mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 15 Packages Wiki Activity Actions
TA-unix/default/transforms.conf
Michael Erdely 5551b8973d
Add script for docker events/metrics and support running TA outside of Splunk 
* Add docker.sh and docker_metric.sh for collecting docker events/metrics
* Add helper script to extra/ to run the TA commands on systems without
  a Splunk forwarder. The commands can be sent to a syslog server.
  This script is useful for systems with small or read-only filesystems that
  cannot support a Universal Forwarder.
* Add syslog_inputs_nix_ta app to extra/ for ingesting the data from syslog
2025-01-11 23:28:44 -05:00

538 lines
25 KiB
Text
Raw Blame History

##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
## Lookups
[nix_action_lookup]
filename = nix_vendor_actions.csv
case_sensitive_match = false
## Aliases
[host_as_dest]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = dest::"$1"
[host_as_src]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = src::"$1"
[src_dns_as_src]
SOURCE_KEY = src_dns
REGEX = (.+)
FORMAT = src::"$1"
[src_ip_as_src]
SOURCE_KEY = src_ip
REGEX = (.+)
FORMAT = src::"$1"
[dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
[dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
[dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
###### DHCP ######
[dhcp_prefix_dest]
#when dhcp server is the dest, extract the dest and process fields
#format as below (fields are within the angle brackets):
#<dest> <dest_host>[process_id]|<process>:
REGEX=\s+(?<dest>\S+)\s+(?:(?<dest_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_prefix_src]
#when dhcp server is the src, extract the src and process fields
#format as below (fields are within the angle brackets):
#<src> <src_host>[process_id]|<process>:
REGEX=\s+(?<src>\S+)\s+(?:(?<src_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_mac_hostname_for_dest]
#extract mac address and hostname for dest
#format as below (fields are within the angle brackets):
#<dest_mac> (<dest_host>)
#Note: dest_host may not exist
REGEX=\s+(?<dest_mac>\S+)\s+(?:\((?<dest_host>[^)]+)\)\s+)?
[dhcp_mac_hostname_for_src]
#extract mac address and hostname for src
#format as below (fields are within the angle brackets):
#<src_mac> (<src_host>)
#Note: src_host may not exist
REGEX=\s+(?<mac_address>\S+)\s+(?:\((?<src_host>[^)]+)\)\s+)?
[dhcp_relay]
#extract relay field
REGEX = (?<relay>[^\s:\\]+)
[dhcp_block_action]
#extract blocked actions
REGEX = (?<block_action>(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map))
[dhcp_discover_extract]
# for event of DHCPDISCOVER, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDISCOVER from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_offer_extract]
# for event of DHCPOFFER, format as below (fields are within the angle brackets):
# <src> <process>: DHCPOFFER on <dest_ip> to <dest_mac> (<dest_host>) via <relay>
# Note: dest_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPOFFER)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_request_extract]
# for event of DHCPREQUEST, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPREQUEST for <src> (<server_ip>) from <src_mac> (<src_host>) via <relay> uid <uuid>
# Note: server_ip, src_host, uuid may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPREQUEST)\s+for\s+(?<src>\S+)\s+(?:\((?<server_ip>[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?<uuid>[^\s]+))?
[dhcp_ack_nak_extract_0]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK on <dest_ip> to <dest_mac> (<dest_host>) via (<relay>) relay <relay_ip> lease-duration <lease_duration> uid <uuid>
# Note: dest_host, relay_ip, lease_duration, uuid may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?<relay_ip>\S+)\s+lease-duration\s+(?<lease_duration>\S+)\s+.*uid\s+(?<uuid>\S+))?
[dhcp_ack_nak_extract_1]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK to <dest_ip> (<dest_mac>) via <relay>
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+to\s+(?<dest_ip>\S+)\s+\((?<dest_mac>[^)]+)\)\s+via\s+[[dhcp_relay]]
[dhcp_decline_extract]
# for event of DHCPDECLINE, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDECLINE of <src> from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDECLINE)\s+of\s+(?<src>\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_release_extract]
# for event of DHCPRELEASE, format as below (fields are within the angle brackets):
# <src> <process>: DHCPRELEASE of <dest> from <dest_mac> (<dest_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPRELEASE)\s+of\s+(?<dest>\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_inform_extract]
# for event of DHCPINFORM, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPINFORM from <src> via <relay>
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPINFORM)\s+from\s+(?<src>\S+)\s+via\s+[[dhcp_relay]]
[dhcp_unable_to_add_forward_map_extract]
# for event of unable to add forward map, format as below (fields are within the angle brackets):
# <src> <process>: Unable to add forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_add_new_forward_map_extract]
# for event of add new forward map, format as below (fields are within the angle brackets):
# <src> <process>: Added new forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_added_reverse_map_extract]
# for event of add reverse map, format as below (fields are within the angle brackets):
# <dest> <process>: [aA]dded reverse map from <src_ptr> to <src>
REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?<src_ptr>\S+)\s+to\s+(?<src>\S+)
[dhcp_abandon_ip_extract]
# for event of Abandon IP address, format as below (fields are within the angle brackets):
# <src> <process>: Abandoning IP address <dest_ip>
REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?<dest_ip>[^\s:]+)
[dhcp_lease_duplicate_extract]
# for event of lease duplicate, format as below (fields are within the angle brackets):
# <server> <process>: uid lease <dest_ip> for client <dest_mac> is duplicate on <src>
REGEX=\s+(?<server>\S+)\s+(?<server_process>[^\s:]+):\s+uid\s+lease\s+(?<dest_ip>\S+)\s+for\s+client\s+(?<dest_mac>\S+)\s+is\s+duplicate\s+on\s+(?<src>\S+)/
[bind_update_fail_extract]
# for event of bind update reject, format as below (fields are within the angle brackets):
# <dest> <process>: bind update on <src> from <failover_peer> rejected
REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?<src>\S+)\s+from\s+(?<failover_peer>\S+)\s+rejected.*
[dhcp_icmp_echo_reply]
REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?<dest>\S+)
[dhcp_reuse_lease]
REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?<dest>[^$]+)
###### Scripted Metric Inputs ######
[eval_dimensions]
# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
#[extract_docker_metrics]
#INGEST_EVAL= CPUPct=CPUPct,MemUsage=MemUsage,MemTotal=MemTotal,MemPct=MemPct,NetRX=NetRX,RXps=RXps,NetTX=NetTX,TXps=TXps,BlockRead=BlockRead,BRps=BRps,BlockWrite=BlockWrite,BWps=BWps,Pids=Pids
[extract_df_metrics]
INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
[metric-schema:extract_metrics_interfaces]
METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped
METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address
# added extract_iostat_metrics_field for backward compatibility
[extract_iostat_metrics_field]
INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null())
[extract_ps_metric_field]
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
[metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_vmstat]
METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_docker]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_version
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_df]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
[metric-schema:extract_metrics_cpu]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_ps]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
###### Scripted Event Inputs ######
[vmstat_osx]
REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.)
FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6
#procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
# r b swpd free inact active si so bi bo in cs us sy id wa
# 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0
[vmstat_linux]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16
#memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
# 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0
[fields_for_vmstat_sh]
REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18"
###### System Logs ######
# General
[loghost_as_dest]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]*
FORMAT = dest::$1
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6
[userdel]
REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+).
FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success"
[userdel-grp]
REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\'
FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4
[groupdel]
REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)?
FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3
[groupadd]
REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success"
[groupadd-suse]
REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))?
FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4
## password change
[pam-passwd-ok]
REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+)
FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2
[passwd-change-fail]
REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))?
FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4
[command_for_linux_audit]
REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1
## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
[ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player from XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
# Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX
# Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com
[failed_login1]
REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+)
FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login"
# Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0)
# Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark
# Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX
[ssh-session-close]
REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^\s\(]+))?(?: by \(uid=(\d+)\))?(?: by ((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
[ssh-disconnect]
REGEX = (Received disconnect) from ([^\s]+):
FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4"
[sshd_authentication_refused]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[sshd_authentication_tried]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)))?
FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5"
[sshd_login_restricted]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[pam_unix_authentication_failure]
REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)?
FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
[pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s\(]+)(?:\(uid=(\d+)\))?\s+by\s+([^\s\(]+)(?:\(uid=(\d+)\))?
FORMAT = app::"$1" vendor_action::"$2" user::$3 user_id::$4 src_user::$5 action::"success" src_user_id::$6
[passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
[sudo_cannot_identify]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+)
FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password"
[remote_login_allowed]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed"
[remote_login_failure]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed"
[failed-su]
REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+)
FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other"
[bad-su]
REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid"
[bad-su2]
REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU"
[ksu_authentication]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+)
FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4
[ksu_authorization]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful)
FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4
[login_authentication]
REGEX = (login)\:.*(failure).*from\s+((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:\,\s+(\S+))?
FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure"
[su_simple]
REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+)
FORMAT = app::"nix" src_user::$1 user::$2 action::"success"
[su_authentication]
REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+)
FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3
[su_successful]
REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+)
FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3
[wksh_authentication]
REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+)
FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4
[ftpd_authentication]
REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[((?::?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))\]\,\s+(.*)
FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5"
## Firewall
[ipfw]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? (in|out) via ([^\s]+)
FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9
[ipfw-stealth]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)? from \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)|(?:[^:]+))(?:[:\]]+)?(\d+)?
FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6
[ipfw-icmp]
#REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s*
REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP|ICMPv6):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*)
FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8
[pf]
REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)? [<>] \[?((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+))(?:[:\]]+)?(\d+)?: (?:.*)
FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8
## Routing
# Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
[iptables]
REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)) DST=((?:[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|(?:[\d+\.]+)).*PROTO=(\w+) SPT=(\w+) DPT=(\w+)
FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8
## bash
[bash_user]
SOURCE_KEY=source
REGEX=^\/home\/([^\/]+)\/
FORMAT=user_name::$1
[bash_user_root]
SOURCE_KEY=source
REGEX=^\/(root)\/
FORMAT=user_name::$1
## Time synchronization
[signature_for_nix_timesync]
REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable))
FORMAT = signature::$1
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# TA-unix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service
[nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv
## Update
[nix_da_update_status_lookup]
filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version
[nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ######
Reference in a new issue View git blame Copy permalink