Michael Erdely
7b0b703510
Replace all references to Splunk Add-on with Technical Add-on Replace URLs Remove splunkbase stuff Add copyright
788 lines
35 KiB
Text
788 lines
35 KiB
Text
##
|
|
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
##
|
|
##
|
|
|
|
#####################
|
|
## Configuration Logs
|
|
#####################
|
|
[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
|
|
sourcetype = config_file
|
|
CHECK_METHOD = modtime
|
|
|
|
[config_file]
|
|
LINE_BREAKER = ^((?!))$
|
|
TRUNCATE = 1000000
|
|
SHOULD_LINEMERGE = false
|
|
DATETIME_CONFIG = NONE
|
|
CHECK_METHOD = modtime
|
|
KV_MODE = none
|
|
pulldown_type = true
|
|
SEGMENTATION-all = whitespace-only
|
|
SEGMENTATION-inner = whitespace-only
|
|
SEGMENTATION-outer = whitespace-only
|
|
SEGMENTATION-standard = whitespace-only
|
|
LEARN_MODEL = false
|
|
LEARN_SOURCETYPE = false
|
|
|
|
|
|
#####################
|
|
## DHCP
|
|
#####################
|
|
[source::....dhcpd]
|
|
sourcetype = dhcpd
|
|
|
|
[dhcpd]
|
|
KV_MODE = none
|
|
SHOULD_LINEMERGE = false
|
|
# For Load Balancing on UF
|
|
EVENT_BREAKER_ENABLE = true
|
|
pulldown_type = true
|
|
category = Network & Security
|
|
description = DHCP Server system events
|
|
|
|
REPORT-dhcp_discover_extract = dhcp_discover_extract
|
|
|
|
REPORT-dhcp_offer_extract = dhcp_offer_extract
|
|
|
|
REPORT-dhcp_request_extract = dhcp_request_extract
|
|
|
|
REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
|
|
|
|
REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
|
|
|
|
REPORT-dhcp_decline_extract = dhcp_decline_extract
|
|
|
|
REPORT-dhcp_release_extract = dhcp_release_extract
|
|
|
|
REPORT-dhcp_inform_extract = dhcp_inform_extract
|
|
|
|
REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
|
|
|
|
REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
|
|
|
|
REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
|
|
|
|
REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
|
|
|
|
REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
|
|
|
|
REPORT-bind_update_fail_extract = bind_update_fail_extract
|
|
|
|
REPORT-dhcp_block_action = dhcp_block_action
|
|
|
|
REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
|
|
|
|
REPORT-dhcp_reuse_lease = dhcp_reuse_lease
|
|
|
|
EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"^(:?[0-9a-fA-F:]{0,4}:[0-9a-fA-F:]*[.\d]*)|^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
|
|
|
|
EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
|
|
|
|
FIELDALIAS-signature = dhcp_type as signature
|
|
|
|
FIELDALIAS-src_nt_host = src_host as src_nt_host
|
|
|
|
FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
|
|
|
|
|
|
#########################
|
|
## Scripted Metric Inputs
|
|
#########################
|
|
|
|
[vmstat_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = CSV
|
|
FIELD_DELIMITER=whitespace
|
|
TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
|
|
|
|
[cpu_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = CSV
|
|
FIELD_DELIMITER=whitespace
|
|
TRANSFORMS-cpu-metric-dimensions=eval_dimensions
|
|
TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu
|
|
|
|
[df_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = TSV
|
|
TRANSFORMS-df-metrics=extract_df_metrics
|
|
TRANSFORMS-df-metric-dimensions=eval_dimensions
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df
|
|
|
|
[interfaces_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = CSV
|
|
FIELD_DELIMITER=whitespace
|
|
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
|
|
TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces
|
|
|
|
[iostat_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = CSV
|
|
FIELD_DELIMITER=whitespace
|
|
TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
|
|
TRANSFORMS-iostat-metric-dimensions=eval_dimensions
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat
|
|
|
|
[ps_metric]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = none
|
|
INDEXED_EXTRACTIONS = CSV
|
|
FIELD_DELIMITER=whitespace
|
|
TRANSFORMS-ps-metric-dimensions=eval_dimensions
|
|
