH, $1, $2, $4}' + MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2" else assertHaveCommand yum diff --git a/bin/vmstat.sh b/bin/vmstat.sh index 2fc902b..178c09f 100755 --- a/bin/vmstat.sh +++ b/bin/vmstat.sh 
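Review bot: The `sudo -n pacman -Syy` step and the sudoers grant it requires look unnecessary: `checkupdates` (pacman-contrib) syncs into its own temporary database copy (CHECKUPDATES_DB) precisely so the live sync database is never refreshed without a full upgrade, and refreshing it here on every interval re-creates the partial-upgrade hazard checkupdates exists to avoid. Dropping the sudo call and the comment above it, and asserting `fakeroot` alongside `checkupdates` (checkupdates depends on it), should give the same output without root. Separately, the architecture sed maps `armv7l` to `arm64`, which mislabels 32-bit ARM; keep only `s/aarch64/arm64/;s/x86_64/amd64/`.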
@@ -26,7 +26,7 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}' # shellcheck disable=SC2016 - PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' + PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' # shellcheck disable=SC2016 PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}' # shellcheck disable=SC2016 @@ -126,9 +126,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand sysctl assertHaveCommand top - assertHaveCommand sar + assertHaveCommand vm_stat # shellcheck disable=SC2016 - CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2' + CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"' FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' # shellcheck disable=SC2016 PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}' 
@@ -137,24 +137,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then # shellcheck disable=SC2016 PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}' # shellcheck disable=SC2016 - PARSE_3='/^VM:/ {pgPageOut=0+$7}' - if $OSX_GE_SNOW_LEOPARD; then - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' - else - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}' - fi + PARSE_3='/^pgpageout / {pgPageOut=0+$2}' + # shellcheck disable=SC2016 + PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' # shellcheck disable=SC2016 PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}' # shellcheck disable=SC2016 PARSE_6='/^CPU_COUNT/ {cpuCount=$2}' # shellcheck disable=SC2016 - PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}' + PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}' # shellcheck disable=SC2016 - PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}' + PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" - FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}' + FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/bin/vmstat_metric.sh b/bin/vmstat_metric.sh index b9f4ce7..e0c56e2 100755 --- a/bin/vmstat_metric.sh +++ b/bin/vmstat_metric.sh 
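Review bot: `pgSwapOut` is now assigned twice: PARSE_7 sets it to the per-second `swoups` rate from the `pginps` line, while PARSE_8 sets it from the cumulative `pgswapout` line; because the CMD prints `pgswapout` before `pginps`, PARSE_7's value survives, so `pgSwapOut` becomes a rate while `pgPageOut` stays a cumulative count. Give the rates their own names, matching `pgPageIn_PS`/`pgPageOut_PS`: `PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn_PS=$6;pgSwapOut_PS=$8}'`. Also, FILL_BLANKS now emits `0` instead of `?` for counters macOS does not provide (cSwitches, interrupts, forks), so consumers can no longer tell "not collected" from zero; if a numeric value is required downstream, say so in a comment on that line.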
@@ -23,16 +23,16 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2' if [ ! -f "/etc/os-release" ] ; then - DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')" else - DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')" fi # shellcheck disable=SC2016 PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}' # shellcheck disable=SC2016 PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}' # shellcheck disable=SC2016 - PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' + PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}' # shellcheck disable=SC2016 PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}' # shellcheck disable=SC2016 
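Review bot: The replacement IP_address expression `ip -4 route show default | awk '{print $9}'` assumes the default route is printed with a `src` hint; without one, field 9 is the metric value or empty, and a multi-homed host with several default routes yields several lines inside the `-v` argument. `ip -4 -brief address show scope global | awk 'NR==1{print $3}' | cut -d '/' -f 1` matches the IPv6 discovery used elsewhere in this commit and does not depend on route attributes. The `grep -E '\b(VERSION|BUILD)_ID='` change needs a trailing `| head -n 1` for the same reason, since a release file may define both keys.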
@@ -136,9 +136,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand sysctl assertHaveCommand top - assertHaveCommand sar + assertHaveCommand vm_stat # shellcheck disable=SC2016 - CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2' + CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"' DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' # shellcheck disable=SC2016 
@@ -148,24 +148,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then # shellcheck disable=SC2016 PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}' # shellcheck disable=SC2016 - PARSE_3='/^VM:/ {pgPageOut=0+$7}' - if $OSX_GE_SNOW_LEOPARD; then - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' - else - # shellcheck disable=SC2016 - PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}' - fi + PARSE_3='/^pgpageout / {pgPageOut=0+$2}' + # shellcheck disable=SC2016 + PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}' # shellcheck disable=SC2016 PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}' # shellcheck disable=SC2016 PARSE_6='/^CPU_COUNT/ {cpuCount=$2}' # shellcheck disable=SC2016 - PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}' + PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}' # shellcheck disable=SC2016 - PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}' + PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" - FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}' + FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/default/app.conf b/default/app.conf index 52645ba..444c420 100644 --- a/default/app.conf +++ b/default/app.conf 
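Review bot: As in vmstat.sh, PARSE_7 and PARSE_8 both write `pgSwapOut`, and since the `pgswapout` line precedes the `pginps` line in the CMD output, the per-second `swoups` value from PARSE_7 overwrites the cumulative count, leaving `pgSwapOut` a rate while `pgPageOut` is cumulative. Rename the rate fields to `pgSwapIn_PS=$6;pgSwapOut_PS=$8` in PARSE_7 so PARSE_8 owns `pgSwapOut`. The FILL_BLANKS switch from `?` to `0` also turns "not measured" into a real-looking zero for cSwitches, interrupts and forks on macOS; a comment explaining why a numeric placeholder is required here would keep that from being read as a bug later.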
@@ -12,19 +12,19 @@ build = 1720176219 [ui] setup_view = ta_nix_configuration is_visible = true -label = Splunk Add-on for Unix and Linux +label = Technical Add-on for Unix and Linux docs_section_override = AddOns:released [launcher] -author = Splunk, Inc. -version = 9.2.0 -description = Splunk Add-on for Unix and Linux +author = Michael Erdely +version = 9.2.0.1 +description = Technical Add-on for Unix and Linux [package] -id = Splunk_TA_nix +id = TA-unix check_for_updates = true [id] -name = Splunk_TA_nix -version = 9.2.0 +name = TA-unix +version = 9.2.0.1 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md new file mode 100644 index 0000000..a28658b --- /dev/null +++ b/docs/ReleaseNotes.md @@ -0,0 +1,18 @@ +# Technical Add-on for Unix and Linux + +## Version 9.2.0.1 + +Initial fork of the Splunk Add-on for Unix and Linux + +Changes: + +* Use ip command to determine IP address + ('hostname -I' does not work on all Linux systems) +* Filter out multiple listing of the same btrfs volume +* Use mktemp for temp files (for times when the TA may be run outside of Splunk) +* If running rlog.sh outside of Splunk, use $HOME to store seek file +* Debian also uses apt +* Arch Linux uses pacman +* Add use of sudo -n for 'apt update' and 'pacman -Syy' +* vmstat uses "K paged out" +* Replace the use of 'sar' with netstat and vm_stat for MacOS diff --git a/splunkbase.manifest b/splunkbase.manifest index 934b98e..7099cc4 100644 --- a/splunkbase.manifest +++ b/splunkbase.manifest @@ -1,10 +1,11 @@ { "version": "1.0", "date": "2024-10-18T12:52:23.073000921Z", + "date": "2025-01-08T18:38:19.132050611Z", "hashAlgorithm": "SHA-256", "app": { "id": 833, - "version": "9.2.0", + "version": "9.2.0.1", "files": [ { "path": "LICENSES/Apache-2.0.txt", 
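Review bot: The `[package]` and `[id]` names here become `TA-unix`, but app.manifest in the same commit sets `id.name` to `TA-nix` and points releaseNotes at a `TA-nix` repository path, while the static assets load `../app/TA-unix/...`; Splunk resolves these against the app directory name, so one of them is wrong on every install. Pick one identifier and use it in app.conf, app.manifest and the asset paths. Also, `check_for_updates = true` under a new `[package] id` makes splunkd poll Splunkbase for an app id that is not published there; set it to `false` unless the fork is listed.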
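Review bot: The hunk adds a second `"date"` member instead of replacing the 2024 one, leaving the manifest with a duplicate key; RFC 8259 makes the outcome parser-dependent (most keep the last value, strict parsers reject the document), and the rest of the file is strict JSON. Drop the old line so only `"date": "2025-01-08T18:38:19.132050611Z"` remains. Since the per-file hashes are a release-integrity record, regenerating this file with the packaging tool is safer than hand-editing it.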
@@ -28,11 +29,11 @@ }, { "path": "VERSION", - "hash": "4b083d27782e80fd5bce34252adc7de9e9ab611475e170cb507e49586483025e" + "hash": "fd47b230df0f247b21e965b9529efd00447fdbf1cb1740848b529f79a9feacac" }, { "path": "app.manifest", - "hash": "24b4bb6f47bc1472038f5c983ec91705052162da89555f52a78c9f3c830cfd82" + "hash": "251b481753129caea80da188d33f2b99bbd178560e136ee2936b4e9499e1416e" }, { "path": "appserver/static/appIcon.png", @@ -76,19 +77,19 @@ }, { "path": "bin/cpu_metric.sh", - "hash": "2d175a98ded5f141b20fd3b3847217447b5489b4d989512d8b8679a4f2777a0b" + "hash": "c5e937d91afab8ec06376a0db3c79f37e0da6377ea2b34cfde67793d89fd14d5" }, { "path": "bin/df.sh", - "hash": "27b0ad779340e6bd8a26e296ce9b0b9cd2721eaadcf4669e5579560a676c9db7" + "hash": "15c4e33987209afe1cb807af7aecfbd522107746d318827d161d1ee233d00acf" }, { "path": "bin/df_metric.sh", - "hash": "4457b92d8d8ee24441eb38df2134113f5a821111b7c3573b48313adcee39d3e8" + "hash": "286830c6b30cc9a3e5240e3b63db0edd2c68c9e797d452483dea09b4ad6f48e9" }, { "path": "bin/hardware.sh", - "hash": "20e341826d21047e9cc3b7cd632422f6b9a0364282333616c1f912b4dddb7093" + "hash": "7722f446226609784d219cb525eee3ed65d622ce05122301f65625c6fd2e4434" }, { "path": "bin/interfaces.sh", @@ -96,7 +97,7 @@ }, { "path": "bin/interfaces_metric.sh", - "hash": "9458deb6ba4c56a22264df75d42945e170f6f1a729d93220617c85810733ef19" + "hash": "374e24c7e87669fbd25ded5e56c05fd057c0c272e03e0df6cabcd5db31267db9" }, { "path": "bin/iostat.sh", @@ -104,7 +105,7 @@ }, { "path": "bin/iostat_metric.sh", - "hash": "4af68e89e6a93fa34ccd724ff78a509b7868bc06e60a4f16a6aa24d300d8efc8" + "hash": "59b775cc60e92950605b621989ee17aa947adc07d407c78b657ecedf90452f77" }, { "path": "bin/lastlog.sh", 
@@ -148,15 +149,15 @@ }, { "path": "bin/ps_metric.sh", - "hash": "0c3dc356f47728b9b99be79fffe40256eded1644f599b1bbe8b1a9e8db05b10d" + "hash": "ff65aec6a98560667d08e1b75f4661d99b5255be239756f89cc72a58d1e44fe2" }, { "path": "bin/rlog.sh", - "hash": "271fcaf091527670df3e794c29d7bf57d1371909c72c25d56c79dd136b029513" + "hash": "96d0cc8f2c0beec46bca37d7ddf73c122f76525b7363d9a2fec92125abab83a2" }, { "path": "bin/selinuxChecker.sh", - "hash": "07135df789924f8d4f5ae8228ccbfe0a5e47756de202fcf00a019a12712d8312" + "hash": "409ad1927603069c7b08e09e60f2edf1c7e50f02eb6a64c7a514693131dc82e6" }, { "path": "bin/service.sh", @@ -184,7 +185,7 @@ }, { "path": "bin/update.sh", - "hash": "048f6e678f873d2b856ec851c52389d9f8d5ccde0fee0ead0dcf5348cc3cb587" + "hash": "2cce5510b8cf94e3c32681c934985a01164e2b63b64d458de9a7dc0ff81bc679" }, { "path": "bin/uptime.sh", @@ -200,11 +201,11 @@ }, { "path": "bin/vmstat.sh", - "hash": "b816aa5e67ad18b995eb577e16ca7c91ae3ecdeeb019d0b79321ade83a90daef" + "hash": "9ce5a407629d5d47c2c3f8b1d046f712d24a232950c54d450ddbc21bd34aea84" }, { "path": "bin/vmstat_metric.sh", - "hash": "47df351e2afd7abedb49f8d38f5350ce6276fdb512005ba56e7ff9692f581515" + "hash": "85c516f1d73b9cb45e3b16819fada786753fa417f2fbded1955ccace62de41f8" }, { "path": "bin/vsftpdChecker.sh", @@ -216,7 +217,7 @@ }, { "path": "default/app.conf", - "hash": "451c717df6073aabd78b5ba4abb33ac71b6d61df8d46a243913b01ed9ac77040" + "hash": "e5c48e804d836b03361fea96c1e78f265116f5117a739f4dad9bc1916ad873f8" }, { "path": "default/data/ui/nav/default.xml", @@ -320,7 +321,8 @@ "9.0", "9.1", "9.2", - "9.3" + "9.3", + "9.4" ], "architectures": [ "x86_64" @@ -356,4 +358,4 @@ ] } ] -} \ No newline at end of file +} From 7b0b7035100a8aa1c197a8fe8301d83e2f1fb2b6 Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Thu, 9 Jan 2025 17:55:11 -0500 Subject: [PATCH 02/19] Fix other Splunk Add-on references Replace all references to Splunk Add-on with Technical Add-on Replace URLs Remove splunkbase stuff Add copyright --- README.txt | 8 ++++++-- .../js_sdk_extensions/scripted_inputs.js | 2 +- appserver/static/setup.js | 16 ++++++++-------- bin/bandwidth.sh | 1 + bin/cpu_metric.sh | 1 + bin/df.sh | 1 + bin/df_metric.sh | 1 + bin/hardware.sh | 1 + bin/interfaces_metric.sh | 1 + bin/iostat_metric.sh | 1 + bin/ps_metric.sh | 1 + bin/rlog.sh | 1 + bin/selinuxChecker.sh | 1 + bin/setup.sh | 13 +++++++------ bin/setupservice.py | 7 ++++--- bin/update.sh | 1 + bin/vmstat.sh | 1 + bin/vmstat_metric.sh | 1 + default/app.conf | 6 +++--- .../ui/views/ta_nix_configuration.env_cloud.xml | 5 +++-- default/data/ui/views/ta_nix_configuration.xml | 10 +++++----- default/props.conf | 2 +- default/tags.conf | 2 +- default/transforms.conf | 2 +- 24 files changed, 53 insertions(+), 33 deletions(-) diff --git a/README.txt b/README.txt index f5f01df..ec5d99b 100644 --- a/README.txt +++ b/README.txt @@ -1,4 +1,8 @@ -Splunk Add-on for Unix and Linux +Technical Add-on for Unix and Linux +Copyright (C) 2025 Michael Erdely All Rights Reserved. Copyright (C) 2024 Splunk Inc. All Rights Reserved. -For documentation, see: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/ +For documentation, see: https://git.erdelynet.com/mike/TA-unix/src/branch/main/docs/ReleaseNotes.md + +For documentation on Splunk's Add-on for Unix and Linux (which applies to this TA too), see: +https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/ diff --git a/appserver/static/components/js_sdk_extensions/scripted_inputs.js b/appserver/static/components/js_sdk_extensions/scripted_inputs.js index 47337ce..9ce94b8 100644 --- a/appserver/static/components/js_sdk_extensions/scripted_inputs.js +++ b/appserver/static/components/js_sdk_extensions/scripted_inputs.js 
@@ -25,7 +25,7 @@ define([ root.ScriptedInput = root.Entity.extend({ path: function () { // Approximate path - accepts reads only - // ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FSplunk_TA_nix%2Fbin%2Fcpu.sh + // ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FTA-unix%2Fbin%2Fcpu.sh return Paths.monitorInputs + '/' + encodeURIComponent(this.name) }, diff --git a/appserver/static/setup.js b/appserver/static/setup.js index cfca2cf..88547d4 100644 --- a/appserver/static/setup.js +++ b/appserver/static/setup.js @@ -9,8 +9,8 @@ require([ 'splunkjs/mvc/simplexml/ready!', 'underscore', 'jquery', - '../app/Splunk_TA_nix/components/js_sdk_extensions/scripted_inputs', - '../app/Splunk_TA_nix/components/js_sdk_extensions/monitor_inputs' + '../app/TA-unix/components/js_sdk_extensions/scripted_inputs', + '../app/TA-unix/components/js_sdk_extensions/monitor_inputs' ], function (mvc, ignored, _, $, sdkx_scripted_inputs, sdkx_monitor_inputs) { var ScriptedInputs = sdkx_scripted_inputs.ScriptedInputs var MonitorInputs = sdkx_monitor_inputs.MonitorInputs @@ -66,11 +66,11 @@ require([ var monitorInputs = {} new MonitorInputs(service, { owner: '-', - app: 'Splunk_TA_nix', + app: 'TA-unix', sharing: 'app' }).fetch(function (err, inputs) { var inputsList = _.filter(inputs.list(), function (input) { - return input.namespace.app === 'Splunk_TA_nix' + return input.namespace.app === 'TA-unix' }) _.each(inputsList, function (input) { @@ -93,7 +93,7 @@ require([ var scriptedMetricInputs = {} new ScriptedInputs(service, { owner: '-', - app: 'Splunk_TA_nix', + app: 'TA-unix', sharing: 'app' }).fetch(function (err, inputs) { var inputsList = _.filter(inputs.list(), function (input) { @@ -101,7 +101,7 @@ require([ .substring(input.name.lastIndexOf('/') + 1) .split('_') return ( - input.namespace.app === 'Splunk_TA_nix' && + input.namespace.app === 'TA-unix' && input_name[input_name.length - 1] === 'metric.sh' ) }) 
@@ -129,7 +129,7 @@ require([ var scriptedEventInputs = {} new ScriptedInputs(service, { owner: '-', - app: 'Splunk_TA_nix', + app: 'TA-unix', sharing: 'app' }).fetch(function (err, inputs) { var inputsList = _.filter(inputs.list(), function (input) { @@ -137,7 +137,7 @@ require([ .substring(input.name.lastIndexOf('/') + 1) .split('_') return ( - input.namespace.app === 'Splunk_TA_nix' && + input.namespace.app === 'TA-unix' && input_name[input_name.length - 1] !== 'metric.sh' ) }) diff --git a/bin/bandwidth.sh b/bin/bandwidth.sh index da3ee0f..10bb027 100755 --- a/bin/bandwidth.sh +++ b/bin/bandwidth.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/cpu_metric.sh b/bin/cpu_metric.sh index 3f12dd6..b1f30f6 100755 --- a/bin/cpu_metric.sh +++ b/bin/cpu_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/df.sh b/bin/df.sh index 4689cd4..be0a901 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/df_metric.sh b/bin/df_metric.sh index 12d79a1..4888ea0 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/hardware.sh b/bin/hardware.sh index 31eefec..81c68e9 100755 --- a/bin/hardware.sh +++ b/bin/hardware.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 
diff --git a/bin/interfaces_metric.sh b/bin/interfaces_metric.sh index d6a75ef..2ab3ff6 100755 --- a/bin/interfaces_metric.sh +++ b/bin/interfaces_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/iostat_metric.sh b/bin/iostat_metric.sh index da1550e..80d101b 100755 --- a/bin/iostat_metric.sh +++ b/bin/iostat_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/ps_metric.sh b/bin/ps_metric.sh index 30f0878..81d601a 100755 --- a/bin/ps_metric.sh +++ b/bin/ps_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/rlog.sh b/bin/rlog.sh index 72ae084..a791ca6 100755 --- a/bin/rlog.sh +++ b/bin/rlog.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 # diff --git a/bin/selinuxChecker.sh b/bin/selinuxChecker.sh index e819196..6599aab 100755 --- a/bin/selinuxChecker.sh +++ b/bin/selinuxChecker.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/setup.sh b/bin/setup.sh index 3b1ef92..9a39542 100755 --- a/bin/setup.sh +++ b/bin/setup.sh @@ -1,4 +1,5 @@ #!/usr/bin/env bash +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 
@@ -237,7 +238,7 @@ function show_inputs script_list=$(get_script_list) for line in $script_list; do case "$line" in - *unix* | *Splunk_TA_nix* ) get_scripted_input_status "$line"; input_counter=`expr $input_counter + 1`; + *unix* | *TA-unix* ) get_scripted_input_status "$line"; input_counter=`expr $input_counter + 1`; esac done echo "" @@ -267,7 +268,7 @@ function enable_all_inputs fi if [ "$res" == "success" ] && [[ ( $line != *"_metric"* || $flag == 1 ) ]]; then case "$line" in - *unix* | *Splunk_TA_nix* ) echo "enabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); enable_scripted_input $input_endpoint;; + *unix* | *TA-unix* ) echo "enabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); enable_scripted_input $input_endpoint;; esac fi done @@ -289,7 +290,7 @@ function disable_all_inputs script_list=$(get_script_list) for line in $script_list; do case "$line" in - *unix* | *Splunk_TA_nix* ) echo "disabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); disable_scripted_input $input_endpoint;; + *unix* | *TA-unix* ) echo "disabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); disable_scripted_input $input_endpoint;; esac done for line in $MONITOR_INPUTS; do @@ -388,7 +389,7 @@ function clone_all_inputs script_list=$(get_script_list) for line in $script_list; do case "$line" in - *unix* | *Splunk_TA_nix* ) echo ""; echo " cloning $line to $server_name"; echo ""; scripted_clone "$line" + *unix* | *TA-unix* ) echo ""; echo " cloning $line to $server_name"; echo ""; scripted_clone "$line" esac done for line in $MONITOR_INPUTS; do 
@@ -642,7 +643,7 @@ function select_input_menu script_list=$(get_script_list) for line in $script_list; do case "$line" in - *unix* | *Splunk_TA_nix* ) echo " $input_counter - $line"; selection_list[$input_counter]=$line; input_counter=`expr $input_counter + 1`; + *unix* | *TA-unix* ) echo " $input_counter - $line"; selection_list[$input_counter]=$line; input_counter=`expr $input_counter + 1`; esac done for line in $MONITOR_INPUTS; do @@ -882,7 +883,7 @@ function set_unix_app_info for line in $app_output; do case "$line" in *unix* ) set_app_installed "unix";; - *Splunk_TA_nix* ) set_app_installed "Splunk_TA_nix";; + *TA-unix* ) set_app_installed "TA-unix";; *ENABLED*) set_app_enabled;; #*DISABLED*) set_app_disabled;; esac diff --git a/bin/setupservice.py b/bin/setupservice.py index 5bba8ed..65e98ca 100644 --- a/bin/setupservice.py +++ b/bin/setupservice.py @@ -1,3 +1,4 @@ +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 @@ -20,19 +21,19 @@ class SetupService(splunk.rest.BaseRestHandler): sessionKey = self.sessionKey try: conf = bundle.getConf( - "app", sessionKey, namespace="Splunk_TA_nix", owner="nobody" + "app", sessionKey, namespace="TA-unix", owner="nobody" ) stanza = conf.stanzas["install"].findKeys("is_configured") if stanza: if stanza["is_configured"] == "0" or stanza["is_configured"] == "false": conf["install"]["is_configured"] = "true" splunk.rest.simpleRequest( - "/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey + "/apps/local/TA-unix/_reload", sessionKey=sessionKey ) else: conf["install"]["is_configured"] = "true" splunk.rest.simpleRequest( - "/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey + "/apps/local/TA-unix/_reload", sessionKey=sessionKey ) except Exception as e: self.response.write(e) diff --git a/bin/update.sh b/bin/update.sh index 85f0732..81d09cf 100755 --- a/bin/update.sh +++ b/bin/update.sh 
@@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/vmstat.sh b/bin/vmstat.sh index 178c09f..a14b9da 100755 --- a/bin/vmstat.sh +++ b/bin/vmstat.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/bin/vmstat_metric.sh b/bin/vmstat_metric.sh index e0c56e2..2a5d159 100755 --- a/bin/vmstat_metric.sh +++ b/bin/vmstat_metric.sh @@ -1,4 +1,5 @@ #!/bin/sh +# Copyright (C) 2025 Michael Erdely All Rights Reserved. # SPDX-FileCopyrightText: 2024 Splunk, Inc. # SPDX-License-Identifier: Apache-2.0 diff --git a/default/app.conf b/default/app.conf index 444c420..5d81fbe 100644 --- a/default/app.conf +++ b/default/app.conf @@ -20,9 +20,9 @@ author = Michael Erdely version = 9.2.0.1 description = Technical Add-on for Unix and Linux -[package] -id = TA-unix -check_for_updates = true +#[package] +#id = TA-unix +#check_for_updates = true [id] name = TA-unix diff --git a/default/data/ui/views/ta_nix_configuration.env_cloud.xml b/default/data/ui/views/ta_nix_configuration.env_cloud.xml index 4968e7e..03f46f5 100644 --- a/default/data/ui/views/ta_nix_configuration.env_cloud.xml +++ b/default/data/ui/views/ta_nix_configuration.env_cloud.xml @@ -4,11 +4,12 @@ --> - + -

Please set up this add-on on your forwarders. Documentation on how to configure this add-on is +

Please set up this add-on on your forwarders. Documentation on how to configure this add-on, + which is the same as the Splunk Add-on for Unix and Linux, is here.
Click on below button, if you are getting redirected to this page while editing the add-on's knowledge object. diff --git a/default/data/ui/views/ta_nix_configuration.xml b/default/data/ui/views/ta_nix_configuration.xml index 9164c27..8b44507 100644 --- a/default/data/ui/views/ta_nix_configuration.xml +++ b/default/data/ui/views/ta_nix_configuration.xml @@ -10,15 +10,15 @@ || It has no effect on Splunk Enterprise. --> - +

- The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate + The Technical Add-on for Unix and Linux provides pre-built data inputs to facilitate Linux and Unix system monitoring using Splunk. Check out the - - Splunk for Unix Technical Add-on - page on Splunkbase + + Technical Add-on for Unix and Linux + page for support information, the latest updates, and more.

diff --git a/default/props.conf b/default/props.conf index 66efd54..ea03dea 100644 --- a/default/props.conf +++ b/default/props.conf @@ -549,7 +549,7 @@ FIELDALIAS-dest = host as dest # Stanzas in this section are legacy configuration stanzas # intended to support parsing of data created by scripts in # TA-deploymentapps, which has since been retired. Systems that use -# Splunk_TA_nix on the search head but which may be searching data +# TA-unix on the search head but which may be searching data # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. diff --git a/default/tags.conf b/default/tags.conf index 3c14e47..3e38c29 100644 --- a/default/tags.conf +++ b/default/tags.conf @@ -652,7 +652,7 @@ os = enabled # Stanzas in this section are legacy configuration stanzas # intended to support parsing of data created by scripts in # TA-deploymentapps, which has since been retired. Systems that use -# Splunk_TA_nix on the search head but which may be searching data +# TA-unix on the search head but which may be searching data # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. diff --git a/default/transforms.conf b/default/transforms.conf index e0183dc..6d8ba2a 100644 --- a/default/transforms.conf +++ b/default/transforms.conf @@ -459,7 +459,7 @@ FORMAT = signature::$1 # Stanzas in this section are legacy configuration stanzas # intended to support parsing of data created by scripts in # TA-deploymentapps, which has since been retired. Systems that use -# Splunk_TA_nix on the search head but which may be searching data +# TA-unix on the search head but which may be searching data # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. From c2893d577b8903d9cffeaaa7bb6f02803c5ea199 Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Sat, 11 Jan 2025 14:02:23 -0500 Subject: [PATCH 03/19] Improvements for version.sh --- VERSION | 4 +- app.manifest | 2 +- bin/version.sh | 37 ++++- default/app.conf | 4 +- docs/ReleaseNotes.md | 10 ++ splunkbase.manifest | 361 ------------------------------------------- 6 files changed, 47 insertions(+), 371 deletions(-) delete mode 100644 splunkbase.manifest diff --git a/VERSION b/VERSION index 1d43a4b..9f50d06 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.1 -9.2.0.1 +9.2.0.2 +9.2.0.2 diff --git a/app.manifest b/app.manifest index 184ab32..da16fa8 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.1" + "version": "9.2.0.2" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/version.sh b/bin/version.sh index ed494ef..7edd86f 100755 --- a/bin/version.sh +++ b/bin/version.sh 
@@ -5,10 +5,31 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -PRINTF='END {printf "%s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER}' +PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, KERN_REL, OS_NAME, KERN_VER, OS_REL, OS_VER, DISTRO}' -if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then +if [ "$KERNEL" = "Linux" ] ; then + assertHaveCommand date + assertHaveCommand uname + [ -f /etc/os-release ] && . /etc/os-release + machine_arch=$(uname -p) + os_release=$(uname -r) + os_version=$(uname -v) + [ -n "$NAME" ] && distro_name=$NAME + [ -n "$VERSION_ID" ] && os_release=$VERSION_ID + [ -n "$VERSION_ID" ] && os_version=$VERSION_ID + [ -r /etc/debian_version ] && grep -Eq "^[0-9.]+$" /etc/debian_version && os_release=$(cat /etc/debian_version) + [ "$BUILD_ID" = "rolling" ] && os_release=rolling + [ "$BUILD_ID" = "rolling" ] && os_version=rolling + + CMD="eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version; echo $distro_name" +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand date + assertHaveCommand uname + assertHaveCommand sw_vers + os_release=$(sw_vers --productVersion) + CMD="eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" +elif [ "$KERNEL" = "SunOS" ] [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand date assertHaveCommand uname CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p' 
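Review bot: The third branch, `elif [ "$KERNEL" = "SunOS" ] [ "$KERNEL" = "FreeBSD" ] ; then`, is missing the `||` between the two tests, so `[` is handed a stray `]` plus extra arguments and exits non-zero on every platform; SunOS and FreeBSD hosts therefore never take this branch and fall through to whichever branch follows, outside the hunk. It should read `elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] ; then`. Separately, `[ -f /etc/os-release ] && . /etc/os-release` executes the file as shell rather than reading it as key=value data and imports every variable it defines (NAME, VERSION, ID, BUILD_ID, ...) into the script's namespace, where they can shadow variables set by common.sh; a comment such as `# sourcing os-release runs it as shell and imports all of its variables; only NAME, VERSION_ID and BUILD_ID are used below` would record the assumption, and extracting just those three keys instead of sourcing would remove both concerns. The if/elif chain continues past the end of the hunk.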
@@ -30,15 +51,21 @@ PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}' +PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' # shellcheck disable=SC2016 PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}' +PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' # shellcheck disable=SC2016 PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_6='NR==7 {OS_REL="os_release=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_7='NR==8 {OS_VER="os_version=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_8='NR==9 {DISTRO="distro_name=\"" $0 "\""}' -MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5" +MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" $CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF" echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST" diff --git a/default/app.conf b/default/app.conf index 5d81fbe..ed1bf0e 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.1 +version = 9.2.0.2 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.1 +version = 9.2.0.2 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index a28658b..9bb7cde 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md 
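Review bot: The PARSE_0..PARSE_8 rules key on absolute line numbers (NR==1..9) of whatever CMD prints, and the three CMD variants defined in the previous hunk emit 9, 8 and 6 lines respectively, so which value ends up in os_release/os_version rests on a contract stated nowhere: PARSE_2 and PARSE_4 seed OS_REL/OS_VER from the kernel values on lines 3 and 5, and PARSE_6/PARSE_7 overwrite them only when lines 7 and 8 exist. A comment above PARSE_0 such as `# CMD prints one value per line: 1 date, 2 uname -m, 3 uname -r, 4 uname -s, 5 uname -v, 6 machine arch, 7 os_release, 8 os_version, 9 distro_name; 7-9 are optional and 3/5 remain as os_* when absent` would make that explicit. The values on lines 7-9 are emitted verbatim inside `key="..."`, so a NAME or VERSION_ID containing a double quote would break the field in the event; if that is an accepted limitation, say so in the same comment.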
@@ -1,5 +1,15 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.2 + +Improvements for version.sh + +Changes: + +* Include kernel_release, kernel_version, and distro_name +* For Linux and MacOS, use actual OS versions/releases instead of + kernel version/release + ## Version 9.2.0.1 Initial fork of the Splunk Add-on for Unix and Linux diff --git a/splunkbase.manifest b/splunkbase.manifest deleted file mode 100644 index 7099cc4..0000000 --- a/splunkbase.manifest +++ /dev/null 
@@ -1,361 +0,0 @@ -{ - "version": "1.0", - "date": "2024-10-18T12:52:23.073000921Z", - "date": "2025-01-08T18:38:19.132050611Z", - "hashAlgorithm": "SHA-256", - "app": { - "id": 833, - "version": "9.2.0.1", - "files": [ - { - "path": "LICENSES/Apache-2.0.txt", - "hash": "d3910dee6fe9fe134856d76268fe82adb1ade1ecf51b3568b7da6b94894b88f3" - }, - { - "path": "LICENSES/LicenseRef-Splunk-8-2021.txt", - "hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47" - }, - { - "path": "README/restmap.conf.spec", - "hash": "5cc8f9508cd792137e1a2129763dd78e9275a0c2f8d3cf7fc25b72848a07d869" - }, - { - "path": "README.txt", - "hash": "106e6203d3ff66f04cac953385cb517cff459b572f8d52adf71a8a59c5851776" - }, - { - "path": "THIRDPARTY", - "hash": "6340a3cf0959b37d83e10ce4e12bc4ab53d2ae2729ee506451b8d554418d1ab3" - }, - { - "path": "VERSION", - "hash": "fd47b230df0f247b21e965b9529efd00447fdbf1cb1740848b529f79a9feacac" - }, - { - "path": "app.manifest", - "hash": "251b481753129caea80da188d33f2b99bbd178560e136ee2936b4e9499e1416e" - }, - { - "path": "appserver/static/appIcon.png", - "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" - }, - { - "path": "appserver/static/components/js_sdk_extensions/common.js", - "hash": "295fe307ec286b9b4eb89c4b59dbd6204376e63b7346c26fd1b087446db372c2" - }, - { - "path": "appserver/static/components/js_sdk_extensions/monitor_inputs.js", - "hash": "27af704acaeb3b98c78ad5322a6171e1b748b5650be809f5d92a4e5618529123" - }, - { - "path": "appserver/static/components/js_sdk_extensions/scripted_inputs.js", - "hash": "6fe5d6f31a60a86d9988170e1641f13eb315351f890c2247c6de83b3aa372e26" - }, - { - "path": "appserver/static/setup.css", - "hash": "f27882e6a07bbd87f99f95d77211439e71959efae6d52ce4771ce26d06e0bcc9" - }, - { - "path": "appserver/static/setup.js", - "hash": "a3d4e2567779b605a97daa3ced2fc49a8e487a5ec4ee95080392824eb74e7e11" - }, - { - "path": "appserver/static/setup_cloud.js", - "hash": 
"00875c907fd0dc80fa5d05130c28410a8abd99a0ff43da86c6af87e01d8a21da" - }, - { - "path": "bin/bandwidth.sh", - "hash": "14682eacdc5ab8849ce3e786c05d0140ea166b6f28403106e433048c09533146" - }, - { - "path": "bin/common.sh", - "hash": "6569707362169122ec6a41c9345ed00e09e0913e3855ccb68a21ade3c1c9012d" - }, - { - "path": "bin/cpu.sh", - "hash": "e34d912324ceb3f6add524722adc9057b4177015fad844a5e37634ef40cbb9c7" - }, - { - "path": "bin/cpu_metric.sh", - "hash": "c5e937d91afab8ec06376a0db3c79f37e0da6377ea2b34cfde67793d89fd14d5" - }, - { - "path": "bin/df.sh", - "hash": "15c4e33987209afe1cb807af7aecfbd522107746d318827d161d1ee233d00acf" - }, - { - "path": "bin/df_metric.sh", - "hash": "286830c6b30cc9a3e5240e3b63db0edd2c68c9e797d452483dea09b4ad6f48e9" - }, - { - "path": "bin/hardware.sh", - "hash": "7722f446226609784d219cb525eee3ed65d622ce05122301f65625c6fd2e4434" - }, - { - "path": "bin/interfaces.sh", - "hash": "ebdd6823f6db05bc76ebdbfb61d1fda63959fd334cf59d2e038ea7bae64355b7" - }, - { - "path": "bin/interfaces_metric.sh", - "hash": "374e24c7e87669fbd25ded5e56c05fd057c0c272e03e0df6cabcd5db31267db9" - }, - { - "path": "bin/iostat.sh", - "hash": "505a4694c4879fd8ed155394be51431c9839fc9f980077abb0416f844f09d722" - }, - { - "path": "bin/iostat_metric.sh", - "hash": "59b775cc60e92950605b621989ee17aa947adc07d407c78b657ecedf90452f77" - }, - { - "path": "bin/lastlog.sh", - "hash": "8d8c0744767d9426cb98122d33eb6acd5447db4a03cfccfd5fdc014f1e15ea3e" - }, - { - "path": "bin/lsof.sh", - "hash": "a98a9c64496a081c395e00b692f5eca25ae186cc050c0f31d5425a561fdc63a1" - }, - { - "path": "bin/netstat.sh", - "hash": "a5ef9833cf21c6572431f32991d153a625510a4b0553fe6f56d07bb4f4914b2e" - }, - { - "path": "bin/nfsiostat.sh", - "hash": "eccc2bf3701840173206ecf7603c20861b4ce106b6be795df2fa312744958107" - }, - { - "path": "bin/openPorts.sh", - "hash": "9f7cb2a7f9e8b43ceb7e22930ea125855e64527caa13d76b5c219ec473b899c5" - }, - { - "path": "bin/openPortsEnhanced.sh", - "hash": 
"d7e19798aec7fb3244b6fe36fce28ca3fc8951a0e38d0516f5ef8c1b06197246" - }, - { - "path": "bin/package.sh", - "hash": "d9da2664cc2b913285d595e7c74dab9e5a6f1703d44e8f517e9b62a5ba70496a" - }, - { - "path": "bin/passwd.sh", - "hash": "4ab37e3c9d07842777ed42f8b22adfe8fe05a9ab0758e833fdc885a26237bafe" - }, - { - "path": "bin/protocol.sh", - "hash": "61e372f670cb74131890a2c0ff381891c83337687b6809f31bf920a99f5bd432" - }, - { - "path": "bin/ps.sh", - "hash": "3a6ebc99c1b5207d54c885338cf06b22f343c1f64a6048d03fd0bf48b82d41b5" - }, - { - "path": "bin/ps_metric.sh", - "hash": "ff65aec6a98560667d08e1b75f4661d99b5255be239756f89cc72a58d1e44fe2" - }, - { - "path": "bin/rlog.sh", - "hash": "96d0cc8f2c0beec46bca37d7ddf73c122f76525b7363d9a2fec92125abab83a2" - }, - { - "path": "bin/selinuxChecker.sh", - "hash": "409ad1927603069c7b08e09e60f2edf1c7e50f02eb6a64c7a514693131dc82e6" - }, - { - "path": "bin/service.sh", - "hash": "d579051391bd1af365bdda6016e3529009e0e7b62e1846fdcdb755b36f0d7c49" - }, - { - "path": "bin/setup.sh", - "hash": "b0263d112fa183411bfe141840d697217025856d44fa67be6d14b240728b7062" - }, - { - "path": "bin/setupservice.py", - "hash": "c69d1b0b4a10ec966c2e752b7ec1c3f4be5ca3721626bbab62ddfe1509d15137" - }, - { - "path": "bin/sshdChecker.sh", - "hash": "ba9ada21b413a1f7ea5ab7850314e96b03c8a3369267af24d9cf2d8f76edb6dc" - }, - { - "path": "bin/time.sh", - "hash": "5ad0ed71a9c4637046da43656aea4a614e331217fb707e9df7443aaa6036eeba" - }, - { - "path": "bin/top.sh", - "hash": "f380506de00a3bb51d9351108057e498cd8211e3ade7c16fa65121d3ff66ba1d" - }, - { - "path": "bin/update.sh", - "hash": "2cce5510b8cf94e3c32681c934985a01164e2b63b64d458de9a7dc0ff81bc679" - }, - { - "path": "bin/uptime.sh", - "hash": "2770952e0c29a92e37d2d23a8a93223812e2facd4597c50e3e832439fdbdf600" - }, - { - "path": "bin/usersWithLoginPrivs.sh", - "hash": "0006baa9bc57e6b5711e557b6532b8c48b29d42bca6364d664042d2aa6f2cf12" - }, - { - "path": "bin/version.sh", - "hash": 
"4d484fc3e1853d0e07d47ba9c4401266a1fbe0712a554e9eeaeb835b96d8a59f" - }, - { - "path": "bin/vmstat.sh", - "hash": "9ce5a407629d5d47c2c3f8b1d046f712d24a232950c54d450ddbc21bd34aea84" - }, - { - "path": "bin/vmstat_metric.sh", - "hash": "85c516f1d73b9cb45e3b16819fada786753fa417f2fbded1955ccace62de41f8" - }, - { - "path": "bin/vsftpdChecker.sh", - "hash": "0009c03f72289e5b7b692cb74951382d1a6d4c3698ef5b08b74e468f3dfe199f" - }, - { - "path": "bin/who.sh", - "hash": "47318dee6246abfd577984383ac134225a84e0dcf0753413f88b7f2be5a8087d" - }, - { - "path": "default/app.conf", - "hash": "e5c48e804d836b03361fea96c1e78f265116f5117a739f4dad9bc1916ad873f8" - }, - { - "path": "default/data/ui/nav/default.xml", - "hash": "36078398f91fa377c21f2369271797cc0016b8ba1a6f271e327cce2809f2711d" - }, - { - "path": "default/data/ui/views/ta_nix_configuration.env_cloud.xml", - "hash": "7176b693e2eeb2757d6a5a9651e793141a52b5b36f4b229c31f4ab3e970e8510" - }, - { - "path": "default/data/ui/views/ta_nix_configuration.xml", - "hash": "2d30308510e08aea0a190984fda45b708ab373768796494202a4813c37ef74d2" - }, - { - "path": "default/eventtypes.conf", - "hash": "c52b63bf8b429e406a1488c59c1945531123bed647b08460d85ca3a6a4f8f81e" - }, - { - "path": "default/inputs.conf", - "hash": "0eff320f7aba6d35e27e8a0ae0837ad6c4340f9e84a9cdfb71e8162a97ecc782" - }, - { - "path": "default/macros.conf", - "hash": "0daf589bcfbd430f45b55ed3f3d0784f8ad6e79d75300fac9c2604a79fc7f4dc" - }, - { - "path": "default/props.conf", - "hash": "8742759e63baf3dc737adecec95fb7370741cb5f2268064593cb2e5a1ba8b260" - }, - { - "path": "default/restmap.conf", - "hash": "2774f5332efc8bfeebb88a1d771b8d65cca9197666d0c5e9a4a371b8ed468d73" - }, - { - "path": "default/tags.conf", - "hash": "ad29e489018a892f8d50731e32efa48a01dcdb438096d443f7b6e068cfd1ca15" - }, - { - "path": "default/transforms.conf", - "hash": "d13792dde1aa85d9e864782787948d6f10b888e4a689d6668de3cc604e2ad1ab" - }, - { - "path": "default/web.conf", - "hash": 
"75f12a6541d22c27d526ab544973398ae4b6d5aa1e57e8e4b22e845e564a2e56" - }, - { - "path": "lookups/nix_da_update_status.csv", - "hash": "a9a794b39377946e0dcb5f70c9c8ba6114fec1728512c9f39cfb0f3eca46159c" - }, - { - "path": "lookups/nix_da_version_ranges.csv", - "hash": "992529c548d8273e073a988d089fbd5c7fa5c1ef47d51243e9da9dfb77eba6d2" - }, - { - "path": "lookups/nix_linux_audit_action_object_category.csv", - "hash": "5838950fd3cade537dea91d1dcdcbd10532457fa7de07d397bfc699e56a19867" - }, - { - "path": "lookups/nix_linux_service_startmodes.csv", - "hash": "dd669b358909f4d9be9d0aef9f4720e78a290e422a90ec3e3cdabe39ed9b8be2" - }, - { - "path": "lookups/nix_vendor_actions.csv", - "hash": "f287b03905a705fed92dd4a1d1cf060c16b9521aba80b06494af8d5e8530fa97" - }, - { - "path": "metadata/default.meta", - "hash": "6fa3057938996152cdfeddb46b20a1c079966ba87a56cf7c13c9d35f3caaf2e7" - }, - { - "path": "static/appIcon.png", - "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" - }, - { - "path": "static/appIconAlt.png", - "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" - }, - { - "path": "static/appIconAlt_2x.png", - "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" - }, - { - "path": "static/appIconLg.png", - "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" - }, - { - "path": "static/appIconLg_2x.png", - "hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34" - }, - { - "path": "static/appIcon_2x.png", - "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" - } - ] - }, - "products": [ - { - "platform": "splunk", - "product": "enterprise", - "versions": [ - "9.0", - "9.1", - "9.2", - "9.3", - "9.4" - ], - "architectures": [ - "x86_64" - ], - "operatingSystems": [ - "windows", - "linux", - "macos", - "freebsd", - "solaris", - "aix" - ] - }, - { - "platform": "splunk", - "product": "cloud", - "versions": [ - "9.0", - "9.1", - "9.2", - "9.3" - ], - 
"architectures": [ - "x86_64" - ], - "operatingSystems": [ - "windows", - "linux", - "macos", - "freebsd", - "solaris", - "aix" - ] - } - ] -} From b4d814d90df33c6c675fd960dd88b2315e1ac466 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 11 Jan 2025 14:22:51 -0500 Subject: [PATCH 04/19] add Makefile for building releases --- Makefile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..4306552 --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +TEMP_DIR := $(shell mktemp -d) +WORK_DIR := $(TEMP_DIR)/TA-unix + +all: release + +release: + mkdir -p $(WORK_DIR) + cp -R . $(WORK_DIR)/ + rm -Rf $(WORK_DIR)/Makefile $(WORK_DIR)/.git $(WORK_DIR)/local $(WORK_DIR)/ta-for-unix-and-linux-*.tgz + tar -C $(WORK_DIR) -czf ./ta-for-unix-and-linux-`head -n1 VERSION`.tgz TA-unix + rm -Rf $(TEMP_DIR) + +clean: + rm -Rf ./ta-for-unix-and-linux-*.tgz $(TEMP_DIR) From 53e0e8b8f0ca918fa65832aa3fe6cc8ab4d35f8e Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 11 Jan 2025 14:27:35 -0500 Subject: [PATCH 05/19] improve Makefile --- Makefile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 4306552..1ceef1a 100644 --- a/Makefile +++ b/Makefile @@ -1,13 +1,15 @@ TEMP_DIR := $(shell mktemp -d) WORK_DIR := $(TEMP_DIR)/TA-unix +TAR_FILE := ./ta-for-unix-and-linux-`head -n1 VERSION`.tgz all: release release: mkdir -p $(WORK_DIR) cp -R . $(WORK_DIR)/ - rm -Rf $(WORK_DIR)/Makefile $(WORK_DIR)/.git $(WORK_DIR)/local $(WORK_DIR)/ta-for-unix-and-linux-*.tgz - tar -C $(WORK_DIR) -czf ./ta-for-unix-and-linux-`head -n1 VERSION`.tgz TA-unix + rm -Rf $(WORK_DIR)/Makefile $(WORK_DIR)/.git $(WORK_DIR)/local $(WORK_DIR)/bin/__pycache__ $(WORK_DIR)/ta-for-unix-and-linux-*.tgz + tar -C $(TEMP_DIR) -czf $(TAR_FILE) TA-unix + test -d $(HOME)/Downloads && cp $(TAR_FILE) $(HOME)/Downloads rm -Rf $(TEMP_DIR) clean: 
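Review bot: `TEMP_DIR := $(shell mktemp -d)` is expanded when make parses the file, so every invocation — including `make clean` and a dry `make -n` — creates a fresh temporary directory, and `clean` only ever removes the one created by that same invocation, never one left behind by an earlier run. A `release` run that stops anywhere between `cp -R . $(WORK_DIR)/` and the final `rm -Rf $(TEMP_DIR)` leaves a full copy of the working tree, including `.git` and `local/` (where Splunk apps keep site-specific configuration), in the temp location. Creating the directory inside the recipe (`d=$$(mktemp -d) && ...` on one shell line) and copying with the exclusions applied up front rather than deleting `.git` and `local` after the copy would avoid both. The same parse-time `$(shell mktemp -d)` is retained by the Makefile hunks in PATCH 05 and PATCH 06 below, so this note applies there as well.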
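Review bot: The added line `test -d $(HOME)/Downloads && cp $(TAR_FILE) $(HOME)/Downloads` makes the `release` recipe fail whenever `$HOME/Downloads` does not exist, because the non-zero status of `test -d` becomes the line's exit status and make aborts the recipe there, before `rm -Rf $(TEMP_DIR)` runs — the tarball has already been written, but the temporary tree is left behind and the build reports an error. Write the copy as optional: `if test -d $(HOME)/Downloads; then cp $(TAR_FILE) $(HOME)/Downloads; fi`. Copying the artifact into a personal directory is a developer convenience that arguably belongs behind a variable or a separate target rather than in the default `release` recipe.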
From cb7f7785c819e3fb609a243250ab558ff2b0c9fd Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 11 Jan 2025 14:45:28 -0500 Subject: [PATCH 06/19] Fix bug in 9.2.0.2 * Add code I forgot for machine_arch for Linux * Add Makefile to make making releases easier --- Makefile | 9 ++++++++- VERSION | 4 ++-- app.manifest | 2 +- bin/version.sh | 2 ++ default/app.conf | 4 ++-- docs/ReleaseNotes.md | 7 +++++++ 6 files changed, 22 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 1ceef1a..e519df9 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,16 @@ TEMP_DIR := $(shell mktemp -d) WORK_DIR := $(TEMP_DIR)/TA-unix -TAR_FILE := ./ta-for-unix-and-linux-`head -n1 VERSION`.tgz +VERSION := $(shell head -n1 VERSION) +TAR_FILE := ./ta-for-unix-and-linux-$(VERSION).tgz all: release +updateversion: +ifndef NEWVERSION + $(error NEWVERSION is not specified. Usage make NEWVERSION= updateversion) +endif + sed -ri "s/$(VERSION)/$(NEWVERSION)/g" app.manifest default/app.conf VERSION + release: mkdir -p $(WORK_DIR) cp -R . $(WORK_DIR)/ diff --git a/VERSION b/VERSION index 9f50d06..c705dce 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.2 -9.2.0.2 +9.2.0.3 +9.2.0.3 diff --git a/app.manifest b/app.manifest index da16fa8..6ef5050 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.2" + "version": "9.2.0.3" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/version.sh b/bin/version.sh index 7edd86f..e37812e 100755 --- a/bin/version.sh +++ b/bin/version.sh 
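Review bot: The `updateversion` recipe feeds `$(VERSION)` unescaped into the sed pattern, where each `.` matches any character, and applies it to every line of `app.manifest`, `default/app.conf` and `VERSION`, so any other text containing the same digit run is rewritten too; escaping the dots, `sed -ri "s/$(subst .,\.,$(VERSION))/$(NEWVERSION)/g" app.manifest default/app.conf VERSION`, restricts the match to the literal version, and anchoring on the `"version":` and `version =` keys would be tighter still. `$(NEWVERSION)` is interpolated into the same expression without validation, so a value containing `/` or regex metacharacters breaks or corrupts the edit; a guard before the sed such as `echo '$(NEWVERSION)' | grep -Eq '^[0-9]+(\.[0-9]+)+$$' || exit 1` keeps it to a dotted number. `-ri` is GNU sed syntax; if releases are ever built on macOS, which the rest of this series supports at runtime, BSD sed needs `-E -i ''` — worth confirming which platform runs `make updateversion`. The app.manifest hunk alongside still carries `"name": "TA-nix"` while app.conf and this Makefile use `TA-unix`, an inconsistency this recipe will not reconcile.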
@@ -21,6 +21,8 @@ if [ "$KERNEL" = "Linux" ] ; then [ -r /etc/debian_version ] && grep -Eq "^[0-9.]+$" /etc/debian_version && os_release=$(cat /etc/debian_version) [ "$BUILD_ID" = "rolling" ] && os_release=rolling [ "$BUILD_ID" = "rolling" ] && os_version=rolling + which dpkg > /dev/null 2>&1 && machine_arch=$(dpkg --print-architecture) + [ "$NAME" = "Arch Linux" -o "$NAME" = "Arch Linux ARM" ] && machine_arch=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") CMD="eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version; echo $distro_name" elif [ "$KERNEL" = "Darwin" ] ; then diff --git a/default/app.conf b/default/app.conf index ed1bf0e..388abc4 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.2 +version = 9.2.0.3 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.2 +version = 9.2.0.3 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 9bb7cde..296d838 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,12 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.3 + +Fix bug in 9.2.0.2 + +* Add code I forgot for machine_arch for Linux +* Add Makefile to make making releases easier + ## Version 9.2.0.2 Improvements for version.sh From 5e766d84d5bc5702f067f71ff4e387544f6d28eb Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 11 Jan 2025 15:07:24 -0500 Subject: [PATCH 07/19] Make distro_name work everywhere * For MacOS, print MacOS for distro_name * For others, print $KERNEL for distro_name --- VERSION | 4 ++-- app.manifest | 2 +- bin/version.sh | 27 ++++++++++++++------------- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 11 +++++++++++ 5 files changed, 30 insertions(+), 18 deletions(-) 
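Review bot: The added Arch Linux mapping `s/(armv7l|aarch64)/arm64/` reports a 32-bit ARMv7 machine (`uname -m` = `armv7l`) as `arm64`; in the dpkg-style naming this line is emulating, armv7l corresponds to `armhf`, so the expression should read `s/armv7l/armhf/;s/aarch64/arm64/;s/x86_64/amd64/`. `which dpkg > /dev/null 2>&1` is better written `command -v dpkg >/dev/null 2>&1`, which is POSIX and does not depend on an external `which` binary being present. `[ A -o B ]` is marked obsolescent by POSIX; `{ [ "$NAME" = "Arch Linux" ] || [ "$NAME" = "Arch Linux ARM" ]; } && machine_arch=…` is the portable form. The enclosing Linux branch starts before this hunk.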
diff --git a/VERSION b/VERSION index c705dce..543f19d 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.3 -9.2.0.3 +9.2.0.4 +9.2.0.4 diff --git a/app.manifest b/app.manifest index 6ef5050..7dbd1e4 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.3" + "version": "9.2.0.4" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/version.sh b/bin/version.sh index e37812e..1df3c2f 100755 --- a/bin/version.sh +++ b/bin/version.sh @@ -15,6 +15,7 @@ if [ "$KERNEL" = "Linux" ] ; then machine_arch=$(uname -p) os_release=$(uname -r) os_version=$(uname -v) + distro_name=Linux [ -n "$NAME" ] && distro_name=$NAME [ -n "$VERSION_ID" ] && os_release=$VERSION_ID [ -n "$VERSION_ID" ] && os_version=$VERSION_ID 
@@ -24,48 +25,48 @@ if [ "$KERNEL" = "Linux" ] ; then which dpkg > /dev/null 2>&1 && machine_arch=$(dpkg --print-architecture) [ "$NAME" = "Arch Linux" -o "$NAME" = "Arch Linux ARM" ] && machine_arch=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") - CMD="eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version; echo $distro_name" + CMD="eval date ; echo $distro_name ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version" elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand date assertHaveCommand uname assertHaveCommand sw_vers os_release=$(sw_vers --productVersion) - CMD="eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" + CMD="eval date ; echo MacOS ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" elif [ "$KERNEL" = "SunOS" ] [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand date assertHaveCommand uname - CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p' + CMD='eval date ; echo $KERNEL ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p;' elif [ "$KERNEL" = "HP-UX" ] ; then # HP-UX lacks -p switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' + CMD='eval date ; echo HP-UX ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' elif [ "$KERNEL" = "AIX" ] ; then # AIX uses oslevel for version and release switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' + CMD='eval date ; echo AIX ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' fi # Get the date. 
# shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 -PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' +PARSE_1='NR==2 {DISTRO="distro_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' +PARSE_2='NR==3 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}' +PARSE_3='NR==4 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' +PARSE_4='NR==5 {OS_NAME="os_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' +PARSE_5='NR==6 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_6='NR==7 {OS_REL="os_release=\"" $0 "\""}' +PARSE_6='NR==7 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_7='NR==8 {OS_VER="os_version=\"" $0 "\""}' +PARSE_7='NR==8 {OS_REL="os_release=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_8='NR==9 {DISTRO="distro_name=\"" $0 "\""}' +PARSE_8='NR==9 {OS_VER="os_version=\"" $0 "\""}' MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" diff --git a/default/app.conf b/default/app.conf index 388abc4..80bdaf3 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.3 +version = 9.2.0.4 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.3 +version = 9.2.0.4 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 296d838..678c514 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md 
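Review bot: `CMD="eval date ; echo $distro_name ; …"` interpolates the os-release `NAME` value into a command string that the `eval` prefix suggests is executed later as shell, so a `NAME` containing quotes, `;` or glob characters would alter the command instead of being printed. `/etc/os-release` is normally root-owned, so the exposure is small, but quoting costs nothing: `echo \"$distro_name\"` (the Darwin branch's `echo $os_release` has the same shape). The rest of the hunk is consistent: the nine-line Linux and Darwin output order matches the renumbered `PARSE_0`–`PARSE_8`, and the shorter SunOS/FreeBSD, HP-UX and AIX outputs leave `PARSE_7`/`PARSE_8` unmatched as they did before.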
@@ -1,9 +1,20 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.4 + +Make distro_name work everywhere + +Changes: + +* For MacOS, print MacOS for distro_name +* For others, print $KERNEL for distro_name + ## Version 9.2.0.3 Fix bug in 9.2.0.2 +Changes: + * Add code I forgot for machine_arch for Linux * Add Makefile to make making releases easier From 5551b8973dae3094520b096734527adc3a564145 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 11 Jan 2025 23:28:44 -0500 Subject: [PATCH 08/19] Add script for docker events/metrics and support running TA outside of Splunk * Add docker.sh and docker_metric.sh for collecting docker events/metrics * Add helper script to extra/ to run the TA commands on systems without a Splunk forwarder. The commands can be sent to a syslog server. This script is useful for systems with small or read-only filesystems that cannot support a Universal Forwarder. * Add syslog_inputs_nix_ta app to extra/ for ingesting the data from syslog --- Makefile | 6 +- VERSION | 4 +- app.manifest | 2 +- bin/docker.sh | 92 ++++++++++ bin/docker_metric.sh | 1 + default/app.conf | 4 +- default/eventtypes.conf | 6 +- default/inputs.conf | 12 ++ default/props.conf | 17 ++ default/transforms.conf | 7 + docs/ReleaseNotes.md | 21 ++- extra/run_nix_ta_commands | 159 ++++++++++++++++++ .../metadata/default.meta | 4 + 13 files changed, 322 insertions(+), 13 deletions(-) create mode 100755 bin/docker.sh create mode 120000 bin/docker_metric.sh create mode 100755 extra/run_nix_ta_commands create mode 100644 extra/syslog_inputs_nix_ta/metadata/default.meta diff --git a/Makefile b/Makefile index e519df9..c3b3ddf 100644 --- a/Makefile +++ b/Makefile 
@@ -6,10 +6,10 @@ TAR_FILE := ./ta-for-unix-and-linux-$(VERSION).tgz all: release updateversion: -ifndef NEWVERSION - $(error NEWVERSION is not specified. Usage make NEWVERSION= updateversion) +ifndef NEW + $(error NEW is not specified. Usage make NEW= updateversion) endif - sed -ri "s/$(VERSION)/$(NEWVERSION)/g" app.manifest default/app.conf VERSION + sed -ri "s/$(VERSION)/$(NEW)/g" app.manifest default/app.conf VERSION release: mkdir -p $(WORK_DIR) diff --git a/VERSION b/VERSION index 543f19d..10582ea 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.4 -9.2.0.4 +9.2.0.5 +9.2.0.5 diff --git a/app.manifest b/app.manifest index 7dbd1e4..85496fd 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.4" + "version": "9.2.0.5" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/docker.sh b/bin/docker.sh new file mode 100755 index 0000000..9369605 --- /dev/null +++ b/bin/docker.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash +# SPDX-FileCopyrightText: 2022 Michael Erdely +# SPDX-License-Identifier: MIT + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +assertHaveCommand docker +assertHaveCommand bc +assertHaveCommand ip +assertHaveCommand awk + +declare -A pids +declare -A time_start +declare -A cpu_start +declare -A rx_start +declare -A tx_start +declare -A br_start +declare -A bw_start + +[[ $0 =~ .*_metric.sh ]] && mode=metric + +# Either add the splunk user to the docker group or add the following to /etc/sudoers: +# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all +# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format * +# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f * + +docker_cmd=docker +! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd" +docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}') + +header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids" +metric_string="" +header_format="%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n" +string_format="%s\t%s\t%s\t%.2f\t%s\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\n" +json_format='{ "time": "%s", "ContainerId": "%s", "Name": "%s", "CPUPct": %.2f, "MemUsage": %s, "MemTotal": %s, "MemPct": %.2f, "NetRX": %s, "RXps": %.2f, "NetTX": %s, "TXps": %.2f, "BlockRead": %s, "BRps": %.2f, "BlockWrite": %s, "BWps": %.2f, "Pids": %s }\n' + +if [ "$mode" = "metric" ]; then + metric_name=docker_metric + if [ ! -f "/etc/os-release" ] ; then + OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') + OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. 
-f1) + IP_address=$(ip addr show dev $(ip route show | awk 'BEGIN{m=1000}$1=="default"$0!~/ metric /{print $5;exit}$1=="default"{if($NF /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; } + +ta_home=/srv/TA-unix +tag_prefix=nix_ta_ +syslog_server=192.168.1.1 +run_minute=2 +run_hour=6 + +# Get the current minute now to be consistent through the script run +minute=$(date +%_M | tr -d ' ') +# Get the current hour now to be consistent through the script run +hour=$(date +%_H | tr -d ' ') +# Set defaults disabling force-mode and list-mode +force=0 +list=0 + +usage() { + echo "usage: $(basename $0) [-h] [-f] [-l] [script]" + echo " -h: print this help text" + echo " -f: run all enabled scripts regardless of interval" + echo " -l: list scripts, enabled status, and interval (if enabled)" + exit +} + +# Get the command line options +while getopts ":hlf" opt; do + case $opt in + f) force=1 ;; + l) list=1 ;; + *) usage ;; + esac +done +shift $((OPTIND -1)) + +# Function to actually run the script and pipe it to logger +runit() { + [ -z "$1" ] && return 1 + if [ -x $ta_home/bin/$1.sh ]; then + { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]') + else + echo Could not find $1 in $ta_home/bin + return 1 + fi +} + +# Check the inputs.conf to see if any of the checks are disabled +declare -A scripts +declare -A intervals +# Load defaults first +if [ -r $ta_home/default/inputs.conf ]; then + eval $(awk -F '[=#]' ' + /^\[/{name=""} + /^\[script:\/\//{n=split($1,a,"/");name=gensub(/\.[a-z]+\]/,"",1,a[n]);printf "scripts[%s]=1\nintervals[%s]=60\n",name,name} + name!="" && $1~/(^|\s*)disabled(\s*|$)/ {disabled=gensub(/(^ | $)/,"","g",gensub(/true/,"1",1,gensub(/false/,"0",1,$2)));printf "scripts[%s]=%s\n",name,disabled} + name!="" && $1~/(^|\s*)interval(\s*|$)/ {interval=gensub(/(^ | $)/,"","g",$2);printf "intervals[%s]=%s\n",name,interval} + ' $ta_home/default/inputs.conf) +fi +# See 
if any defaults are overridden in the local directory +if [ -r $ta_home/local/inputs.conf ]; then + eval $(awk -F '[=#]' ' + /^\[/{name="";disabled=1;interval=60} + /^\[script:\/\//{n=split($1,a,"/");name=gensub(/\.[a-z]+\]/,"",1,a[n])} + name!="" && $1~/(^|\s*)disabled(\s*|$)/ {disabled=gensub(/(^ | $)/,"","g",gensub(/true/,"1",1,gensub(/false/,"0",1,$2)));printf "scripts[%s]=%s\n",name,disabled} + name!="" && $1~/(^|\s*)interval(\s*|$)/ {interval=gensub(/(^ | $)/,"","g",$2);printf "intervals[%s]=%s\n",name,interval} + ' $ta_home/local/inputs.conf) +fi + +# If -l, just print the scripts +if [ $list = 1 ]; then + for script in "${!scripts[@]}"; do + if [ "${scripts[$script]}" = "0" ]; then + echo "$script is enabled (${intervals[$script]} seconds)" + else + echo "$script is disabled" + fi + done + exit +fi + +# If a script is specified on the command line, run it (even if disabled) +if [ "$1" ]; then + runit $1 + exit +fi + +# Without -l or -f, loop through the enabled scripts and run them at their interval +for script in "${!scripts[@]}"; do + # Only run enabled scripts + if [ "${scripts[$script]}" = "0" ]; then + i=${intervals[$script]} + [ $i -lt 60 ] && i=60 + min=$((i/60)) + + # If -f, always run each script + if [ $force = 1 ]; then + runit $script + + # If interval is 60 seconds or less, run every minute + elif [ $min -le 1 ]; then + runit $script + + # If the current minute is divisible by the number of interval minutes, run + # example: 600 is 5 minutes, it'll run at 0, 5, 10, 15, ... 
minutes + elif [ $((minute % min)) = 0 ]; then + runit $script + + # If interval is an hour or more + elif [ $min -gt 60 ]; then + hr=$((i/60/60)) + + # If interval is 1 hour or less, run every hour on $run_minute + if [ $hr -le 1 ] && [ $minute = $run_minute ]; then + runit $script + + # If the current hour is divisible by the number of interval hours, run + # example: 21600 is 6 hours, it'll run at 0, 6, 12, 18 hours + elif [ $((hour % hr)) = 0 ] && [ $minute = $run_minute ]; then + runit $script + + # If the number of hours is 24 or more, run every day at $run_hour:$run_minute + elif [ $hr -ge 24 ] && [ $hour = $run_hour ] && [ $minute = $run_minute ]; then + runit $script + fi + fi + fi +done + diff --git a/extra/syslog_inputs_nix_ta/metadata/default.meta b/extra/syslog_inputs_nix_ta/metadata/default.meta new file mode 100644 index 0000000..16a0283 --- /dev/null +++ b/extra/syslog_inputs_nix_ta/metadata/default.meta @@ -0,0 +1,4 @@ +# Application-level permissions +[] +access = read : [ * ], write : [ admin , sc_admin ] +export = system From e5e03ea4646d6381d5d15c0a361acc874bef1b07 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Fri, 17 Jan 2025 11:44:24 -0500 Subject: [PATCH 09/19] Fix docker script and props * Fix output for docker script (handle lines that didn't have values) * Fix props.conf LINE_BREAKER for docker --- VERSION | 4 ++-- app.manifest | 2 +- bin/docker.sh | 30 ++++++++++++++++++++++++++---- default/app.conf | 4 ++-- default/props.conf | 2 +- docs/ReleaseNotes.md | 9 +++++++++ 6 files changed, 41 insertions(+), 10 deletions(-) diff --git a/VERSION b/VERSION index 10582ea..cb4f71a 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.5 -9.2.0.5 +9.2.0.6 +9.2.0.6 diff --git a/app.manifest b/app.manifest index 85496fd..8eae928 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.5" + "version": "9.2.0.6" }, "license": { "name": "Splunk Software License Agreement", 
diff --git a/bin/docker.sh b/bin/docker.sh index 9369605..96a3d51 100755 --- a/bin/docker.sh +++ b/bin/docker.sh @@ -62,8 +62,19 @@ for id in $docker_list; do pids[$id]=$($docker_cmd inspect -f '{{ .State.Pid }}' $id) read time_start[$id] _ < /proc/uptime read _ cpu_start[$id] < /sys/fs/cgroup/system.slice/docker-$id.scope/cpu.stat - while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do if=$_if rx_start[$id]=$_rx tx_start[$id]=$_tx; done < /proc/${pids[$id]}/net/dev - br_start[$id]=0;bw_start[$id]=0;while read _ _br _bw _ _ _ _; do br_start[$id]=$((${br_start[$id]}+${_br:7}));bw_start[$id]=$((${bw_start[$id]}+${_bw:7})); done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat + while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do + [ -z "$_if" ] && continue + [ -z "$_rx" ] && _rx=0 + [ -z "$_tx" ] && _tx=0 + if=$_if rx_start[$id]=$_rx tx_start[$id]=$_tx + done < /proc/${pids[$id]}/net/dev + br_start[$id]=0;bw_start[$id]=0 + while read _ _br _bw _ _ _ _; do + [ -z "$_br" ] && _br=rbytes=0 + [ -z "$_bw" ] && _bw=wbytes=0 + br_start[$id]=$((${br_start[$id]}+${_br:7})) + bw_start[$id]=$((${bw_start[$id]}+${_bw:7})) + done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat done sleep 2 # Sleep 2 seconds to give the script time to get CPU stats 
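Review bot: The rewritten `/proc/net/dev` loop still assigns `if`, `rx_start[$id]` and `tx_start[$id]` on every line, so the values that survive are those of whichever interface is listed last (the two header lines and `lo:` are read as well and merely overwritten), and a container with more than one interface is misreported; the second docker.sh hunk below (`NetRX`/`NetTX`) has the same shape. Summing the numeric lines while skipping the headers and loopback gives a per-container total, as in the rewrite below. In the io.stat loop, `${_br#*=}` strips the `rbytes=` key whatever its length and removes the need for the `_br=rbytes=0` sentinel. `if` is assigned but not used in the visible lines of either hunk.
```bash
    rx_start[$id]=0; tx_start[$id]=0
    while read -r _if _rx _ _ _ _ _ _ _ _tx _; do
        # skip the two header lines ("Inter-|", "face") and loopback
        case $_if in ""|lo:|*[!:]) continue ;; esac
        rx_start[$id]=$(( ${rx_start[$id]} + _rx ))
        tx_start[$id]=$(( ${tx_start[$id]} + _tx ))
    done < /proc/${pids[$id]}/net/dev
    # … unchanged: io.stat loop …
```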
@@ -78,8 +89,19 @@ for id in $docker_list; do fi read cpu_stop _ < /proc/uptime read _ proc_stop < /sys/fs/cgroup/system.slice/docker-$id.scope/cpu.stat - while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do if=$_if NetRX=$_rx NetTX=$_tx; done < /proc/${pids[$id]}/net/dev - BlockRead=0;BlockWrite=0;while read _ _br _bw _ _ _ _; do BlockRead=$((BlockRead+${_br:7}));BlockWrite=$((BlockWrite+${_bw:7})); done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat + while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do + [ -z "$_if" ] && continue + [ -z "$_rx" ] && _rx=0 + [ -z "$_tx" ] && _tx=0 + if=$_if NetRX=$_rx NetTX=$_tx + done < /proc/${pids[$id]}/net/dev + BlockRead=0;BlockWrite=0 + while read _ _br _bw _ _ _ _; do + [ -z "$_br" ] && _br=rbytes=0 + [ -z "$_bw" ] && _bw=wbytes=0 + BlockRead=$((BlockRead+${_br:7})) + BlockWrite=$((BlockWrite+${_bw:7})) + done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat read MemUsage < /sys/fs/cgroup/system.slice/docker-$id.scope/memory.current read Pids < /sys/fs/cgroup/system.slice/docker-$id.scope/pids.current read _ CPU < /sys/fs/cgroup/cpu.stat diff --git a/default/app.conf b/default/app.conf index 019e7b8..75677db 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.5 +version = 9.2.0.6 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.5 +version = 9.2.0.6 diff --git a/default/props.conf b/default/props.conf index efcfa40..417652d 100644 --- a/default/props.conf +++ b/default/props.conf @@ -517,7 +517,7 @@ KV_MODE=multi [docker] SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +LINE_BREAKER=(^$|[\r\n]+) TRUNCATE=1000000 KV_MODE = json FIELDALIAS-dest_for_docker = host as dest diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index a30babf..8377af6 100644 
--- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,14 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.6 (2025-01-17) + +Fix docker script and props + +Changes: + +* Fix output for docker script (handle lines that didn't have values) +* Fix props.conf LINE_BREAKER for docker + ## Version 9.2.0.5 (2025-01-11) Add script for docker events/metrics and support running TA outside of Splunk From 718a9f787cfdc6416a6e6cf23562e47ff2600eb0 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Mon, 20 Jan 2025 15:59:46 -0500 Subject: [PATCH 10/19] Fix run_nix_ta_commands script * Make run_nix_ta_commands (in extra) use /etc/nix_ta.conf for its settings instead of hard-coding them in the script --- VERSION | 4 ++-- app.manifest | 2 +- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 9 +++++++++ extra/run_nix_ta_commands | 5 ++++- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/VERSION b/VERSION index cb4f71a..57399a7 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.6 -9.2.0.6 +9.2.0.7 +9.2.0.7 diff --git a/app.manifest b/app.manifest index 8eae928..8777a00 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.6" + "version": "9.2.0.7" }, "license": { "name": "Splunk Software License Agreement", diff --git a/default/app.conf b/default/app.conf index 75677db..3e4130c 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.6 +version = 9.2.0.7 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.6 +version = 9.2.0.7 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 8377af6..8eab784 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md 
@@ -1,5 +1,14 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.7 (2025-01-20) + +Fix run_nix_ta_commands script + +Changes: + +* Make run_nix_ta_commands (in extra) use /etc/nix_ta.conf for its settings + instead of hard-coding them in the script + ## Version 9.2.0.6 (2025-01-17) Fix docker script and props diff --git a/extra/run_nix_ta_commands b/extra/run_nix_ta_commands index 3e9b7fc..64ef8ba 100755 --- a/extra/run_nix_ta_commands +++ b/extra/run_nix_ta_commands @@ -21,7 +21,7 @@ # # End of sample rsyslog.conf # # To use: -# * Modify the variables below to fit your environment +# * Create a new file (/etc/nix_ta.conf) with the following settings in it # * ta_home: The directory you copied the Technical Add-on for Unix and Linux files # * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag # * syslog_server: The UDP syslog server to send events to @@ -32,12 +32,15 @@ # Ensure the logger command is available which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; } +# Example/default settings -- override in /etc/nix_ta.conf ta_home=/srv/TA-unix tag_prefix=nix_ta_ syslog_server=192.168.1.1 run_minute=2 run_hour=6 +[ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf + # Get the current minute now to be consistent through the script run minute=$(date +%_M | tr -d ' ') # Get the current hour now to be consistent through the script run From 24f6e18ef8cba3681f397835e8e6f677edc4b06f Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Thu, 23 Jan 2025 18:19:40 -0500 Subject: [PATCH 11/19] Fix df.sh and df_metric.sh Fix Linux when df outputs a "-" Exclude efivars partitions for Linux Fix the output on Darwin to match Linux output --- VERSION | 4 +-- app.manifest | 2 +- bin/df.sh | 49 ++++++------------------------ bin/df_metric.sh | 71 +++++++++----------------------------------- default/app.conf | 4 +-- docs/ReleaseNotes.md | 10 +++++++ 6 files changed, 38 insertions(+), 102 deletions(-) 
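Review bot: `[ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf` executes the file as shell inside this script, which is presumably run periodically as a privileged user, so the file's ownership and mode now form a trust boundary alongside `$ta_home` (whose `bin/*.sh` the script executes). Require it to be owned by the running user and not group/world writable before sourcing, e.g. `conf=/etc/nix_ta.conf` followed by `[ -r "$conf" ] && [ -O "$conf" ] && [ -z "$(find "$conf" -perm -g+w -o -perm -o+w)" ] && . "$conf"`, or read only the five expected `key=value` lines instead of sourcing. The comment at the top of the hunk should also state that the file is sourced as shell, since a `ta_home` set there decides which scripts get run.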
diff --git a/VERSION b/VERSION index 57399a7..5d998c4 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.7 -9.2.0.7 +9.2.0.8 +9.2.0.8 diff --git a/app.manifest b/app.manifest index 8777a00..88ce30d 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.7" + "version": "9.2.0.8" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/df.sh b/bin/df.sh index be0a901..6664ff4 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -15,7 +15,7 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' # shellcheck disable=SC2016 - FILTER_POST='/(devtmpfs|tmpfs)/ {next}' + FILTER_POST='/(devtmpfs|tmpfs|efivars)/ {next}' # shellcheck disable=SC2016 PRINTF=' { 
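Review bot: `FILTER_POST='/(devtmpfs|tmpfs|efivars)/ {next}'` matches the substring anywhere in the line, so the new `efivars` term works through the mount path rather than the filesystem type, and any device or mount point whose name happens to contain `tmpfs` or `efivars` is dropped as well. Since `FILTER_PRE` already treats `$2` as the type column, anchoring the test there is both precise and self-documenting: `FILTER_POST='$2 ~ /^(devtmpfs|tmpfs|efivarfs)$/ {next}'` (the Linux type name is `efivarfs`). The df_metric.sh hunk with the identical line, two hunks below, needs the same change.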
@@ -217,50 +217,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then #Maps fsType # shellcheck disable=SC2016 MAP_FS_TO_TYPE='/ on / { - for(i=1;i<=NF;i++){ - if($i=="on" && $(i+1) ~ /^\/.*/) - { + for (i = 1; i <= NF; i++) { + if ($i == "on" && $(i + 1) ~ /^\/.*/) key=$(i+1); - } if($i ~ /^\(/) - value=substr($i,2,length($i)-2); + value = substr($i, 2, length($i) - 2); } - fsTypes[key]=value; + fsTypes[key] = value; }' - # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables - # shellcheck disable=SC2016 - PRINTF=' - { - if($0 ~ /^Filesystem.*/){ - sub("%iused","IUsePct",$0); - - for(i=1;i<=NF;i++){ - if($i=="iused") iusedCol=i; - if($i=="ifree") ifreeCol=i; - - if($i=="Mounted" && $(i+1)=="on"){ - mountedCol=i; - sub("Mounted on","MountedOn",$0); - } - } - $(NF+1)="Type"; - $(NF+1)="INodes"; - print $0; - } + PRINTF='/^Filesystem/ { + printf "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n"; } - { - for(i=1;i<=NF;i++) - { - if($i ~ /^\/dev\/.*s[0-9]+$/){ - sub("^/dev/", "", $i); - sub("s[0-9]+$", "", $i); - } - if($i ~ /^\/\S*/ && i==mountedCol){ - $(NF+1)=fsTypes[$mountedCol]; - $(NF+1)=$iusedCol+$ifreeCol; - print $0; - } - } + $0 !~ /^Filesystem/ && $0 !~ / on / { + printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9; }' elif [ "$KERNEL" = "FreeBSD" ] ; then diff --git a/bin/df_metric.sh b/bin/df_metric.sh index 4888ea0..5d5c4f1 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh @@ -23,7 +23,7 @@ if [ "$KERNEL" = "Linux" ] ; then # shellcheck disable=SC2016 FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}' # shellcheck disable=SC2016 - FILTER_POST='/(devtmpfs|tmpfs)/ {next}' + FILTER_POST='/(devtmpfs|tmpfs|efivars)/ {next}' # shellcheck disable=SC2016 PRINTF=' function rem_pcent(val) 
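Review bot: The new Darwin `PRINTF` keys the type lookup on `$NF` and prints `$9` as the mount point, which are only the last and first word of a mount point that contains a space, so such volumes get an empty `Type` and a truncated `MountedOn`; the `MAP_FS_TO_TYPE` key (`$(i+1)` after `on`) has the same limitation, and the df_metric.sh Darwin hunk further down repeats both. Rebuilding the mount point from the ninth field onward fixes the print side: `mnt = $9; for (i = 10; i <= NF; i++) mnt = mnt " " $i;` and then `fsTypes[mnt]` / `mnt` in the `printf`; the map needs the matching join from `$(i+1)` up to the field before the `(` options group. The `df` invocation that produces the columns this relies on is outside the hunk.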
@@ -32,20 +32,19 @@ if [ "$KERNEL" = "Linux" ] ; then {val=substr(val, 1, length(val)-1); return val} } { - if($0 ~ /^Filesystem.*/){ + if ($0 ~ /^Filesystem.*/) { sub("Mounted on","MountedOn",$0); $(NF+1)="OSName"; $(NF+1)="OS_version"; $(NF+1)="IP_address"; $(NF+1)="IPv6_Address"; print $0; + } else { + + if ($10 == "-") $10 = "0%"; + printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, rem_pcent($6), $7, $8, $9, rem_pcent($10), $11, OSName, OS_version, IP_address, IPv6_Address; } - match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a); - - if (length(a) != 0) - { printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1], a[2], a[3], a[4], a[5], rem_pcent(a[6]), a[7], a[8], a[9], rem_pcent(a[10]), a[11], OSName, OS_version, IP_address, IPv6_Address} - }' elif [ "$KERNEL" = "SunOS" ] ; then 
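Review bot: The `else` branch now parses positionally, so the `-` guard covers only `$10` (IUse%) while `$6` (Use%) can also be `-` when df reports a zero-size filesystem, and `rem_pcent("-")` then yields an empty field; in addition, the removed `match()` expression tolerated spaces inside the filesystem name, which the `$1`…`$11` fields do not, and `$11` prints only the first word of a mount point containing a space. The rewrite below adds the `$6` guard and rebuilds the mount point from `$11` onward; if filesystem sources containing spaces matter, count the fixed columns from the right rather than the left. `rem_pcent` and the function header are outside this hunk.
```awk
    } else {
        if ($6 == "-") $6 = "0%";
        if ($10 == "-") $10 = "0%";
        mnt = $11; for (i = 12; i <= NF; i++) mnt = mnt " " $i;
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, rem_pcent($6), $7, $8, $9, rem_pcent($10), mnt, OSName, OS_version, IP_address, IPv6_Address;
    }
```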
@@ -236,63 +235,21 @@ elif [ "$KERNEL" = "Darwin" ] ; then #Maps fsType # shellcheck disable=SC2016 MAP_FS_TO_TYPE='/ on / { - for(i=1;i<=NF;i++){ - if($i=="on" && $(i+1) ~ /^\/.*/) - { + for (i = 1; i <= NF; i++) { + if ($i == "on" && $(i + 1) ~ /^\/.*/) key=$(i+1); - } if($i ~ /^\(/) - value=substr($i,2,length($i)-2); + value = substr($i, 2, length($i) - 2); } - fsTypes[key]=value; + fsTypes[key] = value; }' # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables # shellcheck disable=SC2016 - PRINTF=' - { - if($0 ~ /^Filesystem.*/){ - sub("%iused","IUsePct",$0); - - for(i=1;i<=NF;i++){ - if($i=="iused") iusedCol=i; - if($i=="ifree") ifreeCol=i; - if($i=="Mounted" && $(i+1)=="on"){ - mountedCol=i; - sub("Mounted on","MountedOn",$0); - } - } - $(NF+1)="Type"; - $(NF+1)="INodes"; - $(NF+1)="OSName"; - $(NF+1)="OS_version"; - $(NF+1)="IP_address"; - $(NF+1)="IPv6_Address"; - - - print $0; - } + PRINTF='/^Filesystem/ { + printf "Filesystem\tType\t1K-blocks\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\tOSName\tOS_version\tIP_address\tIPv6_Address\n"; } - { - for(i=1;i<=NF;i++) - { - if($i ~ /.*\%$/) - $i=substr($i, 1, length($i)-1); - - if($i ~ /^\/dev\/.*s[0-9]+$/){ - sub("^/dev/", "", $i); - sub("s[0-9]+$", "", $i); - } - - if($i ~ /^\/\S*/ && i==mountedCol){ - $(NF+1)=fsTypes[$mountedCol]; - $(NF+1)=$iusedCol+$ifreeCol; - $(NF+1)=OSName; - $(NF+1)=OS_version; - $(NF+1)=IP_address; - $(NF+1)=IPv6_Address; - print $0; - } - } + $0 !~ /^Filesystem/ && $0 !~ / on / { + printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, substr($5, 1, length($5) - 1), $6+$7, $6, $7, substr($8, 1, length($8) - 1), $9, OSName, OS_version, IP_address, IPv6_Address; }' elif [ "$KERNEL" = "FreeBSD" ] ; then diff --git a/default/app.conf b/default/app.conf index 3e4130c..cbf2275 100644 --- a/default/app.conf +++ b/default/app.conf 
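Review bot: The context comment `# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables` no longer describes the code beneath it, which now prints a fixed header and a fixed column list; the df.sh counterpart removed that comment while this hunk keeps it. Replace it with something like `# Print a fixed header matching the Linux output, then one tab-separated row per mount with the type looked up from MAP_FS_TO_TYPE` so the two files agree. The header advertises `1K-blocks`, which only holds if the `df` invocation outside the hunk requests 1K units.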
@@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.7 +version = 9.2.0.8 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.7 +version = 9.2.0.8 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 8eab784..9a31062 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,15 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.8 (2025-01-23) + +Fix df.sh and df_metric.sh + +Changes: + +* Fix Linux when df outputs a "-" +* Exclude efivars partitions for Linux +* Fix the output on Darwin to match Linux output + ## Version 9.2.0.7 (2025-01-20) Fix run_nix_ta_commands script From 8c02cbc5cc688e8fcae188218ba85476d8d5c6b3 Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Sat, 25 Jan 2025 02:07:17 -0500 Subject: [PATCH 12/19] Support OpenBSD Add OpenBSD support to the scripts Fix sysctl usage for FreeBSD in a couple places --- VERSION | 4 ++-- app.manifest | 2 +- bin/bandwidth.sh | 4 ++++ bin/common.sh | 3 +++ bin/cpu.sh | 14 ++++++++++++++ bin/cpu_metric.sh | 20 ++++++++++++++++++++ bin/df.sh | 24 ++++++++++++++++++++++++ bin/df_metric.sh | 26 ++++++++++++++++++++++++++ bin/hardware.sh | 29 ++++++++++++++++++++++++++--- bin/interfaces.sh | 21 +++++++++++++++++++++ bin/interfaces_metric.sh | 24 ++++++++++++++++++++++++ bin/iostat.sh | 6 ++++++ bin/iostat_metric.sh | 7 +++++++ bin/lastlog.sh | 6 ++++++ bin/lsof.sh | 5 +++++ bin/netstat.sh | 2 +- bin/openPorts.sh | 2 +- bin/package.sh | 6 ++++++ bin/protocol.sh | 2 +- bin/ps.sh | 2 +- bin/ps_metric.sh | 4 ++-- bin/rlog.sh | 2 ++ bin/service.sh | 16 ++++++++++++++++ bin/sshdChecker.sh | 3 ++- bin/time.sh | 2 ++ bin/update.sh | 4 ++++ bin/uptime.sh | 2 +- bin/version.sh | 2 +- bin/vmstat.sh | 20 ++++++++++++++++++++ bin/vmstat_metric.sh | 21 +++++++++++++++++++++ default/app.conf | 4 ++-- docs/ReleaseNotes.md | 9 +++++++++ extra/run_nix_ta_commands | 4 ++-- 33 files changed, 283 insertions(+), 19 deletions(-) diff --git a/VERSION b/VERSION index 5d998c4..7c05039 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.8 -9.2.0.8 +9.2.0.9 +9.2.0.9 diff --git a/app.manifest b/app.manifest index 88ce30d..ad13046 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.8" + "version": "9.2.0.9" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/bandwidth.sh b/bin/bandwidth.sh index 10bb027..7499478 100755 --- a/bin/bandwidth.sh +++ b/bin/bandwidth.sh 
@@ -79,6 +79,10 @@ elif [ "$KERNEL" = "HP-UX" ] ; then FILTER='($0 ~ "Name|sar| lo") {next}' # shellcheck disable=SC2016 FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS=?; txKB_PS=?}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='eval ifconfig -a | awk "/UP/ && /RUNNING/ && \$1 != \"lo0:\" {print substr(\$1, 1, length(\$1) - 1)}" | while read -r int; do echo $int $(netstat -bnI $int -w 1 | head -n4 | tail -n1) $(netstat -nI $int -w 1 | head -n 4 | tail -n1 ); done' + # shellcheck disable=SC2016 + FORMAT='{Name=$1; rxPackets_PS=$6; txPackets_PS=$8; rxKB_PS=$2/1024; txKB_PS=$2/1024}' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='sar -n DEV 1 2' # shellcheck disable=SC2016 diff --git a/bin/common.sh b/bin/common.sh index adbbe52..a1b7a2b 100755 --- a/bin/common.sh +++ b/bin/common.sh @@ -71,6 +71,9 @@ case "x$KERNEL" in ;; "xFreeBSD") ;; + "xOpenBSD") + AWK=gawk + ;; "xAIX") ;; "xHP-UX") diff --git a/bin/cpu.sh b/bin/cpu.sh index 4657a72..935eef0 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh @@ -145,6 +145,20 @@ elif [ "$KERNEL" = "Darwin" ] ; then pctSystem = remove_char($5, "%"); pctIdle = remove_char($7, "%"); }' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='eval top -1 -b; top -b' + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}' + # shellcheck disable=SC2016 + FORMAT='{ + if ($1 ~ /^[0-9]+$/) + name="all"; + else if ($1 ~ /^CPU[0-9]+$/) + name=substr($1,4); + else name=0; + printf "%s\t%s\t%s\t%s\t%s\t%s",name,substr($3,1,length($3)-1),substr($5,1,length($5)-1),substr($7,1,length($7)-1),substr($11,1,length($11)-1),substr($13,1,length($13)-1) + }' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" diff --git a/bin/cpu_metric.sh b/bin/cpu_metric.sh index b1f30f6..9e293f1 100755 --- a/bin/cpu_metric.sh +++ b/bin/cpu_metric.sh 
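Review bot: In the OpenBSD FORMAT of bandwidth.sh, `txKB_PS=$2/1024` reads the same field as `rxKB_PS=$2/1024`, so transmitted kilobytes are reported as a copy of received kilobytes; the CMD appends the byte counters from `netstat -bnI` and the packet counters from `netstat -nI` on one line, so the output-bytes column presumably sits at a different position (the FreeBSD/Darwin branches use a distinct field for tx). Confirm the column layout against a sample line and change it to the output-bytes field, e.g. `txKB_PS=$4/1024` if that is where `netstat -b` puts bytes out. This branch also sets no FILTER while the neighbouring branches do, so whatever FILTER value is in scope from earlier code is what runs; an explicit `FILTER='{}'` or a comment saying none is needed would make that intentional. The enclosing if/elif chain starts and ends outside the hunk.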
@@ -167,6 +167,26 @@ elif [ "$KERNEL" = "Darwin" ] ; then OS_version=OS_version; IP_address=IP_address; }' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='eval top -1 -b; top -b' + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}' + # shellcheck disable=SC2016 + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # shellcheck disable=SC2016 + FORMAT='{ + if ($1 ~ /^[0-9]+$/) + cpu="all"; + else if ($1 ~ /^CPU[0-9]+$/) + cpu=substr($1,4); + else cpu=0; + pctUser=substr($3,1,length($3)-1); + pctNice=substr($5,1,length($5)-1); + pctSystem=substr($7,1,length($7)-1); + pctIowait=substr($11,1,length($11)-1); + pctIdle=substr($13,1,length($13)-1); + }' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" diff --git a/bin/df.sh b/bin/df.sh index 6664ff4..0b1cea0 100755 --- a/bin/df.sh +++ b/bin/df.sh 
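Review bot: The OpenBSD FORMAT in cpu_metric.sh hard-codes field positions ($3, $5, $7, $11, $13) and strips one trailing character from each without recording what line of `top -b` output they come from, so a reader cannot check that `$3` really is the user percentage rather than a label such as `user,`. Add a comment above FORMAT quoting one sample CPU line from `top -1 -b` and naming which field is which, e.g. `# sample: CPU0:  0.0% user,  0.0% nice, ... -> $3=user% $5=nice% $7=sys% $11=intr% $13=idle%` with the real line substituted. The same field mapping is duplicated in cpu.sh in this patch and again in PATCH 13, so one documented reference line would cover all of them. The `# shellcheck disable=SC2016` directive above the double-quoted DEFINE line does nothing (SC2016 is about single quotes) and can be dropped.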
@@ -232,6 +232,30 @@ elif [ "$KERNEL" = "Darwin" ] ; then printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9; }' +elif [ "$KERNEL" = "OpenBSD" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660' + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / { + for (i = 1; i <= NF; i++){ + if ($i == "on" && $(i + 1) ~ /^\/.*/) + key = $(i + 1); + } + fsTypes[key] = $5; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF='/^Filesystem/ { + print "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n"; + } + $0 !~ /^Filesystem/ && $0 !~ / on / { + printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9; + }' + elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand mount assertHaveCommand df diff --git a/bin/df_metric.sh b/bin/df_metric.sh index 5d5c4f1..cb79d07 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh 
@@ -252,6 +252,32 @@ elif [ "$KERNEL" = "Darwin" ] ; then printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, substr($5, 1, length($5) - 1), $6+$7, $6, $7, substr($8, 1, length($8) - 1), $9, OSName, OS_version, IP_address, IPv6_Address; }' +elif [ "$KERNEL" = "OpenBSD" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + # shellcheck disable=SC2016 + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / { + for (i = 1; i <= NF; i++){ + if ($i == "on" && $(i + 1) ~ /^\/.*/) + key = $(i + 1); + } + fsTypes[key] = $5; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF='/^Filesystem/ { + printf "Filesystem\tType\t1K-blocks\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\tOSName\tOS_version\tIP_address\tIPv6_Address\n"; + } + $0 !~ /^Filesystem/ && $0 !~ / on / { + printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, substr($5, 1, length($5) - 1), $6+$7, $6, $7, substr($8, 1, length($8) - 1), $9, OSName, OS_version, IP_address, IPv6_Address; + }' + elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand mount assertHaveCommand df 
diff --git a/bin/hardware.sh b/bin/hardware.sh index 81c68e9..10c7e06 100755 --- a/bin/hardware.sh +++ b/bin/hardware.sh @@ -188,6 +188,29 @@ elif [ "$KERNEL" = "HP-UX" ] ; then OUTPUT=$(swapinfo -tm) MEMORY_REAL=$(echo "$OUTPUT" | awk '$1=="memory" {print $2 " MB"; exit}') MEMORY_SWAP=$(echo "$OUTPUT" | awk '$1=="dev" {print $2 " MB"; exit}') +elif [ "$KERNEL" = "OpenBSD" ] ; then + assertHaveCommand sysctl + assertHaveCommand df + assertHaveCommand ifconfig + assertHaveCommand dmesg + assertHaveCommand top + # CPUs + CPU_TYPE=$(sysctl -n hw.model) + CPU_CACHE= + CPU_COUNT=$(sysctl -n hw.ncpu) + # HDs + HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}') + # NICs + IFACE_NAME=$(ifconfig -a | awk '/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}') + for NIC in $IFACE_NAME; do + NIC=$(echo $NIC | sed -E 's/[0-9]+$//') + NIC_TYPE="$NIC_TYPE,$(whatis $NIC | sed -E 's/^.* - //')" + done + NIC_TYPE=${NIC_TYPE#,} + NIC_COUNT=$(echo $IFACE_NAME | wc -w) + # memory + MEMORY_REAL=$(sysctl -n hw.physmem) + MEMORY_SWAP=$(systat -b swap | gawk '/^DISK/{p=1;next}p==1{swap+=$2}END{print int(swap/2)}') elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand sysctl assertHaveCommand df @@ -195,9 +218,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand dmesg assertHaveCommand top # CPUs - CPU_TYPE=$(sysctl hw.model | sed 's/^.*: //') + CPU_TYPE=$(sysctl -n hw.model) CPU_CACHE= - CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //') + CPU_COUNT=$(sysctl -n hw.ncpu) # HDs HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}') # NICs 
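Review bot: The new OpenBSD branch of hardware.sh calls `systat`, `whatis` and `gawk` but only asserts `sysctl df ifconfig dmesg top`, and `dmesg` is asserted without being used in this branch; add `assertHaveCommand systat` and `assertHaveCommand whatis` and drop the unused assertion. `MEMORY_SWAP` invokes `gawk` by name while common.sh in this same patch sets `AWK=gawk` for OpenBSD, so `$AWK` would keep the choice in one place (assuming hardware.sh sources common.sh like the other scripts, which is outside the hunk). `NIC_TYPE` is built by appending to its previous value in a loop, so if the variable is non-empty on entry the result carries stale text; initialise with `NIC_TYPE=` before the loop as `CPU_CACHE=` is.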
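Review bot: The FreeBSD hunk replaces `sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}'` with `sysctl -n hw.physmem`, which fixes the sysctl parsing but also changes MEMORY_REAL from a megabyte value with a unit suffix to a raw byte count; the HP-UX branch still emits `... MB`, and the new OpenBSD branch emits bytes as well, so consumers of this field now see different units per platform. If the unit change is intended, say so in the commit or a comment; otherwise keep the conversion, e.g. `MEMORY_REAL=$(sysctl -n hw.physmem | awk '{print $1/(1024*1024) "MB"}')` in both branches.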
@@ -205,7 +228,7 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then NIC_TYPE=$(dmesg | awk '(index($0, iface) && index($0, " port ")) {sub("^.*<", ""); sub(">.*$", ""); print $0}' iface="$IFACE_NAME" | head -1) NIC_COUNT=$(ifconfig -a | grep -c media) # memory - MEMORY_REAL=$(sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}') + MEMORY_REAL=$(sysctl -n hw.physmem) MEMORY_SWAP=$(top -Sb 0 | awk '/^Swap: / {print $2 "B"}') fi diff --git a/bin/interfaces.sh b/bin/interfaces.sh index 50a7a0c..dc37dd1 100755 --- a/bin/interfaces.sh +++ b/bin/interfaces.sh @@ -469,6 +469,27 @@ elif [ "$KERNEL" = "HP-UX" ] ; then echo "$HEADER" echo "$out" fi +elif [ "$KERNEL" = "OpenBSD" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -a' + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}' + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "lladdr" && mac = $2}' + # shellcheck disable=SC2016 + GET_IP='/ (netmask|prefixlen) / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto" + done elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat diff --git a/bin/interfaces_metric.sh b/bin/interfaces_metric.sh index 2ab3ff6..017d1c8 100755 --- a/bin/interfaces_metric.sh +++ b/bin/interfaces_metric.sh 
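Review bot: `GET_MAC='{$1 == "lladdr" && mac = $2}'` in the OpenBSD branch of interfaces.sh relies on how awk parses an assignment on the right of `&&`, which differs between implementations and is at best a syntax error, at worst evaluates `mac` as a condition; the intent is clearer and portable as a pattern-action: `GET_MAC='$1 == "lladdr" {mac = $2}'`. The same string is duplicated in interfaces_metric.sh later in this patch. The per-interface `echo` line nests two `$(...)` pipelines and an awk program inside a double-quoted string on one line; splitting it into named variables (`stats=$(...)`, `addrs=$(...)`) before the `echo` would make it reviewable.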
@@ -485,6 +485,30 @@ elif [ "$KERNEL" = "HP-UX" ] ; then echo "$HEADER" echo "$out" fi +elif [ "$KERNEL" = "OpenBSD" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -a' + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}' + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "lladdr" && mac = $2}' + # shellcheck disable=SC2016 + GET_IP='/ (netmask|prefixlen) / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") + lines=$(echo "$out" | wc -l) + INT=$(netstat -nr | awk '$1 == "default" {print $NF; exit}') + IP4=$(ifconfig $INT | awk '$1=="inet"{print $2;p=1;exit}END{if (p!=1) print ""}') + IP6=$(ifconfig $INT | awk '$1=="inet6" && $2!~/%vio0$/{print $2;p=1;exit}END{if (p!=1) print ""}') + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto $(uname -s) $(uname -r) $IP4 $IP6" + done elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat diff --git a/bin/iostat.sh b/bin/iostat.sh index 334992d..a0c57e8 100755 --- a/bin/iostat.sh +++ b/bin/iostat.sh 
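Review bot: `IP6=$(ifconfig $INT | awk '$1=="inet6" && $2!~/%vio0$/ ...')` hard-codes the interface name `vio0`, which looks like the author's test VM: on any host whose default interface has another name the link-local `fe80::...%ifname` address passes the filter and is reported as the global IPv6 address. Excluding every scoped address does what the comment in the sibling DEFINE lines describes: `IP6=$(ifconfig $INT | awk '$1=="inet6" && $2!~/%/{print $2;p=1;exit}END{if (p!=1) print ""}')`. `INT` comes from `netstat -nr` and can be empty on a host with no default route, in which case `ifconfig $INT` lists all interfaces; a guard like `[ -n "$INT" ] || INT=lo0` or an explicit empty result would avoid a misleading address.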
@@ -22,6 +22,12 @@ elif [ "$KERNEL" = "AIX" ] ; then assertHaveCommand "$CMD" # considers the disks, kb_read and kb_wrtn columns and returns output of the second interval FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='systat -B iostat' + assertHaveCommand "$CMD" + HEADER="Device rB/s wB/s r/s w/s" + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER=$HEADERIZE'/^[^ \t]/ && !/^(DEVICE|Totals)/{printf "%-7s %.2f %.2f %d %d\n", $1, $2/1024, $3/1024, $4, $5}' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='iostat -x -c 2' assertHaveCommand "$CMD" diff --git a/bin/iostat_metric.sh b/bin/iostat_metric.sh index 80d101b..c171424 100755 --- a/bin/iostat_metric.sh +++ b/bin/iostat_metric.sh @@ -35,6 +35,13 @@ elif [ "$KERNEL" = "AIX" ] ; then FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2' # shellcheck disable=SC2016 PRINTF='{if ($0~/Disks/ && /Kb_read/ && /Kb_wrtn/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version/1000, IP_address}}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='systat -B iostat' + assertHaveCommand "$CMD" + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig $(netstat -nr | awk '$1 == "default" {print $NF; exit}') | awk '$1=="inet"{print $2;p=1;exit}END{if (p!=1) print ""}')" + HEADER="Device rB/s wB/s r/s w/s OSName OS_version IP_address" + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER=$HEADERIZE'/^[^ \t]/ && !/^(DEVICE|Totals)/{printf "%-7s %.2f %.2f %d %d %s %s %s\n", $1, $2/1024, $3/1024, $4, $5, OSName, OS_version, IP_address}' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='iostat -x -c 2' assertHaveCommand "$CMD" diff --git a/bin/lastlog.sh b/bin/lastlog.sh index fbab360..d2fa223 100755 --- a/bin/lastlog.sh +++ b/bin/lastlog.sh 
@@ -29,6 +29,12 @@ elif [ "$KERNEL" = "Darwin" ] ; then FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' # shellcheck disable=SC2016 FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD='last' + # shellcheck disable=SC2016 + FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = (NF==10) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' elif [ "$KERNEL" = "HP-UX" ] ; then CMD='lastb -Rx' # shellcheck disable=SC2016 diff --git a/bin/lsof.sh b/bin/lsof.sh index e641e04..429e5a2 100755 --- a/bin/lsof.sh +++ b/bin/lsof.sh @@ -5,6 +5,11 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +if [ "$KERNEL" = "OpenBSD" ] ; then + fstat | awk '/^USER/{print "COMMAND PID USER FD MOUNT"} $5 ~ /^\// {print $2, $3, $1, $4, $5} $5 !~ /^\// && !/^USER/ {print $2, $3, $1, $4, $5, $6, $7, $8, $9, $10, $11}' + exit 0 +fi + assertHaveCommand lsof CMD='lsof -nPs +c 0' diff --git a/bin/netstat.sh b/bin/netstat.sh index 0434795..850e47f 100755 --- a/bin/netstat.sh +++ b/bin/netstat.sh @@ -39,7 +39,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then FORMAT='{gsub("[46]", "", $1)}' elif [ "$KERNEL" = "HP-UX" ] ; then CMD='eval netstat -an | egrep "tcp|udp"' -elif [ "$KERNEL" = "FreeBSD" ] ; then +elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then # shellcheck disable=SC2089 CMD='eval netstat -an | egrep "tcp|udp"' # shellcheck disable=SC2016 diff --git a/bin/openPorts.sh b/bin/openPorts.sh index 1b8a53f..8f46491 100755 --- a/bin/openPorts.sh +++ b/bin/openPorts.sh 
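Review bot: The OpenBSD short-circuit at the top of lsof.sh runs `fstat` without an `assertHaveCommand fstat`, unlike every other command path in these scripts, so a missing binary produces a shell error instead of the usual diagnostic; add `assertHaveCommand fstat` before the pipeline. Because this branch exits before the rest of the script, anything that follows the `lsof` invocation in the file (the remainder is outside the hunk) is skipped on OpenBSD, which is worth a one-line comment such as `# OpenBSD has no lsof; fstat output is normalised here and the script exits early`.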
@@ -52,7 +52,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}' # shellcheck disable=SC2016 FILTER='{if ($4 == "") next}' -elif [ "$KERNEL" = "FreeBSD" ] ; then +elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then # shellcheck disable=SC2089 CMD='eval netstat -ln | egrep "^tcp|^udp"' HEADERIZE="BEGIN {print \"$HEADER\"}" diff --git a/bin/package.sh b/bin/package.sh index f9573fd..ddccd69 100755 --- a/bin/package.sh +++ b/bin/package.sh @@ -46,6 +46,12 @@ elif [ "$KERNEL" = "HP-UX" ] ; then FILTER='/^#/ {next} $1=="" {next}' # shellcheck disable=SC2016 FORMAT='{release="?"; group="?"; vendor="?"; name=$1; version=$2; arch=$3} NF==4 {vendor=$4}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD=pkg_info + HEADER='NAME VERSION ARCH ' + HEADERIZE="BEGIN {print \"$HEADER\"; arch=\"$(arch -s)\"}" + #PRINTF='{ printf "%-50s %-50s %s\n",$1,$2,$3}' + PRINTF='{name=gensub(/-[0-9].*$/,"",1,$1); suffix=gensub(/^.*-([0-9][^-]*)/,"",1,$1); if (suffix!="") suffix="," suffix; version=gensub(/^.*-([0-9][^-]*)-?.*$/,"\\1",1,$1); printf "%-50s %-50s %s\n", name suffix, version, arch}' elif [ "$KERNEL" = "FreeBSD" ] ; then # the below syntax is valid when using zsh, bash, ksh if [[ $KERNEL_RELEASE =~ 10.* ]] || [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then diff --git a/bin/protocol.sh b/bin/protocol.sh index 0ab8ba2..d632313 100755 --- a/bin/protocol.sh +++ b/bin/protocol.sh 
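Review bot: The commented-out `#PRINTF='{ printf "%-50s %-50s %s\n",$1,$2,$3}'` in the OpenBSD branch of package.sh is dead code and should be removed rather than left beside the live definition. The live PRINTF uses `gensub`, which exists only in gawk; that is consistent with common.sh setting `AWK=gawk` for OpenBSD in this patch, but only if package.sh invokes `$AWK` rather than `awk` (the invocation is outside the hunk) — a comment `# gensub requires gawk (AWK=gawk is set in common.sh for OpenBSD)` would record the dependency. `HEADER='NAME VERSION ARCH '` carries a trailing space that the other HEADER strings do not.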
@@ -65,7 +65,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then SECTION_TCP='inTCP && /retransmited$/ {TCPrexmits=$1} inTCP && /out of order/ {TCPreorder=$1} inTCP && /[0-9] packets received$/ {TCPpktRecv=$1} inTCP && /[0-9] packets sent$/ {TCPpktSent=$1}' # shellcheck disable=SC2016 SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}' - elif [ "$KERNEL" = "FreeBSD" ] ; then + elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then # shellcheck disable=SC2016 FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}' # shellcheck disable=SC2016 diff --git a/bin/ps.sh b/bin/ps.sh index 56816d6..41468aa 100755 --- a/bin/ps.sh +++ b/bin/ps.sh @@ -6,7 +6,7 @@ . "$(dirname "$0")"/common.sh # shellcheck disable=SC2166 -if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then +if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand ps CMD='ps auxww' elif [ "$KERNEL" = "AIX" ] ; then diff --git a/bin/ps_metric.sh b/bin/ps_metric.sh index 81d601a..b92e64d 100755 --- a/bin/ps_metric.sh +++ b/bin/ps_metric.sh @@ -8,7 +8,7 @@ . "$(dirname "$0")"/common.sh # shellcheck disable=SC2166 -if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then +if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand ps CMD='ps auxww' if [ "$KERNEL" = "Linux" ] ; then 
@@ -17,7 +17,7 @@ if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; th else DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" fi - elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then + elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" fi diff --git a/bin/rlog.sh b/bin/rlog.sh index a791ca6..ace5150 100755 --- a/bin/rlog.sh +++ b/bin/rlog.sh @@ -63,6 +63,8 @@ elif [ "$KERNEL" = "Darwin" ] ; then : elif [ "$KERNEL" = "HP-UX" ] ; then : +elif [ "$KERNEL" = "OpenBSD" ] ; then + : elif [ "$KERNEL" = "FreeBSD" ] ; then : fi diff --git a/bin/service.sh b/bin/service.sh index d5c620c..377893f 100755 --- a/bin/service.sh +++ b/bin/service.sh 
@@ -187,6 +187,22 @@ elif [ "$KERNEL" = "Darwin" ] ; then POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }' +elif [ "$KERNEL" = "OpenBSD" ] ; then + enabled=" $(/usr/sbin/rcctl ls on) " + failed=" $(doas /usr/sbin/rcctl ls failed) " + rogue=" $(doas /usr/sbin/rcctl ls rogue) " + running=" $(doas /usr/sbin/rcctl ls started) " + for svc in $(/usr/sbin/rcctl ls all); do + enabled=false + echo $enabled | grep " $svc " && enabled=true + failed=false + echo $enabled | grep " $svc " && failed=true + rogue=false + echo $enabled | grep " $svc " && rogue=true + state=stopped + echo $enabled | grep " $svc " && state=running + date "+%a %b %e %H:%M:%S %Z %Y type=rcctl app=$svc, enabled=$enabled, failed=$failed, rogue=$rogue, running=$running" + done else # Exits failUnsupportedScript diff --git a/bin/sshdChecker.sh b/bin/sshdChecker.sh index 0a2b545..79586ee 100755 --- a/bin/sshdChecker.sh +++ b/bin/sshdChecker.sh @@ -6,8 +6,9 @@ . "$(dirname "$0")"/common.sh SSH_CONFIG_FILE="" -if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] ; then +if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "OpenBSD" ] ; then SSH_CONFIG_FILE=/etc/ssh/sshd_config + [ "$KERNEL" = "OpenBSD" ] && SPLUNK_HOME=/usr elif [ "$KERNEL" = "Darwin" ] ; then SSH_CONFIG_FILE=/etc/sshd_config else diff --git a/bin/time.sh b/bin/time.sh index 5fc0974..9c02c37 100755 --- a/bin/time.sh +++ b/bin/time.sh @@ -51,6 +51,8 @@ elif [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then # Mac OS 10.14.6 o echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST" #With Chrony +elif [ "$KERNEL" = "OpenBSD" ]; then + CMD2="ntpctl -s all" else CMD2="chronyc -n sources" fi diff --git a/bin/update.sh b/bin/update.sh index 81d09cf..a2b0e97 100755 --- a/bin/update.sh +++ b/bin/update.sh 
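Review bot: The OpenBSD loop in service.sh overwrites the `enabled` list with `enabled=false` on its first statement and then tests `echo $enabled | grep " $svc "` for all four states, so the lists read from `rcctl ls failed|rogue|started` are never consulted: every service is reported `enabled=false, failed=false, rogue=false`, `running=$running` prints the whole started list, and `grep` without `-q` echoes matches into the output. The loop survives unchanged in PATCH 13's hunk of this file. Keep the lists under distinct names, reset the per-service flags once, and match exact lines with `grep -qx`; the enclosing if/elif chain begins and ends outside the hunk.
```sh
elif [ "$KERNEL" = "OpenBSD" ] ; then
    enabled_list=$(/usr/sbin/rcctl ls on)
    failed_list=$(doas /usr/sbin/rcctl ls failed)
    rogue_list=$(doas /usr/sbin/rcctl ls rogue)
    running_list=$(doas /usr/sbin/rcctl ls started)
    for svc in $(/usr/sbin/rcctl ls all); do
        enabled=false; failed=false; rogue=false; state=stopped
        printf '%s\n' "$enabled_list" | grep -qx -- "$svc" && enabled=true
        printf '%s\n' "$failed_list"  | grep -qx -- "$svc" && failed=true
        printf '%s\n' "$rogue_list"   | grep -qx -- "$svc" && rogue=true
        printf '%s\n' "$running_list" | grep -qx -- "$svc" && state=running
        date "+%a %b %e %H:%M:%S %Z %Y type=rcctl app=$svc, enabled=$enabled, failed=$failed, rogue=$rogue, running=$state"
    done
```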
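Review bot: `[ "$KERNEL" = "OpenBSD" ] && SPLUNK_HOME=/usr` in sshdChecker.sh silently reassigns a variable that the rest of the script (outside the hunk) presumably uses to locate the Splunk installation, and nothing explains why `/usr` is the right value on OpenBSD. Add a comment stating what under `$SPLUNK_HOME` the script needs and why it lives under `/usr` there, e.g. `# OpenBSD: <what is looked up> is found under /usr, not under a Splunk install`, or resolve that one path with its own variable instead of overriding SPLUNK_HOME.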
@@ -131,6 +131,10 @@ elif [ "$KERNEL" = "Darwin" ] ; then MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3" +elif [ "$KERNEL" = "OpenBSD" ] ; then + CMD="eval pkg_add -usv 2>&1 | grep -vE '(Adding quirks-|pkg_add should be run as root)' | grep ^Adding | sed -E 's/^Adding ([^:]+:)?(.*)->(.*)\(pretending\)/\2 \3/' | while read pkg ver; do name=\$(pkg_info -P \$pkg | grep -A1 ^Pkgpath:|tail -n1|cut -d/ -f2-); date \"+%a %b %e %H:%M:%S %Z %Y arch_architecture=\$(arch -s) package=\$name current_package_version=\$(echo \$pkg | sed -E \"s/\$name-//\") latest_package_version=\$ver\"; done" + #CMD="eval for f in \$(pkg_add -usv 2>&1 | grep -vE \"(Adding quirks-|pkg_add should be run as root)\" | grep ^Adding | sed -E \"s/^Adding ([^:]+:)?(.*)->(.*)\(pretending\)/\2 \3/\"); do echo \$f; done" + MESSAGE="{print}" else # Exits failUnsupportedScript diff --git a/bin/uptime.sh b/bin/uptime.sh index d6f69c5..91d75c9 100755 --- a/bin/uptime.sh +++ b/bin/uptime.sh @@ -18,7 +18,7 @@ fi # This should work for any POSIX-compliant system, but in case it doesn't # we have left the individual OS names here to be broken out later on. -if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then +if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand date assertHaveCommand ps CMD='eval date; LC_ALL=POSIX ps -o etime= -p 1' diff --git a/bin/version.sh b/bin/version.sh index 1df3c2f..cddefda 100755 --- a/bin/version.sh +++ b/bin/version.sh 
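Review bot: The OpenBSD CMD in update.sh interpolates `$name`, `$pkg` and `$ver` into the `date` format string, so any `%` in a package name or version is interpreted as a conversion specifier and corrupts the record; print the fixed timestamp with `date` and append the package fields with `printf '%s'` instead. `while read pkg ver` should be `while read -r pkg ver` so backslashes in names are not mangled, and the commented-out alternative `#CMD="eval for f in ..."` is dead code that should be deleted. The whole pipeline is a single ~400-character string passed through `eval`; a short comment above it describing the stages (list pending updates, resolve package name via `pkg_info -P`, emit one record per package) would help the next reader.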
@@ -32,7 +32,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand sw_vers os_release=$(sw_vers --productVersion) CMD="eval date ; echo MacOS ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" -elif [ "$KERNEL" = "SunOS" ] [ "$KERNEL" = "FreeBSD" ] ; then +elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand date assertHaveCommand uname CMD='eval date ; echo $KERNEL ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p;' diff --git a/bin/vmstat.sh b/bin/vmstat.sh index a14b9da..47d90d3 100755 --- a/bin/vmstat.sh +++ b/bin/vmstat.sh 
@@ -151,6 +151,26 @@ elif [ "$KERNEL" = "Darwin" ] ; then PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + # shellcheck disable=SC2016 + CMD='eval sysctl -n hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' + FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' + # shellcheck disable=SC2016 + PARSE_0='(NR==1) {memTotalMB=$1 / (1024*1024)}' + # shellcheck disable=SC2016 + PARSE_1='/pages being paged out$/ {pgPageOut+=$1} /forks$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}' + # shellcheck disable=SC2016 + PARSE_2='/load averages:/ {loadAvg1mi=$3} /^[0-9]+ processes: / {processes=$1}' + # shellcheck disable=SC2016 + PARSE_3='/Swap: / { split($10, a, "/"); swapTotal=toMB(a[2]); swapUsed=toMB(a[1]); swapFree=swapTotal-swapFree; } /^Memory: / {memFreeMB=toMB($6)}' + # shellcheck disable=SC2016 + PARSE_4='/^CPU_COUNT/ {cpuCount=$2}' + # shellcheck disable=SC2016 + PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}' + # shellcheck disable=SC2016 + PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}' + MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE" + FILL_BLANKS='END {threads=pgSwapOut="?"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/bin/vmstat_metric.sh b/bin/vmstat_metric.sh index 2a5d159..c262588 100755 --- a/bin/vmstat_metric.sh +++ b/bin/vmstat_metric.sh 
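Review bot: `swapFree=swapTotal-swapFree;` in PARSE_3 of the OpenBSD vmstat.sh branch subtracts the not-yet-set `swapFree` (0) from the total, so `swapFree` always equals `swapTotal` regardless of usage; it should be `swapFree=swapTotal-swapUsed;`. The identical line appears in the OpenBSD branch of vmstat_metric.sh in the next hunk. PARSE_1's `/interrupts$/` pattern matches every `vmstat -s` line ending in "interrupts", and the `+=` accumulates them all; if OpenBSD prints more than one such line (hardware, software, clock) the count is inflated, so anchoring the pattern to the exact label would be safer.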
@@ -162,6 +162,27 @@ elif [ "$KERNEL" = "Darwin" ] ; then PARSE_8='/^pgswapout / {pgSwapOut=0+$2}' MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE" FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}' +elif [ "$KERNEL" = "OpenBSD" ] ; then + # shellcheck disable=SC2016 + CMD='eval sysctl -n hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}' + # shellcheck disable=SC2016 + PARSE_0='(NR==1) {memTotalMB=$1 / (1024*1024)}' + # shellcheck disable=SC2016 + PARSE_1='/pages being paged out$/ {pgPageOut+=$1} /forks$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}' + # shellcheck disable=SC2016 + PARSE_2='/load averages:/ {loadAvg1mi=$3} /^[0-9]+ processes: / {processes=$1}' + # shellcheck disable=SC2016 + PARSE_3='/Swap: / { split($10, a, "/"); swapTotal=toMB(a[2]); swapUsed=toMB(a[1]); swapFree=swapTotal-swapFree; } /^Memory: / {memFreeMB=toMB($6)}' + # shellcheck disable=SC2016 + PARSE_4='/^CPU_COUNT/ {cpuCount=$2}' + # shellcheck disable=SC2016 + PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}' + # shellcheck disable=SC2016 + PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}' + MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE" + FILL_BLANKS='END {threads=pgSwapOut="?"}' elif [ "$KERNEL" = "FreeBSD" ] ; then # shellcheck disable=SC2016 CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh' diff --git a/default/app.conf b/default/app.conf index cbf2275..efceb73 100644 --- a/default/app.conf +++ b/default/app.conf 
@@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.8 +version = 9.2.0.9 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.8 +version = 9.2.0.9 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 9a31062..a4eae9c 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,14 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.9 (2025-01-25) + +Support OpenBSD + +Changes: + +* Add OpenBSD support to the scripts +* Fix sysctl usage for FreeBSD in a couple places + ## Version 9.2.0.8 (2025-01-23) Fix df.sh and df_metric.sh diff --git a/extra/run_nix_ta_commands b/extra/run_nix_ta_commands index 64ef8ba..63340c1 100755 --- a/extra/run_nix_ta_commands +++ b/extra/run_nix_ta_commands @@ -42,9 +42,9 @@ run_hour=6 [ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf # Get the current minute now to be consistent through the script run -minute=$(date +%_M | tr -d ' ') +minute=$(printf "%d" $(date +%M)) # Get the current hour now to be consistent through the script run -hour=$(date +%_H | tr -d ' ') +hour=$(printf "%d" $(date +%H)) # Set defaults disabling force-mode and list-mode force=0 list=0 From a24e4c8ee50ba343df3ea8931f3fbe2eb7c68e0c Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Sat, 25 Jan 2025 13:41:20 -0500 Subject: [PATCH 13/19] Fix OpenBSD Support and Other Bugs Changes: * Fix OpenBSD cpu.sh output to match others * Fix OpenBSD df.sh output (no need for %% here) * Do not use sudo or doas when running as root * Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands * Fix rsyslog example to trim whitespace in run_nix_ta_commands * Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands * Fix getting hour and minute for OpenBSD in run_nix_ta_commands "08" shows up to printf as octal * Support difference in OpenBSD logger command: Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf --- VERSION | 4 ++-- app.manifest | 2 +- bin/cpu.sh | 18 +++++++++++------- bin/df.sh | 2 +- bin/docker.sh | 10 ++++++---- bin/service.sh | 17 ++++++++++++++--- bin/update.sh | 16 ++++++++++++---- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 17 +++++++++++++++++ extra/run_nix_ta_commands | 34 ++++++++++++++++++++++++++-------- 10 files changed, 92 insertions(+), 32 deletions(-) diff --git a/VERSION b/VERSION index 7c05039..9a842f9 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.9 -9.2.0.9 +9.2.0.10 +9.2.0.10 diff --git a/app.manifest b/app.manifest index ad13046..4d3d554 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.9" + "version": "9.2.0.10" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/cpu.sh b/bin/cpu.sh index 935eef0..0ef0782 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh 
@@ -152,13 +152,17 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}' # shellcheck disable=SC2016 FORMAT='{ - if ($1 ~ /^[0-9]+$/) - name="all"; - else if ($1 ~ /^CPU[0-9]+$/) - name=substr($1,4); - else name=0; - printf "%s\t%s\t%s\t%s\t%s\t%s",name,substr($3,1,length($3)-1),substr($5,1,length($5)-1),substr($7,1,length($7)-1),substr($11,1,length($11)-1),substr($13,1,length($13)-1) - }' + if ($1 ~ /^[0-9]+$/) + cpu="all"; + else if ($1 ~ /^CPU[0-9]+$/) + cpu=substr($1,4); + else cpu=0; + pctUser=substr($3,1,length($3)-1); + pctNice=substr($5,1,length($5)-1); + pctSystem=substr($7,1,length($7)-1); + pctIowait=substr($11,1,length($11)-1); + pctIdle=substr($13,1,length($13)-1); + }' elif [ "$KERNEL" = "FreeBSD" ] ; then CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" diff --git a/bin/df.sh b/bin/df.sh index 0b1cea0..e2998d3 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -250,7 +250,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables # shellcheck disable=SC2016 PRINTF='/^Filesystem/ { - print "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n"; + print "Filesystem\tType\tSize\tUsed\tAvail\tUse%\tInodes\tIUsed\tIFree\tIUse%\tMountedOn"; } $0 !~ /^Filesystem/ && $0 !~ / on / { printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9; diff --git a/bin/docker.sh b/bin/docker.sh index 96a3d51..71f556c 100755 --- a/bin/docker.sh +++ b/bin/docker.sh 
@@ -21,12 +21,14 @@ declare -A bw_start [[ $0 =~ .*_metric.sh ]] && mode=metric # Either add the splunk user to the docker group or add the following to /etc/sudoers: -# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all -# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format * -# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f * +# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all +# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format * +# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f * docker_cmd=docker -! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd" +if [ $(id -u) != 0 ]; then + ! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd" +fi docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}') header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids" diff --git a/bin/service.sh b/bin/service.sh index 377893f..db9aa79 100755 --- a/bin/service.sh +++ b/bin/service.sh 
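Review bot: The sudoers rules quoted in the comment block are broader than the script needs: sudo's `*` wildcard matches across whitespace, so `/usr/bin/docker ps --all --no-trunc --format *` and `/usr/bin/docker inspect -f *` accept any trailing argument list, including a Go template that dumps every container's `Config.Env` or an `inspect` of arbitrary objects. That makes the sudo route equivalent to docker-group membership, which is itself root-equivalent on the host, so the comment should say so rather than present it as a least-privilege alternative, e.g. `# NOTE: either route is root-equivalent on this host; run the forwarder under a dedicated account.` The new guard should also quote the substitution, `if [ "$(id -u)" != 0 ]; then`, matching the quoting style used elsewhere in these scripts.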
@@ -188,10 +188,21 @@ elif [ "$KERNEL" = "Darwin" ] ; then POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }' elif [ "$KERNEL" = "OpenBSD" ] ; then + # For this to work when running as a non-root user, add the following + # to /etc/doas.conf (replacing USERNAME with the user running the script): + # permit nopass USERNAME cmd /usr/sbin/rcctl args ls started + # permit nopass USERNAME cmd /usr/sbin/rcctl args ls failed + # permit nopass USERNAME cmd /usr/sbin/rcctl args ls rogue + if [ $(id -u) != 0 ]; then + failed=" $(doas -n /usr/sbin/rcctl ls failed) " + rogue=" $(doas -n /usr/sbin/rcctl ls rogue) " + running=" $(doas -n /usr/sbin/rcctl ls started) " + else + failed=" $(/usr/sbin/rcctl ls failed) " + rogue=" $(/usr/sbin/rcctl ls rogue) " + running=" $(/usr/sbin/rcctl ls started) " + fi enabled=" $(/usr/sbin/rcctl ls on) " - failed=" $(doas /usr/sbin/rcctl ls failed) " - rogue=" $(doas /usr/sbin/rcctl ls rogue) " - running=" $(doas /usr/sbin/rcctl ls started) " for svc in $(/usr/sbin/rcctl ls all); do enabled=false echo $enabled | grep " $svc " && enabled=true diff --git a/bin/update.sh b/bin/update.sh index a2b0e97..cf957d6 100755 --- a/bin/update.sh +++ b/bin/update.sh 
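Review bot: A failing `doas -n` (no matching rule in doas.conf, or doas absent) goes unnoticed in the non-root branch: `failed`, `rogue` and `running` silently become `" "` and every service is then reported as not running, which reads as an outage in Splunk. The assignment's exit status is that of the command substitution, so a one-line check per call surfaces it, e.g. `running=" $(doas -n /usr/sbin/rcctl ls started) " || echo "doas rcctl ls started failed" >&2`, or abort the way `assertHaveCommand` does. Separately, the unchanged loop below appears to overwrite the `enabled` list with `enabled=false` before it is searched, so `echo $enabled | grep " $svc "` can never match, and that `grep` lacks `-q` so any match would be printed into the script's output. The loop body continues past the end of the hunk.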
@@ -17,10 +17,14 @@ if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand apt assertHaveCommand sed # For this to work properly, add a line to /etc/sudoers like this: - # splunk ALL=(root) NOPASSWD: /usr/bin/apt update + # splunk ALL=(root) NOPASSWD: /usr/bin/apt update # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script # sed command here replaces '/, [, ]' with ' ' - CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + if [ $(id -u) != 0 ]; then + CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + else + CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + fi # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 @@ -41,9 +45,13 @@ if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand checkupdates assertHaveCommand sed # For this to work properly, add a line to /etc/sudoers like this: - # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy + # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update) - CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + if [ $(id -u) != 0 ]; then + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + else + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + fi # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' PARSE_1='NR==2 {ARCH=$0}' 
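Review bot: In both non-root branches the privileged cache refresh (`sudo -n apt update` and `sudo -n pacman -Syy`) has stdout and stderr sent to /dev/null, so a missing sudoers rule, a sudo ticket problem or a repository failure is indistinguishable from success and the input quietly reports stale package data, which is exactly the condition the comment warns about. Keep stdout quiet but let stderr through to the caller's log by dropping the `2>&1`, i.e. `sudo -n apt update > /dev/null ;` and `sudo -n pacman -Syy > /dev/null ;`, so the failure is at least visible in splunkd's scripted-input log. The `[ $(id -u) != 0 ]` tests should quote the substitution, `[ "$(id -u)" != 0 ]`. The enclosing Linux branch begins before the hunk.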
diff --git a/default/app.conf b/default/app.conf index efceb73..a2f2a0f 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.9 +version = 9.2.0.10 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.9 +version = 9.2.0.10 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index a4eae9c..be27a1b 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,22 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.10 (2025-01-25) + +Fix OpenBSD Support and Other Bugs + +Changes: + +* Fix OpenBSD cpu.sh output to match others +* Fix OpenBSD df.sh output (no need for %% here) +* Do not use sudo or doas when running as root +* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands +* Fix rsyslog example to trim whitespace in run_nix_ta_commands +* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands +* Fix getting hour and minute for OpenBSD in run_nix_ta_commands + "08" shows up to printf as octal +* Support difference in OpenBSD logger command: + Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf + ## Version 9.2.0.9 (2025-01-25) Support OpenBSD diff --git a/extra/run_nix_ta_commands b/extra/run_nix_ta_commands index 63340c1..a71fce2 100755 --- a/extra/run_nix_ta_commands +++ b/extra/run_nix_ta_commands 
@@ -1,17 +1,17 @@ -#!/bin/bash +#!/usr/bin/env bash # This script allows getting the Techical Add-on for Unix and Linux data into # Splunk from systems that are not running a Splunk Universal Forwarder. # This is useful for systems with small or read-only file-systems. # -# ## Sample rsyslog.conf +# ## Sample rsyslog.conf: # # Config for handling remote logs # template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log") # # Write raw messages for splunk logs # template(name="RawMessageOnly" type="string" string="%$.mymsg%\n") # # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs # if ($syslogtag startswith 'nix_ta_') then { -# set $.mymsg = replace($msg, "#011", " "); +# set $.mymsg = ltrim(rtrim(replace($msg, "#011", " "))); # action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly" # fileCreateMode="0644" dirCreateMode="0755" # fileOwner="root" fileGroup="splunk" 
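Review bot: The sample rsyslog config writes the collected host inventory (package lists, services, interfaces) with `fileCreateMode="0644"` and `dirCreateMode="0755"`, so it is world-readable on the log server even though `fileGroup="splunk"` is set specifically to give the forwarder access; `fileCreateMode="0640"` and `dirCreateMode="0750"` match that intent. The dynaFile path also embeds `%$.myprogramname%`, which, where it is derived from the sender-supplied syslogtag (set outside this hunk), arrives over unauthenticated UDP and should be sanitised with rsyslog's `secpath-drop` property option before being used as a path component; a comment next to the template would do. On the shebang, `/usr/bin/env bash` picks the interpreter from the PATH of whatever launches the script, and the `export PATH` added later in the file cannot help because it runs after the interpreter is chosen, so the crontab example may need a `PATH=` line on systems where bash lives in /usr/local/bin.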
@@ -20,31 +20,45 @@ # } # # End of sample rsyslog.conf # -# To use: +# ## run_nix_ta_commands configuration file # * Create a new file (/etc/nix_ta.conf) with the following settings in it # * ta_home: The directory you copied the Technical Add-on for Unix and Linux files # * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag # * syslog_server: The UDP syslog server to send events to # * run_minute: For scripts that have intervals over an hour, which minute to run them # * run_hour: For scripts that run once a day, which hour to run them -# * Create a cron job: * * * * * /path/to/script/run_nix_ta_commands +# * facility: For logger commands like OpenBSD that do not support pointing to a syslog_server directly +# Set to something like "local3.info" +# +# ## Using syslog facility instead of specifying a syslog server with logger +# Using $facility when logger does not support specifying $syslog_server: +# Modify local syslog server to send logs for $facility to the $syslog_server +# On OpenBSD, an example for /etc/syslog.conf is: +# local3.* @192.168.1.1 +# +# ## Cron job example: +# * * * * * /path/to/script/run_nix_ta_commands # Ensure the logger command is available which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; } +# Ensure PATH has correct paths +export PATH=$PATH:/usr/local/sbin:/usr/local/bin + # Example/default settings -- override in /etc/nix_ta.conf ta_home=/srv/TA-unix tag_prefix=nix_ta_ syslog_server=192.168.1.1 run_minute=2 run_hour=6 +facility= [ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf # Get the current minute now to be consistent through the script run -minute=$(printf "%d" $(date +%M)) +minute=$(printf "%d" $((10#$(date +%M)))) # Get the current hour now to be consistent through the script run -hour=$(printf "%d" $(date +%H)) +hour=$(printf "%d" $((10#$(date +%H)))) # Set defaults disabling force-mode and list-mode force=0 list=0 
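Review bot: `[ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf` executes the config file as shell under the cron user (typically root) with only a readability test, so anyone who can write that file runs code as root on the next minute; check ownership and writability before sourcing, e.g. `[ -r /etc/nix_ta.conf ] && [ -O /etc/nix_ta.conf ] && . /etc/nix_ta.conf` together with a `find /etc/nix_ta.conf -perm -o+w` style check (GNU and BSD find both accept the symbolic form), and state the expected mode (root-owned, 0644) in the header comment. The values it sets (`syslog_server`, `facility`, `ta_home`) are later interpolated unquoted into `logger` command lines, so quote them at the point of use as well. The `10#` base prefix on `date +%M` and `date +%H` is correct and deserves a comment so it is not reverted: `# force base 10: "08" and "09" would otherwise be rejected as octal`.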
@@ -71,7 +85,11 @@ shift $((OPTIND -1)) runit() { [ -z "$1" ] && return 1 if [ -x $ta_home/bin/$1.sh ]; then - { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]') + if [ -n "$facility" ]; then + { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -p $facility -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]') + else + { $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]') + fi else echo Could not find $1 in $ta_home/bin return 1 From 653ee79a67b193469692630999974d69271f23c2 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 25 Jan 2025 15:11:30 -0500 Subject: [PATCH 14/19] Fix Darwin Scripts and Document Sudo Changes: * Use sudo in service.sh for Darwin to find user services if not running as root * Fix parsing the output of softwareupdate command on Darwin in update.sh * Better document usage of sudo in docs/Sudo.md --- VERSION | 4 ++-- app.manifest | 2 +- bin/service.sh | 15 ++++++++++++--- bin/update.sh | 22 ++++++++++++---------- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 10 ++++++++++ docs/Sudo.md | 45 ++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 84 insertions(+), 18 deletions(-) create mode 100644 docs/Sudo.md diff --git a/VERSION b/VERSION index 9a842f9..5fc1b17 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.10 -9.2.0.10 +9.2.0.11 +9.2.0.11 diff --git a/app.manifest b/app.manifest index 4d3d554..e0f7eef 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.10" + "version": "9.2.0.11" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/service.sh b/bin/service.sh index db9aa79..06879eb 100755 --- a/bin/service.sh +++ b/bin/service.sh 
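Review bot: `runit` builds the script path as `$ta_home/bin/$1.sh` without validating the name, so an argument containing `/` or `..` (where `$1` originates is outside the hunk, but the script does take command-line options) would execute a script outside `$ta_home/bin` as the cron user; a guard such as `case $1 in */*|.*) return 1 ;; esac` after the empty check closes that. The two branches duplicate the whole pipeline and differ only in the `logger` destination; since the script is bash, compute it once as an array, `dest=(-n "$syslog_server"); [ -n "$facility" ] && dest=(-p "$facility")`, then `logger "${dest[@]}" -t "${tag_prefix}..."`, and quote `"$ta_home/bin/$1.sh"` so a `ta_home` containing spaces works. The function's closing brace is outside the hunk.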
@@ -128,9 +128,18 @@ elif [ "$KERNEL" = "Darwin" ] ; then CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/' # Get per-user startup items # shellcheck disable=SC2044 - for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do - CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE - done + # For this to work properly when run as non-root, add a line to + # an /etc/sudoers.d file (eg - /etc/sudoers.d/splunk) like this: + # splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist + if [ $(id -u) != 0 ]; then + for PLIST_FILE in $(sudo -n /usr/bin/find /Users -name loginwindow.plist) ; do + CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE + done + else + for PLIST_FILE in $(/usr/bin/find /Users -name loginwindow.plist) ; do + CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE + done + fi # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # Retrieve path for system startup items diff --git a/bin/update.sh b/bin/update.sh index cf957d6..6119e66 100755 --- a/bin/update.sh +++ b/bin/update.sh @@ -21,9 +21,9 @@ if [ "$KERNEL" = "Linux" ] ; then # Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script # sed command here replaces '/, [, ]' with ' ' if [ $(id -u) != 0 ]; then - CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + CMD='eval date ; sudo -n /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' else - CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' + CMD='eval date ; /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"' fi # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' 
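Review bot: The paths returned by `find` are spliced unquoted into `CMD`, which starts with `eval date` and is therefore re-parsed by `eval` when it runs, so a local user who creates a directory under their home whose name contains `;`, `$(` or backquotes gets that text executed as the account running the input, and `find` now runs as root so it will enumerate such names. Each path should be single-quoted when appended and names containing `'` skipped, and the loop should split on newlines rather than whitespace so a home directory with a space does not yield two bogus entries. A second gap: `defaults read` still runs unprivileged, so for another user's `~/Library/Preferences/loginwindow.plist` it fails with a permission error in exactly the case the sudo rule was added for; if a `sudo defaults read` rule is ever added, the quoting above becomes a root-level concern, so it belongs in this commit. The Darwin branch continues past the end of the hunk.
```shell
    # Run find once (via sudo -n when not root). Split the result on newlines,
    # not spaces, and single-quote every path before it is appended to the
    # eval'd CMD so a crafted directory name cannot inject commands.
    FIND_CMD='/usr/bin/find /Users -name loginwindow.plist'
    [ "$(id -u)" != 0 ] && FIND_CMD="sudo -n $FIND_CMD"
    PLIST_LIST=$($FIND_CMD 2>/dev/null)
    OLD_IFS=$IFS
    IFS='
'
    for PLIST_FILE in $PLIST_LIST ; do
        # a single quote in the path would break the quoting below; skip it
        case $PLIST_FILE in *\'*) continue ;; esac
        CMD=$CMD" ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE'"
    done
    IFS=$OLD_IFS
    # … unchanged: PARSE_0 and the rest of the Darwin branch …
```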
@@ -48,9 +48,9 @@ if [ "$KERNEL" = "Linux" ] ; then # splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy # Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update) if [ $(id -u) != 0 ]; then - CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates' else - CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates' + CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates' fi # shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' @@ -103,7 +103,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand date assertHaveCommand softwareupdate - CMD='eval date ; softwareupdate -l' + CMD='eval date ; softwareupdate -l 2>&1 | grep -v "XType: Using static font registry"' # shellcheck disable=SC2016 PARSE_0='NR==1 { DATE=$0 
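Review bot: Merging stderr into the pipeline with `2>&1` means every diagnostic from `softwareupdate -l` other than the one filtered `XType` line (network failures, catalog errors, "No new software available") now reaches the awk parser as if it were update output, where PARSE_1 keys on `Title:`, `Recommended: YES` and `Action: restart` substrings. Unless the update list itself is emitted on stderr (the previous version of this line did not redirect it, which suggests it is not), keep stderr separate and strip only the known noise from it, e.g. `softwareupdate -l 2> >(grep -v "XType: Using static font registry" >&2)` if bash is available, or simply leave `2>&1` off and tolerate the stray line in the debug trace. It is also worth a comment that this command contacts Apple's update servers on every run of the input, since forwarders often sit on hosts without outbound access. The enclosing Darwin branch extends beyond the hunk.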
@@ -115,14 +115,16 @@ elif [ "$KERNEL" = "Darwin" ] ; then # of the update. Otherwise, print the update. # shellcheck disable=SC2016 PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ { - if ( $0 ~ /^[[:blank:]]*\*/ ) { - PACKAGE="package=\"" $2 "\"" + if ( $1 == "Title:" ) { + line = $0; + gsub(/^.*Title: /, "", line); + gsub(/, Version:.*$/, "", line); + PACKAGE="package=\"" line "\"" RECOMMENDED="" RESTART="" TOTAL=TOTAL+1 - } else { - if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" } - if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" } + if ( $0 ~ /Recommended: YES/ ) { RECOMMENDED="is_recommended=\"true\"" } + if ( $0 ~ /Action: restart/ ) { RESTART="restart_required=\"true\"" } printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART } }' diff --git a/default/app.conf b/default/app.conf index a2f2a0f..793a7b1 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.10 +version = 9.2.0.11 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.10 +version = 9.2.0.11 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index be27a1b..b7def40 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,15 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.11 (2025-01-25) + +Fix Darwin Scripts and Document Sudo + +Changes: + +* Use sudo in service.sh for Darwin to find user services if not running as root +* Fix parsing the output of softwareupdate command on Darwin in update.sh +* Better document usage of sudo in docs/Sudo.md + ## Version 9.2.0.10 (2025-01-25) Fix OpenBSD Support and Other Bugs diff --git a/docs/Sudo.md b/docs/Sudo.md new file mode 100644 index 0000000..27ed958 --- /dev/null +++ b/docs/Sudo.md 
@@ -0,0 +1,45 @@ +# Sudo Usage + +Some commands may need to use sudo or doas to execute. Below is documentation +for those cases. + +## MacOS/Darwin service.sh + +The service.sh script searches users' home directories and a splunk user does +not have rights to do that. + +Create a file like /etc/sudoers.d/splunk and add: + +``` +splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist +``` + +## Docker + +Either add the splunk user to the docker group or run the command with sudo. +To make sudo work, create a file like /etc/sudoers.d/splunk and add: + +``` +splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all +splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format * +splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f * +``` + +## Debian/Ubuntu apt update + +A splunk user does not have the ability to update the package cache. +To make sudo work, create a file like /etc/sudoers.d/splunk and add: + +``` +splunk ALL=(root) NOPASSWD: /usr/bin/apt update +``` + +## Arch Linux pacman update cache + +A splunk user does not have the ability to update the package cache. +To make sudo work, create a file like /etc/sudoers.d/splunk and add: + +``` +splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy +``` + From f3e4386480d50bb6fcac718812592d82f172c610 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Sat, 25 Jan 2025 15:30:25 -0500 Subject: [PATCH 15/19] Add Version to update.sh for Darwin Changes: * Add version to update.sh for Darwin --- VERSION | 4 ++-- app.manifest | 2 +- bin/update.sh | 6 +++++- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 8 ++++++++ 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/VERSION b/VERSION index 5fc1b17..c5a3754 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.11 -9.2.0.11 +9.2.0.12 +9.2.0.12 diff --git a/app.manifest b/app.manifest index e0f7eef..03e205f 100644 --- a/app.manifest +++ b/app.manifest 
@@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.11" + "version": "9.2.0.12" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/update.sh b/bin/update.sh index 6119e66..075057d 100755 --- a/bin/update.sh +++ b/bin/update.sh @@ -120,12 +120,16 @@ elif [ "$KERNEL" = "Darwin" ] ; then gsub(/^.*Title: /, "", line); gsub(/, Version:.*$/, "", line); PACKAGE="package=\"" line "\"" + version = $0; + gsub(/^.*Title: [^,]+, Version: /, "", version); + gsub(/, Size:.*$/, "", version); + VERSION="latest_package_version=\"" version "\"" RECOMMENDED="" RESTART="" TOTAL=TOTAL+1 if ( $0 ~ /Recommended: YES/ ) { RECOMMENDED="is_recommended=\"true\"" } if ( $0 ~ /Action: restart/ ) { RESTART="restart_required=\"true\"" } - printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART + printf "%s %s %s %s\n", DATE, PACKAGE, VERSION, RECOMMENDED, RESTART } }' diff --git a/default/app.conf b/default/app.conf index 793a7b1..4c4b6cf 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.11 +version = 9.2.0.12 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.11 +version = 9.2.0.12 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index b7def40..0775ac2 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,13 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.12 (2025-01-25) + +Add Version to update.sh for Darwin + +Changes: + +* Add version to update.sh for Darwin + ## Version 9.2.0.11 (2025-01-25) Fix Darwin Scripts and Document Sudo From ce9dada330ff27dfa26662298d4600ee164197ee Mon Sep 17 00:00:00 2001 
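Review bot: The new `printf` still has four `%s` conversions but now receives five arguments, so `RESTART` is silently dropped and `restart_required="true"` is never emitted; it should read `printf "%s %s %s %s %s\n", DATE, PACKAGE, VERSION, RECOMMENDED, RESTART`. The version extraction `gsub(/^.*Title: [^,]+, Version: /, "", version)` also misparses a title containing a comma, because `[^,]+` stops at the first one and the rest of the title lands in the version field; matching the separator directly, `sub(/^.*, Version: /, "", version)`, avoids that. The awk program and the Darwin branch begin before the hunk.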
From: Michael Erdely Date: Mon, 3 Feb 2025 18:08:38 -0500 Subject: [PATCH 16/19] Fix alignment and fix packages for Arch Linux Changes: * Align columns with "column -t" * Add Arch Linux support in packages.sh --- VERSION | 4 ++-- app.manifest | 2 +- bin/bandwidth.sh | 4 +++- bin/cpu.sh | 6 ++++-- bin/cpu_metric.sh | 6 ++++-- bin/df.sh | 4 +++- bin/df_metric.sh | 4 +++- bin/interfaces.sh | 43 +++++++++++++++++++++++----------------- bin/interfaces_metric.sh | 35 +++++++++++++++++++------------- bin/iostat.sh | 6 ++++-- bin/iostat_metric.sh | 6 ++++-- bin/nfsiostat.sh | 2 ++ bin/package.sh | 9 ++++++++- bin/protocol.sh | 4 +++- bin/vmstat.sh | 4 +++- bin/vmstat_metric.sh | 4 +++- default/app.conf | 4 ++-- docs/ReleaseNotes.md | 9 +++++++++ 18 files changed, 104 insertions(+), 52 deletions(-) diff --git a/VERSION b/VERSION index c5a3754..e4b0645 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -9.2.0.12 -9.2.0.12 +9.2.0.13 +9.2.0.13 diff --git a/app.manifest b/app.manifest index 03e205f..d8b132e 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-nix", - "version": "9.2.0.12" + "version": "9.2.0.13" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/bandwidth.sh b/bin/bandwidth.sh index 7499478..671268c 100755 --- a/bin/bandwidth.sh +++ b/bin/bandwidth.sh @@ -7,6 +7,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS' HEADERIZE="BEGIN {print \"$HEADER\"}" PRINTF='{printf "%s %s %s %s %s\n", Name, rxPackets_PS, txPackets_PS, rxKB_PS, txKB_PS}' 
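Review bot: `assertHaveCommand column` turns a cosmetic alignment helper into a hard prerequisite for the input: on minimal Debian/Ubuntu images `column` ships in the optional `bsdextrautils` package, and AIX, Solaris and HP-UX hosts may not have it at all, so after this patch the bandwidth input stops producing data on hosts where it previously worked. Prefer a soft dependency via the `queryHaveCommand` helper the scripts already use, e.g. `if queryHaveCommand column; then ALIGN="column -t"; else ALIGN=cat; fi` and `| $ALIGN` at the end of the pipeline, with a comment that alignment is best-effort. The same assertion is added to cpu.sh, cpu_metric.sh, df.sh, df_metric.sh and interfaces_metric.sh in this patch, so the fallback belongs in common.sh rather than in each script.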
@@ -92,6 +94,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then fi assertHaveCommand "$CMD" -$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" # jscpd:ignore-end diff --git a/bin/cpu.sh b/bin/cpu.sh index 0ef0782..92f6698 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh @@ -5,6 +5,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' @@ -120,7 +122,7 @@ elif [ "$KERNEL" = "AIX" ] ; then print ""; }' fi - $CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT" + $CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT" | column -t echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then @@ -198,5 +200,5 @@ elif [ "$KERNEL" = "HP-UX" ] ; then FORMAT='{k=0; if(5> "$TEE_DEST" diff --git a/bin/cpu_metric.sh b/bin/cpu_metric.sh index 9e293f1..7f14e60 100755 --- a/bin/cpu_metric.sh +++ b/bin/cpu_metric.sh @@ -6,6 +6,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address' HEADERIZE="BEGIN {print \"$HEADER\"}" PRINTF='{printf "%-3s %9s %9s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address}' 
@@ -137,7 +139,7 @@ elif [ "$KERNEL" = "AIX" ] ; then print ""; }' fi - $CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS" + $CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS" | column -t echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then @@ -228,5 +230,5 @@ elif [ "$KERNEL" = "HP-UX" ] ; then FORMAT='{k=0; if(5>"$TEE_DEST" diff --git a/bin/df.sh b/bin/df.sh index e2998d3..6c191ef 100755 --- a/bin/df.sh +++ b/bin/df.sh @@ -6,6 +6,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + # jscpd:ignore-start if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand df @@ -310,5 +312,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then fi # jscpd:ignore-end -$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/bin/df_metric.sh b/bin/df_metric.sh index cb79d07..be4314a 100755 --- a/bin/df_metric.sh +++ b/bin/df_metric.sh @@ -6,6 +6,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + # shellcheck disable=SC2016 FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(IPv6_Address) || IPv6_Address = "?"}' 
@@ -346,5 +348,5 @@ fi # jscpd:ignore-end # shellcheck disable=SC2086 -$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK $DEFINE '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST" diff --git a/bin/interfaces.sh b/bin/interfaces.sh index dc37dd1..2177c7c 100755 --- a/bin/interfaces.sh +++ b/bin/interfaces.sh 
@@ -6,15 +6,17 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex' +#HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex' +HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex' FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}' -PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}' +#PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}' +PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, (RXdropped == "") ? 0 : RXdropped, TXbytes, TXerrors, (TXdropped == "") ? 
0 : TXdropped, speed, duplex}' if [ "$KERNEL" = "Linux" ] ; then OS_FILE=/etc/os-release - HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex' - PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}' + #HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex' + #PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}' queryHaveCommand ip FOUND_IP=$? if [ $FOUND_IP -eq 0 ]; then @@ -253,7 +255,7 @@ if [ "$KERNEL" = "Linux" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do @@ -322,12 +324,13 @@ if [ "$KERNEL" = "Linux" ] ; then GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}' fi if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then - $CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC" + output="$output$($CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC")\n" echo "Cmd = [$CMD $iface]; | awk '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST" else echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST" fi done + printf "$output" | column -t elif [ "$KERNEL" = "SunOS" ] ; then assertHaveCommandGivenPath /usr/sbin/ifconfig 
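Review bot: `printf "$output" | column -t` uses the collected data as the printf format string, so any `%` or backslash in an interface line is interpreted rather than printed; link-local IPv6 addresses carry a zone suffix such as `fe80::1%eth0` in several tools, which would become a bogus `%e` conversion and corrupt the row if GET_ALL keeps the suffix (not visible here). Use `printf '%b' "$output" | column -t`, where `%b` expands the literal `\n` separators the loop appends while treating the data as data, or accumulate real newlines and use `printf '%s\n' "$output"`. The same pattern is repeated in every platform branch of this file and in interfaces_metric.sh, so a small shared helper would fix it once. The old `HEADER`/`PRINTF` definitions are also left behind as commented-out lines in the first hunk; delete them rather than keep dead code.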
@@ -346,7 +349,7 @@ elif [ "$KERNEL" = "SunOS" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do @@ -358,9 +361,10 @@ elif [ "$KERNEL" = "SunOS" ] ; then else CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" fi - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" done + printf "$output" | column -t elif [ "$KERNEL" = "AIX" ] ; then assertHaveCommandGivenPath /usr/sbin/ifconfig assertHaveCommandGivenPath /usr/bin/netstat @@ -378,16 +382,17 @@ elif [ "$KERNEL" = "AIX" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST" NODE=$(uname -n) CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface" - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" done + printf "$output" elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat 
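Review bot: The AIX branch ends with a bare `printf "$output"` while the Linux, SunOS, Darwin, OpenBSD and FreeBSD branches pipe through `column -t`, and cpu.sh's AIX branch in this same patch does use `column -t`, so this is either an oversight or a deliberate choice because AIX lacks `column`; if the latter, a one-line comment such as `# AIX: no column(1); emit unaligned output` would stop the next reader from "fixing" it. As in the other branches, `$output` should not be the format string: `printf '%b' "$output"`.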
@@ -437,15 +442,16 @@ elif [ "$KERNEL" = "Darwin" ] ; then out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" done + printf "$output" | column -t elif [ "$KERNEL" = "HP-UX" ] ; then assertHaveCommand ifconfig assertHaveCommand lanadmin @@ -466,8 +472,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" - echo "$out" + printf "$HEADER\n$out\n" fi elif [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand ifconfig 
@@ -484,12 +489,13 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do - echo "$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto" + output="$output$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s %s %s\", \$9, \$1, 0, \$6, \$2, \$8, 0}") auto auto\n" done + printf "$output" | column -t elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat @@ -536,14 +542,15 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" done + printf "$output" | column -t fi # jscpd:ignore-end diff --git a/bin/interfaces_metric.sh b/bin/interfaces_metric.sh index 017d1c8..b909c7a 100755 --- a/bin/interfaces_metric.sh +++ b/bin/interfaces_metric.sh 
@@ -7,6 +7,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex OSName OS_version IP_address IPv6_Address' FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}' PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}' @@ -260,7 +262,7 @@ if [ "$KERNEL" = "Linux" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do @@ -325,12 +327,13 @@ if [ "$KERNEL" = "Linux" ] ; then fi if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then # shellcheck disable=SC2086 - $CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC" + output="$output$($CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC")\n" echo "Cmd = [$CMD $iface]; | awk $DEFINE '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST" else echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST" fi done + printf "$output" | column -t elif [ "$KERNEL" = "SunOS" ] ; then assertHaveCommandGivenPath /usr/sbin/ifconfig 
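Review bot: `assertHaveCommand column` turns a cosmetic alignment step into a hard requirement: `column` is not in POSIX or coreutils (on Debian-family systems it ships in bsdextrautils/bsdmainutils, and minimal or container images often lack it), so a host that collected interface data before this change now fails the whole script instead of emitting unaligned output. A soft dependency fits better, e.g. `if queryHaveCommand column ; then COLUMNIZE='column -t' ; else COLUMNIZE=cat ; fi` in place of the assert and `| $COLUMNIZE` at the printf sites, assuming `queryHaveCommand` returns a status as its use in cpu.sh suggests. The same hard assert is added to iostat.sh, iostat_metric.sh, nfsiostat.sh, package.sh, protocol.sh and both vmstat scripts in this commit, so the fallback would belong in common.sh.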
@@ -352,7 +355,7 @@ elif [ "$KERNEL" = "SunOS" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do @@ -365,9 +368,10 @@ elif [ "$KERNEL" = "SunOS" ] ; then CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" fi # shellcheck disable=SC2086 - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" done + printf "$output" | column -t elif [ "$KERNEL" = "AIX" ] ; then assertHaveCommandGivenPath /usr/sbin/ifconfig assertHaveCommandGivenPath /usr/bin/netstat @@ -389,7 +393,7 @@ elif [ "$KERNEL" = "AIX" ] ; then out=$($CMD_LIST_INTERFACES) lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do @@ -397,9 +401,10 @@ elif [ "$KERNEL" = "AIX" ] ; then NODE=$(uname -n) CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface" # shellcheck disable=SC2086 - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" done + printf "$output" | column -t elif [ "$KERNEL" = "Darwin" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat 
@@ -451,16 +456,17 @@ elif [ "$KERNEL" = "Darwin" ] ; then out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" # shellcheck disable=SC2086 - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" done + printf "$output" | column -t elif [ "$KERNEL" = "HP-UX" ] ; then assertHaveCommand ifconfig assertHaveCommand lanadmin @@ -482,8 +488,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" - echo "$out" + printf "$HEADER\n$out\n" | column -t fi elif [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand ifconfig 
@@ -503,12 +508,13 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then IP4=$(ifconfig $INT | awk '$1=="inet"{print $2;p=1;exit}END{if (p!=1) print ""}') IP6=$(ifconfig $INT | awk '$1=="inet6" && $2!~/%vio0$/{print $2;p=1;exit}END{if (p!=1) print ""}') if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do - echo "$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto $(uname -s) $(uname -r) $IP4 $IP6" + output="$output"$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto $(uname -s) $(uname -r) $IP4 $IP6\n" done + printf "$output" | column -t elif [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand ifconfig assertHaveCommand netstat @@ -558,15 +564,16 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") lines=$(echo "$out" | wc -l) if [ "$lines" -gt 0 ]; then - echo "$HEADER" + output="$HEADER\n" fi for iface in $out do echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" # shellcheck disable=SC2086 - $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface" + output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface")\n" echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" done + printf "$output" | column -t fi # jscpd:ignore-end diff --git a/bin/iostat.sh b/bin/iostat.sh index a0c57e8..3f977df 100755 
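Review bot: The new `output=` line in the OpenBSD loop is mis-quoted: it reads `output="$output"$iface $(ifconfig ...`, so the quote after `$output` closes the string early, the assignment ends at `$iface`, the result of the first command substitution (the MAC/IP fields) is then executed as a command with `output` in its environment, and the `"` after `$IP6\n` is left unmatched, which breaks parsing of the rest of the file. The interfaces.sh version of the same line in this commit is quoted correctly; the fix is to drop the stray quote: `output="$output$iface $(ifconfig $iface | awk ...) ... $IP4 $IP6\n"`. The enclosing if/elif chain starts and ends outside the hunk.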
--- a/bin/iostat.sh +++ b/bin/iostat.sh @@ -7,6 +7,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + if [ "$KERNEL" = "Linux" ] ; then CMD='iostat -xky 1 1' assertHaveCommand "$CMD" @@ -49,10 +51,10 @@ elif [ "$KERNEL" = "Darwin" ] ; then LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}' FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}' SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}" - $CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER" + $CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER" | column -t echo "Cmd = [$CMD]; | awk '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST" exit 0 fi -$CMD | tee "$TEE_DEST" | $AWK "$FILTER" +$CMD | tee "$TEE_DEST" | $AWK "$FILTER" | column -t echo "Cmd = [$CMD]; | $AWK '$FILTER'" >> "$TEE_DEST" diff --git a/bin/iostat_metric.sh b/bin/iostat_metric.sh index c171424..0680c86 100755 --- a/bin/iostat_metric.sh +++ b/bin/iostat_metric.sh @@ -8,6 +8,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + if [ "$KERNEL" = "Linux" ] ; then CMD='iostat -xky 1 1' assertHaveCommand "$CMD" 
@@ -66,10 +68,10 @@ elif [ "$KERNEL" = "Darwin" ] ; then FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}' SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}" # shellcheck disable=SC2086 - $CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER" + $CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER" | column -t echo "Cmd = [$CMD]; | awk $DEFINE '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST" exit 0 fi # shellcheck disable=SC2086 -$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF" +$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF" | column -t echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER'" >> "$TEE_DEST" diff --git a/bin/nfsiostat.sh b/bin/nfsiostat.sh index fd32002..bc97af0 100755 --- a/bin/nfsiostat.sh +++ b/bin/nfsiostat.sh @@ -5,6 +5,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='Mount Path r_op/s w_op/s r_KB/s w_KB/s rpc_backlog r_avg_RTT w_avg_RTT r_avg_exe w_avg_exe' HEADERIZE="BEGIN {print \"$HEADER\"}" diff --git a/bin/package.sh b/bin/package.sh index ddccd69..1e0809e 100755 --- a/bin/package.sh +++ b/bin/package.sh @@ -5,12 +5,15 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + HEADER='NAME VERSION RELEASE ARCH VENDOR GROUP' HEADERIZE="BEGIN {print \"$HEADER\"}" PRINTF='{printf "%-55.55s %-20.20s %-20.20s %-10.10s %-30.30s %-20s\n", name, version, release, arch, vendor, group}' CMD='echo There is no flavor-independent command...' if [ "$KERNEL" = "Linux" ] ; then + OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) if $DEBIAN; then CMD1="eval dpkg-query -W -f='" # shellcheck disable=SC2016 
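Review bot: The new `OSName=$(cat /etc/*release | grep '\bNAME=' ...)` assignment globs every `*release` file in /etc, so on systems with more than one (`os-release` plus a distro-specific file) it can yield several lines, and the `[ "$OSName" = "Arch_Linux" ]` test in the following hunk then fails silently and falls through to the rpm branch; it also prints `cat` errors for unreadable files and relies on GNU grep's `\b`. Reading the one canonical file is simpler and deterministic: `OSName=$(grep -h '^NAME=' /etc/os-release 2>/dev/null | head -n1 | cut -d= -f2- | tr -d '"' | tr ' ' '_')`. The Linux branch this sits in continues past the end of the hunk.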
@@ -19,6 +22,10 @@ if [ "$KERNEL" = "Linux" ] ; then CMD=$CMD1$CMD2$CMD3 # shellcheck disable=SC2016 FORMAT='{name=$1;version=$2;sub("\\.?[^0-9\\.:\\-].*$", "", version); release=$2; sub("^[0-9\\.:\\-]*","",release); if(release=="") {release="?"}; arch=$3; if (NF>3) {sub("^.*:\\/\\/", "", $4); sub("^www\\.", "", $4); sub("\\/.*$", "", $4); vendor=$4} else {vendor="?"} group="?"}' + elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then + CMD="eval pacman -Q" + # shellcheck disable=SC2016 + FORMAT="{name=\$1;version=\$2; release=\"?\"; arch=\"$(eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/")\"; vendor=\"?\"; group=\"?\"}" else CMD='eval rpm --query --all --queryformat "%-56{name} %-21{version} %-21{release} %-11{arch} %-31{vendor} %-{group}\n"' # shellcheck disable=SC2016 @@ -69,5 +76,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then fi assertHaveCommand "$CMD" -$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/bin/protocol.sh b/bin/protocol.sh index d632313..3aa5d5d 100755 --- a/bin/protocol.sh +++ b/bin/protocol.sh @@ -5,6 +5,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + CMD='netstat -s' HEADER=' IPdropped TCPrexmits TCPreorder TCPpktRecv TCPpktSent UDPpktLost UDPunkPort UDPpktRecv UDPpktSent' HEADERIZE="BEGIN {print \"$HEADER\"}" 
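Review bot: The Arch branch hard-codes `release=\"?\"` although `pacman -Q` prints the package release as part of its second field (`name epoch:version-pkgrel`), so data that the RELEASE column exists for is discarded; splitting it keeps the column meaningful: `split(\$2, v, \"-\"); version=v[1]; release=(v[2]==\"\" ? \"?\" : v[2])`. `eval uname -m` can be plain `uname -m`, and `sed -r` is GNU-only, which is fine for Arch but deserves a comment since the rest of the file is written for portable sh. The enclosing Linux branch starts before the hunk and continues after it.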
@@ -77,5 +79,5 @@ elif [ "$KERNEL" = "HP-UX" ] ; then fi assertHaveCommand "$CMD" -$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/bin/vmstat.sh b/bin/vmstat.sh index 47d90d3..187b917 100755 --- a/bin/vmstat.sh +++ b/bin/vmstat.sh @@ -6,6 +6,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + # hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine # the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so # (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute. @@ -193,5 +195,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then FILL_BLANKS='END {threads=pgSwapOut="?"}' fi -$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/bin/vmstat_metric.sh b/bin/vmstat_metric.sh index c262588..4c79353 100755 --- a/bin/vmstat_metric.sh +++ b/bin/vmstat_metric.sh @@ -6,6 +6,8 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh +assertHaveCommand column + # hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine # the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so # (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute. 
@@ -206,5 +208,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then FILL_BLANKS='END {threads=pgSwapOut="?"}' fi # shellcheck disable=SC2086 -$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER" +$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER" | column -t echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/default/app.conf b/default/app.conf index 4c4b6cf..41c30da 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.12 +version = 9.2.0.13 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.12 +version = 9.2.0.13 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 0775ac2..250fb1b 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,14 @@ # Technical Add-on for Unix and Linux +## Version 9.2.0.13 (2025-02-03) + +Fix alignment and fix packages for Arch Linux + +Changes: + +* Align columns with "column -t" +* Add Arch Linux support in packages.sh + ## Version 9.2.0.12 (2025-01-25) Add Version to update.sh for Darwin From 62dcce22922e9ccca40c50be116594e387fe4d79 Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Wed, 5 Feb 2025 17:17:23 -0500 Subject: [PATCH 17/19] Import Splunk Add-On for Unix and Linux version 10.0.0 --- THIRDPARTY | 13 +++- VERSION | 4 +- app.manifest | 126 +++++++++++++++++------------------ bin/cpu.sh | 141 +++++++++++++++++++++++++++------------- bin/cpu_metric.sh | 128 ++++++++++++++++++++---------------- bin/lastlog.sh | 39 +++++++++-- bin/nfsiostat.sh | 6 +- bin/time.sh | 25 ++++++- bin/update.sh | 4 +- bin/version.sh | 27 ++++++-- default/app.conf | 6 +- default/eventtypes.conf | 15 ++++- default/props.conf | 48 +++++++------- default/tags.conf | 15 ++++- default/transforms.conf | 119 +++++++++++++++++++-------------- splunkbase.manifest | 42 ++++++------ 16 files changed, 470 insertions(+), 288 deletions(-) diff --git a/THIRDPARTY b/THIRDPARTY index 3c4aff4..4b08779 100644 --- a/THIRDPARTY +++ b/THIRDPARTY @@ -7,9 +7,9 @@ The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. -Date generated: 2024-7-5 +Date generated: 2025-1-31 -Revision ID: a08b431842df3cfc234ba3f0675de8898f9ef6ac +Revision ID: 79a4b3bf642285d427e11cd81adb8baaf923e0e9 ================================================================================ ================================================================================ @@ -55,7 +55,14 @@ No licenses found ================================================================================ +================================================================================ + + Copyrights + +================================================================================ + + -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -Report Generated by FOSSA on 2024-7-5 +Report Generated by FOSSA on 2025-1-31 
diff --git a/VERSION b/VERSION
index 3267917..7f7b04f 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-9.2.0
-9.2.0
\ No newline at end of file
+10.0.0
+10.0.0
\ No newline at end of file
diff --git a/app.manifest b/app.manifest
index 05b18b7..ee231a2 100644
--- a/app.manifest
+++ b/app.manifest
@@ -1,66 +1,66 @@ { - "dependencies": null, - "incompatibleApps": null, - "info": { - "author": [ - { - "company": "Splunk, Inc.", - "email": "support@splunk.com", - "name": "Splunk, Inc." - } - ], - "classification": { - "categories": [ - "IT Operations", - "Utilities" - ], - "developmentStatus": "Production/Stable", - "intendedAudience": "IT" - }, - "commonInformationModels": { - "Authentication": "=4.20.2", - "Change": "=4.20.2", - "Endpoint": "=4.20.2", - "Inventory": "=4.20.2", - "Network Sessions": "=4.20.2", - "Performance": "=4.20.2" - }, - "description": "Splunk Add-on for Unix and Linux", - "id": { - "group": null, - "name": "Splunk_TA_nix", - "version": "9.2.0" - }, - "license": { - "name": "Splunk Software License Agreement", - "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", - "uri": "http://www.splunk.com/view/SP-CAAAAFA" - }, - "privacyPolicy": { - "name": null, - "text": null, - "uri": null - }, - "releaseDate": null, - "releaseNotes": { - "name": "README", - "text": "./README.txt", - "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes" - }, - "title": "Splunk Add-on for Unix and Linux" + "dependencies": null, + "incompatibleApps": null, + "info": { + "author": [ + { + "name": "Splunk, Inc.", + "email": null, + "company": null + } + ], + "classification": { + "categories": [ + "IT Operations", + "Utilities" + ], + "developmentStatus": "Production/Stable", + "intendedAudience": "IT" }, - "inputGroups": null, - "platformRequirements": null, - "schemaVersion": "2.0.0", - "supportedDeployments": [ - "_standalone", - "_distributed", - "_search_head_clustering" - ], - "targetWorkloads": [ - "_search_heads", - "_forwarders", - "_indexers" - ], - "tasks": null + "commonInformationModels": { + "Authentication": "==4.20.2", + "Change": "==4.20.2", + "Endpoint": "==4.20.2", + "Inventory": "==4.20.2", + "Network Sessions": "==6.0.2", + "Performance": "==4.20.2" + }, + "description": "Splunk Add-on for Unix and Linux", + "id": { 
+ "group": null, + "name": "Splunk_TA_nix", + "version": "10.0.0" + }, + "license": { + "name": "Splunk Software License Agreement", + "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", + "uri": "http://www.splunk.com/view/SP-CAAAAFA" + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseDate": null, + "releaseNotes": { + "name": "README", + "text": "./README.txt", + "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes" + }, + "title": "Splunk Add-on for Unix and Linux" + }, + "inputGroups": null, + "platformRequirements": null, + "schemaVersion": "2.0.0", + "supportedDeployments": [ + "_standalone", + "_distributed", + "_search_head_clustering" + ], + "targetWorkloads": [ + "_search_heads", + "_forwarders", + "_indexers" + ], + "tasks": null } \ No newline at end of file diff --git a/bin/cpu.sh b/bin/cpu.sh index 4657a72..4fdbd2b 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh @@ -5,9 +5,9 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' +HEADER='Datetime CPU pctUser pctNice pctSystem pctIowait pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" -PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' +PRINTF='{printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand sar 
@@ -15,19 +15,32 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand mpstat FOUND_MPSTAT=$? if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -P ALL 1 1' + CMD='sar -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' elif [ $FOUND_MPSTAT -eq 0 ] ; then - CMD='mpstat -P ALL 1 1' + CMD='mpstat -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' else failLackMultipleCommands sar mpstat fi # shellcheck disable=SC2016 FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' + + PRINTF='{ + if ($0 ~ /all/) { + print header; + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } else { + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } + }' + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "SunOS" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' else 
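Review bot: The new Linux `FORMAT` strings call `strftime()`, which is not part of POSIX awk: gawk, mawk and busybox awk provide it, but the original BWK awk does not, so if `$AWK` can resolve to that implementation on some host the Datetime field is empty or the script errors. The approach used in the SunOS and FreeBSD branches, `formatted_date=$(date ...)` injected into the awk program, works with any awk. The `%Z` zone abbreviation in `%m/%d/%y_%H:%M:%S_%Z` is ambiguous for several zones (CST, IST), so a numeric `%z` offset would be safer for the timestamp Splunk has to parse, assuming props.conf's TIME_FORMAT is adjusted in step. Moving from `1 1` to `2 5` samples also makes each run block for about ten seconds, so the input interval must exceed that.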
@@ -35,9 +48,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then fi assertHaveCommand "$CMD" # shellcheck disable=SC2016 - FILTER='($1=="CPU") {exit 1}' + FILTER='($1=="CPU") {exit 1}' # shellcheck disable=SC2016 - FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' + FORMAT='{datetime="'"$formatted_date"'"; cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' elif [ "$KERNEL" = "AIX" ] ; then queryHaveCommand mpstat queryHaveCommand lparstat 
@@ -76,46 +89,72 @@ elif [ "$KERNEL" = "AIX" ] ; then DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" # Get cpu stats using mpstat command and manipulate the output for adding extra fields - CMD='mpstat -a 1 1' + CMD='mpstat -a 2 5' # shellcheck disable=SC2016 - FORMAT='BEGIN {flag = 0} + + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + BEGIN { + flag = 0; + header = ""; + } { if($0 ~ /System configuration|^$/) {next} + if($1 ~ /^-+$/ && header != "") { + print header; + next; + } + if($0 ~ /cpu / && flag == 1) {next} if(flag == 1) { # Prepend extra field values from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } if($0 ~ /ALL/) { - $1 = CPUPool; - $2 = OnlineVirtualCPUs; - $3 = EntitledCapacity; + $1 = get_current_time(); + $2 = CPUPool; + $3 = OnlineVirtualCPUs; + $4 = EntitledCapacity; } else { - $1 = "-"; + $1 = get_current_time(); $2 = "-"; $3 = "-"; + $4 = "-"; } } if($0 ~ /cpu /) { # Prepend extra field headers from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } - $1 = "CPUPool"; - $2 = "OnlineVirtualCPUs"; - $3 = "EntitledCapacity"; + $1 = "Datetime"; + $2 = "CPUPool"; + $3 = "OnlineVirtualCPUs"; + $4 = "EntitledCapacity"; flag = 1; + + header = $1; + for (i = 2; i <= NF; i++) { + header = header sprintf("%21s ", $i); + } } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { - printf "%17s ", $i; + printf "%21s ", $i; } print ""; }' 
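Review bot: The rewritten output loop uses `printf $1;` with the field itself as the awk format string; today `$1` is the date text or the literal `Datetime`, neither containing `%`, but any future change to that field (or an unusual `%Z` expansion) would be interpreted by printf rather than printed, so `printf "%s", $1;` is the robust spelling. `get_current_time()` also spawns a `date` process for every CPU row of every sample, which at `mpstat -a 2 5` means dozens of forks per run; computing it once per sample block would cut that. The same `printf $1;` appears in the cpu_metric.sh AIX hunk later on this page.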
@@ -124,28 +163,46 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle' + HEADER='Datetime CPU pctUser pctSystem pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}' + PRINTF='{printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 FILTER='($1 !~ "CPU") {next;}' # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + }' + PRINTF='{ + print header; + printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle; + }' + + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 
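Review bot: `top -l 5 -s 2` emits five samples, and macOS `top` in logging mode is commonly reported to compute the first sample's CPU percentages since boot rather than over the interval; if that holds here, the first `CPU usage` row is not comparable with the following four and should be dropped, e.g. a `seen++ == 0 {next}` guard added to `FILTER` for rows matching `CPU`. Because the new `PRINTF` runs `print header` for every row, each of the five samples is preceded by its own header line, which is only correct if the Splunk props treat the header as a record marker; worth confirming. The enclosing if/elif chain continues outside the hunk.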
@@ -155,6 +212,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; @@ -169,15 +229,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then pctIdle = remove_char($(NF-1), "%"); pctIowait = "0.0"; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address values - $1 = OSName; - $2 = OSVersion/1000; - $3 = IP_address; + # Prepend Datetime, OSName, OS_version, IP_address values + $1 = get_current_time(); + $2 = OSName; + $3 = OSVersion/1000; + $4 = IP_address; # Prepend lparstat field values if($0 ~ /ALL/) { - $4 = CPUPool; - $5 = OnlineVirtualCPUs; - $6 = EntitledCapacity; + $5 = CPUPool; + $6 = OnlineVirtualCPUs; + $7 = EntitledCapacity; } else { - $4 = "-"; $5 = "-"; $6 = "-"; + $7 = "-"; } } if($0 ~ /cpu /) { - for(i=NF+7; i>=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address headers - $1 = "OSName"; - $2 = "OS_version"; - $3 = "IP_address"; + # Prepend Datetime, OSName, OS_version, IP_address headers + $1 = "Datetime"; + $2 = "OSName"; + $3 = "OS_version"; + $4 = "IP_address"; # Prepend lparstat field headers - $4 = "CPUPool"; - $5 = "OnlineVirtualCPUs"; - $6 = "EntitledCapacity"; + $5 = "CPUPool"; + $6 = "OnlineVirtualCPUs"; + $7 = "EntitledCapacity"; flag = 1; } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { printf "%17s ", $i; } 
@@ -140,11 +155,11 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address' + HEADER='Datetime pctUser pctSystem pctIdle OSName OS_version IP_address CPU' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}' + PRINTF='{printf "%-28s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address, cpu}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 
@@ -153,20 +168,30 @@ elif [ "$KERNEL" = "Darwin" ] ; then DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - OSName=OSName; - OS_version=OS_version; - IP_address=IP_address; - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + OSName=OSName; + OS_version=OS_version; + IP_address=IP_address; + }' elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 @@ -178,6 +203,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; 
@@ -195,16 +223,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then OS_version=OS_version; IP_address=IP_address; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5> "$TEE_DEST" +$CMD1 | tee -a "$TEE_DEST" -$CMD2 | tee -a "$TEE_DEST" echo "Cmd2 = [$CMD2]" >> "$TEE_DEST" +if [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then + TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile + OUTPUT=$($CMD2 2>$TMP_ERROR_FILTER_FILE) + + if grep -q "Timeout" < $TMP_ERROR_FILTER_FILE; then + LAST_LINE=$(echo "$OUTPUT" | tail -n 1) + if [[ "$LAST_LINE" == *"$SERVER"* ]]; then + echo "$LAST_LINE" | tee -a "$TEE_DEST" + fi + cat $TMP_ERROR_FILTER_FILE >> $TEE_DEST + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + elif grep -vq "Timeout" < $TMP_ERROR_FILTER_FILE; then + cat $TMP_ERROR_FILTER_FILE >&2 + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + else + echo "$OUTPUT" | tee -a "$TEE_DEST" + fi +else + $CMD2 | tee -a "$TEE_DEST" +fi diff --git a/bin/update.sh b/bin/update.sh index d834c3a..fa3f73f 100755 --- a/bin/update.sh +++ b/bin/update.sh @@ -92,12 +92,12 @@ elif [ "$KERNEL" = "Darwin" ] ; then # shellcheck disable=SC2016 PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ { if ( $0 ~ /^[[:blank:]]*\*/ ) { - PACKAGE="package=\"" $2 "\"" + PACKAGE="package=\"" substr($0, index($0,$3)) "\"" RECOMMENDED="" RESTART="" TOTAL=TOTAL+1 } else { - if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" } + if ( $0 ~ /Recommended/ ) { RECOMMENDED="is_recommended=\"true\"" } if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" } printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART } 
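Review bot: `TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile` is a fixed, predictable name written with a bare `2>` redirect, so an existing file or symlink at that path is followed and overwritten and two overlapping runs clobber each other's stderr; `mktemp` is the safer choice here: `TMP_ERROR_FILTER_FILE=$(mktemp) || exit 1`. The variable is also expanded unquoted in every use (`2>$TMP_ERROR_FILTER_FILE`, `cat $TMP_ERROR_FILTER_FILE`, `rm $TMP_ERROR_FILTER_FILE`), and `[[ ... ]]` is a bash-only test in a script whose other branches use `[ ]`. If `SPLUNK_HOME` is unset the path collapses to `/var/run/splunk/...`, which is another reason to let `mktemp` pick the location. The start of this hunk is not legible in this view, so the definitions of `FOUND_SNTP` and `CMD2` could not be checked.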
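Review bot: `substr($0, index($0,$3))` locates the package label by the first occurrence of `$3` anywhere in the line, so when that token also appears earlier (inside `$1` or `$2`) the captured name starts too early, and a `"` inside the label terminates the `package=""` value. Stripping the fixed prefix and escaping quotes is more robust: `label = $0; sub(/^[[:blank:]]*\*[[:blank:]]+[^[:blank:]]+[[:blank:]]+/, "", label); gsub(/"/, "\\\"", label)` followed by `PACKAGE = "package=\"" label "\""`. Changing `/recommended/` to `/Recommended/` drops the lower-case spelling the old pattern matched; if older `softwareupdate` output with `[recommended]` is still in scope, `/[Rr]ecommended/` keeps both. `PARSE_1` is a single awk program string whose closing quote lies outside this hunk.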
diff --git a/bin/version.sh b/bin/version.sh index ed494ef..bda5074 100755 --- a/bin/version.sh +++ b/bin/version.sh @@ -5,13 +5,24 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -PRINTF='END {printf "%s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER}' +PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER, KERNEL_NAME, KERNEL_VERSION, KERNEL_RELEASE}' -if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then +if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] ; then assertHaveCommand date assertHaveCommand uname - CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p' + VERSION=$(grep "^VERSION=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + NAME=$(grep "^NAME=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + VERSION_ID=$(grep "^VERSION_ID=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r" +elif [ "$KERNEL" = "Darwin" ] ; then + # Darwin-macos uses sw_vers for os version, name and release switch. + assertHaveCommand date + assertHaveCommand uname + VERSION=$(sw_vers -BuildVersion) + NAME=$(sw_vers -productName) + VERSION_ID=$(sw_vers -ProductVersion) + CMD="eval date ; eval uname -m ; echo \"$VERSION_ID ($VERSION)\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r" elif [ "$KERNEL" = "HP-UX" ] ; then # HP-UX lacks -p switch. assertHaveCommand date 
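Review bot: The values read from `/etc/*-release` (and from `sw_vers` in the Darwin branch) are spliced into `CMD` as text, and that string is later handed to `eval`, so any `$`, backtick, `;` or `"` in `VERSION`, `NAME` or `VERSION_ID` is interpreted as shell syntax instead of being printed; the `sed` only strips surrounding quotes. Those files are normally root-owned, so exposure is limited, but a malformed entry still breaks the event. Keeping `CMD` single-quoted so the variables expand inside `eval` rather than being textual code avoids it: `CMD='eval date ; uname -m ; printf "%s\n" "$VERSION" "$NAME" "$VERSION_ID" ; uname -p ; uname -s ; uname -v ; uname -r'`, with the same shape for the Darwin branch. The `$CMD | tee` line that executes it is in the following hunk.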
@@ -21,7 +32,7 @@ elif [ "$KERNEL" = "AIX" ] ; then # AIX uses oslevel for version and release switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' + CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel ; eval uname -m ; eval uname -s ; eval uname -v; eval uname -r' fi # Get the date. @@ -37,8 +48,14 @@ PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}' PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}' # shellcheck disable=SC2016 PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_6='NR==7 {KERNEL_NAME="kernel_name=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_7='NR==8 {KERNEL_VERSION="kernel_version=\"" $0 "\""}' +# shellcheck disable=SC2016 +PARSE_8='NR==9 {KERNEL_RELEASE="kernel_release=\"" $0 "\""}' -MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5" +MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" $CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF" echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST" diff --git a/default/app.conf b/default/app.conf index 52645ba..b6f073a 100644 --- a/default/app.conf +++ b/default/app.conf @@ -7,7 +7,7 @@ [install] is_configured = false state = enabled -build = 1720176219 +build = 1738357282 [ui] setup_view = ta_nix_configuration @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Splunk, Inc. -version = 9.2.0 +version = 10.0.0 description = Splunk Add-on for Unix and Linux [package] @@ -26,5 +26,5 @@ check_for_updates = true [id] name = Splunk_TA_nix -version = 9.2.0 +version = 10.0.0 diff --git a/default/eventtypes.conf b/default/eventtypes.conf index ffee2f7..52fc775 100644 --- a/default/eventtypes.conf +++ b/default/eventtypes.conf 
@@ -229,12 +229,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" #tags = application authentication remote +## sshd-session +[sshd_session_start] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password") +#tags = network session start + +[sshd_session_end] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user" +#tags = network session end + ## sshd [sshd_authentication] # osx sshd authentication error # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 # Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host -search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") +search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure #tags = authentication remote [ssh_login_postponed] 
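Review bot: `sshd_session_start` bundles refusals (`Failed password for`, `Connection closed by invalid user`, `Unable to negotiate`, `banner exchange`, `Could not get shadow information`) with genuine session opens, and the tags.conf hunk later in this diff marks the eventtype `network session start`, so failed and pre-auth-rejected connections will be counted as started sessions in the Network Sessions model. Moving the refusal strings into a separate eventtype (tagged for authentication, not session start) keeps session counts meaningful. Separately, `sshd_authentication` here and `failed_login` in the next hunk now exclude `sourcetype=linux_secure`; unless an eventtype outside this diff carries the `authentication` tag for that sourcetype, sshd failures in `linux_secure` drop out of the Authentication model entirely, which is worth confirming before release.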
@@ -242,7 +251,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed # no tags assigned to this eventtype [ssh_open] -search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) +search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure #tags = communicate connect # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 @@ -573,7 +582,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*" ###### ADDED FROM UNIX APP ###### [failed_login] -search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" +search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure #tags = authentication [Failed_SU] diff --git a/default/props.conf b/default/props.conf index 66efd54..6b606b8 100644 --- a/default/props.conf +++ b/default/props.conf @@ -103,10 +103,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat [cpu_metric] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +# Timestamp extraction settings +TIME_PREFIX = ^ +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z +MAX_TIMESTAMP_LOOKAHEAD = 25 + TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = none INDEXED_EXTRACTIONS = CSV FIELD_DELIMITER=whitespace 
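Review bot: In `ssh_open`, `... sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure` binds the `AND NOT` only to the `(connection from)` branch, because SPL evaluates AND before OR, so `session opened` events from `linux_secure` are still matched by this eventtype. The `failed_login` change in the next hunk of this file gets it right by parenthesising the OR list; assuming both branches are meant to be restricted to sshd and excluded for `linux_secure`, `ssh_open` should do the same: `search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd ((session opened) OR (connection from)) AND NOT sourcetype=linux_secure`.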
@@ -165,10 +167,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps ## Scripted Event Inputs ######################### [cpu] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +LINE_BREAKER=([\r\n]+)Datetime\s+ +EVENT_BREAKER=([\r\n]+)Datetime\s+ + +# Timestamp extraction settings +TIME_PREFIX = \n +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z + +EVENT_BREAKER_ENABLE=true +SHOULD_LINEMERGE = false TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = multi FIELDALIAS-dest_for_cpu = host as dest FIELDALIAS-src_for_cpu = host as src @@ -553,19 +561,6 @@ FIELDALIAS-dest = host as dest # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. -###### Global ###### -# [source::...(linux.*|sample.*.linux)] -# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen - -# [source::...(osx.*|sample.*.osx)] -# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen - -# [source::...(solaris.*|sample.*.solaris)] -# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen - -# [source::...sample.*.unix] -# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen - ## support for linux only [Linux:SELinuxConfig] EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules" 
@@ -638,9 +633,10 @@ FIELDALIAS-dest = host as dest [source::...Unix:Version] SHOULD_LINEMERGE = false -FIELDALIAS-family_for_nix_version = os_name as family +EVAL-description = "script" +EVAL-family = coalesce(kernel_name, os_name) LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range -FIELDALIAS-version_for_nix_version = os_release as version +EVAL-version = if(isnotnull(kernel_version),os_version,os_release) FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null()) EVAL-vendor_product = if(isnotnull(os_name),os_name,null()) 
@@ -728,13 +724,16 @@ EVENT_BREAKER_ENABLE = true ## Event extractions by type EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app) -REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication +REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication EVAL-action = if(app="su" AND isnull(action),"success",action) REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-routing = iptables -EVAL-signature = 
if(isnotnull(inbound_interface),"firewall",null()) +EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature) +EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null()) +EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src) +EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null()) REPORT-dest_for_linux_secure = loghost_as_dest LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action @@ -786,3 +785,6 @@ SHOULD_LINEMERGE = false TIME_PREFIX = audit\( MAX_TIMESTAMP_LOOKAHEAD=23 MAX_DAYS_AGO=3650 +EXTRACT-proctitle = .*proctitle=(?.*)$ +EXTRACT-execve_command = .*type=EXECVE.*a0=(?.*)$ +EVAL-execve_command = replace(execve_command, "a\d+=", "") diff --git a/default/tags.conf b/default/tags.conf index 3c14e47..12a9cb2 100644 --- a/default/tags.conf +++ b/default/tags.conf @@ -262,6 +262,19 @@ authentication = enabled remote = enabled ## sshd + +## Network_Sessions +[eventtype=sshd_session_start] +network = enabled +session = enabled +start = enabled + +[eventtype=sshd_session_end] +network = enabled +session = enabled +end = enabled + +## Authentication [eventtype=sshd_authentication] authentication = enabled remote = enabled @@ -834,8 +847,6 @@ system = enabled version = enabled inventory = enabled oshost = enabled -cpu = enabled -memory = enabled ## VSFTDP Config diff --git a/default/transforms.conf b/default/transforms.conf index e0183dc..f184900 100644 --- a/default/transforms.conf +++ b/default/transforms.conf 
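Review bot: `EVAL-user_role` writes the misspelled value `"administator"` into every matching event, so searches, lookups and CIM constraints expecting `administrator` will miss it; change it to `EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administrator", null())`. `EVAL-dest_dns` copies `dest` unconditionally for sshd started/blocked/ended events, but `dest` appears to come from `REPORT-dest_for_linux_secure = loghost_as_dest`, i.e. the logging host's name, so `dest_dns` is only meaningful when that value is a DNS name; a comment such as `# dest_dns mirrors dest (the loghost name) for sshd session events; verify it is a resolvable name` would make the assumption explicit. The stanza header and the rest of its settings lie outside this hunk.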
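Review bot: In the `@@ -786,3 +785,6 @@` hunk the two `EXTRACT-` regexes read `(?.*)` as rendered here, which is not a valid group; if the file actually contains named groups (`(?<proctitle>.*)`, `(?<execve_command>.*)`) this is a display artifact of the diff, otherwise both extractions fail to compile and should be written with explicit names. Either way, auditd hex-encodes `proctitle` and EXECVE `aN=` values whenever the string contains whitespace or non-printable characters, so the extracted fields will often be hex strings rather than a readable command line. A comment such as `# proctitle and aN values are hex-encoded by auditd when they contain whitespace or control characters; decode before matching on command text` would spare the next reader the surprise. The stanza these settings belong to starts above the hunk.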
@@ -198,7 +198,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB) [extract_cpu_metric_field] -INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU) +INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0") [metric-schema:extract_metrics_iostat] METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address 
@@ -287,25 +287,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs REGEX = exe=.*\/(\S+)\" FORMAT = command::$1 +## Network_Sessions + +# SSHD evnets for OpenSSH >= v9.8 +# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2 +# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2] +[sshd-session-login-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1 + +# Jan 3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2 +[sshd-session-login-accepted] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"started" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth] +[sshd-session-invalid-user] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234 +[sshd-session-connection-close] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"ended" signature::$1 src_ip::$2 + +# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. 
Their offer: ssh-rsa,ssh-dss [preauth] +[sshd-session-key-negotiation-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found +FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1 + +# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format +[sshd-session-banner-exchange-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format +FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1 + +# Jan 2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER +[sshd-session-shadow-info-error] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+) +FORMAT = action::"blocked" signature::$1 user::$2 + +# Jan 3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0) +[sshd-session-pam_unix_authentication_success] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? 
+FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5 + +# Jan 3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out +[sshd-session-read-error-timeout] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out) +FORMAT = action::"ended" src_ip::$1 signature::$2 + +# Jan 3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234 +[sshd-session-disconnect] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user +[sshd-session-closed-for-user] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$ +FORMAT = action::"ended" signature::$1 user::$2 ## Authentication # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2 [ssh-login-accepted] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? 
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5 # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX # Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2 +# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2 +# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2] [ssh-login-failed] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX [ssh-invalid-user] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5 
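Review bot: The new `sshd-session-*` transforms overlap the existing `ssh-*` ones on the same events now that both families accept `sshd` and `sshd-session`, and the props.conf REPORT list applies all of them, so one `Failed password` line receives `action` from both `sshd-session-login-failed` (`blocked`) and `ssh-login-failed` (`failure`), and a `session opened` line receives `started` from `sshd-session-pam_unix_authentication_success` and `success` from `linux_secure_pam_unix_authentication_success` in the next hunk. `action` then becomes multivalued and CIM searches on `action=failure` or `action=success` behave inconsistently across the two paths. The source address likewise lands in `src_ip` in the new stanzas but in `src` in the old ones. Either drop the `sshd-session` alternation from the old `ssh-*` stanzas for `linux_secure`, or make both families emit the same `action` and `src` fields for a given line.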
@@ -323,8 +383,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(? FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye +# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user [ssh-disconnect] -REGEX = (Received disconnect) from ([^\s]+): +REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+) FORMAT = name::$1 src_ip::$2 [sshd_authentication_kerberos_success] @@ -351,6 +412,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2 REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 +[linux_secure_pam_unix_authentication_success] +REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? +FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user" + [passwd-auth-failure] REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure) FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure" @@ -469,26 +534,6 @@ FORMAT = signature::$1 ## -[force_host_for_linux_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-001 - -[force_host_for_osx_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-002 - -[force_host_for_solaris_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-003 - -[force_host_for_unix_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-004 - ## Service [nix_linux_service_startmode_lookup] filename = nix_linux_service_startmodes.csv 
@@ -497,10 +542,6 @@ filename = nix_linux_service_startmodes.csv [nix_da_update_status_lookup] filename = nix_da_update_status.csv -[Description_for_installedupdates] -REGEX = ^Description=([^\r\n]+) -FORMAT = Description::$1 - ## Version [nix_da_version_range_lookup] filename = nix_da_version_ranges.csv @@ -508,24 +549,4 @@ filename = nix_da_version_ranges.csv [nix_linux_audit_action_lookup] filename = nix_linux_audit_action_object_category.csv -[force_host_for_linux_cpu] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_memory] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_io] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_disk] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - ###### END CONTENT IMPORTED FROM TA-deploymentapps ###### diff --git a/splunkbase.manifest b/splunkbase.manifest index 934b98e..afa20cf 100644 --- a/splunkbase.manifest +++ b/splunkbase.manifest @@ -1,10 +1,10 @@ { "version": "1.0", - "date": "2024-10-18T12:52:23.073000921Z", + "date": "2025-02-04T11:38:22.666904374Z", "hashAlgorithm": "SHA-256", "app": { "id": 833, - "version": "9.2.0", + "version": "10.0.0", "files": [ { "path": "LICENSES/Apache-2.0.txt", @@ -24,15 +24,15 @@ }, { "path": "THIRDPARTY", - "hash": "6340a3cf0959b37d83e10ce4e12bc4ab53d2ae2729ee506451b8d554418d1ab3" + "hash": "e30015ede460c622a205889b17874cd7261a7903442be1750b982cde6de5ab52" }, { "path": "VERSION", - "hash": "4b083d27782e80fd5bce34252adc7de9e9ab611475e170cb507e49586483025e" + "hash": "cda5bf0ca405341ecb098ba217bbcf8b4b2e83dc54d559b623093b211e3ee413" }, { "path": "app.manifest", - "hash": "24b4bb6f47bc1472038f5c983ec91705052162da89555f52a78c9f3c830cfd82" + "hash": "672bddb913818d3f15a6762f41b5dd0dcef93de2c0758e0d0340ca3f6b1cf15f" }, { "path": "appserver/static/appIcon.png", 
@@ -72,11 +72,11 @@ }, { "path": "bin/cpu.sh", - "hash": "e34d912324ceb3f6add524722adc9057b4177015fad844a5e37634ef40cbb9c7" + "hash": "5d1bc8ba07595872eee78d55136c1bd419a9b63aafd1a10ded78ee3ef186782d" }, { "path": "bin/cpu_metric.sh", - "hash": "2d175a98ded5f141b20fd3b3847217447b5489b4d989512d8b8679a4f2777a0b" + "hash": "30b3d257d73ff3e656c8f8b414cbec0afe0ac52838a7a5a2db3f1d64f74211ee" }, { "path": "bin/df.sh", @@ -108,7 +108,7 @@ }, { "path": "bin/lastlog.sh", - "hash": "8d8c0744767d9426cb98122d33eb6acd5447db4a03cfccfd5fdc014f1e15ea3e" + "hash": "1c52c7e734cdc91a9644c243131e6e82e301f48ff4a4c8b88e68ed69917e6233" }, { "path": "bin/lsof.sh", @@ -120,7 +120,7 @@ }, { "path": "bin/nfsiostat.sh", - "hash": "eccc2bf3701840173206ecf7603c20861b4ce106b6be795df2fa312744958107" + "hash": "c2f50340c82964bcf18710ed787b72354ebf83eacbcdb7b9a58e28c2299802d8" }, { "path": "bin/openPorts.sh", @@ -176,7 +176,7 @@ }, { "path": "bin/time.sh", - "hash": "5ad0ed71a9c4637046da43656aea4a614e331217fb707e9df7443aaa6036eeba" + "hash": "1072cf254e0aa99bfbfd25bf95ba93d5679bcbc16287d60c11a16103998ca2cd" }, { "path": "bin/top.sh", @@ -184,7 +184,7 @@ }, { "path": "bin/update.sh", - "hash": "048f6e678f873d2b856ec851c52389d9f8d5ccde0fee0ead0dcf5348cc3cb587" + "hash": "ebf6c54aa23d171d4204981f82a3e32125ce02a02ae592b939c7ddff375afd71" }, { "path": "bin/uptime.sh", @@ -196,7 +196,7 @@ }, { "path": "bin/version.sh", - "hash": "4d484fc3e1853d0e07d47ba9c4401266a1fbe0712a554e9eeaeb835b96d8a59f" + "hash": "a9e28c5ddd56a8b25da85ab7c4bb3dec939401ad210453b39209c059a9d735d2" }, { "path": "bin/vmstat.sh", @@ -216,7 +216,7 @@ }, { "path": "default/app.conf", - "hash": "451c717df6073aabd78b5ba4abb33ac71b6d61df8d46a243913b01ed9ac77040" + "hash": "bf761213f1ac3ce27e3391dc22a82db31f00f7afbeac4961aea849448ec60fa3" }, { "path": "default/data/ui/nav/default.xml", 
@@ -232,7 +232,7 @@ }, { "path": "default/eventtypes.conf", - "hash": "c52b63bf8b429e406a1488c59c1945531123bed647b08460d85ca3a6a4f8f81e" + "hash": "a7796bdb4f40330bf674c34d8f45a67151cd7e5bdadeaa46b7fca1c4e122d07a" }, { "path": "default/inputs.conf", @@ -244,7 +244,7 @@ }, { "path": "default/props.conf", - "hash": "8742759e63baf3dc737adecec95fb7370741cb5f2268064593cb2e5a1ba8b260" + "hash": "194b6dbb7b228c2d0e124f64a5ee8a137a7fdbb56681b78418f513821f09e0c1" }, { "path": "default/restmap.conf", @@ -252,11 +252,11 @@ }, { "path": "default/tags.conf", - "hash": "ad29e489018a892f8d50731e32efa48a01dcdb438096d443f7b6e068cfd1ca15" + "hash": "f055d2f3fd959b0af6c48b0494dadc36009b7a90fb5d1a83e0e6784c898d8e05" }, { "path": "default/transforms.conf", - "hash": "d13792dde1aa85d9e864782787948d6f10b888e4a689d6668de3cc604e2ad1ab" + "hash": "7d57050a65dd01efba192a5e74bbf74d9bfb54a240608ac265e57423c000b5ff" }, { "path": "default/web.conf", @@ -317,10 +317,10 @@ "platform": "splunk", "product": "enterprise", "versions": [ - "9.0", "9.1", "9.2", - "9.3" + "9.3", + "9.4" ], "architectures": [ "x86_64" @@ -338,10 +338,10 @@ "platform": "splunk", "product": "cloud", "versions": [ - "9.0", "9.1", "9.2", - "9.3" + "9.3", + "9.4" ], "architectures": [ "x86_64" From 17d61635146c0509831faa29682beaffad4527cd Mon Sep 17 00:00:00 2001 
From: Michael Erdely Date: Wed, 5 Feb 2025 17:18:14 -0500 Subject: [PATCH 18/19] Merge in Splunk Add-On for Unix and Linux version 10.0.0 --- THIRDPARTY | 13 +++- VERSION | 4 +- app.manifest | 126 +++++++++++++++++------------------ bin/cpu.sh | 143 +++++++++++++++++++++++++++------------- bin/cpu_metric.sh | 130 ++++++++++++++++++++---------------- bin/lastlog.sh | 46 ++++++++++--- bin/nfsiostat.sh | 6 +- bin/time.sh | 25 ++++++- bin/version.sh | 60 ++++++++--------- default/app.conf | 6 +- default/eventtypes.conf | 15 ++++- default/props.conf | 48 +++++++------- default/tags.conf | 14 +++- default/transforms.conf | 119 +++++++++++++++++++-------------- 14 files changed, 461 insertions(+), 294 deletions(-) diff --git a/THIRDPARTY b/THIRDPARTY index 3c4aff4..4b08779 100644 --- a/THIRDPARTY +++ b/THIRDPARTY @@ -7,9 +7,9 @@ The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. -Date generated: 2024-7-5 +Date generated: 2025-1-31 -Revision ID: a08b431842df3cfc234ba3f0675de8898f9ef6ac +Revision ID: 79a4b3bf642285d427e11cd81adb8baaf923e0e9 ================================================================================ ================================================================================ @@ -55,7 +55,14 @@ No licenses found ================================================================================ +================================================================================ + + Copyrights + +================================================================================ + + -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -Report Generated by FOSSA on 2024-7-5 +Report Generated by FOSSA on 2025-1-31 diff --git a/VERSION b/VERSION index e4b0645..17a98bb 100644 --- a/VERSION 
+++ b/VERSION
@@ -1,2 +1,2 @@
-9.2.0.13
-9.2.0.13
+10.0.0.0
+10.0.0.0
diff --git a/app.manifest b/app.manifest
index d8b132e..6477357 100644
--- a/app.manifest
+++ b/app.manifest
@@ -1,66 +1,66 @@ { - "dependencies": null, - "incompatibleApps": null, - "info": { - "author": [ - { - "company": "erdelynet.com", - "email": "mike@erdelynet.com", - "name": "erdelynet.com" - } - ], - "classification": { - "categories": [ - "IT Operations", - "Utilities" - ], - "developmentStatus": "Production/Stable", - "intendedAudience": "IT" - }, - "commonInformationModels": { - "Authentication": "=4.20.2", - "Change": "=4.20.2", - "Endpoint": "=4.20.2", - "Inventory": "=4.20.2", - "Network Sessions": "=4.20.2", - "Performance": "=4.20.2" - }, - "description": "Technical Add-on for Unix and Linux", - "id": { - "group": null, - "name": "TA-nix", - "version": "9.2.0.13" - }, - "license": { - "name": "Splunk Software License Agreement", - "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", - "uri": "http://www.splunk.com/view/SP-CAAAAFA" - }, - "privacyPolicy": { - "name": null, - "text": null, - "uri": null - }, - "releaseDate": null, - "releaseNotes": { - "name": "README", - "text": "./README.txt", - "uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md" - }, - "title": "Technical Add-on for Unix and Linux" + "dependencies": null, + "incompatibleApps": null, + "info": { + "author": [ + { + "name": "Michael Erdely", + "email": mike@erdelynet.com, + "company": "erdelynet.com" + } + ], + "classification": { + "categories": [ + "IT Operations", + "Utilities" + ], + "developmentStatus": "Production/Stable", + "intendedAudience": "IT" }, - "inputGroups": null, - "platformRequirements": null, - "schemaVersion": "2.0.0", - "supportedDeployments": [ - "_standalone", - "_distributed", - "_search_head_clustering" - ], - "targetWorkloads": [ - "_search_heads", - "_forwarders", - "_indexers" - ], - "tasks": null + "commonInformationModels": { + "Authentication": "==4.20.2", + "Change": "==4.20.2", + "Endpoint": "==4.20.2", + "Inventory": "==4.20.2", + "Network Sessions": "==6.0.2", + "Performance": "==4.20.2" + }, + "description": "Technical Add-on for Unix and 
Linux", + "id": { + "group": null, + "name": "TA-unix", + "version": "10.0.0.0" + }, + "license": { + "name": "Splunk Software License Agreement", + "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", + "uri": "http://www.splunk.com/view/SP-CAAAAFA" + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseDate": null, + "releaseNotes": { + "name": "README", + "text": "./README.txt", + "uri": "https://git.erdelynet.com/mike/TA-unix/docs/ReleaseNotes.md" + }, + "title": "Technical Add-on for Unix and Linux" + }, + "inputGroups": null, + "platformRequirements": null, + "schemaVersion": "2.0.0", + "supportedDeployments": [ + "_standalone", + "_distributed", + "_search_head_clustering" + ], + "targetWorkloads": [ + "_search_heads", + "_forwarders", + "_indexers" + ], + "tasks": null } diff --git a/bin/cpu.sh b/bin/cpu.sh index 92f6698..6e13cff 100755 --- a/bin/cpu.sh +++ b/bin/cpu.sh @@ -7,9 +7,9 @@ assertHaveCommand column -HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' +HEADER='Datetime CPU pctUser pctNice pctSystem pctIowait pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" -PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' +PRINTF='{printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand sar 
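Review bot: The new author block writes the e-mail without quotes, `"email": mike@erdelynet.com,`, which is not valid JSON — an RFC 8259 parser (and any manifest validation Splunk performs on install, if it parses this file strictly) will reject the whole manifest, not just that key. It should read `"email": "mike@erdelynet.com",`. Everything else in the re-indented block parses; the `==4.20.2`/`==6.0.2` operator change looks intentional but is worth a line in docs/ReleaseNotes.md since it is a contract change for the CIM dependency check.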
@@ -17,19 +17,32 @@ if [ "$KERNEL" = "Linux" ] ; then queryHaveCommand mpstat FOUND_MPSTAT=$? if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -P ALL 1 1' + CMD='sar -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' elif [ $FOUND_MPSTAT -eq 0 ] ; then - CMD='mpstat -P ALL 1 1' + CMD='mpstat -P ALL 2 5' # shellcheck disable=SC2016 - FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' + FORMAT='{datetime = strftime("%m/%d/%y_%H:%M:%S_%Z"); cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' else failLackMultipleCommands sar mpstat fi # shellcheck disable=SC2016 FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' + + PRINTF='{ + if ($0 ~ /all/) { + print header; + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } else { + printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle; + } + }' + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "SunOS" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' else 
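Review bot: In the new Linux `PRINTF`, the `if ($0 ~ /all/)` and `else` branches issue the identical `printf`, so the conditional only decides whether `header` is printed first; it reads more clearly as `if ($0 ~ /all/) print header;` followed by the single `printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, ...;` line. Separately, `strftime()` is a gawk/mawk/busybox extension, not POSIX awk — the Darwin and AIX branches of this same commit shell out to `date` via `getline` instead — so if `$AWK` can resolve to a POSIX-only awk the program is rejected with an undefined-function error; a comment such as `# strftime() requires gawk/mawk; other branches use date(1) via getline` would make the assumption explicit. The enclosing `if [ "$KERNEL" = "Linux" ]` block starts above this hunk.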
@@ -37,9 +50,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then fi assertHaveCommand "$CMD" # shellcheck disable=SC2016 - FILTER='($1=="CPU") {exit 1}' + FILTER='($1=="CPU") {exit 1}' # shellcheck disable=SC2016 - FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' + FORMAT='{datetime="'"$formatted_date"'"; cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' elif [ "$KERNEL" = "AIX" ] ; then queryHaveCommand mpstat queryHaveCommand lparstat 
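Review bot: `datetime="'"$formatted_date"'"` in the new SunOS `FORMAT` splices a shell variable into the awk program text; it works because `date +"%m/%d/%y_%H:%M:%S_%Z"` yields only digits, `/`, `:`, `_` and letters, but a `'` or `"` in the value would break the quoting, whereas `-v datetime="$formatted_date"` on the awk invocation (outside this hunk) passes it without a second round of shell parsing. The same splice is introduced in the OpenBSD and FreeBSD hunks of cpu.sh and of cpu_metric.sh below. Note also that `formatted_date` is captured before `$CMD` runs, so every row from both mpstat samples carries the pre-sampling time rather than the sample time, while the Linux, AIX and Darwin branches stamp per row; a comment stating that the timestamp is taken once per run would save the next reader a surprise. The `FILTER` line in this hunk appears to be a whitespace-only change.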
@@ -78,46 +91,72 @@ elif [ "$KERNEL" = "AIX" ] ; then DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" # Get cpu stats using mpstat command and manipulate the output for adding extra fields - CMD='mpstat -a 1 1' + CMD='mpstat -a 2 5' # shellcheck disable=SC2016 - FORMAT='BEGIN {flag = 0} + + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + BEGIN { + flag = 0; + header = ""; + } { if($0 ~ /System configuration|^$/) {next} + if($1 ~ /^-+$/ && header != "") { + print header; + next; + } + if($0 ~ /cpu / && flag == 1) {next} if(flag == 1) { # Prepend extra field values from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } if($0 ~ /ALL/) { - $1 = CPUPool; - $2 = OnlineVirtualCPUs; - $3 = EntitledCapacity; + $1 = get_current_time(); + $2 = CPUPool; + $3 = OnlineVirtualCPUs; + $4 = EntitledCapacity; } else { - $1 = "-"; + $1 = get_current_time(); $2 = "-"; $3 = "-"; + $4 = "-"; } } if($0 ~ /cpu /) { # Prepend extra field headers from lparstat - for(i=NF+4; i>=4; i--) + for(i=NF+5; i>=5; i--) { - $i = $(i-3); + $i = $(i-4); } - $1 = "CPUPool"; - $2 = "OnlineVirtualCPUs"; - $3 = "EntitledCapacity"; + $1 = "Datetime"; + $2 = "CPUPool"; + $3 = "OnlineVirtualCPUs"; + $4 = "EntitledCapacity"; flag = 1; + + header = $1; + for (i = 2; i <= NF; i++) { + header = header sprintf("%21s ", $i); + } } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { - printf "%17s ", $i; + printf "%21s ", $i; } print ""; }' 
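Review bot: `printf $1;` in the new record-printing code passes the first field as the printf format string; today that field is the datetime or the literal `Datetime`, neither of which contains `%`, but any future field value with a `%` would be interpreted as a conversion specifier and corrupt the row, so `printf "%s", $1;` is the safe form. The cpu_metric.sh AIX hunk further down in this patch introduces the same `printf $1;`. Also, `get_current_time()` forks a `date` process for every data row, i.e. once per CPU per sample with `mpstat -a 2 5`; capturing it once when the `cpu ` header line is seen and reusing that value for the rows of that sample would give one fork per sample and a consistent timestamp across the sample's rows.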
@@ -126,28 +165,46 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle' + HEADER='Datetime CPU pctUser pctSystem pctIdle' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}' + PRINTF='{printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 FILTER='($1 !~ "CPU") {next;}' # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + }' + PRINTF='{ + print header; + printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle; + }' + + $CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t + echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit elif [ "$KERNEL" = "OpenBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -1 -b; top -b' assertHaveCommand "$CMD" # shellcheck disable=SC2016 
@@ -159,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then else if ($1 ~ /^CPU[0-9]+$/) cpu=substr($1,4); else cpu=0; + datetime="'"$formatted_date"'"; pctUser=substr($3,1,length($3)-1); pctNice=substr($5,1,length($5)-1); pctSystem=substr($7,1,length($7)-1); @@ -166,6 +224,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then pctIdle=substr($13,1,length($13)-1); }' elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 @@ -175,6 +234,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; 
@@ -189,15 +251,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then pctIdle = remove_char($(NF-1), "%"); pctIowait = "0.0"; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address values - $1 = OSName; - $2 = OSVersion/1000; - $3 = IP_address; + # Prepend Datetime, OSName, OS_version, IP_address values + $1 = get_current_time(); + $2 = OSName; + $3 = OSVersion/1000; + $4 = IP_address; # Prepend lparstat field values if($0 ~ /ALL/) { - $4 = CPUPool; - $5 = OnlineVirtualCPUs; - $6 = EntitledCapacity; + $5 = CPUPool; + $6 = OnlineVirtualCPUs; + $7 = EntitledCapacity; } else { - $4 = "-"; $5 = "-"; $6 = "-"; + $7 = "-"; } } if($0 ~ /cpu /) { - for(i=NF+7; i>=7; i--) + for(i=NF+8; i>=8; i--) { - $i = $(i-6); + $i = $(i-7); } - # Prepend OSName, OS_version, IP_address headers - $1 = "OSName"; - $2 = "OS_version"; - $3 = "IP_address"; + # Prepend Datetime, OSName, OS_version, IP_address headers + $1 = "Datetime"; + $2 = "OSName"; + $3 = "OS_version"; + $4 = "IP_address"; # Prepend lparstat field headers - $4 = "CPUPool"; - $5 = "OnlineVirtualCPUs"; - $6 = "EntitledCapacity"; + $5 = "CPUPool"; + $6 = "OnlineVirtualCPUs"; + $7 = "EntitledCapacity"; flag = 1; } - for(i=1; i<=NF; i++) + printf $1; + for(i=2; i<=NF; i++) { printf "%17s ", $i; } 
@@ -143,11 +158,11 @@ elif [ "$KERNEL" = "AIX" ] ; then echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" exit elif [ "$KERNEL" = "Darwin" ] ; then - HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address' + HEADER='Datetime pctUser pctSystem pctIdle OSName OS_version IP_address CPU' HEADERIZE="BEGIN {print \"$HEADER\"}" - PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}' + PRINTF='{printf "%-28s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address, cpu}' # top command here is used to get a single instance of cpu metrics - CMD='top -l 1' + CMD='top -l 5 -s 2' assertHaveCommand "$CMD" # FILTER here skips all the rows that doesn't match "CPU". # shellcheck disable=SC2016 
@@ -156,20 +171,30 @@ elif [ "$KERNEL" = "Darwin" ] ; then DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" # FORMAT here removes '%'in the end of the metrics. # shellcheck disable=SC2016 - FORMAT='function remove_char(string, char_to_remove) { - sub(char_to_remove, "", string); - return string; - } - { - cpu="all"; - pctUser = remove_char($3, "%"); - pctSystem = remove_char($5, "%"); - pctIdle = remove_char($7, "%"); - OSName=OSName; - OS_version=OS_version; - IP_address=IP_address; - }' + FORMAT=' + function get_current_time() { + # Use "date" to fetch the current time and store it in a variable + command = "date +\"%m/%d/%y_%H:%M:%S_%Z\""; + command | getline datetime; + close(command); + return datetime; + } + function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + datetime=get_current_time(); + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + OSName=OSName; + OS_version=OS_version; + IP_address=IP_address; + }' elif [ "$KERNEL" = "OpenBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -1 -b; top -b' assertHaveCommand "$CMD" # shellcheck disable=SC2016 @@ -183,6 +208,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then else if ($1 ~ /^CPU[0-9]+$/) cpu=substr($1,4); else cpu=0; + datetime="'"$formatted_date"'"; pctUser=substr($3,1,length($3)-1); pctNice=substr($5,1,length($5)-1); pctSystem=substr($7,1,length($7)-1); @@ -190,6 +216,7 @@ elif [ "$KERNEL" = "OpenBSD" ] ; then pctIdle=substr($13,1,length($13)-1); }' elif [ "$KERNEL" = "FreeBSD" ] ; then + formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z") CMD='eval top -P -d2 c; top -d2 c' assertHaveCommand "$CMD" # shellcheck disable=SC2016 
@@ -201,6 +228,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then sub(char_to_remove, "", string); return string; } + { + datetime="'"$formatted_date"'"; + } { if ($1 == "CPU:") { cpu = "all"; @@ -218,16 +248,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then OS_version=OS_version; IP_address=IP_address; }' -elif [ "$KERNEL" = "HP-UX" ] ; then - queryHaveCommand sar - FOUND_SAR=$? - DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" - if [ $FOUND_SAR -eq 0 ] ; then - CMD='sar -M 1 1 ALL' - fi - FILTER='/HP-UX|^$|%/ {next}' - # shellcheck disable=SC2016 - FORMAT='{k=0; if(5> "$TEE_DEST" +$CMD1 | tee -a "$TEE_DEST" -$CMD2 | tee -a "$TEE_DEST" echo "Cmd2 = [$CMD2]" >> "$TEE_DEST" +if [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then + TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_time_error_tmpfile + OUTPUT=$($CMD2 2>$TMP_ERROR_FILTER_FILE) + + if grep -q "Timeout" < $TMP_ERROR_FILTER_FILE; then + LAST_LINE=$(echo "$OUTPUT" | tail -n 1) + if [[ "$LAST_LINE" == *"$SERVER"* ]]; then + echo "$LAST_LINE" | tee -a "$TEE_DEST" + fi + cat $TMP_ERROR_FILTER_FILE >> $TEE_DEST + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + elif grep -vq "Timeout" < $TMP_ERROR_FILTER_FILE; then + cat $TMP_ERROR_FILTER_FILE >&2 + echo "$OUTPUT" >> "$TEE_DEST" + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + else + echo "$OUTPUT" | tee -a "$TEE_DEST" + fi +else + $CMD2 | tee -a "$TEE_DEST" +fi diff --git a/bin/version.sh b/bin/version.sh index cddefda..9023cc7 100755 --- a/bin/version.sh +++ b/bin/version.sh 
@@ -5,68 +5,62 @@ # shellcheck disable=SC1091 . "$(dirname "$0")"/common.sh -PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, KERN_REL, OS_NAME, KERN_VER, OS_REL, OS_VER, DISTRO}' +PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER, KERNEL_NAME, KERNEL_VERSION, KERNEL_RELEASE}' if [ "$KERNEL" = "Linux" ] ; then assertHaveCommand date assertHaveCommand uname - [ -f /etc/os-release ] && . /etc/os-release - machine_arch=$(uname -p) - os_release=$(uname -r) - os_version=$(uname -v) - distro_name=Linux - [ -n "$NAME" ] && distro_name=$NAME - [ -n "$VERSION_ID" ] && os_release=$VERSION_ID - [ -n "$VERSION_ID" ] && os_version=$VERSION_ID - [ -r /etc/debian_version ] && grep -Eq "^[0-9.]+$" /etc/debian_version && os_release=$(cat /etc/debian_version) - [ "$BUILD_ID" = "rolling" ] && os_release=rolling - [ "$BUILD_ID" = "rolling" ] && os_version=rolling - which dpkg > /dev/null 2>&1 && machine_arch=$(dpkg --print-architecture) - [ "$NAME" = "Arch Linux" -o "$NAME" = "Arch Linux ARM" ] && machine_arch=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") - - CMD="eval date ; echo $distro_name ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; echo $machine_arch; echo $os_release; echo $os_version" -elif [ "$KERNEL" = "Darwin" ] ; then - assertHaveCommand date - assertHaveCommand uname - assertHaveCommand sw_vers - os_release=$(sw_vers --productVersion) - CMD="eval date ; echo MacOS ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p; echo $os_release; echo $os_release" + VERSION=$(grep "^VERSION=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + NAME=$(grep "^NAME=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + VERSION_ID=$(grep "^VERSION_ID=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -) + MACHINE_ARCH=$(uname -p) + which dpkg > 
/dev/null 2>&1 && MACHINE_ARCH=$(dpkg --print-architecture) + which pacman > /dev/null 2>&1 && MACHINE_ARCH=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") && VERSION=rolling && VERSION_ID=rolling + CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; echo \"$MACHINE_ARCH\" ; eval uname -s ; eval uname -v ; eval uname -r" elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo $KERNEL ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p;' + CMD='eval date ; eval uname -m ; eval uname -r ; echo $KERNEL ; eval uname -r; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r;' +elif [ "$KERNEL" = "Darwin" ] ; then + # Darwin-macos uses sw_vers for os version, name and release switch. + assertHaveCommand date + assertHaveCommand uname + VERSION=$(sw_vers -BuildVersion) + NAME=$(sw_vers -productName) + VERSION_ID=$(sw_vers -ProductVersion) + CMD="eval date ; eval uname -m ; echo \"$VERSION_ID ($VERSION)\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r" elif [ "$KERNEL" = "HP-UX" ] ; then # HP-UX lacks -p switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo HP-UX ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' + CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v' elif [ "$KERNEL" = "AIX" ] ; then # AIX uses oslevel for version and release switch. assertHaveCommand date assertHaveCommand uname - CMD='eval date ; echo AIX ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s' + CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel ; eval uname -m ; eval uname -s ; eval uname -v; eval uname -r' fi # Get the date. 
# shellcheck disable=SC2016 PARSE_0='NR==1 {DATE=$0}' # shellcheck disable=SC2016 -PARSE_1='NR==2 {DISTRO="distro_name=\"" $0 "\""}' +PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_2='NR==3 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}' +PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_3='NR==4 {OS_REL="os_release=\"" $0 "\"";KERN_REL="kernel_release=\"" $0 "\""}' +PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_4='NR==5 {OS_NAME="os_name=\"" $0 "\""}' +PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_5='NR==6 {OS_VER="os_version=\"" $0 "\"";KERN_VER="kernel_version=\"" $0 "\""}' +PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_6='NR==7 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}' +PARSE_6='NR==7 {KERNEL_NAME="kernel_name=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_7='NR==8 {OS_REL="os_release=\"" $0 "\""}' +PARSE_7='NR==8 {KERNEL_VERSION="kernel_version=\"" $0 "\""}' # shellcheck disable=SC2016 -PARSE_8='NR==9 {OS_VER="os_version=\"" $0 "\""}' +PARSE_8='NR==9 {KERNEL_RELEASE="kernel_release=\"" $0 "\""}' MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8" diff --git a/default/app.conf b/default/app.conf index 41c30da..2f0a003 100644 --- a/default/app.conf +++ b/default/app.conf @@ -7,7 +7,7 @@ [install] is_configured = false state = enabled -build = 1720176219 +build = 1738793362 [ui] setup_view = ta_nix_configuration @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 9.2.0.13 +version = 10.0.0.0 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 9.2.0.13 +version = 10.0.0.0 
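Review bot: The Linux branch now derives `VERSION`, `NAME` and `VERSION_ID` with `grep "^VERSION=" /etc/*-release | ... | paste -sd " " -`; if the glob matches more than one file that defines the key, `paste` joins every match into a single value, so `os_release` would come out doubled — reading only `/etc/os-release` (which the removed `. /etc/os-release` did) or inserting `head -n1` before `paste` avoids that. The removed lines also drop the `/etc/debian_version` refinement, so Debian hosts now report the major `VERSION_ID` rather than the point release; if intentional it belongs in docs/ReleaseNotes.md. The HP-UX `CMD` emits five values while `PARSE_5`–`PARSE_8` read lines 6–9, so `machine_architecture_name` and the `kernel_*` fields stay blank on HP-UX; appending `eval uname -s ; eval uname -v ; eval uname -r` as the AIX branch does would fill them. Finally, the three values are expanded into a command string that begins with `eval` and is presumably run as `$CMD`, so they are re-parsed by the shell; the `echo \"...\"` quoting covers spaces and parentheses but not `$` or backticks in a release file, and emitting them outside the eval'd string would remove that dependency on the file's contents.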
diff --git a/default/eventtypes.conf b/default/eventtypes.conf index 45efebe..9b4820b 100644 --- a/default/eventtypes.conf +++ b/default/eventtypes.conf @@ -233,12 +233,21 @@ search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" #tags = application authentication remote +## sshd-session +[sshd_session_start] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Failed password for" OR "Connection closed by invalid user" OR "Unable to negotiate" OR "session opened for user" OR "banner exchange" OR "Could not get shadow information" OR "Accepted password") +#tags = network session start + +[sshd_session_end] +search = sourcetype=linux_secure eventtype=nix_ta_data ("sshd-session[" OR "sshd[") AND ("Read error from remote host" OR "Connection timed out" OR "Disconnected from user" OR "Connection closed by" OR "session closed for user") AND NOT "Connection closed by invalid user" +#tags = network session end + ## sshd [sshd_authentication] # osx sshd authentication error # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 # Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host -search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") +search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") AND NOT sourcetype=linux_secure #tags = authentication remote [ssh_login_postponed] 
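Review bot: `[sshd_session_start]` matches "Failed password for", "Connection closed by invalid user", "Unable to negotiate", "banner exchange" and "Could not get shadow information" — all of which the new transforms in this commit label `action::"blocked"` — yet the tags.conf hunk at `@@ -262,6 +262,18 @@` tags this eventtype `network session start`, so rejected connection attempts will surface as started sessions in the Network Sessions data model. If CIM-conformant session tracking is the goal, the start eventtype should carry only the accepted/opened signatures ("Accepted password", "session opened for user") and the blocked signatures belong in an authentication-tagged eventtype. Relatedly, this hunk and the `@@ -246,7 +255,7 @@` and `@@ -577,7 +586,7 @@` hunks append `AND NOT sourcetype=linux_secure` to `sshd_authentication`, `ssh_open` and `failed_login`, and no eventtype in this diff re-applies the `authentication` tag to linux_secure sshd events; unless one exists outside the patch, Authentication data-model coverage for that sourcetype drops with this change.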
@@ -246,7 +255,7 @@ search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed # no tags assigned to this eventtype [ssh_open] -search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) +search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) AND NOT sourcetype=linux_secure #tags = communicate connect # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 @@ -577,7 +586,7 @@ search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*" ###### ADDED FROM UNIX APP ###### [failed_login] -search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" +search = eventtype=nix_ta_data ("failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for") AND NOT sourcetype=linux_secure #tags = authentication [Failed_SU] diff --git a/default/props.conf b/default/props.conf index 417652d..1ca0fc8 100644 --- a/default/props.conf +++ b/default/props.conf @@ -112,10 +112,12 @@ TRANSFORMS-vmstat-metric-dimensions=eval_dimensions METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat [cpu_metric] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +# Timestamp extraction settings +TIME_PREFIX = ^ +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z +MAX_TIMESTAMP_LOOKAHEAD = 25 + TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = none INDEXED_EXTRACTIONS = CSV FIELD_DELIMITER=whitespace 
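Review bot: `TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z` keys event time on a timezone abbreviation, which is what the cpu scripts emit via `date +"%m/%d/%y_%H:%M:%S_%Z"` and `strftime("%m/%d/%y_%H:%M:%S_%Z")`; abbreviations are not unique across zones, so Splunk's resolution of `%Z` can pick an offset different from the host's and index the event off its real time. Emitting a numeric offset from the scripts (`%z`, e.g. `-0500`) and matching it with `TIME_FORMAT = %m/%d/%y_%H:%M:%S_%z` is unambiguous and still fits `MAX_TIMESTAMP_LOOKAHEAD = 25`. The same `TIME_FORMAT` is introduced for the `[cpu]` stanza in the next hunk. The hunk also drops `DATETIME_CONFIG = CURRENT`, so a failed parse no longer falls back to ingest time but to Splunk's generic timestamp heuristics; a one-line comment recording that choice in the stanza would help whoever debugs skewed cpu_metric timestamps later.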
@@ -174,10 +176,16 @@ METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps ## Scripted Event Inputs ######################### [cpu] -SHOULD_LINEMERGE=false -LINE_BREAKER=(^$|[\r\n]+[\r\n]+) +LINE_BREAKER=([\r\n]+)Datetime\s+ +EVENT_BREAKER=([\r\n]+)Datetime\s+ + +# Timestamp extraction settings +TIME_PREFIX = \n +TIME_FORMAT = %m/%d/%y_%H:%M:%S_%Z + +EVENT_BREAKER_ENABLE=true +SHOULD_LINEMERGE = false TRUNCATE=1000000 -DATETIME_CONFIG = CURRENT KV_MODE = multi FIELDALIAS-dest_for_cpu = host as dest FIELDALIAS-src_for_cpu = host as src @@ -570,19 +578,6 @@ FIELDALIAS-dest = host as dest # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. -###### Global ###### -# [source::...(linux.*|sample.*.linux)] -# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen - -# [source::...(osx.*|sample.*.osx)] -# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen - -# [source::...(solaris.*|sample.*.solaris)] -# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen - -# [source::...sample.*.unix] -# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen - ## support for linux only [Linux:SELinuxConfig] EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules" 
@@ -655,9 +650,10 @@ FIELDALIAS-dest = host as dest [source::...Unix:Version] SHOULD_LINEMERGE = false -FIELDALIAS-family_for_nix_version = os_name as family +EVAL-description = "script" +EVAL-family = coalesce(kernel_name, os_name) LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range -FIELDALIAS-version_for_nix_version = os_release as version +EVAL-version = if(isnotnull(kernel_version),os_version,os_release) FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null()) EVAL-vendor_product = if(isnotnull(os_name),os_name,null()) 
@@ -745,13 +741,16 @@ EVENT_BREAKER_ENABLE = true ## Event extractions by type EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app) -REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication +REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, sshd-session-login-failed, sshd-session-login-accepted, sshd-session-invalid-user, sshd-session-connection-close, sshd-session-key-negotiation-failed, sshd-session-banner-exchange-failed, sshd-session-shadow-info-error, sshd-session-read-error-timeout, sshd-session-disconnect, sshd-session-closed-for-user, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, sshd-session-pam_unix_authentication_success, linux_secure_pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication EVAL-action = if(app="su" AND isnull(action),"success",action) REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-routing = iptables -EVAL-signature = 
if(isnotnull(inbound_interface),"firewall",null()) +EVAL-signature = if(isnotnull(inbound_interface), "firewall", signature) +EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null()) +EVAL-src = if(authentication_service=="pam_unix" AND signature=="session opened for user" AND app=="sudo", dest, src) +EVAL-dest_dns = if((process == "sshd-session" OR process == "sshd") AND (action == "blocked" OR action == "started" OR action == "ended"), dest, null()) REPORT-dest_for_linux_secure = loghost_as_dest LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action @@ -803,3 +802,6 @@ SHOULD_LINEMERGE = false TIME_PREFIX = audit\( MAX_TIMESTAMP_LOOKAHEAD=23 MAX_DAYS_AGO=3650 +EXTRACT-proctitle = .*proctitle=(?.*)$ +EXTRACT-execve_command = .*type=EXECVE.*a0=(?.*)$ +EVAL-execve_command = replace(execve_command, "a\d+=", "") diff --git a/default/tags.conf b/default/tags.conf index 3e38c29..6130cb3 100644 --- a/default/tags.conf +++ b/default/tags.conf @@ -262,6 +262,18 @@ authentication = enabled remote = enabled ## sshd + +## Network_Sessions +[eventtype=sshd_session_start] +network = enabled +session = enabled +start = enabled + +[eventtype=sshd_session_end] +network = enabled +session = enabled +end = enabled + [eventtype=sshd_authentication] authentication = enabled remote = enabled @@ -834,8 +846,6 @@ system = enabled version = enabled inventory = enabled oshost = enabled -cpu = enabled -memory = enabled ## VSFTDP Config diff --git a/default/transforms.conf b/default/transforms.conf index 7039cf3..f246b72 100644 --- a/default/transforms.conf +++ b/default/transforms.conf 
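Review bot: `EVAL-user_role = if(authentication_service=="pam_unix" AND user=="root", "administator", null())` misspells the role value — it should be `"administrator"`; as written, any search or data-model constraint matching `user_role=administrator` will miss root pam_unix events from this sourcetype. The new `EVAL-dest_dns` assigns the `dest` value (a host name, from `REPORT-dest_for_linux_secure = loghost_as_dest`) to `dest_dns` without any DNS resolution, so a comment noting it is an alias of the log host rather than a resolved name would avoid misleading CIM consumers. The linux_secure stanza starts above this hunk.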
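Review bot: The named group in `EXTRACT-proctitle = .*proctitle=(?.*)$` and `EXTRACT-execve_command = .*type=EXECVE.*a0=(?.*)$` is not visible on this page (the group name looks stripped by rendering), so confirm the committed file has `(?<proctitle>...)` and `(?<execve_command>...)`. More importantly, auditd writes the PROCTITLE field and EXECVE arguments as a hex string whenever the value contains whitespace or non-printable characters, so unless the audit stream is pre-decoded (e.g. `ausearch -i` or an enriched log format) these extractions will frequently capture hex rather than a readable command line and `EVAL-execve_command = replace(execve_command, "a\d+=", "")` will have nothing to strip; a stanza comment such as `# proctitle/EXECVE args are hex-encoded by auditd when they contain spaces; no decoding is done here` would set expectations for detection authors.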
@@ -201,7 +201,7 @@ INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB) [extract_cpu_metric_field] -INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU) +INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0") [metric-schema:extract_metrics_iostat] METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address 
@@ -294,25 +294,85 @@ FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs REGEX = exe=.*\/(\S+)\" FORMAT = command::$1 +## Network_Sessions + +# SSHD evnets for OpenSSH >= v9.8 +# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2 +# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2] +[sshd-session-login-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(failed\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"blocked" src_ip::$3 user::$2 signature::$1 + +# Jan 3 17:21:42 host sshd-session[1187]: Accepted password for devuser from 1X.XX.XX.XX port 1234 ssh2 +[sshd-session-login-accepted] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Accepted\s+password).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"started" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by invalid user ubuntu 1X.XX.XX.XX port 1234 [preauth] +[sshd-session-invalid-user] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed\s+by\s+invalid user).*?(\S+)\s+.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"blocked" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: Connection closed by 1X.XX.XX.XX port 1234 +[sshd-session-connection-close] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(?i)(Connection\s+closed)\s+by\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"ended" signature::$1 src_ip::$2 + +# Jan 3 09:54:47 host sshd-session[146590]: Unable to negotiate with 1X.XX.XX.XX port 1234: no matching host key type found. 
Their offer: ssh-rsa,ssh-dss [preauth] +[sshd-session-key-negotiation-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Unable\s+to\s+negotiate\s+with\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+no\s+matching\s+host\s+key\s+type\s+found +FORMAT = action::"blocked" signature::"Unable to negotiate: no matching host key type found" src_ip::$1 + +# Jan 3 07:08:37 host sshd-session[133482]: banner exchange: Connection from 1X.XX.XX.XX port 1234: invalid format +[sshd-session-banner-exchange-failed] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+banner\s+exchange\s*:\s+.*?\S+\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s*invalid\s+format +FORMAT = action::"blocked" signature::"banner exchange: invalid format" src_ip::$1 + +# Jan 2 18:13:08 host sshd-session[8962]: error: Could not get shadow information for NOUSER +[sshd-session-shadow-info-error] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+error:\s+(Could\s+not\s+get\s+shadow\s+information)\s+for\s+(\S+) +FORMAT = action::"blocked" signature::$1 user::$2 + +# Jan 3 05:46:01 host sshd-session[125949]: pam_unix(sshd:session): session opened for user ec2-user(uid=1000) by ec2-user(uid=0) +[sshd-session-pam_unix_authentication_success] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? 
+FORMAT = action::"started" signature::$1 user::$2 user_id::$3 src_user::$4 src_user_id::$5 + +# Jan 3 05:46:01 host sshd-session[125949]: Read error from remote host 1X.XX.XX.XX port 1234: Connection timed out +[sshd-session-read-error-timeout] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+Read\s+error\s+from\s+remote\s+host\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))[^:]+:\s+(Connection\s+timed\s+out) +FORMAT = action::"ended" src_ip::$1 signature::$2 + +# Jan 3 11:15:07 host sshd-session[226274]: Disconnected from user devuser 1X.XX.XX.XX port 1234 +[sshd-session-disconnect] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+(?i)(Disconnected\s+from\s+user).*?(\S+)\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) +FORMAT = action::"ended" signature::$1 user::$2 src_ip::$3 + +# Jan 3 10:07:28 host sshd-session[147610]: pam_unix(sshd:session): session closed for user ec2-user +[sshd-session-closed-for-user] +REGEX = (?:sshd-session|sshd)\[\d+\]\:\s+pam_unix\([^:]+:\w+\)\:\s+(session\s+closed\s+for\s+user)\s+([^\s\(]+)$ +FORMAT = action::"ended" signature::$1 user::$2 ## Authentication # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2 [ssh-login-accepted] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? 
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5 # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX # Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2 +# Jan 3 17:21:38 host sshd-session[1187]: Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2 +# Jan 3 11:08:18 host sshd-session[224962]: message repeated 2 times: [ Failed password for devuser from 1X.XX.XX.XX port 1234 ssh2] [ssh-login-failed] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX [ssh-invalid-user] -REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? +REGEX = (?:sshd|sshd-session)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+))?(?:\s+\w*\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5 
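Review bot: In the new `[sshd-session-login-failed]` (and likewise `[sshd-session-invalid-user]`), the lazy `.*?(\S+)\s+from.*?(<ip>)` takes the first ` from <address>` after the signature, but the username in these lines is chosen by the remote client and OpenSSH logs it verbatim apart from control characters; a login attempt with the username `x from 198.51.100.9 port 22 ssh2` would therefore put the attacker's chosen address into `src_ip`, and anything keyed on `src_ip` (brute-force counts, allow-lists, lockouts) would follow it. Anchoring on the trailer the daemon itself appends keeps the genuine peer: `(?i)(failed\s+password)\s+for\s+(?:invalid\s+user\s+)?(.+?)\s+from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))\s+port\s+\d+(?:\s+ssh\d)?\s*\]?\s*$`, with the user group absorbing whatever was injected before the real ` from`. The `message repeated N times: [ … ]` form quoted in the comment above this transform is matched, but the count is dropped, so each such event counts as a single failure; capturing `repeated\s+(\d+)\s+times` into a count field would preserve it. The pre-existing `[ssh-login-failed]` later in this hunk has the same unanchored shape.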
@@ -330,8 +390,9 @@ REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(? FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye +# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX:XXX:XX:XXX:XXX:XXX port 123123:11: disconnected by user [ssh-disconnect] -REGEX = (Received disconnect) from ([^\s]+): +REGEX = (Received disconnect) from ([^\s]+:[a-fA-F0-9.]+|::|[\d.]+) FORMAT = name::$1 src_ip::$2 [sshd_authentication_kerberos_success] @@ -358,6 +419,10 @@ FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2 REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 +[linux_secure_pam_unix_authentication_success] +REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened\s+for\s+user)\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? +FORMAT = app::"$1" signature::$2 authentication_service::"pam_unix" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 src_user_type::"user" user_type::"user" + [passwd-auth-failure] REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure) FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure" @@ -476,26 +541,6 @@ FORMAT = signature::$1 ## -[force_host_for_linux_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-001 - -[force_host_for_osx_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-002 - -[force_host_for_solaris_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-003 - -[force_host_for_unix_eventgen] -DEST_KEY = MetaData:Host -REGEX = . -FORMAT = host::ACME-004 - ## Service [nix_linux_service_startmode_lookup] filename = nix_linux_service_startmodes.csv 
@@ -504,10 +549,6 @@ filename = nix_linux_service_startmodes.csv [nix_da_update_status_lookup] filename = nix_da_update_status.csv -[Description_for_installedupdates] -REGEX = ^Description=([^\r\n]+) -FORMAT = Description::$1 - ## Version [nix_da_version_range_lookup] filename = nix_da_version_ranges.csv @@ -515,24 +556,4 @@ filename = nix_da_version_ranges.csv [nix_linux_audit_action_lookup] filename = nix_linux_audit_action_object_category.csv -[force_host_for_linux_cpu] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_memory] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_io] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - -[force_host_for_linux_disk] -DEST_KEY=MetaData:Host -REGEX=^\S+\s+\S+\s+\S+\s+(\S+) -FORMAT=host::$1 - ###### END CONTENT IMPORTED FROM TA-deploymentapps ###### From 847f4ab7429fe51b6d57abfbd3d9d79c1ddc8d84 Mon Sep 17 00:00:00 2001 From: Michael Erdely Date: Wed, 19 Feb 2025 11:35:40 -0500 Subject: [PATCH 19/19] Fix report CPU_TYPE in hardware.sh for RPIs Changes: * For CPU_TYPE in hardware.sh, report something if /proc/cpuinfo does not contain processor model information --- VERSION | 4 ++-- app.manifest | 2 +- bin/hardware.sh | 1 + default/app.conf | 4 ++-- docs/ReleaseNotes.md | 13 +++++++++++++ 5 files changed, 19 insertions(+), 5 deletions(-) diff --git a/VERSION b/VERSION index 17a98bb..3c35f76 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -10.0.0.0 -10.0.0.0 +10.0.0.1 +10.0.0.1 diff --git a/app.manifest b/app.manifest index 6477357..521d014 100644 --- a/app.manifest +++ b/app.manifest @@ -29,7 +29,7 @@ "id": { "group": null, "name": "TA-unix", - "version": "10.0.0.0" + "version": "10.0.0.1" }, "license": { "name": "Splunk Software License Agreement", diff --git a/bin/hardware.sh b/bin/hardware.sh index 10c7e06..8113a4f 100755 --- a/bin/hardware.sh +++ b/bin/hardware.sh 
@@ -17,6 +17,7 @@ if [ "$KERNEL" = "Linux" ] ; then CPU_TYPE=$(awk -F: '/model name/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST") CPU_CACHE=$(awk -F: '/cache size/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST") CPU_COUNT=$(grep -c processor /proc/cpuinfo 2>>"$TEE_DEST") + [ -z "$CPU_TYPE" ] && [ -r /proc/device-tree/compatible ] && CPU_TYPE=$(cat /proc/device-tree/compatible | tr '\0' ',') # HDs # shellcheck disable=SC2010 for deviceBasename in $(ls /sys/block | grep -E -v '^(dm|md|ram|sr|loop)') diff --git a/default/app.conf b/default/app.conf index 2f0a003..cb5c981 100644 --- a/default/app.conf +++ b/default/app.conf @@ -17,7 +17,7 @@ docs_section_override = AddOns:released [launcher] author = Michael Erdely -version = 10.0.0.0 +version = 10.0.0.1 description = Technical Add-on for Unix and Linux #[package] @@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux [id] name = TA-unix -version = 10.0.0.0 +version = 10.0.0.1 diff --git a/docs/ReleaseNotes.md b/docs/ReleaseNotes.md index 250fb1b..cab2a89 100644 --- a/docs/ReleaseNotes.md +++ b/docs/ReleaseNotes.md @@ -1,5 +1,18 @@ # Technical Add-on for Unix and Linux +## Version 10.0.0.1 (2025-02-19) + +Fix report CPU_TYPE in hardware.sh for RPIs + +Changes: + +* For CPU_TYPE in hardware.sh, report something if /proc/cpuinfo does not + contain processor model information + +## Version 10.0.0.0 (2025-02-05) + +Merge in Splunk Add-On for Unix and Linux version 10.0.0 + ## Version 9.2.0.13 (2025-02-03) Fix alignment and fix packages for Arch Linux
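Review bot: The new fallback `CPU_TYPE=$(cat /proc/device-tree/compatible | tr '\0' ',')` reads the file through a needless `cat` and, because the device-tree value is a list of NUL-terminated strings, leaves a trailing comma on the result (e.g. `raspberrypi,4-model-b,brcm,bcm2711,`); it also drops the `2>>"$TEE_DEST"` stderr capture that the three preceding `/proc/cpuinfo` lines use. `CPU_TYPE=$(tr '\0' ',' < /proc/device-tree/compatible 2>>"$TEE_DEST" | sed 's/,$//')` gives the same value without the stray comma and keeps error reporting consistent with its neighbours. Under the existing `&&` chain a failing `tr` still leaves `CPU_TYPE` empty, so nothing else needs to change. The enclosing `if [ "$KERNEL" = "Linux" ]` block starts and ends outside the hunk.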