##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
## props.conf: sourcetype definitions (line breaking, timestamp handling) and
## search-time field extractions / calculated fields for *nix script output
## and system logs. Splunk reads this file itself: comments must be full-line,
## everything after "=" is the value, and "..." in a [source::] pattern is a
## wildcard that also crosses path separators.
#####################
## Configuration Logs
#####################

# Files with these extensions are indexed whole as one event and re-read
# whenever their modification time changes.
# NOTE(review): "inii" and the repeated "cfg" in this pattern look like
# typos; confirm which extensions are actually intended before changing it.
[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file
CHECK_METHOD = modtime

[config_file]
# ^((?!))$ can never match (an empty negative lookahead always fails), so no
# line breaks are inserted and the whole file is one event, up to TRUNCATE bytes.
LINE_BREAKER = ^((?!))$
TRUNCATE = 1000000
SHOULD_LINEMERGE = false
# No timestamp is parsed out of config files; the time of indexing is used.
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false
LEARN_SOURCETYPE = false

#####################
## DHCP
#####################

[source::....dhcpd]
sourcetype = dhcpd

[dhcpd]
KV_MODE = none
SHOULD_LINEMERGE = false
# For Load Balancing on UF
EVENT_BREAKER_ENABLE = true
pulldown_type = true
category = Network & Security
description = DHCP Server system events
# One REPORT- per dhcpd message type; each names a stanza in transforms.conf.
REPORT-dhcp_discover_extract = dhcp_discover_extract
REPORT-dhcp_offer_extract = dhcp_offer_extract
REPORT-dhcp_request_extract = dhcp_request_extract
REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
REPORT-dhcp_decline_extract = dhcp_decline_extract
REPORT-dhcp_release_extract = dhcp_release_extract
REPORT-dhcp_inform_extract = dhcp_inform_extract
REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
REPORT-bind_update_fail_extract = bind_update_fail_extract
REPORT-dhcp_block_action = dhcp_block_action
REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
REPORT-dhcp_reuse_lease = dhcp_reuse_lease
# dest_ip: keep an already extracted dest_ip; otherwise use dest when it looks
# like an IPv6 or dotted-quad IPv4 literal; otherwise fall back to server_ip.
EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"^(:?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
# CIM action: NAK/DECLINE/RELEASE, or any event carrying a block_action, is
# "blocked"; every other dhcpd event is reported as "added".
EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
FIELDALIAS-signature = dhcp_type as signature
FIELDALIAS-src_nt_host = src_host as src_nt_host
FIELDALIAS-dest_nt_host = dest_host as dest_nt_host

#########################
## Scripted Metric Inputs
#########################
# Each *_metric sourcetype feeds a metrics index: eval_dimensions (transforms.conf)
# tags the dimensions and METRIC-SCHEMA-TRANSFORMS selects the metric fields.

[docker_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
KV_MODE = json
NO_BINARY_CHECK = true
TRUNCATE=1000000
TRANSFORMS-docker-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_docker

[vmstat_metric]
SHOULD_LINEMERGE=false
# Events are separated by blank lines (one script run per event).
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
# Script output carries no timestamp; use the time of indexing.
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat

[cpu_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-cpu-metric-dimensions=eval_dimensions
TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu

[df_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = TSV
TRANSFORMS-df-metrics=extract_df_metrics
TRANSFORMS-df-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df

[interfaces_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
# Numeric duplex codes from the script are mapped to words; any other value
# passes through unchanged.
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces

[iostat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
TRANSFORMS-iostat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat

[ps_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-ps-metric-dimensions=eval_dimensions
TRANSFORMS-ps-metric-field=extract_ps_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps

#########################
## Scripted Event Inputs
#########################
# Tabular script output is parsed with KV_MODE = multi (header row + data rows).
# The EVAL- fields below normalise the two column-name sets that the scripts
# may emit (short names such as us/sy/id/wa, or the long pct* names) into both
# legacy and CIM field names. Every EVAL reads the raw extracted fields rather
# than another EVAL's result, because calculated fields are not evaluated in
# sequence.

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
EVAL-CPU = coalesce(cpu,CPU)
EVAL-cpu = coalesce(cpu,CPU)
EVAL-cpu_instance = coalesce(cpu,CPU)
EVAL-pctIdle = coalesce(id,pctIdle)
EVAL-PercentIdleTime = coalesce(id,pctIdle)
# Load is derived as 100 minus idle, whichever idle column is present.
EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
# Nice time defaults to "0" when the script does not report it.
EVAL-pctNice = coalesce(pctNice,"0")
EVAL-PercentNiceTime = coalesce(pctNice,"0")
EVAL-pctUser = coalesce(us,pctUser)
EVAL-PercentUserTime = coalesce(us,pctUser)
EVAL-cpu_user_percent = coalesce(us,pctUser)
EVAL-pctSystem = coalesce(sy,pctSystem)
EVAL-PercentSystemTime = coalesce(sy,pctSystem)
EVAL-pctIowait = coalesce(wa,pctIowait)
EVAL-PercentWaitTime = coalesce(wa,pctIowait)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always

[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_df = host as dest
FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
FIELDALIAS-mount_for_df = MountedOn AS mount
# df prints different column headers per platform; each coalesce() picks
# whichever variant is present. Quoted names are needed because some headers
# start with a digit or contain characters that eval would otherwise parse.
EVAL-Type = coalesce('Type',"?")
EVAL-filesystem_type = coalesce('Type',"?")
EVAL-Size = coalesce('Size','1024_blocks')
EVAL-INodes = coalesce('INodes','Inodes')
EVAL-IUsePct = coalesce('IUsePct','IUse_')
EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
EVAL-Avail = coalesce('Avail', 'Available')
EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# Size / Avail / Used arrive as strings with a unit suffix (P, T, G, M, K, B,
# optionally followed by "i"). Each case() strips the suffix with rtrim() --
# whose second argument is a set of characters, so "Pi" removes trailing P and
# i -- and scales the number to megabytes. An unrecognised suffix yields the
# string "unknown" rather than a number.
EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
# Redundancy required here because calculated fields are not evaluated in sequence.
# rtrim(..., "%%") strips trailing percent signs (a character set, so "%%"
# behaves the same as "%").
EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)

## Legacy fields
# Note we don't eliminate one layer of indirection here by
# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
# which was previously used.
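# Legacy *MBytes fields repeat the storage / storage_free / storage_used
# conversions above (unit suffix stripped, value scaled to megabytes) because
# calculated fields cannot reference each other.
EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)

[hardware]
SHOULD_LINEMERGE=false
# Never-matching breakers: the whole script output is a single event.
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
# Each EXTRACT- regex must carry a named capture group; the group name is the
# field that is created (RealMemory, SwapMemory, Unit, cpu_cores, cpu_type).
EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P<RealMemory>[^\s]*)[ ]?
EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P<SwapMemory>[^\s]*)[ ]?
# Unit is read from the MEMORY_REAL line only; the swap conversion below
# assumes swap is reported in the same unit.
EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P<Unit>\w+)?
# match() is case-sensitive, hence both "kB" and "KB" etc. Values are scaled
# to megabytes; an unrecognised unit yields the string "unknown".
EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P<cpu_cores>[^ \n]*)?
EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P<cpu_type>[^\n]*)?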
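# cpu_freq is the number, cpu_freq_unit its suffix; [GM]Hz matches "GHz" or
# "MHz" (a "|" inside a character class would only add a literal pipe).
EXTRACT-cpu_freq = (?<cpu_freq>[^\s]+)(?<cpu_freq_unit>[GM]Hz)
# Normalised to MHz; any other unit leaves cpu_mhz unset.
EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
# mem duplicates RealMemoryMB (megabytes) because EVALs cannot reference each other.
EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)

[interfaces]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
# Every reported interface is marked enabled (string "true"); note that
# [Unix:UserAccounts] spells the same flag as "yes".
EVAL-enabled = "true"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# Prefer the IPv4 address, fall back to IPv6.
EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
FIELDALIAS-interface = Name as interface
FIELDALIAS-mac = MAC as mac

[iostat]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# coalesce command is used to normalizes field names with the same value and for backward compatibility
# Column names differ between iostat versions and platforms (e.g. r_s vs
# rReq_PS, await vs wsvc_t); "?" is the explicit "not reported" marker.
EVAL-mount = coalesce(Device, Device_, device, "?")
EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
# latency: when only per-direction waits are present, compute the ops-weighted
# average; the zero-ops guard avoids a division by zero.
EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
EVAL-Device = coalesce(Device, Device_, device, "?")
EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")

[source::...(nfsiostat)]
sourcetype = nfsiostat
HEADER_MODE = always
SHOULD_LINEMERGE = false

[nfsiostat]
DATETIME_CONFIG = CURRENT
KV_MODE = multi
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
FIELDALIAS-mount = Mount as mount
FIELDALIAS-read_latency = r_avg_exe as read_latency
FIELDALIAS-write_latency = w_avg_exe as write_latency
FIELDALIAS-read_ops = r_op_s as read_ops
FIELDALIAS-write_ops = w_op_s as write_ops
EVAL-total_ops = read_ops + write_ops
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)

[lastlog]
## Override system/default lastlog sourcetype invalidation
invalid_cause =
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi

[lsof]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi

[netstat]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# Address/port split: when the address contains no ":" (the last ":"-piece is
# the whole string) the port is the text after the last "." (Solaris style),
# otherwise the text after the last ":". src = foreign side, dest = local side.
# NOTE(review): match(..., "/.") tests for a slash followed by any character;
# if a literal dot was intended the pattern should be "\." -- confirm against
# the netstat output this was written for.
EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
FIELDALIAS-transport=Proto as transport
FIELDALIAS-state=State as state
# Aliases are applied before calculated fields, so this EVAL sees the aliased
# state value and normalises it to the CIM vocabulary.
EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
EVAL-vendor_product = "nix"

[bandwidth]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# Script reports kilobytes per second; CIM fields are in bytes.
EVAL-bytes=(rxKB_PS+txKB_PS)*1024
EVAL-bytes_in=rxKB_PS*1024
EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
EVAL-bytes_out=txKB_PS*1024
EVAL-packets=rxPackets_PS+txPackets_PS
FIELDALIAS-packets_in=rxPackets_PS as packets_in
FIELDALIAS-packets_out=txPackets_PS as packets_out

[openPorts]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
FIELDALIAS-dest_for_open_ports_sh = host AS dest
FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
EVAL-transport_dest_port = Proto + "/" + Port
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)

# extraction for sourcetype unix:listeningports
[Unix:ListeningPorts]
# Captures the hex digest after "file_hash=" into file_hash. The optional
# "(label) =" group presumably allows an algorithm label before the digest;
# the digest length is not checked, so the algorithm is not validated here.
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)

[package]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$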
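EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi

[protocol]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always

[ps]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# ps column names vary (CPU vs pctCPU, RSS vs RSZ_KB, ...); each coalesce()
# takes whichever is present and publishes it under legacy and CIM names.
EVAL-pctCPU = coalesce(CPU, pctCPU)
EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
FIELDALIAS-dest_for_ps = host as dest
FIELDALIAS-src_for_ps = host as src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
EVAL-pctMEM = coalesce(MEM, pctMEM)
EVAL-PercentMemory = coalesce(MEM, pctMEM)
EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
EVAL-rss = coalesce(RSS, RSZ_KB)
# Resident set size is reported in KB; CIM fields are bytes.
EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
EVAL-vsz = coalesce(VSZ, VSZ_KB)
EVAL-TTY = coalesce(TTY, TT)
EVAL-tty = coalesce(TTY, TT)
EVAL-S = coalesce(S, STAT)
EVAL-stat = coalesce(S, STAT)
FIELDALIAS-user_for_ps = USER AS user
# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
# NOTE(review): the eval below joins COMMAND and ARGS with a space, not an
# underscore; the comment above may describe the script's own output rather
# than this field -- confirm.
EVAL-app = if(ARGS!="", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="", COMMAND." ".ARGS,COMMAND)
# Strip the [] and () that ps wraps around kernel threads / defunct entries.
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
EVAL-CPUTIME = coalesce(TIME, CPUTIME)
# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
# Incorporating CIM review changes
# Every listed process is reported with the static action "allowed"; this is a
# CIM placeholder, not an observed decision.
EVAL-action = "allowed"
EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")

[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT

[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always

[usersWithLoginPrivs]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi

[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi

[docker]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
KV_MODE = json
FIELDALIAS-dest_for_docker = host as dest
FIELDALIAS-src_for_docker = host as src

[vmstat]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
FIELDALIAS-dest_for_vmstat = host as dest
# Memory figures from the script are in megabytes.
EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
FIELDALIAS-system_threads_count = threads as system_threads_count
FIELDALIAS-src_for_vmstat = host as src
FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
FIELDALIAS-swap_percent = swapUsedPct as swap_percent
## Legacy fields
FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
# MB -> bytes: 1024*1024 = 1048576 (the previous constant 1048756 was a typo
# that inflated UsedBytes by 180 bytes per MB).
EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048576
FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
## Memory paging per second fields
FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out

[Unix:UserAccounts]
EVAL-description = "/etc/passwd file"
# Spelled "yes" here but "true" in [interfaces]; consumers comparing the
# enabled flag across sourcetypes need to accept both.
EVAL-enabled = "yes"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-dest = host as dest

#####################
## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# TA-unix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.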
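###### Global ######
# Disabled eventgen host-forcing transforms, kept for reference.
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen

## support for linux only
[Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"

[linux_audit]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
# The event time is the epoch value inside "audit(<epoch>:<serial>)".
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD=23
# Records up to ten years old keep their original timestamp instead of being
# rejected, so replayed or backfilled audit logs land at their true time.
MAX_DAYS_AGO=3650
REPORT-command = command_for_linux_audit
# Only res=="failed" is rewritten to "failure"; every other res value
# (e.g. "success") is passed through unchanged.
EVAL-status = if('res'=="failed","failure",'res')
FIELDALIAS-object = id as object
FIELDALIAS-dvc = hostname as dvc
FIELDALIAS-dest = hostname as dest
FIELDALIAS-object_id = id as object_id
EVAL-op = if(op=="PAM:authentication", res, op)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# action and object_category come from the lookup keyed on op.
LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
EVAL-app = "nix"
EVAL-change_type = "AAA"
# Account-management record types carry the subject in different fields:
# user-type records use id, group-type records use grp/uid, USER_AUTH uses
# acct. The case() chains below pick the right one per type.
EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
# uid 0 on account/auth records is reported as "root" for src_user.
EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')

[source::...Unix:Service]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
# systemd output reports UNIT; older init-style output reports app.
EVAL-service = coalesce(UNIT, app)
EVAL-service_name = coalesce(UNIT, app)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
# Services with no StartMode from the lookup default to "Auto".
EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
FIELDALIAS-status_for_solaris_service = State as status
FIELDALIAS-dest = host as dest

# extraction for sourcetype Unix:Service
[Unix:Service]
# Captures the hex digest after "file_hash=" into file_hash (optional
# "(label) =" before the digest); digest length is not validated.
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
# Incorporating CIM review changes
# systemd ACTIVE states mapped to CIM status; transitional states count as
# "stopped", "failed" as "critical", anything else leaves status unset.
EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")

## no windows application at this time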
[source::*:SSHDConfig] EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null()) ###### Update ###### [source::...Unix:Update] EVENT_BREAKER_ENABLE = true FIELDALIAS-signature_for_update = package as signature LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status ###### Uptime ###### [source::...Unix:Uptime] FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime FIELDALIAS-dest = host as dest ###### Version ###### [source::...Unix:Version] SHOULD_LINEMERGE = false FIELDALIAS-family_for_nix_version = os_name as family LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range FIELDALIAS-version_for_nix_version = os_release as version FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null()) EVAL-vendor_product = if(isnotnull(os_name),os_name,null()) FIELDALIAS-dest_for_nix_version = host as dest ###### VSFTPD Config ###### ## no windows application at this time [source::*:VSFTPDConfig] EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead." ##################### ## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps ##################### ##################### ## System Logs ##################### ###### Global ###### [source::....nix] sourcetype = linux_secure [source::/etc/passwd*] sourcetype = ignored_type [source::/etc/shadow*] sourcetype = ignored_type ## Custom Sourcetype #[source::....] 
#sourcetype =
#[]
### Event extractions by type
#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
#EVAL-action = if(app="su" AND isnull(action),"success",action)
#REPORT-account_management_for_your_sourcetype = useradd, userdel
#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
#REPORT-routing_for_your_sourcetype = iptables
#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
#REPORT-dest_for_your_sourcetype = host_as_dest
#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
#REPORT-pid-process_for_your_sourcetype = syslog-extractions
#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src

###### AIX Sourcetype ######
[source::....aix_secure]
sourcetype = aix_secure

[aix_secure]
EVENT_BREAKER_ENABLE = true
# Authentication extractions (transforms.conf stanza names), applied in list order.
REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
# su events that carry no explicit outcome are treated as successful.
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_aix_secure = loghost_as_dest
FIELDALIAS-dvc = dest as dvc
# NOTE(review): the class name says osx_secure but the stanza is aix_secure — looks like a
# copy-paste carry-over. Behaviour is unaffected; only the setting name is misleading.
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src

###### OSX Security ######
[source::....osx_secure]
sourcetype = osx_secure

[osx_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_osx_secure = host_as_dest
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src

###### Linux Security ######
[source::....linux_secure]
sourcetype = linux_secure

[linux_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
# Every branch returns the existing value of app, so for a single-valued field this is a
# pass-through; presumably a placeholder for future app-name normalisation.
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
# Presence of inbound_interface is what identifies a firewall event.
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# For account-management commands the CIM object is the affected user.
EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
FIELDALIAS-dvc = dest as dvc
# When only a numeric src_user_id is available, uid 0 becomes "root" and any other uid is used verbatim.
EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
FIELDALIAS-user_name = user as user_name
EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')

###### Syslog ######
[source::....syslog]
sourcetype = syslog

[syslog]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
REPORT-dest_for_syslog = host_as_dest
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
FIELDALIAS-dvc = dest as dvc
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)

###### bash history ######
[bash_history]
# Value kept as written; Splunk reads booleans case-insensitively, but the rest of this
# file spells it "false".
SHOULD_LINEMERGE = FALSE
EVENT_BREAKER_ENABLE = true
# Bash history has no timestamps, so _time is the ingest time, not when the command ran.
# Keep that in mind when building timelines from this sourcetype.
DATETIME_CONFIG = CURRENT
REPORT-bhist = bash_user,bash_user_root
# bash_command is the raw shell input; treat it as sensitive when exposing it in
# dashboards or alerts, since command lines frequently embed credentials.
FIELDALIAS-bhist = _raw AS bash_command
FIELDALIAS-dest_for_history = host as dest

###### auditd ######
[auditd]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
# Timestamp is the epoch inside "audit(<epoch>.<ms>:<serial>)"; lookahead covers that token.
TIME_PREFIX = audit\(
MAX_TIMESTAMP_LOOKAHEAD = 23
# Accepts timestamps up to ~10 years old, so backfilled or forensic imports keep their original time.
MAX_DAYS_AGO = 3650