TRANSFORMS-ps-metric-field=extract_ps_metric_field
|
|
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
|
|
|
|
#########################
|
|
## Scripted Event Inputs
|
|
#########################
|
|
[cpu]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
FIELDALIAS-dest_for_cpu = host as dest
|
|
FIELDALIAS-src_for_cpu = host as src
|
|
|
|
EVAL-CPU = coalesce(cpu,CPU)
|
|
EVAL-cpu = coalesce(cpu,CPU)
|
|
EVAL-cpu_instance = coalesce(cpu,CPU)
|
|
|
|
EVAL-pctIdle = coalesce(id,pctIdle)
|
|
EVAL-PercentIdleTime = coalesce(id,pctIdle)
|
|
EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
|
|
|
|
EVAL-pctNice = coalesce(pctNice,"0")
|
|
EVAL-PercentNiceTime = coalesce(pctNice,"0")
|
|
|
|
EVAL-pctUser = coalesce(us,pctUser)
|
|
EVAL-PercentUserTime = coalesce(us,pctUser)
|
|
EVAL-cpu_user_percent = coalesce(us,pctUser)
|
|
|
|
EVAL-pctSystem = coalesce(sy,pctSystem)
|
|
EVAL-PercentSystemTime = coalesce(sy,pctSystem)
|
|
|
|
EVAL-pctIowait = coalesce(wa,pctIowait)
|
|
EVAL-PercentWaitTime = coalesce(wa,pctIowait)
|
|
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
[df]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
FIELDALIAS-dest_for_df = host as dest
|
|
FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
|
|
FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
|
|
FIELDALIAS-mount_for_df = MountedOn AS mount
|
|
EVAL-Type = coalesce('Type',"?")
|
|
EVAL-filesystem_type = coalesce('Type',"?")
|
|
EVAL-Size = coalesce('Size','1024_blocks')
|
|
EVAL-INodes = coalesce('INodes','Inodes')
|
|
EVAL-IUsePct = coalesce('IUsePct','IUse_')
|
|
EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
|
|
EVAL-Avail = coalesce('Avail', 'Available')
|
|
EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
|
|
EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
|
|
EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
# Redundancy required here because calculated fields are not evaluated in sequence.
|
|
EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
|
|
EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
|
|
|
|
## Legacy fields
|
|
|
|
# Note we don't elimininate one layer of indirection here by
|
|
# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
|
|
# which was previously used.
|
|
EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
|
|
EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
|
|
# Redundancy required here because calculated fields are not evaluated in sequence.
|
|
EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
|
|
|
|
[hardware]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P<RealMemory>[^\s]*)[ ]?
|
|
EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P<SwapMemory>[^\s]*)[ ]?
|
|
EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P<Unit>\w+)?
|
|
EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
|
|
EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
|
|
EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P<cpu_cores>[^ \n]*)?
|
|
EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P<cpu_type>[^\n]*)?
|
|
EXTRACT-cpu_freq = (?<cpu_freq>[^\s]+)(?<cpu_freq_unit>[G|M]Hz)
|
|
EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
|
|
EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
|
|
[interfaces]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE=multi
|
|
EVAL-enabled = "true"
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
|
|
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
|
|
FIELDALIAS-interface = Name as interface
|
|
FIELDALIAS-mac = MAC as mac
|
|
|
|
[iostat]
|
|
SHOULD_LINEMERGE = false
|
|
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
# coalesce command is used to normalizes field names with the same value and for backward compatibility
|
|
EVAL-mount = coalesce(Device, Device_, device, "?")
|
|
EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
|
|
EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
|
|
EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
|
|
EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
|
|
|
|
EVAL-Device = coalesce(Device, Device_, device, "?")
