## ## SPDX-FileCopyrightText: 2024 Splunk, Inc. ## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 ## ## ###### Globals ###### ## Lookups [nix_action_lookup] filename = nix_vendor_actions.csv case_sensitive_match = false ## Aliases [host_as_dest] SOURCE_KEY = host REGEX = (.+) FORMAT = dest::"$1" [host_as_src] SOURCE_KEY = host REGEX = (.+) FORMAT = src::"$1" [src_dns_as_src] SOURCE_KEY = src_dns REGEX = (.+) FORMAT = src::"$1" [src_ip_as_src] SOURCE_KEY = src_ip REGEX = (.+) FORMAT = src::"$1" [dest_nt_host_as_dest] SOURCE_KEY = dest_nt_host REGEX = (.+) FORMAT = dest::"$1" [dest_mac_as_dest] SOURCE_KEY = dest_mac REGEX = (.+) FORMAT = dest::"$1" [dest_ip_as_dest] SOURCE_KEY = dest_ip REGEX = (.+) FORMAT = dest::"$1" ###### DHCP ###### [dhcp_prefix_dest] #when dhcp server is the dest, extract the dest and process fields #format as below (fields are within the angle brackets): # [process_id]|: REGEX=\s+(?\S+)\s+(?:(?[^\s\[\]]+)\[(?[^\]\s]+)\]|(?[^\s\[\]]+)):\s+ [dhcp_prefix_src] #when dhcp server is the src, extract the src and process fields #format as below (fields are within the angle brackets): # [process_id]|: REGEX=\s+(?\S+)\s+(?:(?[^\s\[\]]+)\[(?[^\]\s]+)\]|(?[^\s\[\]]+)):\s+ [dhcp_mac_hostname_for_dest] #extract mac address and hostname for dest #format as below (fields are within the angle brackets): # () #Note: dest_host may not exist REGEX=\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)? [dhcp_mac_hostname_for_src] #extract mac address and hostname for src #format as below (fields are within the angle brackets): # () #Note: src_host may not exist REGEX=\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)? [dhcp_relay] #extract relay field REGEX = (?[^\s:\\]+) [dhcp_block_action] #extract blocked actions REGEX = (?(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map)) [dhcp_discover_extract] # for event of DHCPDISCOVER, format as below (fields are within the angle brackets): # : DHCPDISCOVER from () via # Note: src_host may not exist REGEX=[[dhcp_prefix_dest]](?DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]] [dhcp_offer_extract] # for event of DHCPOFFER, format as below (fields are within the angle brackets): # : DHCPOFFER on to () via # Note: dest_host may not exist REGEX=[[dhcp_prefix_src]](?DHCPOFFER)\s+on\s+(?\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]] [dhcp_request_extract] # for event of DHCPREQUEST, format as below (fields are within the angle brackets): # : DHCPREQUEST for () from () via uid # Note: server_ip, src_host, uuid may not exist REGEX=[[dhcp_prefix_dest]](?DHCPREQUEST)\s+for\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?[^\s]+))? [dhcp_ack_nak_extract_0] # for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets): # : DHCPACK|DHCPNAK on to () via () relay lease-duration uid # Note: dest_host, relay_ip, lease_duration, uuid may not exist REGEX=[[dhcp_prefix_src]](?DHCPACK|DHCPNAK)\s+on\s+(?\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?\S+)\s+lease-duration\s+(?\S+)\s+.*uid\s+(?\S+))? [dhcp_ack_nak_extract_1] # for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets): # : DHCPACK|DHCPNAK to () via REGEX=[[dhcp_prefix_src]](?DHCPACK|DHCPNAK)\s+to\s+(?\S+)\s+\((?[^)]+)\)\s+via\s+[[dhcp_relay]] [dhcp_decline_extract] # for event of DHCPDECLINE, format as below (fields are within the angle brackets): # : DHCPDECLINE of from () via # Note: src_host may not exist REGEX=[[dhcp_prefix_dest]](?DHCPDECLINE)\s+of\s+(?\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]] [dhcp_release_extract] # for event of DHCPRELEASE, format as below (fields are within the angle brackets): # : DHCPRELEASE of from () via # Note: src_host may not exist REGEX=[[dhcp_prefix_src]](?DHCPRELEASE)\s+of\s+(?\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]] [dhcp_inform_extract] # for event of DHCPINFORM, format as below (fields are within the angle brackets): # : DHCPINFORM from via REGEX=[[dhcp_prefix_dest]](?DHCPINFORM)\s+from\s+(?\S+)\s+via\s+[[dhcp_relay]] [dhcp_unable_to_add_forward_map_extract] # for event of unable to add forward map, format as below (fields are within the angle brackets): # : Unable to add forward map from to REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?\S+)\s+to\s+(?[^\s:]+) [dhcp_add_new_forward_map_extract] # for event of add new forward map, format as below (fields are within the angle brackets): # : Added new forward map from to REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?\S+)\s+to\s+(?[^\s:]+) [dhcp_added_reverse_map_extract] # for event of add reverse map, format as below (fields are within the angle brackets): # : [aA]dded reverse map from to REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?\S+)\s+to\s+(?\S+) [dhcp_abandon_ip_extract] # for event of Abandon IP address, format as below (fields are within the angle brackets): # : Abandoning IP address REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?[^\s:]+) [dhcp_lease_duplicate_extract] # for event of lease duplicate, format as below (fields are within the angle brackets): # : uid lease for client is duplicate on REGEX=\s+(?\S+)\s+(?[^\s:]+):\s+uid\s+lease\s+(?\S+)\s+for\s+client\s+(?\S+)\s+is\s+duplicate\s+on\s+(?\S+)/ [bind_update_fail_extract] # for event of bind update reject, format as below (fields are within the angle brackets): # : bind update on from rejected REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?