admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add+update

Browse Source
master
admingit 3 years ago
parent 4c12c72ba6
commit bf94590e3f
22 changed files with 4682 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
deployment-apps/Splunk_TA_esxilogs/default/inputs.conf
Unescape View File

@ -1,7 +1,7 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Please uncomment below stanza to receive events using Syslog
#[udp://514]
#[monitor:///var/rsyslog/*/esxi/*/*/*.log]
#index = vmware-esxilog
#sourcetype = vmw-syslog
#connection_host = dns

15
deployment-apps/Splunk_TA_esxilogs/local/inputs.conf
Unescape View File

@ -0,0 +1,15 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Please uncomment below stanza to receive events using Syslog
[monitor:///var/rsyslog/*/esxi/*/*/*.log]
index = vmware-esxilog
sourcetype = vmw-syslog
#connection_host = dns
disabled = 0
#Please uncomment below stanza to receive events using Syslog
#[tcp://1514]
#index = vmware-esxilog
#sourcetype = vmw-syslog
#connection_host = dns
#disabled = 0

36
deployment-apps/Splunk_TA_esxilogs/local/props.conf
Unescape View File

@ -0,0 +1,36 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
####### INDEX TIME EXTRACTION ##########
[vmw-syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:.*?(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{5})?)\s[^ ]+\s+[^ ]+\s+[^\->])|([\r\n]+)(?:.*?\w+\s+\d+\s+\d{2}:\d{2}:\d{2})(?:\s+[^ ]+\s+)+[^\->]
TZ = UTC
DATETIME_CONFIG = /etc/apps/Splunk_TA_esxilogs/default/syslog_datetime.xml
######### SYSLOG - DEFAULT DATETIME ###################
# When using syslog server if date time is not correctly extracted from events then use the default
# uncomment line below and remove custom date time above
#DATETIME_CONFIG = /etc/datetime.xml
#######################################################
TRANSFORMS-nullqueue = vmware_generic_level_null
TRANSFORMS-vmsyslogsourcetype = set_syslog_sourcetype,set_syslog_sourcetype_4x,set_syslog_sourcetype_sections
TRANSFORMS-vmsyslogsource = set_syslog_source
############ SYSLOG - HOST FIELD EXTRACTION #############
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#TRANSFORMS-vmsysloghost = set_host
#########################################################
##### DEFAULT VMWARE SEARCH TIME FIELD EXTRACTION #####
# The stanzas below are used to extract fields for ESXi log browser at search time.
[source::vmware:esxlog:...]
REPORT-fields = esx_hostd_fields_5x,esx_hostd_fields_6x, esx_generic_fields,esx_hostd_fields_syslogserver,esx_generic_fields_syslogserver,esx_hostd_fields_4x,esx_generic_fields_4x
[vmware:esxlog:vmkernel]
REPORT-vmkernel = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x
[vmware:esxlog:vmkwarning]
REPORT-vmkwarning = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x

135
deployment-apps/Splunk_TA_esxilogs/local/syslog_datetime.xml
Unescape View File