|
|
EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
|
|
EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
|
|
EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
|
|
EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
|
|
EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
|
|
|
|
EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
|
|
EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
|
|
EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
|
|
EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
|
|
EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
|
|
|
|
EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
|
|
EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
|
|
EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
|
|
EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
|
|
|
|
[source::...(nfsiostat)]
|
|
sourcetype = nfsiostat
|
|
HEADER_MODE = always
|
|
SHOULD_LINEMERGE = false
|
|
|
|
[nfsiostat]
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
|
|
|
|
FIELDALIAS-mount = Mount as mount
|
|
FIELDALIAS-read_latency = r_avg_exe as read_latency
|
|
FIELDALIAS-write_latency = w_avg_exe as write_latency
|
|
FIELDALIAS-read_ops = r_op_s as read_ops
|
|
FIELDALIAS-write_ops = w_op_s as write_ops
|
|
EVAL-total_ops = read_ops + write_ops
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
|
|
[lastlog]
|
|
## Override system/default lastlog sourcetype invalidation
|
|
invalid_cause =
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
|
|
[lsof]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
|
|
[netstat]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
|
|
EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
|
|
EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
|
|
EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
|
|
FIELDALIAS-transport=Proto as transport
|
|
FIELDALIAS-state=State as state
|
|
EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
|
|
EVAL-vendor_product = "nix"
|
|
|
|
[bandwidth]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
|
|
EVAL-bytes=(rxKB_PS+txKB_PS)*1024
|
|
EVAL-bytes_in=rxKB_PS*1024
|
|
EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
|
|
EVAL-bytes_out=txKB_PS*1024
|
|
EVAL-packets=rxPackets_PS+txPackets_PS
|
|
FIELDALIAS-packets_in=rxPackets_PS as packets_in
|
|
FIELDALIAS-packets_out=txPackets_PS as packets_out
|
|
|
|
[openPorts]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
|
|
FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
|
|
FIELDALIAS-dest_for_open_ports_sh = host AS dest
|
|
FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
|
|
EVAL-transport_dest_port = Proto + "/" + Port
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
|
|
# extraction for sourcetype unix:listeningports
|
|
[Unix:ListeningPorts]
|
|
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
|
|
|
|
[package]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
|
|
[protocol]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE=multi
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
[ps]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE = multi
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
EVAL-pctCPU = coalesce(CPU, pctCPU)
|
|
EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
|
|
EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
|
|
EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
|
|
|
|
FIELDALIAS-dest_for_ps = host as dest
|
|
FIELDALIAS-src_for_ps = host as src
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
|
|
FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
|
|
|
|
EVAL-pctMEM = coalesce(MEM, pctMEM)
|
|
EVAL-PercentMemory = coalesce(MEM, pctMEM)
|
|
|
|
EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
|
|
EVAL-rss = coalesce(RSS, RSZ_KB)
|
|
EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
|
|
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
|
|
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
|
|
# compared to this value. This is a rough measure of resident set size (i.e.,
|
|
# physical memory in use).
|
|
EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
|
|
EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
|
|
|
|
EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
|
|
EVAL-vsz = coalesce(VSZ, VSZ_KB)
|
|
|
|
EVAL-TTY = coalesce(TTY, TT)
|
|
EVAL-tty = coalesce(TTY, TT)
|
|
|
|
EVAL-S = coalesce(S, STAT)
|
|
EVAL-stat = coalesce(S, STAT)
|
|
|
|
FIELDALIAS-user_for_ps = USER AS user
|
|
|
|
# The "app" field is the conjunction of COMMAND plus ARGS
|
|
# Note that the UNIX app joins arguments with an underscore.
|
|
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
|
|
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
|
|
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
|
|
|
|
EVAL-CPUTIME = coalesce(TIME, CPUTIME)
|
|
# Truncate needless leading zeroes from the cumulative CPU time field.
|
|
EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
|
|
EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
|
|
|
|
# Incorporating CIM review changes
|
|
EVAL-action = "allowed"
|
|
EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")
|
|
|
|
|
|
[time]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
|
|
[top]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
EVENT_BREAKER_ENABLE=true
|
|
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE=multi
|
|
FIELDALIAS-user = USER as user
|
|
FIELDALIAS-process = COMMAND as process
|
|
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
[usersWithLoginPrivs]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE=multi
|
|
|
|
[who]
|
|
SHOULD_LINEMERGE=false
|
|
LINE_BREAKER=^((?!))$
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
KV_MODE=multi
|
|
|
|
[vmstat]
|
|
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
|
|
TRUNCATE=1000000
|
|
DATETIME_CONFIG = CURRENT
|
|
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
|
|
HEADER_MODE = always
|
|
|
|
REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
|
|
FIELDALIAS-dest_for_vmstat = host as dest
|
|
EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
|
|
EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
|
|
EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
|
|
EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
|
|
FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
|
|
FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
|
|
FIELDALIAS-system_threads_count = threads as system_threads_count
|
|
FIELDALIAS-src_for_vmstat = host as src
|
|
FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
|
|
FIELDALIAS-swap_percent = swapUsedPct as swap_percent
|
|
|
|
## Legacy fields
|
|
FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
|
|
EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756
|
|
FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
|
|
FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
|
|
|
|
##Memoey Paging per second fields
|
|
FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
|
|
FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out
|
|
|
|
[Unix:UserAccounts]
|
|
EVAL-description = "/etc/passwd file"
|
|
EVAL-enabled = "yes"
