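##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
# Splunk inputs.conf for the Unix/Linux add-on: scripted inputs ([script://...])
# and file monitors ([monitor://...]).
# Every stanza below ships with disabled = 1 / disabled = true; enable the
# inputs you need in a local override rather than editing this file (Splunk
# reads 1/0 and true/false interchangeably for disabled, which is why both
# spellings appear here).
# interval is in seconds.

################################################
############### Metric Inputs ##################
################################################

[script://./bin/docker_metric.sh]
sourcetype = docker_metric
source = docker
interval = 60
disabled = 1

[script://./bin/vmstat_metric.sh]
sourcetype = vmstat_metric
source = vmstat
interval = 60
disabled = 1

[script://./bin/iostat_metric.sh]
sourcetype = iostat_metric
source = iostat
interval = 60
disabled = 1

[script://./bin/ps_metric.sh]
sourcetype = ps_metric
source = ps
interval = 30
disabled = 1

[script://./bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 1

[script://./bin/interfaces_metric.sh]
sourcetype = interfaces_metric
source = interfaces
interval = 60
disabled = 1

[script://./bin/cpu_metric.sh]
sourcetype = cpu_metric
source = cpu
interval = 30
disabled = 1

################################################
############### Event Inputs ###################
################################################

[script://./bin/docker.sh]
interval = 60
sourcetype = docker
source = docker
disabled = 1

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
disabled = 1

[script://./bin/nfsiostat.sh]
interval = 60
sourcetype = nfsiostat
source = nfsiostat
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
disabled = 1

[script://./bin/top.sh]
interval = 60
sourcetype = top
source = top
disabled = 1

[script://./bin/netstat.sh]
interval = 60
sourcetype = netstat
source = netstat
disabled = 1

[script://./bin/bandwidth.sh]
interval = 60
sourcetype = bandwidth
source = bandwidth
disabled = 1

[script://./bin/protocol.sh]
interval = 60
sourcetype = protocol
source = protocol
disabled = 1

[script://./bin/openPorts.sh]
interval = 300
sourcetype = openPorts
source = openPorts
disabled = 1

[script://./bin/time.sh]
interval = 21600
sourcetype = time
source = time
disabled = 1

[script://./bin/lsof.sh]
interval = 600
sourcetype = lsof
source = lsof
disabled = 1

[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
disabled = 1

# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
disabled = 1

# Lists users who could log in (i.e., they are assigned a login shell)
[script://./bin/usersWithLoginPrivs.sh]
sourcetype = usersWithLoginPrivs
source = usersWithLoginPrivs
interval = 3600
disabled = 1

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 1

# Shows stats per link-level Ethernet interface (simply, NIC)
[script://./bin/interfaces.sh]
sourcetype = interfaces
source = interfaces
interval = 60
disabled = 1

# Shows stats per CPU (useful for SMP machines)
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
disabled = 1

# This script reads the auditd logs translated with ausearch.
# Reading the audit log normally needs elevated privileges; grant the
# forwarder only what ausearch requires rather than running it as root.
[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
disabled = 1

# Runs the package management tool to collect installed packages
[script://./bin/package.sh]
sourcetype = package
source = package
interval = 3600
disabled = 1

[script://./bin/hardware.sh]
sourcetype = hardware
source = hardware
interval = 36000
disabled = 1

[monitor:///Library/Logs]
disabled = 1

# whitelist/blacklist are regexes matched against the full path.
# Authentication logs (secure, auth) are included; lastlog is excluded because
# it is a binary database, not a text log.
[monitor:///var/log]
whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist = (lastlog|anaconda\.syslog)
disabled = 1

[monitor:///var/adm]
whitelist = (\.log$|messages)
disabled = 1

# Collects system configuration files. Some of the matched files (e.g. *.cnf,
# *.conf) can carry credentials; restrict search access to the index these
# events land in accordingly.
[monitor:///etc]
whitelist = (\.(conf|cfg|ini|init|cf|cnf|profile|rc|rules|tab|login)$|(config|shrc|tab|policy)$|^ifcfg)
disabled = 1

### bash history
# Shell history frequently contains passwords and tokens typed on the command
# line; treat the resulting index as sensitive and limit who can search it.
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history

[monitor:///home/*/.bash_history]
disabled = true
sourcetype = bash_history

##### Added for ES support
# Note that because the UNIX app uses a single script to retrieve information
# from multiple OS flavors, and is intended to run on Universal Forwarders,
# it is not possible to differentiate between OS flavors by assigning
# different sourcetypes for each OS flavor (e.g. Linux:SSHDConfig), as was
# the practice in the older deployment-apps included with ES. Instead,
# sourcetypes are prefixed with the generic "Unix".
# May require Splunk forwarder to run as root on some platforms. Where
# possible, prefer a targeted privilege grant for the specific commands these
# scripts invoke over running the whole forwarder as root.

[script://./bin/openPortsEnhanced.sh]
disabled = true
interval = 3600
source = Unix:ListeningPorts
sourcetype = Unix:ListeningPorts

[script://./bin/passwd.sh]
disabled = true
interval = 3600
source = Unix:UserAccounts
sourcetype = Unix:UserAccounts

# Only applicable to Linux
[script://./bin/selinuxChecker.sh]
disabled = true
interval = 3600
source = Linux:SELinuxConfig
sourcetype = Linux:SELinuxConfig

# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/service.sh]
disabled = true
interval = 3600
source = Unix:Service
sourcetype = Unix:Service

# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/sshdChecker.sh]
disabled = true
interval = 3600
source = Unix:SSHDConfig
sourcetype = Unix:SSHDConfig

# Currently only supports Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/update.sh]
disabled = true
interval = 86400
source = Unix:Update
sourcetype = Unix:Update

[script://./bin/uptime.sh]
disabled = true
interval = 86400
source = Unix:Uptime
sourcetype = Unix:Uptime

[script://./bin/version.sh]
disabled = true
interval = 86400
source = Unix:Version
sourcetype = Unix:Version

# This script may need to be modified to point to the VSFTPD configuration file.
[script://./bin/vsftpdChecker.sh]
disabled = true
interval = 86400
source = Unix:VSFTPDConfig
sourcetype = Unix:VSFTPDConfig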