@ -0,0 +1,135 @@
<!-- Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. -->
<!-- syslog_datetime.xml -->
<!-- This file contains the general formulas for parsing date/time formats. -->
<datetime>
<define name="_year" extract="year">
<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>
</define>
<define name="_month" extract="month">
<text><![CDATA[(0?[1-9]|1[012])(?!:)]]></text>
</define>
<define name="_litmonth" extract="litmonth">
<text><![CDATA[(?<![\d\w])(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z,\.;]*]]></text>
</define>
<define name="_allmonth" extract="litmonth, month">
<text><![CDATA[(?:]]></text>
<use name="_litmonth"/>
<text><![CDATA[|]]></text>
<use name="_month"/>
<text><![CDATA[)]]></text>
</define>
<define name="_day" extract="day">
<text><![CDATA[(0?[1-9]|[12]\d|3[01])]]></text>
</define>
<define name="_usday" extract="day">
<use name="_day"/>
<text><![CDATA[(?:st|nd|rd|th|[,\.;])?]]></text>
</define>
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>
<define name="_minute" extract="minute">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_second" extract="second">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_zone" extract="zone">
<text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
</define>
<define name="_time" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=T)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<define name="_time_esxi_4x" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=(?:[\./\-]\d{2}\s))]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<!-- ESX 4x time format
<define name="_time_esx_4x" extract="hour, minute, second">
<text><![CDATA[(?<!\d)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?!:\d)]]></text>
</define> -->
<!-- Date Format -->
<define name="_isodate" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?=T)|(?!\w)(?!\.\d))]]></text>
</define>
<define name="_date_esxi_4x" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<=\s\[)]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define>
<!-- ESX 4x time format
<define name="_date_esx_4x" extract="litmonth, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_litmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define> -->
<timePatterns>
<use name="_time"/>
<use name="_time_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_time_esx_4x"/> -->
</timePatterns>
<datePatterns>
<use name="_isodate"/>
<use name="_date_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_date_esx_4x"/> -->
</datePatterns>
</datetime>

124
deployment-apps/Splunk_TA_esxilogs/local/transforms.conf
Unescape View File

@ -0,0 +1,124 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Set the sourcetype from syslog tag
#timestamp in RFC3339 format (syslog protocol spec) is:
#\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+(\.\d+)?(?:Z|[\+\-]\d{2}:\d{2})?
[set_syslog_sourcetype]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<\d+>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*)[:\[]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Setting source type for 4x, as this vpxa data for 4x esx is in different format
[set_syslog_sourcetype_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+([^\[\:]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Set source to identify report extractions
[set_syslog_source]
SOURCE_KEY = MetaData:Source
REGEX = (.+)
DEST_KEY = MetaData:Source
FORMAT = source::vmware:esxlog:$1
[set_syslog_sourcetype_sections]
REGEX = ^(?:<\d+>)Section.*
DEST_KEY = MetaData:Sourcetype
#TODO: this may need to be assigned to a particular log sourcetype
FORMAT = sourcetype::vmware:esxlog:section_headers
# the following is applicable to:
# hostd, vpxa, rhttpproxy, hostd-probe
[esx_hostd_fields_6x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+):\s(?:(?:[\d\-:TZ.]+)\s*)?(\w+)\s*(?:\S+\[\S+\])?\s*\[(?:[^\s\]]+)\s*(?:sub=([^\s\]]+))?\s*(?:opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_5x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+): \[[^\s]+ (\w+) '([^']+)'(?: opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(?:[-\d]{10}(?:\s+|T))?(?:[.:\dZ]+\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\s*(?:[^\s]+)?\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
[esx_generic_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*):?(?:[^(]*\))?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
[esx_generic_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
FORMAT = Message::$1
[esx_hostd_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*): \[([^\s]+) (\w+) '([^']+)'(?: opID=([^\]]+))?\] ?(.*)
FORMAT = Pri::$1 Application::$2 Offset::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_vmkernel_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_generic_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*):?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
####### SYSLOG - HOST AND SOURCETYPE EXTRACTION #######
# When using syslog server, sourcetype extraction can be done from event itself For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line and add stanza name "set_syslog_sourcetype_syslogserver" into props.conf "TRANSFORMS-vmsyslogsourcetype" list
#[set_syslog_sourcetype_syslogserver]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*)[:\[]
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#[set_host]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?([^ ]+)\s+)
#DEST_KEY = MetaData:Host
#FORMAT = host::$1
########################################################
#########
#NullQueues
[vmware_generic_level_null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (?:verbose|trivia)[:\s]
[vmware_generic_level_null_4x]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s.*(?:verbose|trivia).*
# The below regex is used to support for ESX 4x version for syslog
# Please uncomment the below regEx if VC contains ESX 4x version, also update props.conf with these values
#[set_syslog_sourcetype_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?([^\[\:]+)
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
#[esx_hostd_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
#[esx_vmkernel_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
#[esx_generic_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
#FORMAT = Message::$1
#[vmware_generic_level_null_esx_4x]
#DEST_KEY = queue
#FORMAT = nullQueue
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?.*(verbose|trivia)

5
deployment-apps/Splunk_TA_esxilogs_other/README
Unescape View File

@ -0,0 +1,5 @@
Splunk_TA_esxilogs version = 4.2.1
For documentation, see: https://docs.splunk.com/Documentation/AddOns/released/VMWesxilogs/About
Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.