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
FIELDALIAS-dest = host as dest
|
|
|
|
#####################
|
|
## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
|
|
#####################
|
|
|
|
# Stanzas in this section are legacy configuration stanzas
|
|
# intended to support parsing of data created by scripts in
|
|
# TA-deploymentapps, which has since been retired. Systems that use
|
|
# TA-unix on the search head but which may be searching data
|
|
# from forwarders on which the older scripts are still in use should
|
|
# be able to search new and old data seamlessly.
|
|
|
|
###### Global ######
|
|
# [source::...(linux.*|sample.*.linux)]
|
|
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
|
|
|
|
# [source::...(osx.*|sample.*.osx)]
|
|
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
|
|
|
|
# [source::...(solaris.*|sample.*.solaris)]
|
|
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
|
|
|
|
# [source::...sample.*.unix]
|
|
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
|
|
|
|
## support for linux only
|
|
[Linux:SELinuxConfig]
|
|
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
|
|
|
|
[linux_audit]
|
|
LINE_BREAKER = ([\r\n]+)
|
|
SHOULD_LINEMERGE = false
|
|
TIME_PREFIX = audit\(
|
|
MAX_TIMESTAMP_LOOKAHEAD=23
|
|
MAX_DAYS_AGO=3650
|
|
REPORT-command = command_for_linux_audit
|
|
EVAL-status = if('res'=="failed","failure",'res')
|
|
FIELDALIAS-object = id as object
|
|
FIELDALIAS-dvc = hostname as dvc
|
|
FIELDALIAS-dest = hostname as dest
|
|
FIELDALIAS-object_id = id as object_id
|
|
EVAL-op = if(op=="PAM:authentication", res, op)
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
|
|
EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
|
|
EVAL-app = "nix"
|
|
EVAL-change_type = "AAA"
|
|
EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
|
|
EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
|
|
EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
|
|
EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
|
|
EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
|
|
EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
|
|
EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
|
|
EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')
|
|
|
|
[source::...Unix:Service]
|
|
SHOULD_LINEMERGE = false
|
|
EVENT_BREAKER_ENABLE = true
|
|
EVAL-service = coalesce(UNIT, app)
|
|
EVAL-service_name = coalesce(UNIT, app)
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
|
|
EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
|
|
EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
|
|
FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
|
|
FIELDALIAS-status_for_solaris_service = State as status
|
|
FIELDALIAS-dest = host as dest
|
|
|
|
# extraction for sourcetype Unix:Service
|
|
[Unix:Service]
|
|
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
|
|
|
|
# Incorporating CIM review changes
|
|
EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")
|
|
|
|
## no windows application at this time
|
|
[source::*:SSHDConfig]
|
|
EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null())
|
|
|
|
###### Update ######
|
|
|
|
[source::...Unix:Update]
|
|
EVENT_BREAKER_ENABLE = true
|
|
FIELDALIAS-signature_for_update = package as signature
|
|
LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status
|
|
|
|
###### Uptime ######
|
|
|
|
[source::...Unix:Uptime]
|
|
FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime
|
|
FIELDALIAS-dest = host as dest
|
|
|
|
###### Version ######
|
|
|
|
[source::...Unix:Version]
|
|
SHOULD_LINEMERGE = false
|
|
FIELDALIAS-family_for_nix_version = os_name as family
|
|
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
|
|
FIELDALIAS-version_for_nix_version = os_release as version
|
|
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
|
|
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
|
|
EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
|
|
FIELDALIAS-dest_for_nix_version = host as dest
|
|
|
|
###### VSFTPD Config ######
|
|
## no windows application at this time
|
|
|
|
[source::*:VSFTPDConfig]
|
|
EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead."