\S+)\s+from\s+(?\S+)\s+rejected.* [dhcp_icmp_echo_reply] REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?\S+) [dhcp_reuse_lease] REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?[^$]+) ###### Scripted Metric Inputs ###### [eval_dimensions] # Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address) [extract_df_metrics] INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?") [metric-schema:extract_metrics_interfaces] METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address # added extract_iostat_metrics_field for backward compatibility [extract_iostat_metrics_field] INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null()) [extract_ps_metric_field] INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB) [extract_cpu_metric_field] INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU) [metric-schema:extract_metrics_iostat] METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address METRIC-SCHEMA-BLACKLIST-DIMS= OSName [metric-schema:extract_metrics_vmstat] METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS METRIC-SCHEMA-BLACKLIST-DIMS= OSName [metric-schema:extract_metrics_df] METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address [metric-schema:extract_metrics_cpu] METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU METRIC-SCHEMA-BLACKLIST-DIMS= OSName [metric-schema:extract_metrics_ps] METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address ###### Scripted Event Inputs ###### [vmstat_osx] REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.) FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6 #procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu---- # r b swpd free inact active si so bi bo in cs us sy id wa # 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0 [vmstat_linux] REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+) FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16 #memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS # 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0 [fields_for_vmstat_sh] REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+) FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18" ###### System Logs ###### # General [loghost_as_dest] REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]* FORMAT = dest::$1 ## Account Management [useradd] REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))? FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6 [userdel] REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+). FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success" [userdel-grp] REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\' FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4 [groupdel] REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)? FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3 [groupadd] REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))? FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success" [groupadd-suse] REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))? FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4 ## password change [pam-passwd-ok] REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+) FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2 [passwd-change-fail] REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))? FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4 [command_for_linux_audit] REGEX = exe=.*\/(\S+)\" FORMAT = command::$1 ## Authentication # Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2 # Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2 [ssh-login-accepted] REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5 # Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX # Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2 [ssh-login-failed] REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5 # Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX [ssh-invalid-user] REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))? FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5 # Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX # Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com [failed_login1] REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+) FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login" # Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0) # Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark # Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX [ssh-session-close] REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?: by \(uid=(\d+)\))?(?: by ((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))? FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4 # Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye [ssh-disconnect] REGEX = (Received disconnect) from ([^\s]+): FORMAT = name::$1 src_ip::$2 [sshd_authentication_kerberos_success] REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+) FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4" [sshd_authentication_refused] REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+) FORMAT = app::$1 vendor_action::"$2" user::"$3" [sshd_authentication_tried] REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))? FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5" [sshd_login_restricted] REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+) FORMAT = app::$1 