52
deployment-apps/Splunk_TA_esxilogs_other/app.manifest
Unescape View File

@ -0,0 +1,52 @@
{
"schemaVersion": "2.0.0",
"info": {
"title": "Add-on for VMware ESXi Logs",
"id": {
"group": null,
"name": "Splunk_TA_esxilogs",
"version": "4.2.1"
},
"author": [
{
"name": "Splunk, Inc.",
"email": "support@splunk.com",
"company": "Splunk, Inc."
}
],
"releaseDate": null,
"description": "Tools, Inputs, and extractions for VMware ESXi Log data received by syslog",
"classification": {
"intendedAudience": null,
"categories": ["IT Operations"],
"developmentStatus": null
},
"commonInformationModels": null,
"license": {
"name": "Splunk Software License Agreement",
"text": "license-eula.txt",
"uri": "https://www.splunk.com/en_us/legal/splunk-software-license-agreement.html"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseNotes": {
"name": "README",
"text": "README",
"uri": "https://docs.splunk.com/Documentation/AddOns/released/VMWesxilogs/ReleaseNotes"
}
},
"dependencies": null,
"tasks": null,
"inputGroups": null,
"incompatibleApps": null,
"platformRequirements": null,
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": "*"
}

21
deployment-apps/Splunk_TA_esxilogs_other/default/app.conf
Unescape View File

@ -0,0 +1,21 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#
# Splunk app configuration file
#
[install]
state = enabled
is_configured = false
build = 120
[launcher]
author=Splunk, Inc.
description=Tools, Inputs, and extractions for VMware ESXi Log data received by syslog
version=4.2.1
[ui]
is_visible = false
label = Add-on for VMware ESXi Logs
[package]
id = Splunk_TA_esxilogs

36
deployment-apps/Splunk_TA_esxilogs_other/default/props.conf
Unescape View File

@ -0,0 +1,36 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
####### INDEX TIME EXTRACTION ##########
[vmw-syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:.*?(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{5})?)\s[^ ]+\s+[^ ]+\s+[^\->])|([\r\n]+)(?:.*?\w+\s+\d+\s+\d{2}:\d{2}:\d{2})(?:\s+[^ ]+\s+)+[^\->]
TZ = UTC
DATETIME_CONFIG = /etc/apps/Splunk_TA_esxilogs/default/syslog_datetime.xml
######### SYSLOG - DEFAULT DATETIME ###################
# When using syslog server if date time is not correctly extracted from events then use the default
# uncomment line below and remove custom date time above
#DATETIME_CONFIG = /etc/datetime.xml
#######################################################
TRANSFORMS-nullqueue = vmware_generic_level_null
TRANSFORMS-vmsyslogsourcetype = set_syslog_sourcetype,set_syslog_sourcetype_4x,set_syslog_sourcetype_sections
TRANSFORMS-vmsyslogsource = set_syslog_source
############ SYSLOG - HOST FIELD EXTRACTION #############
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#TRANSFORMS-vmsysloghost = set_host
#########################################################
##### DEFAULT VMWARE SEARCH TIME FIELD EXTRACTION #####
# The stanzas below are used to extract fields for ESXi log browser at search time.
[source::vmware:esxlog:...]
REPORT-fields = esx_hostd_fields_5x,esx_hostd_fields_6x, esx_generic_fields,esx_hostd_fields_syslogserver,esx_generic_fields_syslogserver,esx_hostd_fields_4x,esx_generic_fields_4x
[vmware:esxlog:vmkernel]
REPORT-vmkernel = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x
[vmware:esxlog:vmkwarning]
REPORT-vmkwarning = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x