|
|
|
|
#####################
|
|
## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
|
|
#####################
|
|
|
|
|
|
#####################
|
|
## System Logs
|
|
#####################
|
|
|
|
###### Global ######
|
|
[source::....nix]
|
|
sourcetype = linux_secure
|
|
|
|
[source::/etc/passwd*]
|
|
sourcetype = ignored_type
|
|
|
|
[source::/etc/shadow*]
|
|
sourcetype = ignored_type
|
|
|
|
## Custom Sourcetype
|
|
#[source::....<your_sourcetype>]
|
|
#sourcetype = <your_sourcetype>
|
|
|
|
#[<your_sourcetype>]
|
|
### Event extractions by type
|
|
#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
|
|
#EVAL-action = if(app="su" AND isnull(action),"success",action)
|
|
#REPORT-account_management_for_your_sourcetype = useradd, userdel
|
|
#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
|
|
#REPORT-routing_for_your_sourcetype = iptables
|
|
#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
|
|
#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
|
|
|
|
#REPORT-dest_for_your_sourcetype = host_as_dest
|
|
#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
|
|
#REPORT-pid-process_for_your_sourcetype = syslog-extractions
|
|
#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src
|
|
|
|
###### AIX Sourcetype ######
|
|
[source::....aix_secure]
|
|
sourcetype = aix_secure
|
|
|
|
[aix_secure]
|
|
EVENT_BREAKER_ENABLE = true
|
|
REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
|
|
EVAL-action = if(app="su" AND isnull(action),"success",action)
|
|
|
|
REPORT-dest_for_aix_secure = loghost_as_dest
|
|
FIELDALIAS-dvc = dest as dvc
|
|
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
|
|
REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src
|
|
|
|
###### OSX Security ######
|
|
[source::....osx_secure]
|
|
sourcetype = osx_secure
|
|
|
|
[osx_secure]
|
|
EVENT_BREAKER_ENABLE = true
|
|
|
|
## Event extractions by type
|
|
REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
|
|
EVAL-action = if(app="su" AND isnull(action),"success",action)
|
|
|
|
REPORT-dest_for_osx_secure = host_as_dest
|
|
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
|
|
REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src
|
|
|
|
###### Linux Security ######
|
|
[source::....linux_secure]
|
|
sourcetype = linux_secure
|
|
|
|
[linux_secure]
|
|
EVENT_BREAKER_ENABLE = true
|
|
|
|
## Event extractions by type
|
|
EVAL-app = case(app="ssh", "ssh", app="nix", "nix", true(), app)
|
|
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
|
|
EVAL-action = if(app="su" AND isnull(action),"success",action)
|
|
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
|
|
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
|
|
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
|
|
REPORT-routing = iptables
|
|
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
|
|
|
|
REPORT-dest_for_linux_secure = loghost_as_dest
|
|
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
|
|
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
|
|
FIELDALIAS-dvc = dest as dvc
|
|
EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
|
|
FIELDALIAS-user_name = user as user_name
|
|
EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
|
|
|
|
###### Syslog ######
|
|
[source::....syslog]
|
|
sourcetype = syslog
|
|
|
|
[syslog]
|
|
EVENT_BREAKER_ENABLE = true
|
|
|
|
## Event extractions by type
|
|
REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
|
|
EVAL-action = if(app="su" AND isnull(action),"success",action)
|
|
REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
|
|
REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
|
|
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
|
|
REPORT-routing = iptables
|
|
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
|
|
REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
|
|
|
|
REPORT-dest_for_syslog = host_as_dest
|
|
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
|
|
REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
|
|
FIELDALIAS-dvc = dest as dvc
|
|
|
|
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
|
|
|
|
###### bash history ######
|
|
[bash_history]
|
|
SHOULD_LINEMERGE=FALSE
|
|
EVENT_BREAKER_ENABLE = true
|
|
DATETIME_CONFIG=CURRENT
|
|
REPORT-bhist=bash_user,bash_user_root
|
|
FIELDALIAS-bhist=_raw AS bash_command
|
|
FIELDALIAS-dest_for_history = host as dest
|
|
|
|
###### auditd ######
|
|
[auditd]
|
|
LINE_BREAKER = ([\r\n]+)
|
|
SHOULD_LINEMERGE = false
|
|
TIME_PREFIX = audit\(
|
|
MAX_TIMESTAMP_LOOKAHEAD=23
|
|
MAX_DAYS_AGO=3650
|