vendor_action::"$2" user::"$3" [pam_unix_authentication_failure] REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)? FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2 [pam_unix_authentication_success] REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))? FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6 [passwd-auth-failure] REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure) FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure" [sudo_cannot_identify] REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+) FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password" [remote_login_allowed] REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+) FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed" [remote_login_failure] REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+) FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed" [failed-su] REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+) FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other" [bad-su] REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+) FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid" [bad-su2] REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+) FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU" [ksu_authentication] REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+) FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4 [ksu_authorization] REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful) FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4 [login_authentication] REGEX = (login)\:.*(failure).*from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\,\s+(\S+))? FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure" [su_simple] REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+) FORMAT = app::"nix" src_user::$1 user::$2 action::"success" [su_authentication] REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+) FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3 [su_successful] REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+) FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3 [wksh_authentication] REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+) FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4 [ftpd_authentication] REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))\]\,\s+(.*) FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5" ## Firewall [ipfw] REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? (in|out) via ([^\s]+) FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9 [ipfw-stealth] REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? from \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6 [ipfw-icmp] #REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s* REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP|ICMPv6):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*) FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8 [pf] REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)? [<>] \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)?: (?:.*) FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8 ## Routing # Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0 [iptables] REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) DST=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)).*PROTO=(\w+) SPT=(\w+) DPT=(\w+) FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8 ## bash [bash_user] SOURCE_KEY=source REGEX=^\/home\/([^\/]+)\/ FORMAT=user_name::$1 [bash_user_root] SOURCE_KEY=source REGEX=^\/(root)\/ FORMAT=user_name::$1 ## Time synchronization [signature_for_nix_timesync] REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable)) FORMAT = signature::$1 ###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ###### # Stanzas in this section are legacy configuration stanzas # intended to support parsing of data created by scripts in # TA-deploymentapps, which has since been retired. Systems that use # TA-unix on the search head but which may be searching data # from forwarders on which the older scripts are still in use should # be able to search new and old data seamlessly. ###### Scripted Inputs ###### ## Global ## [force_host_for_linux_eventgen] DEST_KEY = MetaData:Host REGEX = . FORMAT = host::ACME-001 [force_host_for_osx_eventgen] DEST_KEY = MetaData:Host REGEX = . FORMAT = host::ACME-002 [force_host_for_solaris_eventgen] DEST_KEY = MetaData:Host REGEX = . FORMAT = host::ACME-003 [force_host_for_unix_eventgen] DEST_KEY = MetaData:Host REGEX = . FORMAT = host::ACME-004 ## Service [nix_linux_service_startmode_lookup] filename = nix_linux_service_startmodes.csv ## Update [nix_da_update_status_lookup] filename = nix_da_update_status.csv [Description_for_installedupdates] REGEX = ^Description=([^\r\n]+) FORMAT = Description::$1 ## Version [nix_da_version_range_lookup] filename = nix_da_version_ranges.csv [nix_linux_audit_action_lookup] filename = nix_linux_audit_action_object_category.csv [force_host_for_linux_cpu] DEST_KEY=MetaData:Host REGEX=^\S+\s+\S+\s+\S+\s+(\S+) FORMAT=host::$1 [force_host_for_linux_memory] DEST_KEY=MetaData:Host REGEX=^\S+\s+\S+\s+\S+\s+(\S+) FORMAT=host::$1 [force_host_for_linux_io] DEST_KEY=MetaData:Host REGEX=^\S+\s+\S+\s+\S+\s+(\S+) FORMAT=host::$1 [force_host_for_linux_disk] DEST_KEY=MetaData:Host REGEX=^\S+\s+\S+\s+\S+\s+(\S+) FORMAT=host::$1 ###### END CONTENT IMPORTED FROM TA-deploymentapps ######