135
deployment-apps/Splunk_TA_esxilogs_other/default/syslog_datetime.xml
Unescape View File

@ -0,0 +1,135 @@
<!-- Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. -->
<!-- syslog_datetime.xml -->
<!-- This file contains the general formulas for parsing date/time formats. -->
<datetime>
<define name="_year" extract="year">
<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>
</define>
<define name="_month" extract="month">
<text><![CDATA[(0?[1-9]|1[012])(?!:)]]></text>
</define>
<define name="_litmonth" extract="litmonth">
<text><![CDATA[(?<![\d\w])(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z,\.;]*]]></text>
</define>
<define name="_allmonth" extract="litmonth, month">
<text><![CDATA[(?:]]></text>
<use name="_litmonth"/>
<text><![CDATA[|]]></text>
<use name="_month"/>
<text><![CDATA[)]]></text>
</define>
<define name="_day" extract="day">
<text><![CDATA[(0?[1-9]|[12]\d|3[01])]]></text>
</define>
<define name="_usday" extract="day">
<use name="_day"/>
<text><![CDATA[(?:st|nd|rd|th|[,\.;])?]]></text>
</define>
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>
<define name="_minute" extract="minute">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_second" extract="second">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_zone" extract="zone">
<text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
</define>
<define name="_time" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=T)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<define name="_time_esxi_4x" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=(?:[\./\-]\d{2}\s))]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<!-- ESX 4x time format
<define name="_time_esx_4x" extract="hour, minute, second">
<text><![CDATA[(?<!\d)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?!:\d)]]></text>
</define> -->
<!-- Date Format -->
<define name="_isodate" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?=T)|(?!\w)(?!\.\d))]]></text>
</define>
<define name="_date_esxi_4x" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<=\s\[)]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define>
<!-- ESX 4x time format
<define name="_date_esx_4x" extract="litmonth, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_litmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define> -->
<timePatterns>
<use name="_time"/>
<use name="_time_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_time_esx_4x"/> -->
</timePatterns>
<datePatterns>
<use name="_isodate"/>
<use name="_date_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_date_esx_4x"/> -->
</datePatterns>
</datetime>

124
deployment-apps/Splunk_TA_esxilogs_other/default/transforms.conf
Unescape View File

@ -0,0 +1,124 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Set the sourcetype from syslog tag
#timestamp in RFC3339 format (syslog protocol spec) is:
#\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+(\.\d+)?(?:Z|[\+\-]\d{2}:\d{2})?
[set_syslog_sourcetype]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<\d+>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*)[:\[]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Setting source type for 4x, as this vpxa data for 4x esx is in different format
[set_syslog_sourcetype_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+([^\[\:]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Set source to identify report extractions
[set_syslog_source]
SOURCE_KEY = MetaData:Source
REGEX = (.+)
DEST_KEY = MetaData:Source
FORMAT = source::vmware:esxlog:$1
[set_syslog_sourcetype_sections]
REGEX = ^(?:<\d+>)Section.*
DEST_KEY = MetaData:Sourcetype
#TODO: this may need to be assigned to a particular log sourcetype
FORMAT = sourcetype::vmware:esxlog:section_headers
# the following is applicable to:
# hostd, vpxa, rhttpproxy, hostd-probe
[esx_hostd_fields_6x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+):\s(?:(?:[\d\-:TZ.]+)\s*)?(\w+)\s*(?:\S+\[\S+\])?\s*\[(?:[^\s\]]+)\s*(?:sub=([^\s\]]+))?\s*(?:opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_5x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+): \[[^\s]+ (\w+) '([^']+)'(?: opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(?:[-\d]{10}(?:\s+|T))?(?:[.:\dZ]+\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\s*(?:[^\s]+)?\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
[esx_generic_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*):?(?:[^(]*\))?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
[esx_generic_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
FORMAT = Message::$1
[esx_hostd_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*): \[([^\s]+) (\w+) '([^']+)'(?: opID=([^\]]+))?\] ?(.*)
FORMAT = Pri::$1 Application::$2 Offset::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_vmkernel_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_generic_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*):?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
####### SYSLOG - HOST AND SOURCETYPE EXTRACTION #######
# When using syslog server, sourcetype extraction can be done from event itself For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line and add stanza name "set_syslog_sourcetype_syslogserver" into props.conf "TRANSFORMS-vmsyslogsourcetype" list
#[set_syslog_sourcetype_syslogserver]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*)[:\[]
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#[set_host]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?([^ ]+)\s+)
#DEST_KEY = MetaData:Host
#FORMAT = host::$1
########################################################
#########
#NullQueues
[vmware_generic_level_null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (?:verbose|trivia)[:\s]
[vmware_generic_level_null_4x]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s.*(?:verbose|trivia).*
# The below regex is used to support for ESX 4x version for syslog
# Please uncomment the below regEx if VC contains ESX 4x version, also update props.conf with these values
#[set_syslog_sourcetype_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?([^\[\:]+)
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
#[esx_hostd_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
#[esx_vmkernel_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
#[esx_generic_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
#FORMAT = Message::$1
#[vmware_generic_level_null_esx_4x]
#DEST_KEY = queue
#FORMAT = nullQueue
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?.*(verbose|trivia)

