mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 15 Packages Wiki Activity Actions
TA-unix/bin/rlog.sh
Michael Erdely 07122cafad
Use ip command to determine IP address ('hostname -I' does not work on all Linux systems) 
Filter out multiple listing of the same btrfs volume
Use mktemp for temp files (for times when the TA may be run outside of Splunk)
If running rlog.sh outside of Splunk, use $HOME to store seek file
Debian also uses apt
Arch Linux uses pacman
Add use of sudo -n for 'apt update' and 'pacman -Syy'
vmstat uses "K paged out"
Replace the use of 'sar' with netstat and vm_stat for MacOS
2025-01-08 18:21:51 -05:00

67 lines
2.9 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# credit for improvement to http://splunk-base.splunk.com/answers/41391/rlogsh-using-too-much-cpu
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ -n "$SPLUNK_DB" ]; then
OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
else
# handle the case where this is not being run by the Splunk user from Splunk
OLD_SEEK_FILE=$HOME/.splunk_unix_audit_seekfile # For handling upgrade scenarios
SEEK_FILE=$HOME/.splunk_unix_audit_seektime
fi
CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out "no matches" error from stderr
AUDIT_FILE="/var/log/audit/audit.log*"
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand service
assertHaveCommandGivenPath /sbin/ausearch
if [ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ] ; then
CURRENT_TIME=$(date --date="1 seconds ago" "+%x %T") # 1 second ago to avoid data loss
if [ -e "$SEEK_FILE" ] ; then
SEEK_TIME=$(head -1 "$SEEK_FILE")
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -ts $SEEK_TIME -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" < $TMP_ERROR_FILTER_FILE 1>&2
elif [ -e "$OLD_SEEK_FILE" ] ; then
rm -rf "$OLD_SEEK_FILE" # remove previous checkpoint
# start ingesting from the first entry of current audit file
# shellcheck disable=SC2086
awk ' { print } ' $CURRENT_AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
else
# no checkpoint found
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
fi
echo "$CURRENT_TIME" > "$SEEK_FILE" # Checkpoint+
else # Added this condition to get error logs
echo "error occured while running 'service auditd status' command in rlog.sh script. Output : $(service auditd status). Command exited with exit code $?" 1>&2
fi
# remove temporary error redirection file if it exists
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
elif [ "$KERNEL" = "SunOS" ] ; then
:
elif [ "$KERNEL" = "Darwin" ] ; then
:
elif [ "$KERNEL" = "HP-UX" ] ; then
:
elif [ "$KERNEL" = "FreeBSD" ] ; then
:
fi
Reference in a new issue View git blame Copy permalink