3580
deployment-apps/Splunk_TA_esxilogs_other/license-eula.rtf
View File

File diff suppressed because it is too large Load Diff

1
deployment-apps/Splunk_TA_esxilogs_other/local/app.conf
Unescape View File

@ -0,0 +1 @@
# Autogenerated file

36
deployment-apps/Splunk_TA_esxilogs_other/local/props.conf
Unescape View File

@ -0,0 +1,36 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
####### INDEX TIME EXTRACTION ##########
[vmw-syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:.*?(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{5})?)\s[^ ]+\s+[^ ]+\s+[^\->])|([\r\n]+)(?:.*?\w+\s+\d+\s+\d{2}:\d{2}:\d{2})(?:\s+[^ ]+\s+)+[^\->]
TZ = UTC
DATETIME_CONFIG = /etc/apps/Splunk_TA_esxilogs_other/default/syslog_datetime.xml
######### SYSLOG - DEFAULT DATETIME ###################
# When using syslog server if date time is not correctly extracted from events then use the default
# uncomment line below and remove custom date time above
#DATETIME_CONFIG = /etc/datetime.xml
#######################################################
TRANSFORMS-nullqueue = vmware_generic_level_null
TRANSFORMS-vmsyslogsourcetype = set_syslog_sourcetype,set_syslog_sourcetype_4x,set_syslog_sourcetype_sections
TRANSFORMS-vmsyslogsource = set_syslog_source
############ SYSLOG - HOST FIELD EXTRACTION #############
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#TRANSFORMS-vmsysloghost = set_host
#########################################################
##### DEFAULT VMWARE SEARCH TIME FIELD EXTRACTION #####
# The stanzas below are used to extract fields for ESXi log browser at search time.
[source::vmware:esxlog:...]
REPORT-fields = esx_hostd_fields_5x,esx_hostd_fields_6x, esx_generic_fields,esx_hostd_fields_syslogserver,esx_generic_fields_syslogserver,esx_hostd_fields_4x,esx_generic_fields_4x
[vmware:esxlog:vmkernel]
REPORT-vmkernel = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x
[vmware:esxlog:vmkwarning]
REPORT-vmkwarning = esx_vmkernel_fields,esx_vmkernel_fields_syslogserver,esx_vmkernel_fields_4x

135
deployment-apps/Splunk_TA_esxilogs_other/local/syslog_datetime.xml
Unescape View File

@ -0,0 +1,135 @@
<!-- Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. -->
<!-- syslog_datetime.xml -->
<!-- This file contains the general formulas for parsing date/time formats. -->
<datetime>
<define name="_year" extract="year">
<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>
</define>
<define name="_month" extract="month">
<text><![CDATA[(0?[1-9]|1[012])(?!:)]]></text>
</define>
<define name="_litmonth" extract="litmonth">
<text><![CDATA[(?<![\d\w])(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z,\.;]*]]></text>
</define>
<define name="_allmonth" extract="litmonth, month">
<text><![CDATA[(?:]]></text>
<use name="_litmonth"/>
<text><![CDATA[|]]></text>
<use name="_month"/>
<text><![CDATA[)]]></text>
</define>
<define name="_day" extract="day">
<text><![CDATA[(0?[1-9]|[12]\d|3[01])]]></text>
</define>
<define name="_usday" extract="day">
<use name="_day"/>
<text><![CDATA[(?:st|nd|rd|th|[,\.;])?]]></text>
</define>
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>
</define>
<define name="_minute" extract="minute">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_second" extract="second">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_zone" extract="zone">
<text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
</define>
<define name="_time" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=T)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<define name="_time_esxi_4x" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<=(?:[\./\-]\d{2}\s))]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<!-- ESX 4x time format
<define name="_time_esx_4x" extract="hour, minute, second">
<text><![CDATA[(?<!\d)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?!:\d)]]></text>
</define> -->
<!-- Date Format -->
<define name="_isodate" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?=T)|(?!\w)(?!\.\d))]]></text>
</define>
<define name="_date_esxi_4x" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<=\s\[)]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define>
<!-- ESX 4x time format
<define name="_date_esx_4x" extract="litmonth, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_litmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?= )|(?!\w)(?!\.\d))]]></text>
</define> -->
<timePatterns>
<use name="_time"/>
<use name="_time_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_time_esx_4x"/> -->
</timePatterns>
<datePatterns>
<use name="_isodate"/>
<use name="_date_esxi_4x"/>
<!-- Uncomment the below comments if ESX 4 exists in the environment
<use name="_date_esx_4x"/> -->
</datePatterns>
</datetime>

124
deployment-apps/Splunk_TA_esxilogs_other/local/transforms.conf
Unescape View File

@ -0,0 +1,124 @@
# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved.
#Set the sourcetype from syslog tag
#timestamp in RFC3339 format (syslog protocol spec) is:
#\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+(\.\d+)?(?:Z|[\+\-]\d{2}:\d{2})?
[set_syslog_sourcetype]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<\d+>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*)[:\[]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Setting source type for 4x, as this vpxa data for 4x esx is in different format
[set_syslog_sourcetype_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+([^\[\:]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1
#Set source to identify report extractions
[set_syslog_source]
SOURCE_KEY = MetaData:Source
REGEX = (.+)
DEST_KEY = MetaData:Source
FORMAT = source::vmware:esxlog:$1
[set_syslog_sourcetype_sections]
REGEX = ^(?:<\d+>)Section.*
DEST_KEY = MetaData:Sourcetype
#TODO: this may need to be assigned to a particular log sourcetype
FORMAT = sourcetype::vmware:esxlog:section_headers
# the following is applicable to:
# hostd, vpxa, rhttpproxy, hostd-probe
[esx_hostd_fields_6x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+):\s(?:(?:[\d\-:TZ.]+)\s*)?(\w+)\s*(?:\S+\[\S+\])?\s*\[(?:[^\s\]]+)\s*(?:sub=([^\s\]]+))?\s*(?:opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_5x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+): \[[^\s]+ (\w+) '([^']+)'(?: opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_hostd_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(?:[-\d]{10}(?:\s+|T))?(?:[.:\dZ]+\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\s*(?:[^\s]+)?\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_vmkernel_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
[esx_generic_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*):?(?:[^(]*\))?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
[esx_generic_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
FORMAT = Message::$1
[esx_hostd_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*): \[([^\s]+) (\w+) '([^']+)'(?: opID=([^\]]+))?\] ?(.*)
FORMAT = Pri::$1 Application::$2 Offset::$3 Level::$4 Object::$5 opID::$6 Message::$7
[esx_vmkernel_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7
[esx_generic_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*):?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3
####### SYSLOG - HOST AND SOURCETYPE EXTRACTION #######
# When using syslog server, sourcetype extraction can be done from event itself For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line and add stanza name "set_syslog_sourcetype_syslogserver" into props.conf "TRANSFORMS-vmsyslogsourcetype" list
#[set_syslog_sourcetype_syslogserver]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*)[:\[]
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
# When using syslog server host extraction can be done from event itself. For example if event has the following format: "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#[set_host]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?([^ ]+)\s+)
#DEST_KEY = MetaData:Host
#FORMAT = host::$1
########################################################
#########
#NullQueues
[vmware_generic_level_null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (?:verbose|trivia)[:\s]
[vmware_generic_level_null_4x]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s.*(?:verbose|trivia).*
# The below regex is used to support for ESX 4x version for syslog
# Please uncomment the below regEx if VC contains ESX 4x version, also update props.conf with these values
#[set_syslog_sourcetype_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?([^\[\:]+)
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1
#[esx_hostd_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7
#[esx_vmkernel_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6
#[esx_generic_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
#FORMAT = Message::$1
#[vmware_generic_level_null_esx_4x]
#DEST_KEY = queue
#FORMAT = nullQueue
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?.*(verbose|trivia)

11
deployment-apps/Splunk_TA_esxilogs_other/metadata/default.meta
Unescape View File

@ -0,0 +1,11 @@
## shared Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = system
[savedsearches]
owner = admin
## Exclude export of custom alert actions
[alert_actions/email]
export = none

111
deployment-apps/Splunk_TA_esxilogs_other/splunkbase.manifest
Unescape View File

@ -0,0 +1,111 @@
{
"version": "1.0",
"date": "2022-11-12T08:08:43.106657742Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 5603,
"version": "4.2.1",
"files": [
{
"path": "app.manifest",
"hash": "6c237f44d6cbb549d19ae703c3ac76fa8f4f94d64f7a2eb22259639ac63ab5e7"
},
{
"path": "default/app.conf",
"hash": "a7ff5b24e3e535dddd0c6f07d96c1c938ae742391b372411732f7fb33b885d0d"
},
{
"path": "default/inputs.conf",
"hash": "78e122868739e5c748b72f293c0d37ae1741ad505f222b3165d8aa2e4966cee7"
},
{
"path": "default/props.conf",
"hash": "a2adcf5a35ad3aabc41495e5e28e1c686a2fdcaef81b6b7088dcfbc5cd612718"
},
{
"path": "default/syslog_datetime.xml",
"hash": "42844fe4e14e123dbc58c406fcb5f11032c719f90d80c93e941fb8f7629a3815"
},
{
"path": "default/transforms.conf",
"hash": "d90af78156b4076db9778fd2e8840f7cd3263bd64bfd317484bcc9fe881d9bf0"
},
{
"path": "license-eula.rtf",
"hash": "8bc3fc5f9908c20081d3569b9d84114bcec6371acc520ee7324abf39e8107c73"
},
{
"path": "license-eula.txt",
"hash": "14a0a52e51f8d42465e5bc56d07b6f4ea6e0a159a96fb574410a0de0e700fdba"
},
{
"path": "metadata/default.meta",
"hash": "dcb9ea46d5f6697b8147ab2f85fcc4fc09149f8b5a8b657dcbbb6a9a9b513fe8"
},
{
"path": "README",
"hash": "ed5c49417dfcd0ec692560d86729f1a7f5f701076b3988b416bc7e8bb6bdd24e"
},
{
"path": "static/appIcon_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIconAlt.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
}
]
},
"products": [
{
"platform": "splunk",
"product": "enterprise",
"versions": [
"8.0",
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
},
{
"platform": "splunk",
"product": "cloud",
"versions": [
"8.0",
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
}
]
}

BIN
deployment-apps/Splunk_TA_esxilogs_other/static/appIcon.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
deployment-apps/Splunk_TA_esxilogs_other/static/appIconAlt.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

BIN
deployment-apps/Splunk_TA_esxilogs_other/static/appIconAlt_2x.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
deployment-apps/Splunk_TA_esxilogs_other/static/appIcon_2x.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

Write Preview
Loading…
Cancel
Save