add for linux

JocelynPa 3 years ago
parent 0ebc7a7180
commit 0cc1444654


@ -0,0 +1,63 @@
{
"dependencies": null,
"incompatibleApps": null,
"info": {
"author": [
{
"name": "Splunk",
"email": null,
"company": null
}
],
"classification": {
"categories": [
"IT Operations"
],
"developmentStatus": "Production/Stable",
"intendedAudience": "IT"
},
"commonInformationModels": {
"Alerts": "==5.0.1",
"Authentication": "==5.0.1",
"Change": "==5.0.1",
"Intrusion Detection": "==5.0.1"
},
"description": "Splunk Add-on for Linux",
"id": {
"group": null,
"name": "Splunk_TA_linux",
"version": "2.1.0"
},
"license": {
"name": "Splunk Software License Agreement",
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": "http://www.splunk.com/view/SP-CAAAAFA"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://docs.splunk.com/Documentation/AddOns/released/Linux/Releasenotes"
},
"title": "Splunk Add-on for Linux"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_indexers",
"_forwarders"
],
"tasks": null
}
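Review bot: The `license.uri` value inside the `license` object is `http://www.splunk.com/view/SP-CAAAAFA`, a plain-HTTP link, so anyone following it from the package metadata can be handed a substituted page by an on-path attacker. The `releaseNotes.uri` a few lines below already uses `https://`, so changing this one to `"uri": "https://www.splunk.com/view/SP-CAAAAFA"` also makes the manifest self-consistent. This is strict JSON with no comment syntax, so the value itself is the whole fix.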

@ -0,0 +1,28 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[install]
is_configured = false
state = enabled
build = 1658326316
[launcher]
author = Splunk
version = 2.1.0
description = Splunk Add-on for Linux
[ui]
is_visible = false
label = Splunk Add-on for Linux
docs_section_override = AddOns:released
[package]
id = Splunk_TA_linux
[id]
name = Splunk_TA_linux
version = 2.1.0

@ -0,0 +1,76 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[linux_collectd_cpu]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=cpu
#tags = performance oshost cpu inventory
[linux_collectd_memory]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=memory
#tags = performance oshost memory inventory
[linux_collectd_swap]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=swap
#tags = performance oshost memory
[linux_collectd_df]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=df
#tags = performance oshost storage inventory
[linux_collectd_interface]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=interface
#tags = performance oshost network inventory
[linux_collectd_disk]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=disk
#tags = performance oshost storage
[linux_collectd_load]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=load
#tags = performance oshost
[linux_collectd_processes]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=processes
#tags = performance oshost process cpu
[linux_collectd_protocols]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=protocols
#tags = performance oshost
[linux_collectd_irq]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=irq
#tags = performance oshost
[linux_collectd_tcpconns]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=tcpconns
#tags = performance oshost network
[linux_collectd_thermal]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=thermal
#tags = performance oshost
[linux_collectd_uptime]
search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=uptime
#tags = performance oshost os
[linux_audit_anomalies]
search = sourcetype=linux:audit type=ANOM_*
#tags = ids attack alert
[linux_audit_account_change]
search = sourcetype=linux:audit type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK")
#tags = change account
[linux_audit_authentication]
search = sourcetype=linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ")
#tags = authentication
[linux_audit_endpoint]
search = sourcetype=linux:audit (type=USER_CMD)
#tags = process report
[linux_audit_endpoint_services]
search = sourcetype=linux:audit type IN ("SERVICE_START", "SERVICE_STOP")
#tags = service report
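Review bot: The `#tags = ...` comment under every stanza is a second, hand-maintained copy of what tags.conf declares, and it is already out of sync: `linux_audit_anomalies` is annotated `#tags = ids attack alert`, but the tags.conf added in this same commit ships that `[eventtype=linux_audit_anomalies]` stanza commented out, so the eventtype carries no tags at all. Duplicated metadata in comments keeps drifting; either delete the `#tags` lines or reduce each to a pointer such as `# tags are assigned in default/tags.conf`. If the `ids`/`attack`/`alert` tags are intended, the Alerts and Intrusion Detection data models also need their expected fields extracted for `type=ANOM_*` records, which I do not see in the props.conf in this commit.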

@ -0,0 +1,284 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[linux:collectd:graphite]
category = Operating System
description = Metrics collected from linux host using collectd-write_graphite plugin
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
KV_MODE = none
TIME_PREFIX = \S+\s+\S+\s+
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
EXTRACT-collectd_data = ^(?<collectd_host>[^.\s]+)\.(?<object>[^.\s]+)\.(?P<metric>\S+)\s+(?P<value>\S+)\s+(?<timestamp>\S+)
EXTRACT-plugin_info = (?<linux_collectd_plugin>[^\-]\w+)-*(?<plugin_instance>.*) in object
EXTRACT-metric_type = (?<type>[^\-\.]\w+)-*(?<type_instance>[^\.]\w+)?\.* in metric
FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin
EVAL-dsname = mvindex(split(metric, "."),1)
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.Memory
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
## HOST_OS Model.Performance.Network
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
## HOST_OS Model.Inventory.Machine Information
## HOST_OS Model.Inventory.Storage Information
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
## HOST_OS Model.Performance.CPU
FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts
FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent
FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time
FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent
## HOST_OS Model.Performance.Memory
FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent
FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent
## HOST_OS Model.Performance.Storage
FIELDALIAS-read_ops = disk_ops_read AS read_ops
FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent
FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent
FIELDALIAS-write_ops = disk_ops_write AS write_ops
## HOST_OS Model.Performance.Network
FIELDALIAS-packets_in = if_packets_rx AS packets_in
FIELDALIAS-packets_out = if_packets_tx AS packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-uptime = uptime_value AS uptime
## HOST_OS Model.Inventory.Storage Information
## HOST_OS Model.Inventory.Network Information
[linux:collectd:http:json]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin in json
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\[|\,]){\"values\":
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\[|\,]){\"values\":
SEDCMD-remove_tail = s/\}]$/}/
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N
TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance
TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance
TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance
EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?<collectd_host>[^"]*)(?:"|)
EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?<linux_collectd_plugin>[^"]+)(?:"|),\s*"plugin_instance":
FIELDALIAS-dsnames = dsnames{} as dsname
FIELDALIAS-linux_value = values{} as value
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.CPU
FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts
FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent
FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time
FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent
FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count
## HOST_OS Model.Performance.Memory
FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent
FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
FIELDALIAS-linux_read_ops = disk_ops_read as read_ops
FIELDALIAS-linux_write_ops = disk_ops_write as write_ops
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_free_percent = percent_bytes_free_value
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
EVAL-storage_used_percent = percent_bytes_used_value
EVAL-total_ops = disk_ops_read + disk_ops_write
## HOST_OS Model.Performance.Network
FIELDALIAS-linux_packets_in = if_packets_rx as packets_in
FIELDALIAS-linux_packets_out = if_packets_tx as packets_out
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-packets = packets_in + packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-linux_uptime = uptime_value as uptime
[linux:collectd:http:metrics]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin for metrics index
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index
#METRICS_PROTOCOL = COLLECTD_HTTP
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N
# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
#[syslog]
#TRANSFORMS-linux_syslog = linux_syslog_audit
[source::.../var/log/audit/audit.log(.\d+)?]
sourcetype = linux:audit
[linux:audit]
category = Operating System
description = Audit events from linux host using monitoring audit logs
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
TIME_PREFIX = msg=audit\(
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
FIELDALIAS-subj = subj AS subject
FIELDALIAS-obj = obj AS object
REPORT-event_id = event_id
REPORT-op = op
REPORT-subject = subject
REPORT-object = object
REPORT-res = res
EVAL-vendor_product = "Linux Audit"
FIELDALIAS-host = host AS dest
# DM Endpoint.Processes
EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null())
EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null())
EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
EVAL-process_name = mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1)
# DM Endpoint.Services
EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
# # DM Authentication:Authentication
EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null())
EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null())
EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null())
EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null())
EVAL-app = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null())
EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null())
EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null())
# DM Change:Account_Management
EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null())
EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null())
EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null())
EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null())
EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null())
EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(aiud), aiud, null()))
EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\
type IN ("ADD_GROUP") AND isnotnull(auid), auid,\
type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\
type IN ("DEL_GROUP") AND isnotnull(auid), auid,\
type IN ("ADD_USER") AND isnotnull(acct), acct,\
type IN ("DEL_USER") AND isnotnull(ID), ID,\
type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\
type IN ("GRP_MGMT") AND isnotnull(auid), auid,\
type IN ("USER_ACCT") AND isnotnull(AUID), AUID,\
type IN ("USER_ACCT") AND isnotnull(auid), auid,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\
((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
true(), null())
EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\
type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\
true(), null())
EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\
type=="USER_ACCT" AND op=="PAM:accounting", "user",\
type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\
true(), null())
EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management
EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\
type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\
type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\
(type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \
((type=="DEL_USER" AND op=="deleting user from group") OR \
(type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), "modified",\
type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\
type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\
true(), null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management
EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\
type IN ("USER_START") AND isnotnull(uid), uid,\
type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\
true(), null())
EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\
type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\
type IN ("USER_START") AND isnotnull(acct), acct,\
type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\
type IN ("ADD_USER") AND isnotnull(acct), acct,\
type IN ("DEL_USER") AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \
(type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR \
(type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="changing-uid") OR \
(type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\
((type=="USER_MGMT" AND op=="changing-uid") OR \
(type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
true(), null())
# DM Endpoint.Services, DM Endpoint.Processes
EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null())
# DM Endpoint.Services, DM Change:Account_Management
EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
isnotnull(res) AND (res=="success" OR res=="1"), "success",\
type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\
type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\
type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\
true(), null())
# DM Authentication:Authentication, DM Change:Account_Management
EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null())
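Review bot: `EVAL-action` in the `[linux:audit]` stanza labels a `USER_CMD` record `allowed` only when `res` is `success`/`1` and has no branch for a failed result, so a sudo command that was refused (`res=failed`) gets an empty `action` instead of `blocked`, and any Endpoint.Processes search or correlation on `action=blocked` will never see denied privilege-escalation attempts. Add the counterpart directly after the existing `USER_CMD` branch: `type=="USER_CMD" AND (res=="failed" OR res=="0"), "blocked",\`. Separately, `EVAL-linux_ev_ch_mgmt_user` falls back to a field spelled `aiud` (twice in that line); no such field is extracted anywhere in this commit, so the fallback is dead and should read `auid` like the neighbouring evals. Whether your auditd emits `res=failed` for a denied sudo is worth confirming against a sample event before relying on the new label.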

@ -0,0 +1,90 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[eventtype=linux_collectd_cpu]
performance = enabled
oshost = enabled
cpu = enabled
[eventtype=linux_collectd_memory]
performance = enabled
oshost = enabled
memory = enabled
[eventtype=linux_collectd_swap]
performance = enabled
oshost = enabled
memory = enabled
[eventtype=linux_collectd_df]
performance = enabled
oshost = enabled
storage = enabled
[eventtype=linux_collectd_interface]
performance = enabled
oshost = enabled
network = enabled
[eventtype=linux_collectd_disk]
performance = enabled
oshost = enabled
storage = enabled
[eventtype=linux_collectd_load]
performance = enabled
oshost = enabled
[eventtype=linux_collectd_processes]
performance = enabled
oshost = enabled
process = enabled
cpu = enabled
[eventtype=linux_collectd_protocols]
performance = enabled
oshost = enabled
[eventtype=linux_collectd_irq]
performance = enabled
oshost = enabled
[eventtype=linux_collectd_tcpconns]
performance = enabled
oshost = enabled
network = enabled
[eventtype=linux_collectd_thermal]
performance = enabled
oshost = enabled
[eventtype=linux_collectd_uptime]
performance = enabled
oshost = enabled
os = enabled
uptime = enabled
# [eventtype=linux_audit_anomalies]
# ids = enabled
# attack = enabled
# alert = enabled
[eventtype=linux_audit_account_change]
change = enabled
account = enabled
[eventtype=linux_audit_authentication]
authentication = enabled
[eventtype=linux_audit_endpoint]
process = enabled
report = enabled
# [eventtype=linux_audit_privileged]
# privileged = enabled
[eventtype=linux_audit_endpoint_services]
service = enabled
report = enabled
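Review bot: With `[eventtype=linux_audit_anomalies]` commented out, `type=ANOM_*` events are never tagged `ids`/`attack`/`alert`, yet the Splunk_TA_linux app.manifest in this same commit declares support for the Alerts and Intrusion Detection common information models; as shipped, those models receive nothing from this add-on. Either uncomment the stanza (and add the field mappings those models expect in props.conf) or drop the two CIM entries from the manifest so consumers are not misled. The commented `[eventtype=linux_audit_privileged]` stanza refers to an eventtype that the eventtypes.conf in this commit does not define; if it is not coming back, remove it rather than leave it as archaeology, otherwise add `# pending: eventtype not yet defined in eventtypes.conf` above it.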

@ -0,0 +1,70 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[http_one_item_field]
# $1 = value[0], $2 = dsnames[0], $3 = type, $4 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $3_$4_$2::$1
WRITE_META = true
[http_one_item_field_no_type_instance]
# $1 = value[0], $2 = dsnames[0], $3 = type
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $3_$2::$1
WRITE_META = true
[http_two_item_fields]
# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type,
# $6 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
WRITE_META = true
[http_two_item_fields_no_type_instance]
# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $5_$3::$1 $5_$4::$2
WRITE_META = true
[http_three_item_fields]
# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
# $6 = dsnames[2], $7 = type, $8 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
WRITE_META = true
[http_three_item_fields_no_type_instance]
# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
# $6 = dsnames[2], $7 = type
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
WRITE_META = true
# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
#[linux_syslog_audit]
#DEST_KEY = MetaData:Sourcetype
#REGEX = type=\S+\s+msg=audit
#FORMAT = sourcetype::linux:audit
[event_id]
REGEX = msg=audit\(([^:]+):(.+)\):
FORMAT = time_stamp::$1 event_id::$2
[op]
REGEX = op=([^=]+)\s+\S+=
FORMAT = op::$1
[subject]
REGEX = subj=([^:]+):([^:]+):([^:]+):(\S+)
FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4
[object]
REGEX = obj=([^:]+):([^:]+):([^:]+):(\S+)
FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4
[res]
REGEX = res=(1|0|success|failed)
FORMAT = res::$1
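Review bot: The `[event_id]` transform captures the id with a greedy `(.+)` terminated by `\):`, so on a record where the text after the audit header also contains `):` — an unquoted path in `cwd=`, a group name, any value that auditd does not hex-encode — the capture runs to the last such occurrence and `event_id` swallows part of the message; `EVAL-signature_id` in props.conf then inherits the garbage, and the trigger is attacker-influenced content. Since the id is the run of characters before the closing paren, restrict it: `REGEX = msg=audit\(([^:]+):([^)]+)\):`. The `[op]` regex `op=([^=]+)\s+\S+=` also depends on another `key=` always following `op=`; a comment such as `# op value ends at the next key=; assumes op is never the last field` would make that assumption visible.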

@ -0,0 +1,7 @@
# Application-level permissions
[]
owner = admin
access = read : [ * ], write : [ admin, sc_admin ]
export = system

@ -0,0 +1,109 @@
{
"version": "1.0",
"date": "2022-11-12T07:31:14.789702366Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 3412,
"version": "2.1.0",
"files": [
{
"path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"hash": "a7fd78cf8a03b74da08c74b7254dba9b281cd064b7ec6426c3f1d40023286a69"
},
{
"path": "README.txt",
"hash": "3e3414a7d245704daea10ea69cea3eade4b69f4d1990d051898696726842a0e0"
},
{
"path": "VERSION",
"hash": "0e7ec8a6cdf156b6322154a30cc6b822575b36fa0c410231d0cf998b315d6c99"
},
{
"path": "app.manifest",
"hash": "921001dc7717a4080b1f7de2a58ecc688e89470754a793b55410bab8f3417a60"
},
{
"path": "default/app.conf",
"hash": "19cb8a0e5fc463929de77ea58ad4a98b0f71b8dca9e618004975dde4896b530b"
},
{
"path": "default/eventtypes.conf",
"hash": "19018d5b39843f06430411b18699c7bbd9b1504dacb1661215e35e4914e9670e"
},
{
"path": "default/props.conf",
"hash": "66a542ac33ef12e5840cfda4a024cf166b49e64c51a8e3f65aea0d16c86c7803"
},
{
"path": "default/tags.conf",
"hash": "1a011c718cf94f28101a18b93b7be8939e12ceef5939c6211203d0c718039cd7"
},
{
"path": "default/transforms.conf",
"hash": "653c460463dfb1833e80371ad1f92dd8799c86cd33151d531b0b81eede37854c"
},
{
"path": "metadata/default.meta",
"hash": "b6453d5bb2430c013ee89b765334cf788f0eddae7b9073fa31eb839eb1885d39"
},
{
"path": "static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIcon_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
}
]
},
"products": [
{
"platform": "splunk",
"product": "enterprise",
"versions": [
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
},
{
"platform": "splunk",
"product": "cloud",
"versions": [
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
}
]
}


@ -0,0 +1,12 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[script:<uniqueName>]
python.version = {default|python|python2|python3}
* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
* Either "default" or "python" select the system-wide default Python version.
* Optional.
* Default: not set; uses the system-wide Python version.
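Review bot: The `python.version` description says "For Splunk 8.0.x and Python scripts only", but the release manifest in this same commit lists Splunk Enterprise and Splunk Cloud 8.1, 8.2 and 9.0 as the supported versions, so the spec text is stale for every platform the package targets. Reword it to the versions actually supported, e.g. `* For Python scripts only, selects which Python version to use (Splunk 8.0 and later).`, and if `python2` is not honoured on the newer platforms, say so here rather than leaving it in the allowed set. I cannot tell from the hunk which of the two add-ons in this commit this spec file belongs to.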

@ -0,0 +1,61 @@
================================================================================
================================================================================
Third-Party Software for splunk-add-on-for-unix-and-linux
--------------------------------------------------------------------------------
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
Date generated: 2023-6-13
Revision ID: 24640f0314996c138e17d8616e40d592c12ea444
================================================================================
================================================================================
================================================================================
Declared License
================================================================================
No declared license found for splunk-add-on-for-unix-and-linux
================================================================================
First Party Licenses
================================================================================
No licenses found
================================================================================
Dependencies
================================================================================
================================================================================
License
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report Generated by FOSSA on 2023-6-13

@ -0,0 +1,66 @@
{
"dependencies": null,
"incompatibleApps": null,
"info": {
"author": [
{
"name": "Splunk",
"email": null,
"company": null
}
],
"classification": {
"categories": [
"IT Operations",
"Utilities"
],
"developmentStatus": "Production/Stable",
"intendedAudience": "IT"
},
"commonInformationModels": {
"Authentication": "==4.20.2",
"Change": "==4.20.2",
"Endpoint": "==4.20.2",
"Inventory": "==4.20.2",
"Network Sessions": "==4.20.2",
"Performance": "==4.20.2"
},
"description": "Splunk Add-on for Unix and Linux",
"id": {
"group": null,
"name": "Splunk_TA_nix",
"version": "8.10.0"
},
"license": {
"name": "Splunk Software License Agreement",
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": "http://www.splunk.com/view/SP-CAAAAFA"
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes"
},
"title": "Splunk Add-on for Unix and Linux"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_forwarders",
"_indexers"
],
"tasks": null
}
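Review bot: `commonInformationModels` pins every model with `==4.20.2`, while the Splunk_TA_linux manifest added in the same commit pins its models to `==5.0.1`; read literally, the two add-ons in this commit cannot both be satisfied by a single installed CIM version. If these entries are informational rather than enforced, that is worth stating in the commit message; if they are enforced, one of the two should declare a range (`>=4.20.2`, or whatever the manifest schema allows) that covers the CIM version you actually deploy against. As in the other manifest, `license.uri` is plain `http://` and should be `https://`.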


@ -0,0 +1,19 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([], function () {
var utils_namespaceFromProperties = function (props) {
return {
owner: props.acl.owner,
app: props.acl.app,
sharing: props.acl.sharing
}
}
return {
utils_namespaceFromProperties: utils_namespaceFromProperties
}
})
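Review bot: `utils_namespaceFromProperties` reads `props.acl.owner`, `props.acl.app` and `props.acl.sharing` with no guard, so an entity whose properties omit `acl`, or a caller passing the wrong object, throws a `TypeError` from inside the collection's `instantiateEntity` rather than from a place that names the problem. If a missing `acl` should be tolerated, `var acl = (props && props.acl) || {}` and reading `acl.owner` etc. keeps the return shape; if it should be fatal, a comment saying the function requires a REST entity with an `acl` block makes the contract explicit. The function also has no doc comment; `// Build a {owner, app, sharing} namespace from a REST entity's acl block` would suffice.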

@ -0,0 +1,54 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([
'splunkjs/ready!', // for splunkjs global
'./common'
], function (mvc, sdkx_common) {
var root = {
Entity: splunkjs.Service.Entity,
Collection: splunkjs.Service.Collection
}
var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
// -------------------------------------------------------------------------
// JS SDK Extension: Monitor Inputs
var Paths = {
monitorInputs: 'data/inputs/monitor'
}
root.MonitorInput = root.Entity.extend({
path: function () {
return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
},
init: function (service, name, namespace) {
this.name = name
this._super(service, this.path(), namespace)
}
})
root.MonitorInputs = root.Collection.extend({
path: function () {
return Paths.monitorInputs
},
instantiateEntity: function (props) {
var entityNamespace = utils_namespaceFromProperties(props)
return new root.MonitorInput(this.service, props.name, entityNamespace)
},
init: function (service, namespace) {
this._super(service, this.path(), namespace)
}
})
// -------------------------------------------------------------------------
return root
})

@ -0,0 +1,68 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
define([
'splunkjs/ready!', // for splunkjs global
'./common'
], function (mvc, sdkx_common) {
var root = {
Entity: splunkjs.Service.Entity,
Collection: splunkjs.Service.Collection
}
var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
// -------------------------------------------------------------------------
// JS SDK Extension: Scripted Inputs
var Paths = {
scriptedInputs: 'data/inputs/script'
}
root.ScriptedInput = root.Entity.extend({
path: function () {
// Approximate path - accepts reads only
// ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FSplunk_TA_nix%2Fbin%2Fcpu.sh
return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
},
init: function (service, name, namespace) {
this.name = name
this._super(service, this.path(), namespace)
},
_load: function (properties) {
this._super(properties)
// HACK: Patch path to be canonical version to enable updates
//
// Canonical path - accepts reads and updates
// ex: data/inputs/script/.%252Fbin%252Fcpu.sh
if (this.state().id) {
this.qualifiedPath = this.state().id.match(/\/servicesNS\/.*$/)[0]
}
}
})
root.ScriptedInputs = root.Collection.extend({
path: function () {
return Paths.scriptedInputs
},
instantiateEntity: function (props) {
var entityNamespace = utils_namespaceFromProperties(props)
return new root.ScriptedInput(this.service, props.name, entityNamespace)
},
init: function (service, namespace) {
this._super(service, this.path(), namespace)
}
})
// -------------------------------------------------------------------------
return root
})
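Review bot: `ScriptedInput.path()` at L883 reads `Paths.monitorInputs`, but this module's `Paths` object (L876–L878) only defines `scriptedInputs`, so every entity path is built as `"undefined/<name>"`; it should be `return Paths.scriptedInputs + '/' + encodeURIComponent(this.name)`. The copy from monitor_inputs.js is probably how this slipped in, and reads only survive because `_load` later overwrites `qualifiedPath` from the server-side id. That patch at L896 presumably assumes the id always contains `/servicesNS/`; if it does not, `.match(...)[0]` throws a TypeError inside the load callback, so a guard such as `var m = this.state().id.match(/\/servicesNS\/.*$/); if (m) { this.qualifiedPath = m[0] }` would fail more gracefully.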

@ -0,0 +1,64 @@
/*
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*/
/* Hide Simple XML dashboard controls: Edit, Export PDF, Print */
.dashboard-view-controls {
display: none !important;
}
#overview {
max-width: 500px;
text-align: justify;
}
.error-box {
display: none;
color: white;
background-color: #d85d3c; /* red */
padding: 0.5em;
margin-bottom: 1em;
}
.input-table th {
text-align: left;
}
.input-table th,
.input-table td {
padding: 0 10px 0 10px;
}
.input-table input[type='radio'] {
margin: 4px; /* override with symmetric margins */
}
.input-table .interval-field {
width: 4em; /* narrower than default */
text-align: right; /* make the numbers line up */
padding: 2px; /* reduce from default of 4 */
height: 30px; /* reduce height */
margin-top: 12.5px; /* inline with index dropdown */
}
#btn-bar {
margin-top: 1em; /* separate from table */
}
#btn-bar #save-btn {
padding-left: 3em;
padding-right: 3em; /* made it wider */
}
#index-selection .splunk-dropdown {
max-width: 50%; /* fix the width of dropdown */
width: 300px; /* default width of dropdown */
margin-left: 0; /* remove left margin for inlinement */
height: 30px; /* reduce height */
}
.table-header {
width: 150px;
}

@ -0,0 +1,314 @@
/*
* SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
* SPDX-License-Identifier: LicenseRef-Splunk-8-2021
*
*/
require([
'splunkjs/ready!',
'splunkjs/mvc/simplexml/ready!',
'underscore',
'jquery',
'../app/Splunk_TA_nix/components/js_sdk_extensions/scripted_inputs',
'../app/Splunk_TA_nix/components/js_sdk_extensions/monitor_inputs'
], function (mvc, ignored, _, $, sdkx_scripted_inputs, sdkx_monitor_inputs) {
var ScriptedInputs = sdkx_scripted_inputs.ScriptedInputs
var MonitorInputs = sdkx_monitor_inputs.MonitorInputs
var service = mvc.createService()
var cleaned_data = {}
// -------------------------------------------------------------------------
// Prerequisite Checks
// Error if running on unrecognized unix
//
service.get('/services/SetupService', cleaned_data, function (err, response) {
if (err) {
console.error('Problem fetching data', err)
} else if (response.status === 200) {
var isRecognizedUnix = JSON.parse(response.data)
if (!isRecognizedUnix) {
$('#not-unix-error').show()
$('#save-btn').addClass('disabled')
}
} else {
console.error('Problem checking whether splunkweb is running on Unix.')
}
})
// -------------------------------------------------------------------------
// Populate Tables
var INPUT_ROW_TEMPLATE = _.template(
'<tr class="input" data-fullname="<%- fullname %>">\n' +
' <td><%- name %></td>\n' +
' <td><input class="enable-btn" type="radio" name="<%- name %>" <% if (enabled) { %>checked="checked"<% } %> /></td>\n' +
' <td><input class="disable-btn" type="radio" name="<%- name %>" <% if (!enabled) { %>checked="checked"<% } %> /></td>\n' +
'<% if (interval != -1) { %>\n' +
' <td><input class="interval-field" type="number" value="<%- interval %>" /></td>\n' +
'<% } %>\n' +
'<% if (index != -1) { %>\n' +
' <% if (index == "") { %>\n' +
' <td>' +
' <splunk-search-dropdown name="metric_index_selector" id="index-selection" label-field="title" value-field="title" search="| rest services/data/indexes datatype=metric | dedup title | search title!=_* | table title"/>' +
' </td>\n' +
' <% }else { %>\n' +
' <td>' +
' <splunk-search-dropdown name="metric_index_selector" id="index-selection" label-field="title" value-field="title" value="<%- index %>" search="| rest services/data/indexes datatype=metric | dedup title | search title!=_* | table title"/>' +
' </td>\n' +
' <% } %>\n' +
'<% } %>\n' +
'</tr>\n'
)
// Populate monitor input table
var monitorInputs = {}
new MonitorInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
return input.namespace.app === 'Splunk_TA_nix'
})
_.each(inputsList, function (input) {
$('#monitor-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name,
enabled: !input.properties().disabled,
interval: -1,
index: -1
})
)
)
monitorInputs[input.name] = input
})
})
// Populate scripted Event inputs table
var scriptedMetricInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
var input_name = input.name
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] === 'metric.sh'
)
})
_.each(inputsList, function (input) {
$('#scripted-metric-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name.substring(input.name.lastIndexOf('/') + 1),
enabled: !input.properties().disabled,
interval: input.properties().interval,
index:
input.properties().index === 'default'
? ''
: input.properties().index
})
)
)
scriptedMetricInputs[input.name] = input
})
})
// Populate scripted Event inputs table
var scriptedEventInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
var input_name = input.name
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] !== 'metric.sh'
)
})
_.each(inputsList, function (input) {
$('#scripted-event-input-table').append(
$(
INPUT_ROW_TEMPLATE({
fullname: input.name,
name: input.name.substring(input.name.lastIndexOf('/') + 1),
enabled: !input.properties().disabled,
interval: input.properties().interval,
index: -1
})
)
)
scriptedEventInputs[input.name] = input
})
})
// -------------------------------------------------------------------------
// Buttons
// Enable All button
$('.enable-all-btn').click(function (e) {
e.preventDefault()
var table = $(e.target).closest('.input-table')
$('.input .enable-btn', table).prop('checked', true)
})
// Disable All button
$('.disable-all-btn').click(function (e) {
e.preventDefault()
var table = $(e.target).closest('.input-table')
$('.input .disable-btn', table).prop('checked', true)
})
// Save button
$('#save-btn').click(function (e) {
e.preventDefault()
if ($('#save-btn').hasClass('disabled')) {
return
}
var savesPending = 0
var saveErrors = []
// Save monitor inputs
_.each($('#monitor-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var input = monitorInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled
},
saveDone
)
})
var invalidIndex = 0 // invalid index flag
var invalidInterval = 0 // invalid interval flag
var numbers = /^[0-9]+$/
// Save scripted Metric inputs
_.each($('#scripted-metric-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var interval = $('.interval-field', inputElem).val()
var index = $('#index-selection', inputElem)[0].innerText
// Handling internationalization transalation due to ticket ADDON-30736
if (
index.includes('...') ||
index.includes('Search produced no results.')
) {
index = enabled === true ? index : '' // Setting index="" if input is disable, so it allows to save.
if (enabled) {
invalidIndex = 1
}
}
if (!interval.match(numbers)) {
// Check for the interval, Interval must contain only numeric values
if (interval.charAt(0) === '-' || interval.includes('.')) {
interval = 'invalid'
}
invalidInterval = 1
}
var input = scriptedMetricInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled,
interval: interval,
index: index
},
saveDone
)
})
// Save scripted Event inputs
_.each($('#scripted-event-input-table .input'), function (inputElem) {
var fullname = $(inputElem).data('fullname')
var enabled = $('.enable-btn', inputElem).prop('checked')
var interval = $('.interval-field', inputElem).val()
if (!interval.match(numbers)) {
if (interval.charAt(0) === '-' || interval.includes('.')) {
interval = 'invalid'
}
invalidInterval = 1
}
var input = scriptedEventInputs[fullname]
savesPending += 1
input.update(
{
disabled: !enabled,
interval: interval
},
saveDone
)
})
//Set is_configured=true in app.conf
service.post('/services/SetupService', cleaned_data, function (
err,
response
) {
if (err) {
console.log('Error saving configuration in app.conf')
}
})
// After saves are completed...
function saveDone (err) {
$('#index-not-selected-error').hide()
$('#generic-save-error').hide()
$('#invalid-interval-error').hide()
if (err) {
saveErrors.push(err)
}
savesPending -= 1
if (savesPending > 0) {
return
}
if (saveErrors.length === 0) {
// Save successful. Provide feedback in form of page reload.
window.location.reload()
} else {
// invalid index or interval failure
if (invalidIndex || invalidInterval) {
if (invalidInterval) {
invalidInterval = 0
// invalid interval failure
$('#invalid-interval-error').show()
}
if (invalidIndex) {
invalidIndex = 0
// invalid index failure
$('#index-not-selected-error').show()
}
} else {
// Unexpected failure.
$('#generic-save-error').show()
}
// (Allow Support to debug if necessary.)
console.log('Errors while saving inputs:')
console.log(saveErrors)
}
}
})
})
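Review bot: The three `fetch` callbacks at L1034, L1059 and L1093 never look at `err`, so when the REST call fails `inputs` is not a collection and `inputs.list()` throws inside the callback, leaving the table empty with no diagnostic; each should start with `if (err) { console.error('Problem fetching inputs', err); return }`. The save handler posts to `/services/SetupService` at L1212 before any of the `update` calls have completed, so `is_configured` is set even when every save fails; moving that post into `saveDone` under the `saveErrors.length === 0` branch (L1232) would tie the flag to an actual successful save. The index check at L1161–L1171 reads the dropdown's rendered `innerText` and recognises failure by matching UI strings, which breaks under translation as the ADDON-30736 comment already hints; reading the component's selected value would be more robust, assuming the dropdown exposes one. Note also that `id="index-selection"` is emitted once per row by the template (L1018, L1022), so the id is duplicated when more than one metric input exists and the `[0]` lookup depends on jQuery scoping to `inputElem`.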

@ -0,0 +1,92 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%s %s %s %s %s\n", Name, rxPackets_PS, txPackets_PS, rxKB_PS, txKB_PS}'
# Note: For FreeBSD, bsdsar package needs to be installed. Output matches linux equivalent
if [ "$KERNEL" = "Linux" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_10" = "true" ] ; then
CMD='netstat -i 1 2'
FILTER='(NR==2||NR==3){next}'
# shellcheck disable=SC2016
EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}'
# shellcheck disable=SC2016
EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "<n/a>","<n/a>"; }}'
PRINTF=''
FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS"
elif [ "$SOLARIS_11" = "true" ] ; then
if ! dlstat 1 1 > /dev/null 2>&1 ; then
CMD='netstat -i 1 2'
FILTER='(NR==2||NR==3){next}'
# shellcheck disable=SC2016
EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}'
# shellcheck disable=SC2016
EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "<n/a>","<n/a>"; }}'
PRINTF=''
FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS"
else
CMD='dlstat 1 2'
FILTER='(NR==1||NR==2){next}'
# shellcheck disable=SC2016
FORMAT='
function to_kbps(KBPS_param){
if(KBPS_param ~ /[Kk]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param); }
else if(KBPS_param ~ /[Gg]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024*1024); }
else if(KBPS_param ~ /[Mm]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024); }
sub(/[a-zA-Z]/,"",KBPS_param); return(KBPS_param/1024);
}
{Name=$1; rxPackets_PS=$2; txPackets_PS=$4; rxKB_PS=to_kbps($3); txKB_PS=to_kbps($5);}'
fi
else
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 ~ "Time|sar| lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$5; txPackets_PS=$6; rxKB_PS=$3; txKB_PS=$4}'
fi
elif [ "$KERNEL" = "AIX" ] ; then
# Sample output: http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.performance/nestat_in.htm
CMD='eval netstat -i -Z; sleep 1; netstat -in'
# shellcheck disable=SC2016
FILTER='($0 ~ "Name|sar|lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324
CMD='netstat -i 1 2'
# shellcheck disable=SC2016
FILTER='($0 ~ "Name|sar| lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS=?; txKB_PS=?}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}'
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
# jscpd:ignore-end
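Review bot: The HP-UX `FORMAT` at L1336 assigns a bare `?` (`rxKB_PS=?; txKB_PS=?`), which awk parses as an unfinished ternary operator and rejects as a syntax error, so the input produces no rows on HP-UX; the AIX branch at L1323 shows the intended form, `FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'`. The Solaris 10 and Solaris 11/no-dlstat branches (L1278–L1286 and L1288–L1296) are byte-identical and could share one block, which the `jscpd:ignore` markers suggest the author already knows. If `$KERNEL` matches none of the branches, `CMD` is empty and `assertHaveCommand ""` at L1344 fails with an unhelpful message; a trailing `else failUnsupportedScript` would make the unsupported case explicit.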

@ -0,0 +1,138 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1000-SC9999 # Reason: This script is used in all the scripts and any change in this script would require a higher effort in testing all the scripts. Hence ignoring whole file.
# # # we don't want to point OS's utilities -- e.g. ntpdate(1) -- to libraries which Splunk bundles in SPLUNK_HOME/lib/
unset LD_PRELOAD LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH
# # # NIX-203 - set LANG env variable set to en_US to avoid parsing problems in other locales
EngLocale=`locale -a | grep -i "en_US.utf"`
if [ ! -z "$EngLocale" ]; then
LANG=`echo $EngLocale | awk 'NR==1 {printf $1}'`
export LANG
fi
# # # are we in debug mode?
if [ $# -ge 1 -a "x$1" = "x--debug" ] ; then
DEBUG=1
TEE_DEST=`dirname $0`/debug--`basename $0`--`date | sed 's/ /_/g;s/:/-/g'`
else
DEBUG=0
TEE_DEST=/dev/null
fi
DMESG_FILE=/var/log/dmesg
OS_FILE=/etc/os-release
# # # what OS is this?
KERNEL=`uname -s`
# # # what is the Kernel version?
KERNEL_RELEASE=`uname -r`
# # # assert we are in a supported OS
AWK=awk
case "x$KERNEL" in
"xLinux")
if [ -e $OS_FILE ]; then
UBUNTU_MAJOR_VERSION=`awk -F'[".]' '/VERSION_ID=/ {print $2} ' $OS_FILE`;
else
UBUNTU_MAJOR_VERSION="";
echo "$OS_FILE does not exist. UBUNTU_MAJOR_VERSION will be empty." > $TEE_DEST
fi
# # # enable check for OS versions, if needed later
if [ -e /etc/debian_version ]; then DEBIAN=true; else DEBIAN=false; fi
# # # /sbin/ is often absent in non-root users' PATH, and we want it for ifconfig(8)
PATH=$PATH:/sbin/
;;
"xSunOS")
# # # enable check for OS versions, if needed later
if [ `uname -r` = "5.8" ]; then SOLARIS_8=true; else SOLARIS_8=false; fi
if [ `uname -r` = "5.9" ]; then SOLARIS_9=true; else SOLARIS_9=false; fi
if [ `uname -r` = "5.10" ]; then SOLARIS_10=true; else SOLARIS_10=false; fi
if [ `uname -r` = "5.11" ]; then SOLARIS_11=true; else SOLARIS_11=false; fi
# # # eschew the antedeluvial awk
AWK=nawk
;;
"xDarwin")
OSX_MINOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^.]+\.([0-9]+)(\.[^.])?$/\1/p'`
OSX_MAJOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^0-9]+([0-9]+)\.[0-9]+(\.[^.]+)?$/\1/p'`
# OSX_GE_SNOW_LEOPARD is for backward compatiblity.
# Recommend that new code just use $OSX_MINOR_VERSION directly.
if [ "$OSX_MAJOR_VERSION" == 10 ] && [ "$OSX_MINOR_VERSION" -ge 6 ]; then
OSX_GE_SNOW_LEOPARD=true;
else
OSX_GE_SNOW_LEOPARD=false;
fi
;;
"xFreeBSD")
;;
"xAIX")
;;
"xHP-UX")
;;
*)
echo "UNIX flavor [$KERNEL] unsupported for Splunk *NIX App, quitting" > $TEE_DEST
exit 1
;;
esac
# # # check for presence of required commands; we do not assume that which(1) exists, and roll our own
queryHaveCommand () # returns 0 if found, 1 if not
{
[ "x$1" = "xeval" ] && shift
for directory in `echo $PATH | sed 's/:/ /g'`
do
[ -x $directory/$1 ] && return 0
done
return 1
}
failLackCommand ()
{
echo "Not found command [$1] on this host, quitting" > $TEE_DEST
exit 1
}
failLackMultipleCommands ()
{
echo "Not found any of commands [$*] on this host, quitting" > $TEE_DEST
exit 1
}
assertHaveCommand ()
{
queryHaveCommand $1
if [ $? -eq 1 ] ; then
failLackCommand $1
fi
}
assertHaveCommandGivenPath ()
{
[ "x$1" = "xeval" ] && shift
[ -x $1 ] && return
echo "Not found commandGivenPath [$1] on this host, quitting" > $TEE_DEST
exit 1
}
failUnsupportedScript ()
{
echo "UNIX flavor [$KERNEL] unsupported for this script, quitting" > $TEE_DEST
exit 0
}
assertInvokerIsSuperuser ()
{
[ `id -u` -eq 0 ] && return
echo "Must be superuser to run this script, quitting" > $TEE_DEST
exit 1
}
# # # check for presence of a few basic commands ubiquitous in our scripts
assertHaveCommand $AWK
assertHaveCommand egrep
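Review bot: Every diagnostic in this file (L1384, L1418, L1434, L1439, L1453, L1458, L1464) is redirected to `$TEE_DEST`, which is `/dev/null` unless `--debug` was passed (L1368), so in normal operation "command not found" and "unsupported flavor" exits leave no trace beyond a non-zero status; writing them to stderr as well, e.g. `echo "Not found command [$1] on this host, quitting" | tee -a "$TEE_DEST" >&2`, would surface them in splunkd's captured script output. `[ "$OSX_MAJOR_VERSION" == 10 ]` at L1405 uses `==`, which POSIX `test` does not define; `=` works everywhere this `#!/bin/sh` script may run. In `queryHaveCommand` the test `[ -x $directory/$1 ]` at L1428 is unquoted, so a PATH entry or command containing whitespace breaks the test; `[ -x "$directory/$1" ]` is the safe form. The file-wide `shellcheck disable=SC1000-SC9999` at L1353 hides all of these; a narrower list of the specific codes being waived would be more honest.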

@ -0,0 +1,184 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
queryHaveCommand mpstat
FOUND_MPSTAT=$?
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}'
else
failLackMultipleCommands sar mpstat
fi
# shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else
CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}'
elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat
queryHaveCommand lparstat
FOUND_MPSTAT=$?
FOUND_LPARSTAT=$?
if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then
# Get extra fields from lparstat
COUNT=$(lparstat | grep " app" | wc -l)
if [ $COUNT -gt 0 ] ; then
# Fetch value from "app" column of lparstat output
FETCH_APP_COL_NUM='BEGIN {app_col_num = 8}
{
if($0 ~ /System configuration|^$/) {next}
if($0 ~ / app/)
{
for(i=1; i<=NF; i++)
{
if($i == "app")
{
app_col_num = i;
break;
}
}
print app_col_num;
exit 0;
}
}'
APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM")
CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}')
else
CPUPool=0
fi
# Fetch other required fields from lparstat output
OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}')
EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}')
DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1'
# shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
{
if($0 ~ /System configuration|^$/) {next}
if(flag == 1)
{
# Prepend extra field values from lparstat
for(i=NF+4; i>=4; i--)
{
$i = $(i-3);
}
if($0 ~ /ALL/)
{
$1 = CPUPool;
$2 = OnlineVirtualCPUs;
$3 = EntitledCapacity;
}
else
{
$1 = "-";
$2 = "-";
$3 = "-";
}
}
if($0 ~ /cpu /)
{
# Prepend extra field headers from lparstat
for(i=NF+4; i>=4; i--)
{
$i = $(i-3);
}
$1 = "CPUPool";
$2 = "OnlineVirtualCPUs";
$3 = "EntitledCapacity";
flag = 1;
}
for(i=1; i<=NF; i++)
{
printf "%17s ", $i;
}
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}'
# top command here is used to get a single instance of cpu metrics
CMD='top -l 1'
assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") {next;}'
# FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") { next; }'
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
if ($1 == "CPU:") {
cpu = "all";
} else {
cpu = remove_char($2, ":");
}
}
{
pctUser = remove_char($(NF-9), "%");
pctNice = remove_char($(NF-7), "%");
pctSystem = remove_char($(NF-5), "%");
pctIdle = remove_char($(NF-1), "%");
pctIowait = "0.0";
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k)}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
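Review bot: In the AIX branch at L1510–L1513 both `FOUND_MPSTAT=$?` and `FOUND_LPARSTAT=$?` are read after `queryHaveCommand lparstat`, so both hold lparstat's status and the mpstat check is lost; capture each status directly after its call, as the Linux branch does at L1481–L1484 (`queryHaveCommand mpstat`, then `FOUND_MPSTAT=$?`, then the lparstat pair). The same pattern appears in cpu_metric.sh at L1698–L1701. When that `if` at L1514 is false, or when `sar` is absent on HP-UX (L1642–L1644), `CMD` stays empty and L1590/L1649 run an empty pipeline that silently emits nothing; an `else failLackMultipleCommands mpstat lparstat` and `else failLackCommand sar` would report the missing tool instead.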

@ -0,0 +1,211 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
queryHaveCommand mpstat
FOUND_MPSTAT=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ $FOUND_MPSTAT -eq 0 ] ; then
CMD='mpstat -P ALL 1 1'
# shellcheck disable=SC2016
FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
else
failLackMultipleCommands sar mpstat
fi
# shellcheck disable=SC2016
FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}'
elif [ "$KERNEL" = "SunOS" ] ; then
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r'
else
CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r'
fi
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1=="CPU") {exit 1}'
# shellcheck disable=SC2016
FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
elif [ "$KERNEL" = "AIX" ] ; then
queryHaveCommand mpstat
queryHaveCommand lparstat
FOUND_MPSTAT=$?
FOUND_LPARSTAT=$?
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then
# Get extra fields from lparstat
COUNT=$(lparstat | grep " app" | wc -l)
if [ $COUNT -gt 0 ] ; then
# Fetch value from "app" column of lparstat output
FETCH_APP_COL_NUM='BEGIN {app_col_num = 8}
{
if($0 ~ /System configuration|^$/) {next}
if($0 ~ / app/)
{
for(i=1; i<=NF; i++)
{
if($i == "app")
{
app_col_num = i;
break;
}
}
print app_col_num;
exit 0;
}
}'
APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM")
CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}')
else
CPUPool=0
fi
# Fetch other required fields from lparstat output
OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}')
EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}')
DEFINE_LPARSTAT_FIELDS="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity"
# Get cpu stats using mpstat command and manipulate the output for adding extra fields
CMD='mpstat -a 1 1'
# shellcheck disable=SC2016
FORMAT='BEGIN {flag = 0}
{
if($0 ~ /System configuration|^$/) {next}
if(flag == 1)
{
for(i=NF+7; i>=7; i--)
{
$i = $(i-6);
}
# Prepend OSName, OS_version, IP_address values
$1 = OSName;
$2 = OSVersion/1000;
$3 = IP_address;
# Prepend lparstat field values
if($0 ~ /ALL/)
{
$4 = CPUPool;
$5 = OnlineVirtualCPUs;
$6 = EntitledCapacity;
}
else
{
$4 = "-";
$5 = "-";
$6 = "-";
}
}
if($0 ~ /cpu /)
{
for(i=NF+7; i>=7; i--)
{
$i = $(i-6);
}
# Prepend OSName, OS_version, IP_address headers
$1 = "OSName";
$2 = "OS_version";
$3 = "IP_address";
# Prepend lparstat field headers
$4 = "CPUPool";
$5 = "OnlineVirtualCPUs";
$6 = "EntitledCapacity";
flag = 1;
}
for(i=1; i<=NF; i++)
{
printf "%17s ", $i;
}
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS"
echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}'
# top command here is used to get a single instance of cpu metrics
CMD='top -l 1'
assertHaveCommand "$CMD"
# FILTER here skips all the rows that doesn't match "CPU".
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") {next;}'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# FORMAT here removes '%'in the end of the metrics.
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
cpu="all";
pctUser = remove_char($3, "%");
pctSystem = remove_char($5, "%");
pctIdle = remove_char($7, "%");
OSName=OSName;
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='eval top -P -d2 c; top -d2 c'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($1 !~ "CPU") { next; }'
# shellcheck disable=SC2016
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FORMAT='function remove_char(string, char_to_remove) {
sub(char_to_remove, "", string);
return string;
}
{
if ($1 == "CPU:") {
cpu = "all";
} else {
cpu = remove_char($2, ":");
}
}
{
pctUser = remove_char($(NF-9), "%");
pctNice = remove_char($(NF-7), "%");
pctSystem = remove_char($(NF-5), "%");
pctIdle = remove_char($(NF-1), "%");
pctIowait = "0.0";
OSName=OSName;
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
queryHaveCommand sar
FOUND_SAR=$?
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -M 1 1 ALL'
fi
FILTER='/HP-UX|^$|%/ {next}'
# shellcheck disable=SC2016
FORMAT='{k=0; if(5<NF) k=1} {cpu=$(1+k); pctUser=$(2+k); pctNice="0"; pctSystem=$(3+k); pctIowait=$(4+k); pctIdle=$(5+k); OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
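Review bot: The AIX `DEFINE` at L1702 passes the version as `OSVersion`, while every other branch and `FILL_DIMENSIONS` at L1661 use `OS_version`; because the AIX path prints `$2 = OSVersion/1000` at L1748, an empty `oslevel` result yields `0` rather than the `?` placeholder the other platforms produce, and the header emitted at L1772 still says `OS_version`. Renaming to `-v OS_version=$(oslevel -r | cut -d'-' -f1)` and `$2 = OS_version/1000;` would keep the dimension name consistent across the script. The `$?` capture order at L1698–L1701 has the same defect raised for cpu.sh. The Linux `DEFINE` at L1668/L1670 embeds unquoted command substitutions and is expanded unquoted again at L1857 (the `SC2086` waiver at L1856 acknowledges this), so the `tr ' ' '_'` on `OSName` is what keeps `-v` assignments from splitting; `OS_version` and `IP_address` get no such treatment, which is presumably fine for their expected formats but worth a comment.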

@ -0,0 +1,318 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# jscpd:ignore-start
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
CMD='df -h --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("Mounted on","MountedOn",$0);
}
match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a);
if (length(a) != 0)
{ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1],a[2],a[3],a[4],a[5],a[6],a[7],a[8],a[9],a[10],a[11];}
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD_1='eval /usr/bin/df -n ; /usr/bin/df -g'
CMD_2='/usr/bin/df -h'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files"
# shellcheck disable=SC2016
INODE_FILTER='
/^\// {key=$1}
{
for(i=1;i<=NF;i++)
{
if($i == "total" && $(i+1) == "files")
{
inodes=$(i-1)
}
if($i == "free" && $(i+1) == "files")
{
ifree=$(i-1)
}
}
}
{if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}'
CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}"
FILTER_PRE='/libc_psr/ {next}'
#Maps fsType and inode info from the output of INODE_FILTER
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
#Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="IUsed";
$(NF+1)="IFree";
$(NF+1)="IUsePct";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol];
$(NF+1)=MoIFree["INODE:"$mountedCol];
if(MoInodes["INODE:"$mountedCol]>0)
{
$(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol])"%";
}
else
{
$(NF+1)="0";
}
print $0;
}
}
}'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m'
# Normalize Size, Used and Avail columns
# shellcheck disable=SC2016
NORMALIZE='
function fromKB(KB) {
MB = KB/1024;
if (MB<1024) return MB "M";
GB = MB/1024;
if (GB<1024) return GB "G";
TB = GB/1024; return TB "T"
}
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="1024-blocks") {sizeCol=i; sizeFlag=1;}
if($i=="Used") {usedCol=i; usedFlag=1;}
if($i=="Available") {availCol=i; availFlag=1;}
}
}
if(!($0 ~ /^Filesystem.*/) && sizeFlag==1)
$sizeCol=fromKB($sizeCol);
if(!($0 ~ /^Filesystem.*/) && usedFlag==1)
$usedCol=fromKB($usedCol);
if(!($0 ~ /^Filesystem.*/) && availFlag==1)
$availCol=fromKB($availCol);
}'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%Iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="Iused") iusedCol=i;
if($i=="Ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand df
assertHaveCommand fstyp
CMD='df -Pk'
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}'
# shellcheck disable=SC2016
HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tMountedOn'
# shellcheck disable=SC2016
HEADERIZE='/^Filesystem/ {print header; next}'
# shellcheck disable=SC2016
FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; $6=usePct; $7=mountedOn}'
# shellcheck disable=SC2016
FILTER_POST='($2 ~ /^(tmpfs)$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -h -T nocddafs,autofs,devfs,fdesc,nfs'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
}'
fi
# jscpd:ignore-end
$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
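Review bot: In the HP-UX branch, `MAP_FS_TO_TYPE` builds the `fstyp` command by concatenating the raw first field of each `df -Pk` line and hands it to the shell through awk's `cmd | getline`, so a device or remote-filesystem spec containing shell metacharacters would be parsed as shell syntax rather than as a file name, and when `fstyp` fails the variable `ft` silently keeps the previous line's type. Restricting the argument to a conservative character set and resetting the variable addresses both: `MAP_FS_TO_TYPE='{ft=""; if ($1 ~ /^[A-Za-z0-9_.:\/-]+$/) {c="fstyp " $1; c | getline ft; close(c)}}'`. The same construct appears in the next hunk's HP-UX branch. Separately, the Linux branch's three-argument `match($0, re, a)` is a gawk extension; whether that is safe depends on what `common.sh` assigns to `$AWK`, which is outside this hunk.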

@ -0,0 +1,364 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2016
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(IPv6_Address) || IPv6_Address = "?"}'
# jscpd:ignore-start
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
BEGIN='BEGIN { OFS = "\t" }'
FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
function rem_pcent(val)
{
if(substr(val, length(val), 1)=="%")
{val=substr(val, 1, length(val)-1); return val}
}
{
if($0 ~ /^Filesystem.*/){
sub("Mounted on","MountedOn",$0);
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a);
if (length(a) != 0)
{ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1], a[2], a[3], a[4], a[5], rem_pcent(a[6]), a[7], a[8], a[9], rem_pcent(a[10]), a[11], OSName, OS_version, IP_address, IPv6_Address}
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD_1='eval /usr/bin/df -n; /usr/bin/df -g'
CMD_2='/usr/bin/df -k'
#Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files"
# shellcheck disable=SC2016
INODE_FILTER='
/^\// {key=$1}
{
for(i=1;i<=NF;i++)
{
if($i == "total" && $(i+1) == "files")
{
inodes=$(i-1)
}
if($i == "free" && $(i+1) == "files")
{
ifree=$(i-1)
}
}
}
{if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}'
CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
FILTER_PRE='/libc_psr/ {next}'
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType and inode info from the output of INODE_FILTER
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
#Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
for(i=1;i<=NF;i++){
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="IUsed";
$(NF+1)="IFree";
$(NF+1)="IUsePct";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol];
$(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol];
$(NF+1)=MoIFree["INODE:"$mountedCol];
if(MoInodes["INODE:"$mountedCol]>0)
{
$(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol]);
}
else
{
$(NF+1)="0";
}
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/bin/df
CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/: / {
for(i=1;i<=NF;i++){
if($i ~ /^\/.*/)
keyCol=i;
else if($i ~ /[a-zA-Z0-9]/)
valueCol=i;
}
if($keyCol ~ /^\/.*:/)
fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol;
else
fsTypes[$keyCol]=$valueCol;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%Iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="Iused") iusedCol=i;
if($i=="Ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
OS_version=OSVersion/1000;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand df
assertHaveCommand fstyp
CMD='df -Pk'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tOSName\tOS_version\tIP_address\tMountedOn'
# shellcheck disable=SC2016
HEADERIZE='/^Filesystem/ {print header; next}'
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}'
# shellcheck disable=SC2016
FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; if(substr(usePct,length(usePct),1)=="%") $6=substr(usePct, 1, length(usePct)-1); else $6=usePct; $7=mountedOn; OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
FILTER_POST='($2 ~ /^(tmpfs)$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -k -T nocddafs,autofs,devfs,fdesc,nfs'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ik -t nodevfs,nonfs,noswap,nocd9660'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
}
}'
fi
# jscpd:ignore-end
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
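Review bot: The HP-UX branch's `FORMAT` rewrites the six `df -Pk` fields into `$1`–`$7` with the mount point in `$7`, but `PRINTF` then prints `$7` under the `INodes` header and an empty `$11` under `MountedOn`, so unless HP-UX `df -Pk` emits more than six columns here the mount point lands in the wrong column and the last column is blank, while the inode slots `$8`–`$10` are never populated. Keeping the mount point last and leaving the inode slots explicitly empty makes the existing `PRINTF` correct: replace `$7=mountedOn;` with `$7=""; $8=""; $9=""; $10=""; $11=mountedOn;`. The previous hunk's HP-UX `FORMAT`/`PRINTF` pair has the same layout. This branch's `HEADER` and `PRINTF` also omit the `IPv6_Address` column that every other branch emits, so consumers receive a different schema on HP-UX even though `FILL_DIMENSIONS` still defaults the variable.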

@ -0,0 +1,193 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2016
FORMAT='{key = $1; if (NF == 1) {value = "<notAvailable>"} else {value = $2; for (i=3; i <= NF; i++) value = value " " $i}}'
PRINTF='{printf("%-20s %-s\n", key, value)}'
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand dmesg
queryHaveCommand ip
FOUND_IP=$?
# CPUs
CPU_TYPE=$(awk -F: '/model name/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_CACHE=$(awk -F: '/cache size/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_COUNT=$(grep -c processor /proc/cpuinfo 2>>"$TEE_DEST")
# HDs
# shellcheck disable=SC2010
for deviceBasename in $(ls /sys/block | grep -E -v '^(dm|md|ram|sr|loop)')
do
DEVICE="/sys/block/$deviceBasename" HARD_DRIVES="$HARD_DRIVES $deviceBasename"
if [ -e "$DEVICE"/device/model ] ; then HARD_DRIVES="$HARD_DRIVES ($(sed 's/ *$//' "$DEVICE"/device/model))"; fi
if [ -e "$DEVICE"/size ] ; then HARD_DRIVES="$HARD_DRIVES $((($(cat "$DEVICE"/size)*512)/(1024*1024*1024))) GB; "; fi
done
# NICs
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
NIC_TYPE=$(cat "$DMESG_FILE"* | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}')
else
NIC_TYPE=$(dmesg | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}')
fi
if [ $FOUND_IP -eq 0 ]; then
NIC_COUNT=$(ip a | awk '!length() || $2 ~/lo/ || /^ / {next} {ct++} END {print ct}')
else
assertHaveCommand ifconfig
NIC_COUNT=$(ifconfig | awk '!length() || /^( |lo)/ {next} {ct++} END {print ct}')
fi
# memory
MEMORY_REAL=$(awk -F: '/MemTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST")
MEMORY_SWAP=$(awk -F: '/SwapTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST")
elif [ "$KERNEL" = "SunOS" ] ; then
UNAME_PLATFORM=$(uname -i)
assertHaveCommand mpstat
assertHaveCommand iostat
assertHaveCommand dmesg
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommandGivenPath /usr/sbin/swap
# CPUs and NIC count
if [ -x /usr/sbin/prtdiag ] ; then
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" CPU socket #$", "", $0); print $0; exit}')
else
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); print $0; exit}')
fi
NIC_COUNT=$(/usr/sbin/prtdiag | grep -c NIC)
elif [ -x /usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag ]; then
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); print $0; exit}')
NIC_COUNT=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | grep -c NIC)
else
echo "Not found commandGivenPath [ /usr/sbin/prtdiag or /usr/platform/$UNAME_PLATFORM/sbin/prtdiag ] on this host, quitting" >> "$TEE_DEST"
exit 1
fi
# shellcheck disable=SC2016
CPU_CACHE=$(/usr/sbin/prtconf -v | $AWK 'function hexToDecKB (hex, digitsAll, idx, curDigit, dec) {sub("^value=", "", hex); for (idx=1; idx<=length(hex); idx++) {curDigit = index("0123456789abcdef", substr(hex,idx,1)); dec=(16*dec)+curDigit-1} if (debug) printf "hexToDec:%s->%d ", hex, dec; dec /= 1024; return dec} BEGIN {L2=L1i=L1d=0} (L2) {strL2=$1; L2=0} /l2-cache-size/ {L2=1} (L1i) {strL1i=$1; L1i=0} /l1-icache-size/ {L1i=1} (L1d) {strL1d=$1; L1d=0} /l1-dcache-size/ {L1d=1} END {if (debug) printf "strL2:%s strL1i:%s strL1d:%s ", strL2, strL1i, strL1d; nL2=hexToDecKB(strL2); nL1=hexToDecKB(strL1i)+hexToDecKB(strL1d); printf "L1:%dKB L2:%dKB", nL1, nL2}' debug="$DEBUG")
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
CPU_COUNT=$(mpstat | grep -cv CPU)
else
CPU_COUNT=$(mpstat -q | grep -cv CPU)
fi
# # # that gives # of cores; `/usr/sbin/psrinfo -p` gives # of chips
# HDs
# shellcheck disable=SC2016
HARD_DRIVES=$(iostat -E | $AWK '/Soft Errors:/ {name=$1} /^Vendor:/ {info = $2 " " $4} /^Size:/ {sizeGB=0+$2; if (sizeGB>0) drives[name]=info " " $2} END {for (d in drives) printf("%s %s; ", d, drives[d])}')
# NICs
NIC_TYPE=$(dmesg | grep 'mac address' | sed -n 's/^.*] [a-z]*[0-9]*: //;s/mac address .*$//;p' | uniq)
# memory
MEMORY_REAL=$(/usr/sbin/prtconf | awk '/^Memory size:/ {print $3 " MB"; exit}')
# shellcheck disable=SC2016
MEMORY_SWAP=$(/usr/sbin/swap -s | $AWK '{used=0+$(NF-3); free=0+$(NF-1); total=(used+free)/1024; print int(total) " MB"}')
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommandGivenPath /usr/sbin/lsattr
assertHaveCommandGivenPath /usr/sbin/lsdev
assertHaveCommandGivenPath /usr/sbin/lscfg
assertHaveCommandGivenPath /usr/sbin/lspv
assertHaveCommandGivenPath /usr/sbin/lsps
# CPUs
# shellcheck disable=SC2016
CPU_TYPE=$(/usr/sbin/prtconf | $AWK -F: '/^Processor Type:/{type=$2} /^Processor Clock Speed:/ {clock=$2}END {printf("%s %s",type,clock)}')
# shellcheck disable=SC2016
CPU_CACHE=$(/usr/sbin/lsattr -EHl L2cache0 | $AWK '/^size/{print "L2:" $2 " KB" }')
CPU_COUNT=$(/usr/sbin/lsdev -Cc processor | grep -c proc)
# HDs
HDD_NAME=$(/usr/sbin/lsdev -Cc disk | awk '{print $1}')
HARD_DRIVES=""
for disk in $HDD_NAME
do
# shellcheck disable=SC2016
HARD_INFO=$(/usr/sbin/lscfg -vpl "$disk" | $AWK -F . '/Manufacturer/ {name = $NF } /Machine Type and Model/ {info = $(NF)} END {printf("%s %s", name, info)}')
ACTIVE_STATUS=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $NF}')
VOLUME_GROUP=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $3}')
if [ "${ACTIVE_STATUS}" != "active" ] || [ "${VOLUME_GROUP}" = "None" ]; then # lspv cannot get disk-size as disk is inactive or not in any volume group
HARD_MB=$(getconf DISK_SIZE /dev/"$disk")" MB"
else
HARD_MB=$(/usr/sbin/lspv -L "$disk" | awk -F \( '{print $2}'| awk '/VG DESCRIPTORS/{print $1" MB"}')
fi
HARD_DRIVES="$HARD_DRIVES$disk $HARD_INFO $HARD_MB; "
done
# NICs
NIC_TYPE=$(/usr/sbin/lsdev -Cc adapter | grep ent | awk -F" " '{print $1" "$3"; "}')
NIC_COUNT=$(/usr/sbin/lsdev -Cc adapter | grep -c ent)
# memory
# shellcheck disable=SC2016
MEMORY_REAL=$(/usr/sbin/lsattr -EHl mem0 | $AWK '/^size/ {print $2 " MB"}')
# shellcheck disable=SC2016
MEMORY_SWAP=$(/usr/sbin/lsps -s | $AWK -F MB '/MB/ {print $1" MB"}')
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
assertHaveCommand system_profiler
assertHaveCommand ifconfig
# CPUs
CPU_TYPE=$(sysctl machdep.cpu.brand_string | sed -E 's/^.*: //;s/[ ]+/ /g')
CPU_CACHE=$(sysctl hw.cachesize | awk '{L1=$3/1024; L2=$4/(1024*1024); printf "L1:%d KB; L2:%d MB", L1, L2}')
CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //')
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
NIC_TYPE=$(system_profiler SPNetworkDataType | awk '/Media Subtype:/ {print $3; exit}')
NIC_COUNT=$(ifconfig | grep -c 'supported media:.*baseT')
# memory
MEMORY_REAL=$(sysctl hw.memsize | awk '{print $2/(1024*1024) " MB"}')
MEMORY_SWAP=$(sysctl vm.swapusage | awk '{print 0+$4 " MB"}')
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ioscan
assertHaveCommand iostat
assertHaveCommand lanscan
assertHaveCommand machinfo
assertHaveCommand swapinfo
OUTPUT=$(machinfo)
CPU_TYPE=$(echo "$OUTPUT" | awk '/processor family/ { for(i=4; i<=NF; i++) printf("%s ", $i); exit}')
CPU_CACHE=$(echo "$OUTPUT" | awk '/L[123]/ {cache+=$5} END {print cache " KB"}')
CPU_COUNT=$(echo "$OUTPUT" | awk '/CPUs/ {print $5; exit}')
HARD_DRIVES=$(iostat 2 1 | wc -l)
# shellcheck disable=SC2307,2003
HARD_DRIVES=$(expr "$HARD_DRIVES"-4)
NIC_COUNT=$(lanscan -i | wc -l)
NIC_TYPE=$(ioscan -u | grep lan | awk 'NF>2 {for(i=3; i<=NF; i++) printf("%s", $i); exit}')
OUTPUT=$(swapinfo -tm)
MEMORY_REAL=$(echo "$OUTPUT" | awk '$1=="memory" {print $2 " MB"; exit}')
MEMORY_SWAP=$(echo "$OUTPUT" | awk '$1=="dev" {print $2 " MB"; exit}')
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
assertHaveCommand ifconfig
assertHaveCommand dmesg
assertHaveCommand top
# CPUs
CPU_TYPE=$(sysctl hw.model | sed 's/^.*: //')
CPU_CACHE=
CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //')
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
IFACE_NAME=$(ifconfig -a | awk '!/^[a-z]/ {next} /LOOPBACK/ {next} {print $1}' | head -1)
NIC_TYPE=$(dmesg | awk '(index($0, iface) && index($0, " port ")) {sub("^.*<", ""); sub(">.*$", ""); print $0}' iface="$IFACE_NAME" | head -1)
NIC_COUNT=$(ifconfig -a | grep -c media)
# memory
MEMORY_REAL=$(sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}')
MEMORY_SWAP=$(top -Sb 0 | awk '/^Swap: / {print $2 "B"}')
fi
formatAndPrint ()
{
# shellcheck disable=SC2086
echo $1 | awk "$FORMAT $PRINTF"
}
formatAndPrint "KEY VALUE"
formatAndPrint "CPU_TYPE $CPU_TYPE"
formatAndPrint "CPU_CACHE $CPU_CACHE"
formatAndPrint "CPU_COUNT $CPU_COUNT"
formatAndPrint "HARD_DRIVES $HARD_DRIVES"
formatAndPrint "NIC_TYPE $NIC_TYPE"
formatAndPrint "NIC_COUNT $NIC_COUNT"
formatAndPrint "MEMORY_REAL $MEMORY_REAL"
formatAndPrint "MEMORY_SWAP $MEMORY_SWAP"
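Review bot: `formatAndPrint` passes its argument through an unquoted `echo $1`, so pathname expansion runs on the value; the values are device-supplied strings (the sysfs `model` file, dmesg lines, `lscfg` output), and a `*` or `?` in one of them would be replaced with file names from the working directory before awk sees it. Quoting would change how multi-line values such as the AIX `NIC_TYPE` list are folded into one record, so the narrow fix is to disable globbing around the call: `set -f; echo $1 | awk "$FORMAT $PRINTF"; set +f`. In the AIX disk loop, `awk -v pat="$disk" '$0~pat'` treats the disk name as an unanchored regex, so `hdisk1` also matches `hdisk10` and `ACTIVE_STATUS`/`VOLUME_GROUP` become multi-line, which defeats the `!= "active"` comparison; `$1==pat` selects the exact row, assuming `lspv` prints the disk name in its first column.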

@ -0,0 +1,512 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
if [ "$KERNEL" = "Linux" ] ; then
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}'
queryHaveCommand ip
FOUND_IP=$?
if [ $FOUND_IP -eq 0 ]; then
CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
CMD='eval ip addr show $iface; ip -s link show'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_TXbytes='{
if($0 ~ /TX: /){
tx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
TX_bytes_column=i;
}
else if($i=="errors"){
TX_errors_column=i;
}
else if($i=="dropped"){
TX_dropped_column=i;
}
else if($i=="collsns"){
TX_collsns_column=i;
}
}
next;
}
if(NR==tx_row_count){
(TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1);
(TX_errors_column == "") ? TXerrors = "<n/a>" : TXerrors = $(TX_errors_column - 1);
(TX_dropped_column == "") ? TXdropped = "<n/a>" : TXdropped = $(TX_dropped_column - 1);
(TX_collsns_column == "") ? collisions = 0 : collisions = $(TX_collsns_column - 1);
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if($0 ~ /RX: /){
rx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
RX_bytes_column=i;
}
else if($i=="errors"){
RX_errors_column=i;
}
else if($i=="dropped"){
RX_dropped_column=i;
}
}next;
}
if(NR==rx_row_count){
(RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1);
(RX_errors_column == "") ? RXerrors = "<n/a>" : RXerrors = $(RX_errors_column - 1);
(RX_dropped_column == "") ? RXdropped = "<n/a>" : RXdropped = $(RX_dropped_column - 1);
}
}'
else
assertHaveCommand ifconfig
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
CMD='ifconfig'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_COLLISIONS='{
if ($0 ~ /collisions:/){
for(i=1;i<=NF;i++){
if($i ~ /collisions:/){
collisions_col_no = i;
break;
}
}
if(collisions_col_no==""){
collisions=0;
}
else
split($collisions_col_no, a, ":");
collisions=a[2];
}
else if($0 ~ /collisions /){
for(i=1;i<=NF;i++){
if($i=="collisions"){
collisions_column=i+1;
}
}
(collisions_column != "") ? collisions = $collisions_column : collisions = 0;
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if ($0 ~ /RX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
rxbytes_col_no = i;
break;
}
}
if(rxbytes_col_no==""){
RXbytes=0;
}
else
split($rxbytes_col_no, a, ":");
RXbytes=a[2];
}
else if($0 ~ /RX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
RXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(RXbytes_column != ""){
RXbytes = $RXbytes_column;
}
else
RXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_RXerrors='{
if ($0 ~ /RX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
rxerrors_col_no = i;
}
else if($i ~ /dropped:/){
rxdropped_col_no = i;
}
}
if(rxerrors_col_no != ""){
split($rxerrors_col_no, a, ":");
RXerrors=a[2];
}
else
RXerrors="<n/a>";
if(rxdropped_col_no != ""){
split($rxdropped_col_no, b, ":");
RXdropped=b[2];
}
else
RXdropped="<n/a>";
}
else if($0 ~ /RX/ && ($0 ~ /errors/)){
for(i=1;i<=NF;i++){
if($i=="errors"){
RXerrors_column=i+1;
}
if($i=="dropped"){
RXdropped_column=i+1;
}
}
(RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = "<n/a>";
(RXdropped_column != "") ? RXdropped = $RXdropped_column : RXdropped = "<n/a>";
}
}'
# shellcheck disable=SC2016
GET_TXbytes='{
if ($0 ~ /TX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
txbytes_col_no = i;
}
}
if(txbytes_col_no==""){
TXbytes=0;
}
else
split($txbytes_col_no, a, ":");
TXbytes=a[2];
}
else if($0 ~ /TX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
TXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(TXbytes_column != ""){
TXbytes = $TXbytes_column;
}
else
TXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_TXerrors='{
if ($0 ~ /TX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
txerrors_col_no = i;
}
if($i ~ /dropped:/){
txdropped_col_no = i;
}
}
if(txerrors_col_no != ""){
split($txerrors_col_no, a, ":");
TXerrors=a[2];
}
else
TXerrors="<n/a>";
if(txdropped_col_no != ""){
split($txdropped_col_no, b, ":");
TXdropped=b[2];
}
else
TXdropped="<n/a>";
}
else if($0 ~ /TX/ && $0 ~ /errors/){
for(i=1;i<=NF;i++){
if($i=="errors"){
TXerrors_column=i+1;
}
if($i=="dropped"){
TXdropped_column=i+1;
}
}
(TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = "<n/a>";
(TXdropped_column != "") ? TXdropped = $TXdropped_column : TXdropped = "<n/a>";
}
}'
fi
GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors"
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; length(TXdropped) || TXdropped = "<n/a>";length(RXdropped) || RXdropped = "<n/a>"; length(IPv4) || IPv4 = "<n/a>"; length(IPv6) || IPv6= "<n/a>"}'
BEGIN='BEGIN {RXbytes = TXbytes = collisions = 0}'
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
if [ -r /sys/class/net/"$iface"/duplex ]; then
DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error')
if [ "$DUPLEX" != 'error' ]; then
DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/')
if [ -r /sys/class/net/"$iface"/speed ]; then
SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error')
[ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s"
else
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
else
DUPLEX=""
fi
fi
if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then
assertHaveCommand dmesg
# Get Duplex only if still null
if [ "$DUPLEX" = "" ] ; then
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
else
DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
fi
fi
# Get Speed only if still null
if [ "$SPEED" = "" ] ; then
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
fi
if [ $FOUND_IP -eq 0 ]; then
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}'
elif [ -r /sys/class/net/"$iface"/address ]; then
MAC=$(cat /sys/class/net/"$iface"/address)
else
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}'
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
$CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommand kstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
# shellcheck disable=SC2050
if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then
CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
else
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='/^Hardware Address:/{mac=$3}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -u'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}'
# shellcheck disable=SC2016
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IPv4='{$1 == "inet" && IPv4 = $2}'
# shellcheck disable=SC2016
GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
assertHaveCommand lanscan
assertHaveCommand netstat
CMD='lanscan'
# shellcheck disable=SC2016
LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}'
# shellcheck disable=SC2016
GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}'
# shellcheck disable=SC2016
GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}'
PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
fi
# jscpd:ignore-end
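Review bot: DUPLEX, SPEED and MAC are never reset between iterations of the `for iface in $out` loop in the Linux branch, so when an interface has no readable /sys/class/net/<iface>/duplex (or that read returns 'error'), the guard `[ "$DUPLEX" = "" ] || [ "$SPEED" = "" ]` sees the previous interface's values, the dmesg fallback is skipped, and the stale speed, duplex and MAC are reported for the wrong interface. Adding `DUPLEX=""; SPEED=""; MAC=""` as the first statement of the loop body (directly after `do`) fixes this; the same loop is repeated in the following file section, whose end lies outside this view. Separately, `[ SOLARIS_8 = false ] && [ SOLARIS_9 = false ]` compares the literal strings and is therefore always false (the SC2050 suppression hides this), so the `kstat -c net` branch is dead code — presumably `"$SOLARIS_8"` and `"$SOLARIS_9"` were intended. Also, `$TEE_DEST` is spliced unquoted into the CMD_LIST_INTERFACES strings that are later re-parsed by `eval`; if common.sh lets that path be configured, a value containing spaces or shell metacharacters would be split or interpreted there, so embedding it as `tee \"$TEE_DEST\"` would be safer.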

@ -0,0 +1,535 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex OSName OS_version IP_address IPv6_Address'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}'
if [ "$KERNEL" = "Linux" ] ; then
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex OSName OS_version IP_address IPv6_Address'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}'
queryHaveCommand ip
FOUND_IP=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
if [ $FOUND_IP -eq 0 ]; then
CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# shellcheck disable=SC2016
CMD='eval ip addr show $iface; ip -s link show'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_TXbytes='{
if($0 ~ /TX: /){
tx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
TX_bytes_column=i;
}
else if($i=="errors"){
TX_errors_column=i;
}
else if($i=="dropped"){
TX_dropped_column=i;
}
else if($i=="collsns"){
TX_collsns_column=i;
}
}
next;
}
if(NR==tx_row_count){
(TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1);
(TX_errors_column == "") ? TXerrors = "<n/a>" : TXerrors = $(TX_errors_column - 1);
(TX_dropped_column == "") ? TXdropped = "<n/a>" : TXdropped = $(TX_dropped_column - 1);
(TX_collsns_column == "") ? collisions = 0 : collisions = $(TX_collsns_column - 1);
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if($0 ~ /RX: /){
rx_row_count=NR+1;
for(i=1;i<=NF;i++){
if($i=="bytes"){
RX_bytes_column=i;
}
else if($i=="errors"){
RX_errors_column=i;
}
else if($i=="dropped"){
RX_dropped_column=i;
}
}next;
}
if(NR==rx_row_count){
(RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1);
(RX_errors_column == "") ? RXerrors = "<n/a>" : RXerrors = $(RX_errors_column - 1);
(RX_dropped_column == "") ? RXdropped = "<n/a>" : RXdropped = $(RX_dropped_column - 1);
}
}'
else
assertHaveCommand ifconfig
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
CMD='ifconfig'
# shellcheck disable=SC2016
GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}'
# shellcheck disable=SC2016
GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}'
# shellcheck disable=SC2016
GET_COLLISIONS='{
if ($0 ~ /collisions:/){
for(i=1;i<=NF;i++){
if($i ~ /collisions:/){
collisions_col_no = i;
break;
}
}
if(collisions_col_no==""){
collisions=0;
}
else
split($collisions_col_no, a, ":");
collisions=a[2];
}
else if($0 ~ /collisions /){
for(i=1;i<=NF;i++){
if($i=="collisions"){
collisions_column=i+1;
}
}
(collisions_column != "") ? collisions = $collisions_column : collisions = 0;
}
}'
# shellcheck disable=SC2016
GET_RXbytes='{
if ($0 ~ /RX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
rxbytes_col_no = i;
break;
}
}
if(rxbytes_col_no==""){
RXbytes=0;
}
else
split($rxbytes_col_no, a, ":");
RXbytes=a[2];
}
else if($0 ~ /RX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
RXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(RXbytes_column != ""){
RXbytes = $RXbytes_column;
}
else
RXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_RXerrors='{
if ($0 ~ /RX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
rxerrors_col_no = i;
}
else if($i ~ /dropped:/){
rxdropped_col_no = i;
}
}
if(rxerrors_col_no != ""){
split($rxerrors_col_no, a, ":");
RXerrors=a[2];
}
else
RXerrors="<n/a>";
if(rxdropped_col_no != ""){
split($rxdropped_col_no, b, ":");
RXdropped=b[2];
}
else
RXdropped="<n/a>";
}
else if($0 ~ /RX/ && ($0 ~ /errors/)){
for(i=1;i<=NF;i++){
if($i=="errors"){
RXerrors_column=i+1;
}
if($i=="dropped"){
RXdropped_column=i+1;
}
}
(RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = "<n/a>";
(RXdropped_column != "") ? RXdropped = $RXdropped_column : RXdropped = "<n/a>";
}
}'
# shellcheck disable=SC2016
GET_TXbytes='{
if ($0 ~ /TX bytes:/){
for(i=1;i<=NF;i++){
if($i ~ /bytes:/){
txbytes_col_no = i;
}
}
if(txbytes_col_no==""){
TXbytes=0;
}
else
split($txbytes_col_no, a, ":");
TXbytes=a[2];
}
else if($0 ~ /TX/ && $0 ~ /bytes/){
for(i=1;i<=NF;i++){
if($i=="bytes"){
TXbytes_column=i+1;
row = NR;
}
}
if(NR == row){
if(TXbytes_column != ""){
TXbytes = $TXbytes_column;
}
else
TXbytes = 0;
}
}
}'
# shellcheck disable=SC2016
GET_TXerrors='{
if ($0 ~ /TX packets:/){
for(i=1;i<=NF;i++){
if($i ~ /errors:/){
txerrors_col_no = i;
}
if($i ~ /dropped:/){
txdropped_col_no = i;
}
}
if(txerrors_col_no != ""){
split($txerrors_col_no, a, ":");
TXerrors=a[2];
}
else
TXerrors="<n/a>";
if(txdropped_col_no != ""){
split($txdropped_col_no, b, ":");
TXdropped=b[2];
}
else
TXdropped="<n/a>";
}
else if($0 ~ /TX/ && $0 ~ /errors/){
for(i=1;i<=NF;i++){
if($i=="errors"){
TXerrors_column=i+1;
}
if($i=="dropped"){
TXdropped_column=i+1;
}
}
(TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = "<n/a>";
(TXdropped_column != "") ? TXdropped = $TXdropped_column : TXdropped = "<n/a>";
}
}'
fi
GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors"
FILL_BLANKS='{length(TXdropped) || TXdropped = "<n/a>";length(RXdropped) || RXdropped = "<n/a>";length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; length(IPv4) || IPv4 = "<n/a>"; length(IPv6) || IPv6= "<n/a>"}'
BEGIN='BEGIN {RXbytes = RXerrors = RXdropped = TXbytes = TXerrors = TXdropped = collisions = 0}'
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
if [ -r /sys/class/net/"$iface"/duplex ]; then
DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error')
if [ "$DUPLEX" != 'error' ]; then
DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/')
if [ -r /sys/class/net/"$iface"/speed ]; then
SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error')
[ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s"
else
# For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd.
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
else
DUPLEX=""
fi
fi
if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then
# Get Duplex only if still null
if [ "$DUPLEX" = "" ] ; then
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
else
assertHaveCommand dmesg
DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d')
fi
fi
# Get Speed only if still null
if [ "$SPEED" = "" ] ; then
if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then
SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
else
assertHaveCommand dmesg
SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d')
fi
fi
fi
if [ $FOUND_IP -eq 0 ]; then
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}'
elif [ -r /sys/class/net/"$iface"/address ]; then
MAC=$(cat /sys/class/net/"$iface"/address)
else
# shellcheck disable=SC2016
GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}'
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
# shellcheck disable=SC2086
$CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk $DEFINE '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommand kstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>";IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
# shellcheck disable=SC2050
if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then
CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
else
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
# shellcheck disable=SC2089
CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_MAC='/^Hardware Address:/{mac=$3}'
GET_OS_VERSION='{OS_version=OSVersion/1000}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $GET_OS_VERSION $FILL_BLANKS"
# shellcheck disable=SC2090
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -u'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IPv4='{$1 == "inet" && IPv4 = $2}'
# shellcheck disable=SC2016
GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
assertHaveCommand lanscan
assertHaveCommand netstat
CMD='lanscan'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}'
# shellcheck disable=SC2016
GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}'
# shellcheck disable=SC2016
GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}'
PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "ether" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
# shellcheck disable=SC2016
GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}'
# shellcheck disable=SC2016
GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{
if ($0 ~ /Name/)
{
for (i=1; i<=NF; i++)
{
if ($i == "Address") {address_column = i;}
else if ($i == "Ibytes") {ibytes_column = i;}
else if ($i == "Ierrs") {ierrs_column = i;}
else if ($i == "Obytes") {obytes_column = i;}
else if ($i == "Oerrs") {oerrs_column = i;}
else if ($i == "Coll") {coll_column = i;}
}
flag = 1;
}
if(flag == 1){
if ($address_column == mac)
{
(ibytes_column == "") ? RXbytes = "<n/a>" : RXbytes = $(ibytes_column);
(ierrs_column == "") ? RXerrors = "<n/a>" : RXerrors = $(ierrs_column);
(obytes_column == "") ? TXbytes = "<n/a>" : TXbytes = $(obytes_column);
(oerrs_column == "") ? TXerrors = "<n/a>" : TXerrors = $(oerrs_column);
(coll_column == "") ? collisions = "<n/a>" : collisions = $(coll_column);
}
}
}'
FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = "<n/a>"; length(duplex) || duplex = "<n/a>"; IPv4 = IPv4 ? IPv4 : "<n/a>"; IPv6 = IPv6 ? IPv6 : "<n/a>"}'
GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
fi
# jscpd:ignore-end

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the first interval
FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='iostat -xn 1 2'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the second interval
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='iostat 1 2'
assertHaveCommand "$CMD"
# considers the disks, kb_read and kb_wrtn columns and returns output of the second interval
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
# considers the device, r/s and w/s columns and returns output of the second interval
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
# shellcheck disable=SC2086
assertHaveCommandGivenPath $CMD
# shellcheck disable=SC2016
HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct}'
# shellcheck disable=SC2016
FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
FORMAT='avgSvcMillis=bandwUtilPct="?";'
FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
# Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
$CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
$CMD | tee "$TEE_DEST" | $AWK "$FILTER"
echo "Cmd = [$CMD]; | $AWK '$FILTER'" >> "$TEE_DEST"
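Review bot: The `expr` token in getLatency (`return expr read + write;` in LATENCY) is not an awk operator; awk parses it as an uninitialised variable concatenated with the sum, so the function returns the right number only because an empty string is glued onto it. It should read `return read + write;`, here and in the identical LATENCY line of the second iostat script that follows. Separately, getDeltaPS divides by a hard-coded `2.0` that silently depends on the `sleep 2` embedded in CMD; a comment above FUNC1 such as `# divisor must match the 'sleep 2' interval in CMD` would keep the two from drifting, or the interval could be hoisted into one variable used by both.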

@ -0,0 +1,67 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
# shellcheck disable=SC2016
PRINTF='{if ($0~/Device/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='iostat -xn 1 2'
# jscpd:ignore-start
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
# jscpd:ignore-end
elif [ "$KERNEL" = "AIX" ] ; then
CMD='iostat 1 2'
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/Disks/ && /Kb_read/ && /Kb_wrtn/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version/1000, IP_address}}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
# shellcheck disable=SC2086
assertHaveCommandGivenPath $CMD
HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s %-35s %15s %-16s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct, OSName, OS_version, IP_address}'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
FORMAT='{avgSvcMillis=bandwUtilPct="?";OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
# Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk $DEFINE '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER'" >> "$TEE_DEST"
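Review bot: The trace line written to TEE_DEST at the end records `'$FILTER'` while the pipeline one line above actually runs `"$FILTER $PRINTF"`, so the debug log does not reproduce what was executed; it should be `echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER $PRINTF'" >> "$TEE_DEST"`. The Darwin FORMAT block also carries the self-assignments `OSName=OSName;OS_version=OS_version;IP_address=IP_address;`, which are no-ops (the `-v` variables are already awk globals) and can be dropped. On the Linux branch, the `cat /etc/*release | grep '\bNAME='` and `grep '\bVERSION_ID='` pipelines glob every *release file even though that branch is only taken when `/etc/os-release` exists; if another matching file also carries those keys the extra line would inject stray words into DEFINE, so reading `/etc/os-release` alone there seems safer.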

@ -0,0 +1,53 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='USERNAME FROM LATEST'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-30s %-30.30s %-s\n", username, from, latest}'
if [ "$KERNEL" = "Linux" ] ; then
CMD='last -iw'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='last -n 999'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "AIX" ] ; then
failUnsupportedScript
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='last -99'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='lastb -Rx'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}'
# shellcheck disable=SC2016
FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='lastlogin'
# shellcheck disable=SC2016
FORMAT='{username = $1; from = (NF==8) ? $3 : "<console>"; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}'
fi
assertHaveCommand $CMD
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
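Review bot: The HP-UX branch runs `lastb -Rx`, which reads the bad-login file (the FILTER even skips a `BTMPS_FILE` line), so on HP-UX this script reports failed login attempts while every other branch reports successful last logins under the same `USERNAME FROM LATEST` header. If that is intentional it needs a comment saying so, because anyone correlating this output across platforms would otherwise count failed attempts as logins; if not, the command should presumably be `last -Rx` with FORMAT re-checked against that command's columns. Also, `assertHaveCommand $CMD` is unquoted here whereas the sibling scripts pass `"$CMD"`; whichever form the helper in common.sh expects, the scripts should agree.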

@ -0,0 +1,60 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand lsof
HEADER='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
CMD='lsof -nPs'
# shellcheck disable=SC2016
PRINTF='{printf "%-15.15s %-10s %-15.15s %-8s %-8s %-15.15s %15s %-20.20s %-s\n", $1,$2,$3,$4,$5,$6,$7,$8,$9}'
if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
HEADERIZE='NR == 1 {match($0, "USER"); separator=RSTART+RLENGTH; match($0, "NAME"); name_start=RSTART; mid_length=RSTART-separator; }
{ first_part=substr($0, 0, separator);
mid_part=substr($0, separator, mid_length);
last_part=substr($0, name_start);
split(first_part, first, " ");
split(mid_part, mid, " ");
split(last_part, last, " ");
if (length(last) > 1 ) { for(ptr=2; ptr<=length(last); ptr++) { $(NF+1-length(last)) = $(NF+1-length(last)) FS last[ptr]; } }
if (length(first) == 4) { $3=$4; $4=$5; $5=$6; $6=$7; $7=$8; $8=$9; $9=$10; }
}
NR==1 { $0 = header;}'
# shellcheck disable=SC2016
FILTER='/Permission denied/ {next} {if ($4 == "NOFD" || $5 == "unknown") next}'
# shellcheck disable=SC2016
FILL_BLANKS='{ if(length(mid) == 4) {$9=$8; $8=$7; $7="?" } else if(length(mid) == 3) {$9=$7; $8=$6; $7="?"; $6="?"; } }'
elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016
FILTER='/Permission denied/ {next} {if ($4 == "NOFD" || $5 == "unknown") next}'
# shellcheck disable=SC2016
FILL_BLANKS='{if (NF<9) {node=$7; name=$8; $7="?"; $8=node; $9=name}}'
elif [ "$KERNEL" = "SunOS" ] ; then
failUnsupportedScript
elif [ "$KERNEL" = "AIX" ] ; then
failUnsupportedScript
elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
FILTER='{if ($5 ~ /KQUEUE|PIPE|PSXSEM/) next}'
# shellcheck disable=SC2016
FILL_BLANKS='{if (NF<9) {name=$8; $8="?"; $9=name}}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# the below syntax is valid when using zsh, bash, ksh
if [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then
# empty condition to allow the execution of script as is
echo > /dev/null
else
failUnsupportedScript
fi
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2094
$CMD 2>"$TEE_DEST" | tee "$TEE_DEST" | awk "$HEADERIZE $FILTER $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD 2>$TEE_DEST]; | awk '$HEADERIZE $FILTER $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
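Review bot: The final pipeline opens TEE_DEST twice for truncation at the same time (`$CMD 2>"$TEE_DEST" | tee "$TEE_DEST"`, the SC2094 warning the disable comment silences), so lsof's stderr and tee's copy of stdout overwrite each other and the recorded output is unreliable. Either fold stderr into the stream with `$CMD 2>&1 | tee "$TEE_DEST" | awk ...` (on Linux the `/Permission denied/ {next}` FILTER would then also drop those messages, though on other branches any stderr line would reach the printf), or redirect it to a separate file, e.g. `2>>"${TEE_DEST}.err"` (constructed name). The FreeBSD check `[[ $KERNEL_RELEASE =~ 11.* ]]` is an unanchored regex whose `.` matches any character, so it also accepts releases such as `9.11`; `[[ $KERNEL_RELEASE =~ ^1[123]\. ]]` expresses the intent in a single test.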

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Proto Recv-Q Send-Q LocalAddress ForeignAddress State'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
PRINTF='{printf "%-5s %6s %6s %-30.30s %-30.30s %-s\n", $1, $2, $3, $4, $5, $6}'
# shellcheck disable=SC2016
FILL_BLANKS='($1=="udp") {$6="<n/a>"}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand ss
FOUND_SS=$?
if [ $FOUND_SS -eq 0 ] ; then
CMD='eval ss -antu 2>/dev/null | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{ state=$2; $2=$3; $3=$4; $4=$5; $5=$6; $6=state}'
else
CMD='eval netstat -aenp 2>/dev/null | egrep "tcp|udp"'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='netstat -an -f inet -f inet6'
FIGURE_SECTION='NR==1 {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}'
FILTER='/: IPv|Local Address|^$|^-----/ {next}'
# shellcheck disable=SC2016
FORMAT_UDP='(inUDP) {localAddr=$1; $1="udp"; $2=$3=0; $4=localAddr; $5="*.*"}'
# shellcheck disable=SC2016
FORMAT_TCP='(inTCP) {localAddr=$1; foreignAddr=$2; sendQ=$4; recvQ=$6; state=$7; $1="tcp"; $2=recvQ; $3=sendQ; $4=localAddr; $5=foreignAddr; $6=state}'
FORMAT="$FORMAT_UDP $FORMAT_TCP"
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval netstat -an 2>/dev/null | egrep "tcp|udp"'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval netstat -anW | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1)}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='eval netstat -an | egrep "tcp|udp"'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -an | egrep "tcp|udp"'
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1)}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2090
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
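Review bot: FILL_BLANKS blanks the State column only when `$1=="udp"` exactly, but the Linux netstat fallback (`netstat -aenp`) also emits `udp6` and `tcp6` rows and, unlike the Darwin and FreeBSD branches, the Linux branch never applies `gsub("[46]", "", $1)`; for a `udp6` row the blank State field lets the User column land in `$6`, so a uid is printed under State. Matching the prefix, `FILL_BLANKS='($1 ~ /^udp/) {$6="<n/a>"}'`, fixes the blanking, and adding the same `gsub("[46]", "", $1)` to a Linux FORMAT would make the Proto values consistent with the ss path, whose Netid is already version-less. The ss branch is unaffected because its FORMAT rebuilds the record from a known column order.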

@ -0,0 +1,163 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Mount Path r_op/s w_op/s r_KB/s w_KB/s rpc_backlog r_avg_RTT w_avg_RTT r_avg_exe w_avg_exe'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# We can have the multiple mounts for the nfs. So we have to parse mount separately.
# For CentOS and RHEL the number of lines for each mount is 9, while for the ubuntu it is 22
# due to the bug mentioned in this link. https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1584719
# So, we are handling the case of Ubuntu separately.
# When awk iterates through each line, using modulo operator we are checking the line number
# And extracting the particular value from that line and assigning it to the variable
# which we will use when the output of modulo is 0 as it will be the last line of that mount.
# We are also removing last character in the line "path=substr($4, 1, length($4)-1)"
# as last character of the path is ":"
if [ "$KERNEL" = "Linux" ] ; then
CMD='nfsiostat'
assertHaveCommand $CMD
no_of_lines=$($CMD| wc -l)
# If there are no mount, exit
if [ "$no_of_lines" -eq 1 ];
then
$CMD >> "$TEE_DEST"
exit 1
fi
OS_FILE=/etc/os-release
# Below condition is added to handle the case of Ubuntu OS
if [ -e $OS_FILE ] && (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q ubuntu);
then
# shellcheck disable=SC2016
OS_RELEASE=$($AWK -F= '/VERSION_ID=/ {print $2}' $OS_FILE)
if [ "$OS_RELEASE" = "\"18.04\"" ] || [ "$OS_RELEASE" = "\"20.04\"" ] || [ "$OS_RELEASE" = "\"22.04\"" ] ; then # Ubuntu 18.04, 20.04 and 22.04
# shellcheck disable=SC2016
FORMAT='{
if (NR%10==2){
echo "device"
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%10==5){
rpc_backlog=$2
}
else if (NR%10==8){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%10==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
else
# shellcheck disable=SC2016
FORMAT='{
if (NR%22==2){
echo "device"
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%22==6){
rpc_backlog=$1
}
else if (NR%22==9){
r_op_s=$1
}
else if (NR%22==10){
r_kb_s=$1
}
else if (NR%22==13){
r_avg_rtt=$1
}
else if (NR%22==14){
r_avg_exe=$1
}
else if (NR%22==17){
w_op_s=$1
}
else if (NR%22==18){
w_kb_s=$1
}
else if (NR%22==21){
w_avg_rtt=$1
}
else if (NR%22==0){
w_avg_exe=$1
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
fi
# For CentOS and RHEL
else
#For RHEL 8.x
if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q rhel) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8.7\|8.6\|8.5\|8.4\|8.3\|9) ) || ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q cent) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8) ) );
then
# shellcheck disable=SC2016
FORMAT='{
if (NR%10==2){
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%10==5){
rpc_backlog=$2
}
else if (NR%10==8){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%10==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
else
# shellcheck disable=SC2016
FORMAT='{
if (NR%9==2){
device=$1
path=substr($4, 1, length($4)-1)
}
else if (NR%9==5){
rpc_backlog=$2
}
else if (NR%9==7){
r_op_s=$1
r_kb_s=$2
r_avg_rtt=$6
r_avg_exe=$7
}
else if (NR%9==0){
w_op_s=$1
w_kb_s=$2
w_avg_rtt=$6
w_avg_exe=$7
printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe
}
}'
fi
fi
$CMD | tee "$TEE_DEST" | awk "$HEADERIZE $FORMAT" | column -t
echo "Cmd = [$CMD]; | awk '$HEADERIZE $FORMAT' header=\"$HEADER\"" >> "$TEE_DEST"
else
failUnsupportedScript
fi
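Review bot: The two Ubuntu FORMAT programs contain `echo "device"` as an awk statement; awk has no echo, so this parses as the uninitialised variable `echo` concatenated with a string and discarded, a no-op that is absent from the RHEL/CentOS programs and reads like a leftover debug line — delete both. The four FORMAT programs differ only in the lines-per-mount modulus and the record offsets, so they could collapse into one program driven by `-v` variables, which would also remove the four copies of the printf. Less certain: `awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q ubuntu` also matches `ID_LIKE=` and `VERSION_ID=` lines, so a derivative carrying `ID_LIKE=ubuntu` would take the Ubuntu branch; `/^ID=/` matches only the ID field. Finally, `column -t` is used without an `assertHaveCommand column` check, unlike `nfsiostat`.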

@ -0,0 +1,66 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# a similar effect can be accomplished with: "nc -z 127.0.0.1 1-32768", and "nc -zu 127.0.0.1 1-32768"
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='Proto Port'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-5s %5d\n", proto, port}'
# shellcheck disable=SC2016
FILTER_INACTIVE='($NF ~ /^CLOSE/) {next}'
if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand ss
FOUND_SS=$?
if [ $FOUND_SS -eq 0 ] ; then
CMD='eval ss -lnut | egrep "^tcp|^udp"'
# shellcheck disable=SC2016
FORMAT='{proto=$1; sub("^.*:", "", $5); port=$5}'
else
CMD='eval netstat -ln | egrep "^tcp|^udp"'
# shellcheck disable=SC2016
FORMAT='{proto=$1; sub("^.*:", "", $4); port=$4}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='netstat -an -f inet -f inet6'
FIGURE_SECTION='BEGIN {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}'
FILTER='/: IPv|Local Address|^$|^-----/ {next} (! port) {next}'
# shellcheck disable=SC2016
FORMAT='{if (inUDP) proto="udp"; if (inTCP) proto="tcp"; sub("^.*[^0-9]", "", $1); port=$1}'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval netstat -an | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval netstat -ln | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='eval netstat -an | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -ln | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2090
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
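Review bot: On the Linux netstat fallback, FORMAT (`{proto=$1; sub("^.*:", "", $4); port=$4}`) keeps `tcp6`/`udp6` as the protocol, while the ss path reports a version-less Netid and every other platform normalises with `gsub("[46]", "", $1)`, so the Proto column means different things depending on which tool was found. Adding the same call, `FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*:", "", $4); port=$4}'`, makes the output uniform. The `HEADERIZE=...` assignments repeated in the AIX, Darwin, HP-UX and FreeBSD branches restate the value already set at the top of the script and can go, and the identical FORMAT/FILTER pairs in AIX, Darwin and HP-UX could be set once before the branch; FreeBSD alone lacks the `{if ($4 == "") next}` FILTER, which looks like an omission rather than a deliberate choice.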

@ -0,0 +1,125 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# In AWK scripts in this file, the following are true:
# FULLTEXT is used to capture the output for SHA256 checksum generation.
# SPLUNKD is used to determine Splunk service status.
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand lsof
if [ -f /usr/sbin/lsof ] ; then
LSOF=/usr/sbin/lsof
elif [ -f /usr/bin/lsof ] ; then
# shellcheck disable=SC2034
LSOF=/usr/bin/lsof
fi
# shellcheck disable=SC2016
CMD='eval date ; ${LSOF} -i -P -n'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# Only base the file hash on the listening ports, not on
# open connections.
# shellcheck disable=SC2016
PARSE_1='/LISTEN|[Uu][Dd][Pp]/ {
FULLTEXT = FULLTEXT $0 "\n"
idx=match($0, /\(LISTEN\)/)
if (idx>0) {
DATA=substr($0, 0, idx-1)
} else {
DATA=$0
}
fields = split(DATA, portarr)
# This compensates for varying field counts.
if (fields == 9) {
hostfields = split(portarr[9], hostarr, ":")
TRANSPORT="transport=" portarr[8]
} else if (fields == 8) {
hostfields = split(portarr[8], hostarr, ":")
TRANSPORT="transport=" portarr[7]
}
if (hostfields == 2 && hostarr[2] ~ /[0-9][0-9]*/) {
DESTIP="dest_ip=" hostarr[1]
DESTPORT="dest_port=" hostarr[2]
APP="app=" portarr[1]
PID="pid=" portarr[2]
USER="user=" portarr[3]
FD="fd=" portarr[4]
IPVERSION="ip_version=" substr(portarr[5],index(portarr[5],"v")+1)
DVCID="dvc_id=" portarr[6]
#printf "MATCH: %s\n", $0
printf "%s %s %s %s %s %s %s %s %s %s\n", DATE, APP, DESTIP, DESTPORT, PID, USER, FD, IPVERSION, DVCID, TRANSPORT
} else {
#printf "NOMATCH: %s\n", $0
;
}
}'
MASSAGE="$PARSE_0 $PARSE_1"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand date
assertHaveCommand netstat
CMD='eval date ; netstat -an -f inet -f inet6'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='/^[Tt][Cc][Pp]|[Uu][Dd][Pp]/ {
split($0, protoarr, ":")
TRANSPORT="transport=" protoarr[1]
IPVERSION="ip_version=" substr(protoarr[2],index(protoarr[2],"v")+1)
next
}'
# shellcheck disable=SC2016
PARSE_3='NR>1 && $0 !~ /Local|^-|^$/ {
FULLTEXT = FULLTEXT $0 "\n"
split($0, arr)
num = split(arr[1], hostarr, "\.")
if ( TRANSPORT ~ /[Tt][Cc][Pp]/) {
DESTIP="dest_ip="hostarr[1]
} else {
DESTIP="dest_dns="hostarr[1]
}
DESTPORT=hostarr[num]
for (i=2; i<num; i++) {
DESTIP=DESTIP"."hostarr[i]
}
if ( $0 !~ /[Uu][Nn][Bb][Oo][Uu][Nn][Dd]/ && DESTPORT != "*" ) {
DESTPORT="dest_port="DESTPORT
printf "%s %s %s %s %s \n", DATE, DESTIP, DESTPORT, IPVERSION, TRANSPORT
}
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_3"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
else
# Exits
failUnsupportedScript
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $POSTPROCESS"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $POSTPROCESS'" >> "$TEE_DEST"
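Review bot: IPv6 listeners never reach the printf at L4258, because `split(portarr[9], hostarr, ":")` on a bracketed name such as `[::1]:22` yields more than two fields and the `hostfields == 2` guard at L4248 then drops the record; splitting on the last colon keeps the host part intact, and `hostfields` should also be reset per record, since a line with neither 8 nor 9 fields currently reuses the previous record's value. Separately, `LSOF` is only assigned when lsof lives in /usr/sbin or /usr/bin (L4218-L4223), so on a host where `assertHaveCommand lsof` found it elsewhere the eval'd command at L4225 degrades to `-i -P -n`; an `else LSOF=lsof` branch closes that gap. The rewritten host/port extraction inside PARSE_1 is below; the surrounding `if (hostfields == 2 && ...)` block and the printf are unchanged.
```sh
    fields = split(DATA, portarr)
    # This compensates for varying field counts.
    if (fields == 9) {
        NAME = portarr[9]
        TRANSPORT="transport=" portarr[8]
    } else if (fields == 8) {
        NAME = portarr[8]
        TRANSPORT="transport=" portarr[7]
    } else {
        NAME = ""
    }
    # Split on the LAST colon so bracketed IPv6 names ([::1]:22) keep their host part.
    hostfields = 0
    if (match(NAME, /:[0-9][0-9]*$/)) {
        hostarr[1] = substr(NAME, 1, RSTART - 1)
        hostarr[2] = substr(NAME, RSTART + 1)
        hostfields = 2
    }
    # ... unchanged: DESTIP/DESTPORT/APP/PID/... assignments and printf ...
```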

@ -0,0 +1,67 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='NAME VERSION RELEASE ARCH VENDOR GROUP'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-55.55s %-20.20s %-20.20s %-10.10s %-30.30s %-20s\n", name, version, release, arch, vendor, group}'
CMD='echo There is no flavor-independent command...'
if [ "$KERNEL" = "Linux" ] ; then
if $DEBIAN; then
CMD1="eval dpkg-query -W -f='"
# shellcheck disable=SC2016
CMD2='${Package} ${Version} ${Architecture} ${Homepage}\n'
CMD3="'"
CMD=$CMD1$CMD2$CMD3
# shellcheck disable=SC2016
FORMAT='{name=$1;version=$2;sub("\\.?[^0-9\\.:\\-].*$", "", version); release=$2; sub("^[0-9\\.:\\-]*","",release); if(release=="") {release="?"}; arch=$3; if (NF>3) {sub("^.*:\\/\\/", "", $4); sub("^www\\.", "", $4); sub("\\/.*$", "", $4); vendor=$4} else {vendor="?"} group="?"}'
else
CMD='eval rpm --query --all --queryformat "%-56{name} %-21{version} %-21{release} %-11{arch} %-31{vendor} %-{group}\n"'
# shellcheck disable=SC2016
PRINTF='{print $0}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='pkginfo -l'
# shellcheck disable=SC2016
FORMAT='/PKGINST:/ {name=$2 ":"} /NAME:/ {for (i=2;i<=NF;i++) name = name " " $i} /CATEGORY:/ {group=$2} /ARCH:/ {arch=$2} /VERSION:/ {split($2,a,",REV="); version=a[1]; release=a[2]} /VENDOR:/ {vendor=$2; for(i=3;i<=NF;i++) vendor = vendor " " $i}'
SEPARATE_RECORDS='!/^$/ {next} {release = release ? release : "?"}'
elif [ "$KERNEL" = "AIX" ] ; then
CMD='eval lslpp -icq | sed "s,:, ," | sed "s,:.*,,"'
# shellcheck disable=SC2016
FORMAT='{name=$2 ; version=$3 ; vendor=release=arch=group="?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='system_profiler SPApplicationsDataType'
FILTER='{ if (NR<3) next}'
# shellcheck disable=SC2016
FORMAT='{gsub("[^\40-\176]", "", $0)} /:$/ {sub("^[ ]*", "", $0); sub(":$", "", $0); name=$0} /Last Modified: / {vendor=""} /Version: / {version=$2} /Kind: / {arch=$2} /Get Info String: / {sub("^.*: ", "", $0); sub("[Aa]ll [Rr]ights.*$", "", $0); sub("^.*[Cc]opyright", "", $0); sub("^[^a-zA-Z_]*[0-9][0-9[0-9][0-9]", "", $0); sub("^[ ]*", "", $0); vendor=$0}'
SEPARATE_RECORDS='!/Location:/ {next} {release = "?"; vendor = vendor ? vendor : "?"; group = "?"}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand swlist
CMD='swlist -a revision -a architecture -a vendor_tag'
# shellcheck disable=SC2016
FILTER='/^#/ {next} $1=="" {next}'
# shellcheck disable=SC2016
FORMAT='{release="?"; group="?"; vendor="?"; name=$1; version=$2; arch=$3} NF==4 {vendor=$4}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# the below syntax is valid when using zsh, bash, ksh
if [[ $KERNEL_RELEASE =~ 10.* ]] || [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then
CMD='eval pkg info --raw --all | grep "^name:\|^version:\|^arch:" | cut -d\" -f2'
HEADER='NAME VERSION ARCH '
HEADERIZE="BEGIN {print \"$HEADER\"}"
# shellcheck disable=SC2016
PRINTF='{ printf "%-50.50s" (NR%3==0 ? RS:FS),$1}'
else
CMD='pkg_info -da'
# shellcheck disable=SC2016
FORMAT='/^Information for / {vendor=""; sub(":$", "", $3); name=$3} /^WWW: / {sub("^.*//", "", $2); sub("/.*$", "", $2); sub("^www\134.", "", $2); vendor=$2} /^$/ {blanks+=1} !/^$/ {blanks=0}'
SEPARATE_RECORDS='(blanks<3) {next} {vendor = vendor ? vendor : "?"; version=release=arch=group="?"}'
fi
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
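Review bot: The FreeBSD version test at L4367 uses unanchored patterns, so `[[ $KERNEL_RELEASE =~ 10.* ]]` also matches a release string that merely contains "10" (for instance in a patch level), `.` matches any character, and any major release newer than 13 falls through to the legacy `pkg_info` branch; anchor it, e.g. `if [[ $KERNEL_RELEASE =~ ^1[0-9]\. ]]; then`, or use a POSIX `case "$KERNEL_RELEASE" in 1[0-9].*)` since the `[[` test is the only reason this script needs the bash shebang at L4320. The placeholder at L4328 also means an unsupported kernel passes `assertHaveCommand echo` and emits the placeholder text as data, whereas the sibling scripts call `failUnsupportedScript`; an `else failUnsupportedScript` branch before the `fi` at L4379 keeps them consistent.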

@ -0,0 +1,30 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s %s\n", DATE, FILEHASH}'
# shellcheck disable=SC2034
PASSWD_FILE=/etc/passwd
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "x$KERNEL" != "xHP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR==2 {FILEHASH="file_hash=" $2}'
# Note the inline print in the next PARSE statement.
# Comments are eliminated from the output, but included in FILEHASH.
# shellcheck disable=SC2016
PARSE_2='NR>2 && /^[^#]/ { split($0, arr, ":") ; printf "%s user=%s password=x user_id=%s user_group_id=%s home=%s shell=%s\n", DATE, arr[1], arr[3], arr[4], arr[6], arr[7]}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
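Review bot: The condition at L4393 reduces to `[ "x$KERNEL" != "xHP-UX" ]`, because that clause is ORed with the equality tests and makes them dead; on HP-UX nothing assigns `CMD` or `MASSAGE`, so L4407 runs an empty command and the END block at L4390 prints a line with empty DATE and FILEHASH. If HP-UX is meant to be excluded, spell that out with the explicit kernel list and an `else` branch: `if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then` ... `else failUnsupportedScript`. A one-line comment above L4404 explaining why the literal `password=x` is emitted rather than `arr[2]` would also help the next reader, since the full file content is still fed to the hash.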

@ -0,0 +1,71 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
CMD='netstat -s'
HEADER=' IPdropped TCPrexmits TCPreorder TCPpktRecv TCPpktSent UDPpktLost UDPunkPort UDPpktRecv UDPpktSent'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf " %10d %10d %10d %10d %10d %10d %10d %10d %10d\n", IPdropped, TCPrexmits, TCPreorder, TCPpktRecv, TCPpktSent, UDPpktLost, UDPunkPort, UDPpktRecv, UDPpktSent}'
if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^Ip:$/ {inIP=1;inTCP=0;inUDP=0} /^Tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^Udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^Ip:$|^Udp:$|^Tcp(Ext)?:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /outgoing packets dropped/ {IPdropped=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /segments retransmited/ {TCPrexmits=$1} inTCP && /Detected reordering/ {TCPreorder=$3} inTCP && /[0-9] segments received$/ {TCPpktRecv=$1} inTCP && /segments send out/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "SunOS" ] ; then
# shellcheck disable=SC2016
COMMON='{gsub("=", "", $0)}'
# shellcheck disable=SC2016
SECTION_IP='/ipOutDiscards/ {IPdropped+=$2} /ipOutNoRoutes/ {IPdropped+=$4} /ipv6OutNoRoutes/ {IPdropped+=$2} /ipv6OutDiscards/ {IPdropped+=$4}'
# shellcheck disable=SC2016
SECTION_TCP='/tcpRetransSegs/ {TCPrexmits=$2} /tcpInUnorderSegs/ {TCPreorder=$2} /tcpInSegs/ {TCPpktRecv=$2} /tcpOutSegs/ {TCPpktSent=$4}'
# shellcheck disable=SC2016
SECTION_UDP='/udpOutErrors/ {UDPpktLost=$4} /udpInErrors/ {UDPunkPort=$5} /udpInDatagrams/ {UDPpktRecv=$3} /udpOutDatagrams/ {UDPpktSent=$2}'
elif [ "$KERNEL" = "AIX" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packets? .* retransmitted/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp(Ext)?:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /fragments dropped/ {IPdropped=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /retransmited$/ {TCPrexmits=$1} inTCP && /out of order/ {TCPreorder=$1} inTCP && /[0-9] packets received$/ {TCPpktRecv=$1} inTCP && /[0-9] packets sent$/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}'
# shellcheck disable=SC2016
SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}'
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
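Review bot: The AIX branch (L4438-L4446) and the FreeBSD branch (L4465-L4473) are byte-identical, and the Darwin branch differs only in the TCPrexmits pattern at L4453; merging AIX and FreeBSD as `elif [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "FreeBSD" ] ; then` leaves one copy to keep in sync. Because every counter is printed with `%10d` at L4419, a pattern that never matches (for example after a `netstat -s` wording change) prints as 0 and is indistinguishable from a true zero; a comment above PRINTF such as `# unmatched counters print as 0 - a persistently zero column may mean the netstat wording changed` would help whoever debugs a silent gap.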

@ -0,0 +1,76 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sysv/bin/ps
CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/ps
CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
elif [ "$KERNEL" = "HP-UX" ] ; then
HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[^\134[: -]*/", "", $12)}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%32.32s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, args}}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
assertHaveCommand ps
export UNIX95=1
CMD='ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[\[\]]", "", $11)}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, $11, arg}}'
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
fi
# shellcheck disable=SC2016
# awk logic for adding extra field ARGS with underscore delimiter
ARGS_FORMAT='BEGIN {OFS = " ";} # specify output field separator
{
if (NR == 1) # Add extra header/field ARGS in first (header) row
{
command_column = NF;
$(NF+1) = "ARGS";
}
else
{
# If arguments exist, then append all with underscore delimeter, else specify <noArgs>
if ($(command_column+1) != "")
{
args = $(command_column+1);
for (i=command_column+2; i<=NF; i++)
{
args = args "_" $i;
$i = "";
}
$(command_column+1) = args;
}
else
{
$(command_column+1) = "<noArgs>";
}
# Remove trailing white spaces if any
sub(/[ \t]+$/,"",$0);
}
print;
}'
# Execute the command
$CMD | tee "$TEE_DEST" | $AWK "$ARGS_FORMAT"
echo "Cmd = [$CMD]; $AWK '$ARGS_FORMAT'" >> "$TEE_DEST"
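Review bot: In the HP-UX branch the PRINTF at L4509 prints `arg`, which is never assigned (FORMAT at L4507 builds `args`), and that FORMAT starts collecting arguments at `$13` although the `ps -o` list at L4505 has ten columns, so the command is `$10` and its arguments begin at `$11`; the ARGS column therefore only ever shows the first argument word. The HEADER/FORMAT/PRINTF assignments at L4496-L4502 are overwritten at L4505-L4509 before use, so one of the two sets is dead and should go. Minimal fix for the live set: `FORMAT='{sub("^_", "", $1); if (NF>10) {args=$11; for (j=12; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[\[\]]", "", $10)}'` and end the PRINTF argument list with `..., $9, $10, args}}'`.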

@ -0,0 +1,110 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# jscpd:ignore-start
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
if [ "$KERNEL" = "Linux" ] ; then
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
fi
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sysv/bin/ps
CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/bin/ps
CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
elif [ "$KERNEL" = "HP-UX" ] ; then
HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED OSName OS_version IP_address COMMAND ARGS'
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[^\134[: -]*/", "", $12);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-32.32s %8s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %15s %-35s %15s %-16s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, OSName, OS_version, IP_address, $12, args}}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
assertHaveCommand ps
export UNIX95=1
CMD='ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args="<noArgs>"; sub("^[\[\]]", "", $11);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
# shellcheck disable=SC2016
PRINTF='if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-35s %15s %-16s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11, arg}}'
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
fi
# shellcheck disable=SC2016
# awk logic for adding extra field ARGS with underscore delimiter and OSName, OS_version, IP_address
FORMAT='BEGIN {OFS = " ";} # specify output field separator
{
if (NR == 1) # Add extra headers/fields - ARGS,OSName,OS_version,IP_address in first (header) row
{
# Replace TIME with CPUTIME to solve field extraction issue (metrics index)
sub("TIME","CPUTIME",$0);
command_column = NF;
$(NF+1) = "ARGS";
$(NF+1) = "OSName";
$(NF+1) = "OS_version";
$(NF+1) = "IP_address";
$(NF+1) = "IPv6_Address";
}
else
{
# If arguments exist, then append all with underscore delimeter, else specify <noArgs>
if ($(command_column+1) != "")
{
args = $(command_column+1);
for (i=command_column+2; i<=NF; i++)
{
args = args "_" $i;
$i = "";
}
$(command_column+1) = args;
}
else
{
$(command_column+1) = "<noArgs>";
}
# Append OSName, OS_version, IP_address values in the last three columns
if (OSName == "") {$(command_column+2) = "?";} else {$(command_column+2) = OSName;}
if (OS_version == "") {$(command_column+3) = "?";} else {$(command_column+3) = OS_version;}
if (IP_address == "") {$(command_column+4) = "?";} else {$(command_column+4) = IP_address;}
if (IPv6_Address == "") {$(command_column+5) = "?";} else {$(command_column+5) = IPv6_Address;}
# Remove trailing white spaces if any
sub(/[ \t]+$/,"",$0);
}
print;
}'
# shellcheck disable=SC2086
# Execute the command
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"
echo "Cmd = [$CMD]; $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
# jscpd:ignore-end
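Review bot: The HP-UX PRINTF at L4596 is not a valid awk action: it begins with `if (NR == 1)` instead of `{if (NR == 1)` and ends with `}}`, so the program assembled at L4598 fails to parse and the branch emits nothing; the `arg` versus `args` name and the `$13` argument offset from the plain ps script are also carried over at L4594/L4596. `FILL_DIMENSIONS` at L4586 relies on `length(x) || x = "?"`, which I would not expect every awk to accept since `||` binds tighter than assignment; the explicit `if (OSName == "") {...}` form already used at L4635-L4638 is the safe spelling. Because `$DEFINE` is passed unquoted at L4598 and L4646 (SC2086 suppressed), any whitespace inside an `OS_version` value splits the `-v` assignment into separate awk arguments, and unlike OSName at L4562/L4564 that value is not run through `tr ' ' '_'`.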

@ -0,0 +1,61 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
#
# credit for improvement to http://splunk-base.splunk.com/answers/41391/rlogsh-using-too-much-cpu
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr
AUDIT_FILE="/var/log/audit/audit.log*"
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand service
assertHaveCommandGivenPath /sbin/ausearch
if [ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ] ; then
CURRENT_TIME=$(date --date="1 seconds ago" +"%m/%d/%Y %T") # 1 second ago to avoid data loss
if [ -e "$SEEK_FILE" ] ; then
SEEK_TIME=$(head -1 "$SEEK_FILE")
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -ts $SEEK_TIME -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" < $TMP_ERROR_FILTER_FILE 1>&2
elif [ -e "$OLD_SEEK_FILE" ] ; then
rm -rf "$OLD_SEEK_FILE" # remove previous checkpoint
# start ingesting from the first entry of current audit file
# shellcheck disable=SC2086
awk ' { print } ' $CURRENT_AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
else
# no checkpoint found
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
fi
echo "$CURRENT_TIME" > "$SEEK_FILE" # Checkpoint+
else # Added this condition to get error logs
echo "error occured while running 'service auditd status' command in rlog.sh script. Output : $(service auditd status). Command exited with exit code $?" 1>&2
fi
# remove temporary error redirection file if it exists
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
elif [ "$KERNEL" = "SunOS" ] ; then
:
elif [ "$KERNEL" = "Darwin" ] ; then
:
elif [ "$KERNEL" = "HP-UX" ] ; then
:
elif [ "$KERNEL" = "FreeBSD" ] ; then
:
fi
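Review bot: `service auditd status` is executed twice at L4666 for two tests that are the same check (`-n "$x"` and `"$x"`) and a third time at L4690; capture it once with `AUDITD_STATUS=$(service auditd status 2>/dev/null)` and test `[ -n "$AUDITD_STATUS" ]`. Non-empty output is not by itself evidence that the daemon is running — where `status` prints a line for a stopped service this branch still runs ausearch — so the command's exit status is the more reliable signal to gate on. The checkpoint written at L4688 is CURRENT_TIME, and the next run passes it back as `-ts` at L4671; if both bounds are inclusive, as I would expect for ausearch, events in the boundary second are emitted twice, so either state in a comment that boundary duplicates are accepted or advance the stored time by one second. `rm -rf` at L4675 is applied to a single file; `rm -f` is sufficient and avoids a recursive delete if the variable is ever empty or mis-set.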

@ -0,0 +1,48 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}'
if [ "$KERNEL" = "Linux" ] ; then
if [ -f /etc/sysconfig/selinux ] ; then
SELINUX_FILE=/etc/sysconfig/selinux
elif [ -f /etc/selinux/config ] ; then
# shellcheck disable=SC2034
SELINUX_FILE=/etc/selinux/config
else
echo "SELinux not configured." >> "$TEE_DEST"
exit 1
fi
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SELINUX_FILE ; cat $SELINUX_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx]\=/ { SELINUX="selinux=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_2='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx][Tt][Yy][Pp][Ee]\=/ { SELINUXTYPE="selinuxtype=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_3='/^[Ss][Ee][Tt][Ll][Oo][Cc][Aa][Ll][Dd][Ee][Ff][Ss]\=/ { SETLOCALDEFS="setlocaldefs=" substr($0,index($0,"=")+1,length($0)) } '
# shellcheck disable=SC2016
PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
fi
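Review bot: The patterns at L4733, L4735 and L4737 escape `=` as `\=`, which is not a defined regexp escape — some awks warn and treat it as a literal `=` — so the plain form is both portable and what is meant, e.g. `/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx]=/`. Unlike the sibling scripts there is no `else failUnsupportedScript` on the outer `if` at L4712, so on a non-Linux kernel the script exits 0 with no output and no diagnostic. A comment above PRINTF at L4711 such as `# Values are read from the config file, i.e. the configured mode; the running mode can differ (see getenforce)` would stop a reader from taking `selinux=enforcing` as the current enforcement state.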

@ -0,0 +1,196 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# In AWK scripts in this file, the following are true:
# FULLTEXT is used to capture the output for SHA256 checksum generation.
# SPLUNKD is used to determine Splunk service status.
if [ "$KERNEL" = "Linux" ] ; then
if ! queryHaveCommand systemctl; then
assertHaveCommand date
assertHaveCommand chkconfig
CMD='eval date ; /sbin/chkconfig --list'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='NR>1 {
FULLTEXT = FULLTEXT $0 "\n"
split($0, ARR)
EVT="app=" ARR[1]
for (i=0 ; i<7 ; i++) {
split(ARR[i+2], STATE, ":")
EVT = EVT " runlevel" i "=" STATE[2]
}
if (ARR[1] ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
printf "%s type=chkconfig %s\n", DATE, EVT
}'
MASSAGE="$PARSE_0 $PARSE_1"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
else
assertHaveCommand systemctl
assertHaveCommand date
# Run the systemctl command to get all units and their state
CMD='eval date; systemctl list-units --type=service --all'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='
# On header row, get lengths to the fields
NR==2 {
match($0, /^ */); leading=RLENGTH;
match($0, /^.*DESC/); desclen=RLENGTH-4;
FULLTEXT="";
next;
}'
# shellcheck disable=SC2016
PARSE_2='(NR > 2){
# Stop at the empty line
if ( !NF ) { exit; }
# Skip the leading spaces
$0 = substr( $0, leading );
# the description spans fields so catch it seperately
desc=substr( $0, desclen );
FULLTEXT = FULLTEXT $0 "\n"
if ($1 ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
printf "%s type=systemctl UNIT=%s, LOADED=%s, ACTIVE=%s, SUB=%s, DESCRIPTION=\"%s\" \n",DATE, $1, $2, $3, $4, desc
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
fi
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand date
assertHaveCommand svcs
CMD='eval date ; svcs -H -a -o STATE,FMRI'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}'
# shellcheck disable=SC2016
PARSE_1='NR>1 {
STATE="State=\""$1"\""
idx=index($2,":")
STARTNAME="StartName=\""substr($2,0,idx-1)"\""
APP="app=\""substr($2,idx+1)"\""
FULLTEXT=FULLTEXT $0 "\n"
}'
PARSE_2='/^legacy_run/ {
STARTMODE="StartMode=\"Auto\""
}'
PARSE_3='/^online/ {
STARTMODE="StartMode=\"Auto\""
STATE="State=\"Running\""
}'
PARSE_4='/^disabled/ {
STARTMODE="StartMode=\"Disabled\""
STATE="State=\"Stopped\""
}'
INLINE_PRINT='NR>1 && APP!=0 {printf "%s %s %s %s %s\n", DATE, APP, STARTMODE, STARTNAME, STATE}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $INLINE_PRINT"
# Send the collected full text to openssl; this avoids any timing discrepancies
# between when the information is collected and when we process it.
# shellcheck disable=SC2016
POSTPROCESS='END {
if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE }
printf "%s %s", DATE, "file_hash="
printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256"
}'
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand defaults
assertHaveCommand dscl
assertHaveCommand find
assertHaveCommand ls
# Get startup items
CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/'
# Get per-user startup items
# shellcheck disable=SC2044
for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do
CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
done
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Retrieve path for system startup items
# shellcheck disable=SC2016
PARSE_1='/^\/(System|Library)/ {
split($0, tmparr, ":")
PATH="file_path=\""tmparr[1]
USER=0
START_MODE="StartMode=Auto"
START_TYPE="StartType=startup"
}'
# Retrieve user information for user startup items.
# shellcheck disable=SC2016
PARSE_2='/^\/Users/ {
split($0, tmparr, "/")
USER="user=" tmparr[3]
START_MODE="StartMode=Auto"
START_TYPE="StartType=login"
}'
# Retrieve the path for user startup items.
# shellcheck disable=SC2016
PARSE_3='/[[:blank:]]*Path/ {
split($0, path_arr, "=")
num=split(path_arr[2], app_arr, "/")
split(app_arr[num], app_final, ".")
split(path_arr[2], path_final, "\"")
APP="app=\"" app_final[1] "\""
FILE_PATH="file_path=\"" path_final[2] "\""
# Only print if we find a path.
printf "%s %s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, FILE_PATH, USER
# Note that we found splunkd if app matches
if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
}'
# Retrieve the system startup item name from the output of "ls -1"
# shellcheck disable=SC2016
PARSE_4='/^[^\/]/ {
if (NR>1 && USER==0 && NF > 0) {
APP="app=\""$0"\""
PATH=PATH$0"\""
printf "%s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, PATH
}
# Note that we found splunkd if app matches
if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 }
}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
else
# Exits
failUnsupportedScript
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $POSTPROCESS"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $POSTPROCESS'" >> "$TEE_DEST"
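Review bot: `assertHaveCommand chkconfig` at L4757 checks PATH, but CMD at L4758 invokes `/sbin/chkconfig` by absolute path; the sibling ps scripts use `assertHaveCommandGivenPath /sbin/chkconfig` for exactly this case, or the `/sbin/` prefix can be dropped so the check and the call agree. In the systemd branch, `systemctl list-units --type=service --all` at L4786 lists loaded units only, so a service whose unit file is disabled and never loaded does not appear at all; that is presumably how the `SPLUNKD==0` → `StartMode=Disabled` line at L4813 is meant to fire, but it also means other disabled services are simply absent, which the comment at L4785 should state (or `list-unit-files` should supply the enablement state). On current macOS releases `/System/Library/StartupItems/` may not exist, so the `ls -1` at L4860 writes an error to stderr and launchd-managed services are not covered; a comment noting that limitation would help.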


@ -0,0 +1,38 @@
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
import json
import sys
import splunk
import splunk.bundle as bundle
class SetupService(splunk.rest.BaseRestHandler):
def handle_GET(self):
try:
is_recognized_unix = not sys.platform.startswith("win")
self.response.write(json.dumps(is_recognized_unix))
except Exception as e:
self.response.write(e)
def handle_POST(self):
sessionKey = self.sessionKey
try:
conf = bundle.getConf(
"app", sessionKey, namespace="Splunk_TA_nix", owner="nobody"
)
stanza = conf.stanzas["install"].findKeys("is_configured")
if stanza:
if stanza["is_configured"] == "0" or stanza["is_configured"] == "false":
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
else:
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
except Exception as e:
self.response.write(e)
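Review bot: Both `except` blocks write the raw exception object to the HTTP response with `self.response.write(e)`, which hands internal details such as file paths and conf-layer errors to the caller and passes a non-string to `write`; write a fixed message instead, e.g. `self.response.write(json.dumps({"error": "setup failed"}))`, and keep the exception for server-side logging only. In `handle_POST` the `if`/`else` around the `stanza["is_configured"]` comparison run the same two statements in both branches, so the condition and the `findKeys` lookup have no effect and the assignment plus `_reload` request can be done unconditionally. A one-line docstring on each handler would also help, e.g. `"""GET: report whether the host is a recognised Unix platform (non-Windows)."""` and `"""POST: mark Splunk_TA_nix as configured and reload the app."""`.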

@ -0,0 +1,98 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
SSH_CONFIG_FILE=""
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] ; then
SSH_CONFIG_FILE=/etc/ssh/sshd_config
elif [ "$KERNEL" = "Darwin" ] ; then
SSH_CONFIG_FILE=/etc/sshd_config
else
failUnsupportedScript
fi
FILL_BLANKS='END {
if (SSHD_PROTOCOL == 0) {
SSHD_PROTOCOL=SSHD_DEFAULT_PROTOCOL
}'
PRINTF='{printf "%s app=sshd %s %s\n", DATE, FILEHASH, SSHD_PROTOCOL}}'
if [ "x$SOLARIS_11" != "xtrue" ] ; then
# If $SSH_CONFIG_FILE file exists and is a regular file.
if [ -f "$SSH_CONFIG_FILE" ] ; then
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE ; cat $SSH_CONFIG_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/^[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ {
split($0, arr)
num = split(arr[2], protocols, ",")
if (num == 2) {
SSHD_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2]
} else {
SSHD_PROTOCOL="sshd_protocol=" protocols[1]
}
}'
# shellcheck disable=SC2016
PARSE_2='/^#[[:blank:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ {
num=split($0, arr)
protonum = split(arr[num], protocols, ",")
if (protonum == 2) {
SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2]
} else {
SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1]
}
}'
# shellcheck disable=SC2016
PARSE_3='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
else
# shellcheck disable=SC2016
echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST"
exit 1
fi
else
if [ -f "$SSH_CONFIG_FILE" ] && [ -r "$SSH_CONFIG_FILE" ] ; then
# Solaris 11 only supports SSH protocol 2.
assertHaveCommand cat
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0 ; SSHD_PROTOCOL="sshd_protocol=2"}'
# shellcheck disable=SC2016
PARSE_1='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1"
else
echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST"
exit 1
fi
fi
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST"
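Review bot: The non-Solaris branch tests only `-f` at `if [ -f "$SSH_CONFIG_FILE" ] ; then`, whereas the Solaris branch also requires `-r`; an existing but unreadable sshd_config therefore fails inside `cat` within `$CMD` rather than reaching the "missing or unreadable" message and `exit 1`. Use the same test in both places: `if [ -f "$SSH_CONFIG_FILE" ] && [ -r "$SSH_CONFIG_FILE" ] ; then`. Note also that `$CMD` pipes the complete sshd_config through `tee "$TEE_DEST"`, so the whole configuration is copied into the debug output file; a header comment stating that (`# NOTE: the full sshd_config is written to $TEE_DEST`) is worth adding since this script does not control that file's permissions.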

@ -0,0 +1,67 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
queryHaveCommand ntpdate
FOUND_NTPDATE=$?
queryHaveCommand sntp
FOUND_SNTP=$?
getServer ()
{
if [ -f /etc/ntp.conf ] ; then # Linux; FreeBSD; AIX; Mac OS X maybe
CONFIG=/etc/ntp.conf
elif [ -f /etc/inet/ntp.conf ] ; then # Solaris
CONFIG=/etc/inet/ntp.conf
elif [ -f /private/etc/ntp.conf ] ; then # Mac OS X
CONFIG=/private/etc/ntp.conf
else
CONFIG=
fi
SERVER_DEFAULT='0.pool.ntp.org'
if [ "$CONFIG" = "" ] ; then
SERVER=$SERVER_DEFAULT
else
# shellcheck disable=SC2016
SERVER=$($AWK '/^server / {print $2; exit}' "$CONFIG")
SERVER=${SERVER:-$SERVER_DEFAULT}
fi
}
#With ntpdate
if [ $FOUND_NTPDATE -eq 0 ] ; then
echo "Found ntpdate command" >> "$TEE_DEST"
getServer
CMD2="ntpdate -q $SERVER"
echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST"
#With sntp
elif [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then # Mac OS 10.14.6 or higher version
echo "Found sntp command" >> "$TEE_DEST"
getServer
CMD2="sntp $SERVER"
echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST"
#With Chrony
else
CMD2="chronyc -n sources"
fi
CMD1='date'
assertHaveCommand $CMD1
assertHaveCommand "$CMD2"
$CMD1 | tee -a "$TEE_DEST"
echo "Cmd1 = [$CMD1]" >> "$TEE_DEST"
$CMD2 | tee -a "$TEE_DEST"
echo "Cmd2 = [$CMD2]" >> "$TEE_DEST"
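Review bot: `assertHaveCommand "$CMD2"` passes the command together with its arguments (e.g. `ntpdate -q 0.pool.ntp.org`) as a single word, unlike `assertHaveCommand $CMD1` on the line above; unless `assertHaveCommand` in common.sh (not visible here) strips arguments, the check cannot resolve the program name. Check the program only: `assertHaveCommand "${CMD2%% *}"`. The `chronyc` fallback is also the one branch that was never probed with `queryHaveCommand`, so that assertion is where a host with none of the three tools will stop; a comment such as `# chronyc is assumed when neither ntpdate nor sntp is found` would make the fallback explicit.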

@ -0,0 +1,87 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER=' PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND'
# shellcheck disable=SC2016
PRINTF='{printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'
CMD='top'
if [ "$KERNEL" = "Linux" ] ; then
CMD='top -bn 1'
FILTER='{if (NR < 7) next}'
# shellcheck disable=SC2016
HEADERIZE='{NR == 7 && $0 = header}'
elif [ "$KERNEL" = "SunOS" ] ; then
CMD='prstat -n 999 1 1'
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='(NR==1) {next} /^Total:|^$/ {exit}'
# shellcheck disable=SC2016
FORMAT_DOMAIN='{virt=$3; res=$4; stateRaw=$5; pr=$6; ni=$7; cpuTIME=$8; pctCPU=0.0+$9; sub("/.*$", "", $10); command=$10 ? $10 : "<n/a>"}'
SPECIFY_STATES_MAP='BEGIN {map["sleep"]="S"; map["stop"]="T"; map["zombie"]="Z"; map["wait"]="D"; map["cpu"]="R"}'
MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]}'
# shellcheck disable=SC2016
FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE"
elif [ "$KERNEL" = "AIX" ] ; then
CMD="eval /usr/sysv/bin/ps -eo pid,user,pri,nice,vsz,rss,s,s,pcpu,pmem,time,comm"
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/PID/{next}'
# shellcheck disable=SC2016
FORMAT='{$7="?" ; sub("A","R",$8)}'
# Substitute ? for temporary [field 7] &
# Substitute R(running) for A(Active) on field 8 in AIX by Jacky Ho, Systex
elif [ "$KERNEL" = "Darwin" ] ; then
if [ "$OSX_MAJOR_VERSION" = 10 ] && [ "$OSX_MINOR_VERSION" -ge 9 ] || [ "$OSX_MAJOR_VERSION" -ge 11 ]; then
# OS X 10.9 does not report rshrd statistic (Resident Shared Address Space Size)
CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,cpu,time,command"
# shellcheck disable=SC2016
FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr="?"; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
elif $OSX_GE_SNOW_LEOPARD; then
CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,rshrd,cpu,time,command"
# shellcheck disable=SC2016
FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr=$5; pctCPU=$6; cpuTIME=$7; command=$8; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
else
CMD="eval top -F -l 2 -ocpu -Otime -t -R -p '^aaaaa ^nnnnnnnnnnnnnnnnnn ^lllll ^jjjjj ^ccccc ^ddddd ^bbbbbbbbbbbbbbbbbbbbbbbbbbbbb'"
# shellcheck disable=SC2016
FORMAT='{ virt=$3; res=$4; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7="?"; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
fi
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/ %CPU / {reportOrd++; next} {if ((reportOrd < 2) || !length) next}'
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ps
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='/PID/{next}'
export UNIX95=1
CMD='ps -e -o pid,user,pri,nice,vsz,state,pcpu,time,comm'
# shellcheck disable=SC2016
PRINTF='{q="?"; printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, q, q, $6, $7, q, $8, $9}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
line=$(top -Sb 999 | grep -n -m 1 "PID" | cut -f1 -d:)
CMD='top -Sb 999'
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER='(NR<='$line') {next} /^$/ {next}'
# shellcheck disable=SC2016
FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$10; pctCPU=0+$11; command=$12}'
SPECIFY_STATES_MAP='BEGIN {map["SLEEP"]="S"; map["STOP"]="T"; map["ZOMB"]="Z"; map["WAIT"]="D"; map["LOCK"]="D"; map["START"]="R"; map["RUN"]="R"; map["CPU"]="R"}'
MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]; state=state ? state : "?"}'
# shellcheck disable=SC2016
FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}'
FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE"
fi
# shellcheck disable=SC2086
assertHaveCommand $CMD
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
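Review bot: In the FreeBSD branch, `line=$(top -Sb 999 | grep -n -m 1 "PID" | cut -f1 -d:)` is empty when no header line is found, and the following `FILTER='(NR<='$line') {next} /^$/ {next}'` then expands to the awk syntax error `(NR<=)`. Default it before use: `line=${line:-0}`. This branch also runs `top` twice (once for the header lookup, once as `$CMD`) and is the only branch whose tool is invoked before the shared `assertHaveCommand $CMD` check; a comment noting the double invocation would help the next reader.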

@ -0,0 +1,110 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand date
OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
# Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages
if [ "$OSName" = "Ubuntu" ]; then
assertHaveCommand apt
assertHaveCommand sed
# sed command here replaces '/, [, ]' with ' '
CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR>2 { printf "%s package=%s ubuntu_update_stream=%s latest_package_version=%s ubuntu_architecture=%s current_package_version=%s\n", DATE, $1, $2, $3, $4, $7}'
MESSAGE="$PARSE_0 $PARSE_1"
else
assertHaveCommand yum
CMD='eval date ; yum check-update'
# shellcheck disable=SC2016
PARSE_0='NR==1 {
DATE=$0
PROCESS=0
UPDATES["addons"]=0
UPDATES["base"]=0
UPDATES["extras"]=0
UPDATES["updates"]=0
}'
# Skip extraneous text up to first blank line.
# shellcheck disable=SC2016
PARSE_1='NR>1 && PROCESS==0 && $0 ~ /^[[:blank:]]*$|^$/ {
PROCESS=1
}'
# shellcheck disable=SC2016
PARSE_2='NR>1 && PROCESS==1 {
num = split($0, update_array)
if (num == 3) {
# Record the update count
UPDATES[update_array[3]] = UPDATES[update_array[3]]+1
printf "%s package=\"%s\" package_type=\"%s\"\n", DATE, update_array[1], update_array[3]
} else if (num==2 && update_array[1] != "") {
printf "%s package=\"%s\"\n", DATE, update_array[1]
}
}'
PARSE_3='END {
TOTALS=""
for (key in UPDATES) {
TOTALS=TOTALS key "=" UPDATES[key] " "
}
printf "%s %s\n", DATE, TOTALS
}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
fi
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand softwareupdate
CMD='eval date ; softwareupdate -l'
# shellcheck disable=SC2016
PARSE_0='NR==1 {
DATE=$0
PROCESS=0
TOTAL=0
}'
# If the first non-space character is an asterisk, assume this is the name
# of the update. Otherwise, print the update.
# shellcheck disable=SC2016
PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ {
if ( $0 ~ /^[[:blank:]]*\*/ ) {
PACKAGE="package=\"" $2 "\""
RECOMMENDED=""
RESTART=""
TOTAL=TOTAL+1
} else {
if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" }
if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" }
printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART
}
}'
# Use sentinel value to skip all text prior to update list.
# shellcheck disable=SC2016
PARSE_2='NR>1 && PROCESS==0 && $0 ~ /found[[:blank:]]the[[:blank:]]following/ {
PROCESS=1
}'
PARSE_3='END {
printf "%s total_updates=%s\n", DATE, TOTAL
}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
else
# Exits
failUnsupportedScript
fi
$CMD | tee "$TEE_DEST" | $AWK "$MESSAGE"
echo "Cmd = [$CMD]; | $AWK '$MESSAGE'" >> "$TEE_DEST"
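Review bot: `OSName=$(cat /etc/*release | grep '\bNAME=' ...)` reads every `/etc/*release` file, so on a host where more than one of them carries a `NAME=` line the variable holds several lines and the `"$OSName" = "Ubuntu"` test silently falls through to the `yum` branch. Anchor the pattern and take the first match: `grep -m 1 '^NAME='` (this path is Linux-only, so GNU grep options are available). The Ubuntu branch also depends on the column layout of `apt list --upgradable`, which apt itself warns is not a stable scripting interface; a comment stating the expected layout after the `sed` substitution would make the `$1, $2, $3, $4, $7` selection in `PARSE_1` checkable.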

@ -0,0 +1,52 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s SystemUpTime=%s\n", DATE, UPTIME}'
# On HP-UX the `ps` command will only recognize the `-o` option if
# the `UNIX95` environment variable is set. So do it.
#
# Careful: The `UNIX95` environment variable affects other common
# commands like `cp`.
if [ "$KERNEL" = "HP-UX" ]; then
export UNIX95=1
fi
# This should work for any POSIX-compliant system, but in case it doesn't
# we have left the individual OS names here to be broken out later on.
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand ps
CMD='eval date; LC_ALL=POSIX ps -o etime= -p 1'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Parse timestamp using only POSIX AWK functions. The match, do/while,
# and exponentiation commands may not be available on some systems.
# shellcheck disable=SC2016
PARSE_1='NR==2 {
if (index($1,"-") != 0) {
split($1, array, "-")
UPTIME=86400*array[1]
num=split(array[2], TIME, ":")
} else {
UPTIME=0
num=split($1, TIME, ":")
}
for (i=num; i>0; i--) {
SECS=TIME[i]
for (j=num-i; j>0; j--) {
SECS = SECS * 60
}
UPTIME = UPTIME + SECS
}
}'
MASSAGE="$PARSE_0 $PARSE_1"
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
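Review bot: The `if` over supported kernels has no `else`, so on any other `$KERNEL` the script reaches `$CMD | tee "$TEE_DEST" | $AWK ...` with `CMD` and `MASSAGE` empty instead of exiting the way the other collectors do; add `else` / `failUnsupportedScript` before the `fi`. The awk invocation also interpolates `$HEADERIZE`, `$FILL_BLANKS` and `header="$HEADER"`, none of which this script sets; dropping them, or a comment such as `# HEADERIZE/FILL_BLANKS intentionally unset: this collector emits no header`, would avoid the impression that a header line is printed.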

@ -0,0 +1,45 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
HEADER='USERNAME UID GID HOME_DIR USER_INFO'
HEADERIZE="BEGIN {print \"$HEADER\"}"
CMD='cat /etc/passwd'
AWK_IFS='-F:'
# shellcheck disable=SC2016
FILTER='($NF !~ /sh$/) {next}'
# shellcheck disable=SC2016
PRINTF='{printf "%-30.30s %-30.30s %-30.30s %-60.60s %s\n", $1, $3, $4, $6, $5}'
if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "SunOS" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "AIX" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='dscacheutil -q user'
AWK_IFS=''
# shellcheck disable=SC2016
MASSAGE='/^name: / {username = $2} /^uid: / {UID = $2} /^gid: / {GID = $2} /^dir: / {homeDir = $2} /^shell: / {shell = $2} /^gecos: / {userInfo = $2; for (i=3; i<=NF; i++) userInfo = userInfo " " $i} !/^gecos: / {next}'
FILTER='{if (shell !~ /sh$/) next; if (homeDir ~ /^[0-9]+$/) next}'
PRINTF='{printf "%-30.30s %-30.30s %-30.30s %-60.60s %s\n", username, length(UID) ? UID : "?", length(GID) ? GID : "?", length(homeDir) ? homeDir : "?", userInfo}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
fi
assertHaveCommand "$CMD"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $AWK_IFS "$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $AWK_IFS '$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
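Review bot: The same `FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'` line is repeated in five kernel branches; assign it once before the `if` and keep only the Darwin branch, which overrides `CMD`, `AWK_IFS`, `MASSAGE`, `FILTER` and `PRINTF`, so that later edits cannot drift between copies. The `FILTER='($NF !~ /sh$/) {next}'` rule also deserves a comment: it keeps only accounts whose login shell path ends in `sh`, so accounts with other interactive shells (e.g. `fish`) are omitted from the inventory, which anyone using this output for account auditing should know. Suggested comment: `# Keep only accounts whose login shell ends in "sh"; other interactive shells are not reported.`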

@ -0,0 +1,44 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
PRINTF='END {printf "%s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER}'
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p'
elif [ "$KERNEL" = "HP-UX" ] ; then
# HP-UX lacks -p switch.
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v'
elif [ "$KERNEL" = "AIX" ] ; then
# AIX uses oslevel for version and release switch.
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s'
fi
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}'
# shellcheck disable=SC2016
PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5"
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"

@ -0,0 +1,181 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %10.2f %10.2f %10.2f\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/swap
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommand prstat
assertHaveCommand sar
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
else
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
fi
# shellcheck disable=SC2016
PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
# shellcheck disable=SC2016
PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
# shellcheck disable=SC2016
PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://opensolarisforum.org/man/man1/sar.html
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
else
# shellcheck disable=SC2016
PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
fi
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/lsps
assertHaveCommandGivenPath /usr/bin/svmon
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
# ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
# shellcheck disable=SC2016
PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
# shellcheck disable=SC2016
PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
# no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
# shellcheck disable=SC2016
PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $DERIVE"
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand /usr/sbin/swapinfo
assertHaveCommand vmstat
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
# shellcheck disable=SC2016
PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
# shellcheck disable=SC2016
PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
# shellcheck disable=SC2016
PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
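Review bot: `DERIVE` divides by `memTotalMB` unguarded in `memUsedPct=(100.0*memUsedMB)/memTotalMB`, so if the memory-total line is not matched — for example when the `vmstat -s` or `prtconf` wording differs from the pattern — awk aborts with a division-by-zero error and the whole record is lost. Guard it: `memUsedPct=memTotalMB ? (100.0*memUsedMB)/memTotalMB : 0`; the same expression appears in the AIX `DERIVE` override and in the `DERIVE` line of the following section. The FreeBSD branch is also the only one that runs `sysctl`, `vmstat` and `top` without a preceding `assertHaveCommand`.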

@ -0,0 +1,193 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS OSName OS_version IP_address'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %13.2f %11.2f %12.2f %-35s %15s %-16s\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS, OSName, OS_version, IP_address}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/swap
assertHaveCommandGivenPath /usr/sbin/prtconf
assertHaveCommand prstat
assertHaveCommand sar
if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
else
# shellcheck disable=SC2016
CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
fi
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
# shellcheck disable=SC2016
PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
# shellcheck disable=SC2016
PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
# shellcheck disable=SC2016
PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://opensolarisforum.org/man/man1/sar.html
if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
# shellcheck disable=SC2016
PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
else
# shellcheck disable=SC2016
PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
# shellcheck disable=SC2016
PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
fi
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand vmstat
assertHaveCommandGivenPath /usr/sbin/lsps
assertHaveCommandGivenPath /usr/bin/svmon
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
# ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
# shellcheck disable=SC2016
PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
# shellcheck disable=SC2016
PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
# no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
# shellcheck disable=SC2016
PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
# shellcheck disable=SC2016
PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
PARSE_6='{OS_version=OSVersion/1000}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand uptime
assertHaveCommand ps
assertHaveCommand /usr/sbin/swapinfo
assertHaveCommand vmstat
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
# shellcheck disable=SC2016
PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
# shellcheck disable=SC2016
PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
# shellcheck disable=SC2016
PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
# shellcheck disable=SC2016
PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
# shellcheck disable=SC2016
PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
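Review bot: The shared DERIVE block at L5591 divides by memTotalMB without a guard, so whenever the total-memory line is not matched (the `vmstat -s` wording differs between platforms and versions) awk implementations such as gawk abort in END with a division-by-zero error and the whole record, including the OSName/OS_version/IP_address dimensions, is lost; swapUsedPct on the same line already uses the safe form, so `memUsedPct=memTotalMB ? (100.0*memUsedMB)/memTotalMB : 0` keeps the two consistent, and the AIX copy of DERIVE at L5683 needs the same change. A second point at L5603: `cat /etc/*release | grep '\bNAME='` can return more than one line when several release files exist, and because `$DEFINE` is expanded unquoted at L5767 (which is why SC2086 is disabled there) every additional line becomes a positional argument that awk treats as an input file name, so the run reads the wrong input; `| head -n 1` as the L5601 branch already does, applied to both the NAME and VERSION_ID pipelines, makes each `-v` assignment single-valued. The `tr ' ' '_'` on OSName exists for the same word-splitting reason, and OS_version has no such protection if a distribution ever ships a VERSION_ID with whitespace.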

@ -0,0 +1,65 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
# VSFTPD configuration file format is common to all platforms, but may be in one
# of several locations (and may also be restricted to root).
if [ -f /etc/vsftpd.conf ] ; then
VSFTPD_CONFIG_FILE=/etc/vsftpd.conf
elif [ -f /etc/vsftpd/vsftpd.conf ] ; then
VSFTPD_CONFIG_FILE=/etc/vsftpd/vsftpd.conf
elif [ -f /private/etc/vsftpd.conf ] ; then
# Usually MAC OS X
VSFTPD_CONFIG_FILE=/private/etc/vsftpd.conf
elif [ -f /usr/local/etc/vsftpd.conf ] ; then
# To support MAC OS 10.15
VSFTPD_CONFIG_FILE=/usr/local/etc/vsftpd.conf
fi
# Set the default. If the file is readable and has "anonymous_enable" commented
# out, the default behavior is to ALLOW anonymous FTP. Reset the value of
# anonymous_enable in the output if this is the case
# line, then the allowed protocols will be the default of "2,1".
FILL_BLANKS='END {
if (ANON_DEFAULT != 0) {
ANON_ENABLE=ANON_DEFAULT
}'
PRINTF='{printf "%s app=vsftp %s %s %s\n", DATE, FILEHASH, LOCAL_ENABLE, ANON_ENABLE}}'
# If $VSFTPD_CONFIG_FILE file exists and is a regular file.
if [ -f "$VSFTPD_CONFIG_FILE" ] ; then
assertHaveCommand cat
assertHaveCommand date
# Get file hash
# shellcheck disable=SC2016
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $VSFTPD_CONFIG_FILE ; cat $VSFTPD_CONFIG_FILE'
# Get the date.
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Try to use cross-platform case-insensitive matching for text. Note
# that "match", "tolower", IGNORECASE and other common awk commands or
# options are actually nawk/gawk extensions so avoid them if possible.
# shellcheck disable=SC2016
PARSE_1='/[Ll][Oo][Cc][Aa][Ll][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; LOCAL_ENABLE="local_enable=" arr[2] } '
# shellcheck disable=SC2016
PARSE_2='/^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; ANON_ENABLE="anonymous_enable=" arr[2] } '
# The default behavior is to permit anonymous FTP
PARSE_3='/^[#]+[[:blank:]]*[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { ANON_DEFAULT="anonymous_enable=YES"} '
# shellcheck disable=SC2016
PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF"
echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST"
else
echo "VSFTPD configuration file not found." >> "$TEE_DEST"
fi
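Review bot: The END block at L5794 lets a commented-out directive override an explicit one: PARSE_3 sets ANON_DEFAULT whenever a `# anonymous_enable=...` comment line exists, and FILL_BLANKS then replaces ANON_ENABLE with `anonymous_enable=YES` even when PARSE_2 has matched a real `anonymous_enable=NO`, so a server that explicitly disables anonymous FTP is reported as permitting it; the default should apply only when nothing explicit was found, `if (ANON_DEFAULT != 0 && ANON_ENABLE == "") {`. Related, PARSE_1 at L5812 is unanchored while PARSE_2 at L5814 starts with `^`, so a later commented `#local_enable=YES` overwrites the value taken from the real directive; `/^[Ll][Oo][Cc][Aa][Ll][_][Ee][Nn][Aa][Bb][Ll][Ee]/` makes the two consistent. Since the comment at L5777 already notes the file may be restricted to root, the `-f` test at L5799 could be `-r`, so an unreadable file takes the "not found" branch instead of emitting a record whose hash and settings are all empty.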

@ -0,0 +1,41 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
CMD='who -H'
HEADER='USERNAME LINE HOSTNAME TIME'
# shellcheck disable=SC2016
HEADERIZE='{NR == 1 && $0 = header}'
# shellcheck disable=SC2016
FORMAT='{length(hostname) || hostname=$NF; gsub("[)(]", "",hostname); time=$3; for (i=4; i<=lastTimeColumn; i++) time = time " " $i}'
# shellcheck disable=SC2016
PRINTF='{if (NR == 1) {print $0} else {printf "%-14s %-10s %-40.40s %-s\n", $1,$2,hostname,time}}'
if [ "$KERNEL" = "Linux" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "SunOS" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "AIX" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='who -HR'
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "Darwin" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = "<console>"; lastTimeColumn = NF}}'
fi
assertHaveCommand "$CMD"
out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF" header="$HEADER")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 1 ]; then
echo "$out"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
else
echo "No data is present" >> "$TEE_DEST"
fi
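Review bot: `assertHaveCommand "$CMD"` at L5854 passes the whole command line (`who -H`, or `who -HR` after the HP-UX branch) rather than the executable name, unlike the other scripts in this commit which pass a bare name (L5594–L5597, L5800–L5801); whether the check still succeeds depends on how common.sh implements it, which is outside this hunk, so `assertHaveCommand who` is the unambiguous form. The six FILL_BLANKS assignments at L5841–L5852 differ only in the `NF < 5` / `NF < 6` threshold and could be one assignment with a per-platform variable, which would also make it natural to give the fall-through case a defined value. As written, an unrecognised `$KERNEL` leaves FILL_BLANKS empty, yet the awk program at L5855 still runs, so FORMAT at L5837 prints rows with `$NF` as the hostname and the time truncated to field 3 rather than reporting the platform as unsupported.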

@ -0,0 +1,29 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[install]
is_configured = 0
state = enabled
build = 1686646279
[ui]
setup_view = ta_nix_configuration
is_visible = true
label = Splunk Add-on for Unix and Linux
docs_section_override = AddOns:released
[launcher]
author = Splunk
version = 8.10.0
description = Splunk Add-on for Unix and Linux
[package]
id = Splunk_TA_nix
[id]
name = Splunk_TA_nix
version = 8.10.0
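Review bot: `is_configured = 0` at L5871 and `is_visible = true` at L5876 spell booleans two different ways in the same file; Splunk accepts both, but a single form, `is_configured = false`, keeps the stanza readable and consistent. `[launcher]` and `[id]` both carry `version = 8.10.0`, so a release bump has to touch two lines; a one-line comment above `[id]` noting that the two values must match would help the next editor avoid a mismatched package.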

@ -0,0 +1,8 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<nav>
<view name="ta_nix_configuration" default='true' />
</nav>

@ -0,0 +1,17 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<dashboard version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<panel>
<html>
<p>Please set up this add-on on your forwarders. Documentation on how to configure this add-on is
<a target="_blank" href="http://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment">here</a>
</p>
</html>
</panel>
</row>
</dashboard>
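Review bot: The documentation link at L5909 is a plain `http://` URL, so a click from a logged-in Splunk session starts over cleartext and relies on a server-side redirect to reach the TLS site; `https://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment` removes that hop. The two Splunkbase links at L5934 and L5936 in the next file section have the same issue. Each of these `target="_blank"` anchors could also carry `rel="noopener"`, if the SimpleXML html panel preserves the attribute, so the opened page cannot reach the dashboard window through `window.opener`.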

@ -0,0 +1,96 @@
<!--
SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-->
<!--
|| NOTE: The `isVisible` property is a special Splunk Light only property
|| that prevents this dashboard from appearing on the page:
|| http://localhost:8000/en-US/app/search/dashboards .
|| It has no effect on Splunk Enterprise.
-->
<dashboard script="setup.js" stylesheet="setup.css" isVisible="false" version="1.1">
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<html>
<p id="overview">
The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate
Linux and Unix system monitoring using Splunk. Check out the
<a href="http://apps.splunk.com/app/833/" target="_blank">
Splunk for Unix Technical Add-on
</a> page on <a href="http://apps.splunk.com/" target="_blank">Splunkbase</a>
for support information, the latest updates, and more.
</p>
<div id="not-unix-error" class="error-box">
This server is not running a known Unix or Linux operating system.
Install this add-on on Unix or Linux systems only.
</div>
<div>
<h2>File and Directory Inputs:</h2>
<table id="monitor-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div>
<h2>Scripted Metric Inputs:</h2>
<table id="scripted-metric-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
<th>Index</th>
</tr>
<!-- Rows will be inserted here -->
</table>
<h2>Scripted Event Inputs:</h2>
<table id="scripted-event-input-table" class="input-table">
<tr>
<th class="table-header">Name</th>
<th>Enable
<a href="#" class="enable-all-btn">(All)</a>
</th>
<th>Disable
<a href="#" class="disable-all-btn">(All)</a>
</th>
<th>Interval (sec)</th>
</tr>
<!-- Rows will be inserted here -->
</table>
</div>
<div id="generic-save-error" class="error-box">
There was an unexpected problem while saving the inputs.
Please reload the page and try again.
</div>
<div id="index-not-selected-error" class="error-box">
Field 'Index' is empty or invalid for the metric inputs. Change the index or disable the input.
</div>
<div id="invalid-interval-error" class="error-box">
Field 'Interval' must be a positive integer value.
</div>
<div id="btn-bar">
<input id="save-btn" class="btn btn-primary" type="submit" value="Save" />
</div>
</html>
</row>
</dashboard>
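Review bot: This dashboard (L5928) and the one in the previous file section (L5904) use the identical `<label>Splunk Add-on for Unix and Linux: Setup</label>`, and the header comment at L5925 states that `isVisible="false"` has no effect on Splunk Enterprise, so on Enterprise two entries with the same name appear in the dashboards list with no way to tell the forwarder notice from the interactive input form; a distinct label such as `<label>Splunk Add-on for Unix and Linux: Input Setup</label>` on this one would disambiguate them. The `(All)` anchors at L5949–L5982 use `href="#"`, which navigates to the page top unless setup.js (referenced at L5927 but not in the visible sections) cancels the default action; a `<button type="button">` element for each would not depend on that.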

@ -0,0 +1,722 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[nix_ta_custom_eventtype]
search = NOT *
[nix_ta_data]
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
###### Globals ######
[nix_security]
search = sourcetype="*_secure"
#tags = os unix
[nix_configs]
search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg")
[nix_errors]
search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal
#tags = error
###### DHCP ######
[dhcpd_server]
search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE)
#tags = dhcp network session unix
[dhcpd_start]
search = sourcetype=dhcpd signature=DHCPACK
#tags = start
[dhcpd_unable_unexpected]
search = sourcetype=dhcpd unable OR unexpected
#tags = error
[dhcpd_server_dhcpack]
search = sourcetype=dhcpd DHCPACK
[dhcpd_server_dhcpdiscover]
search = sourcetype=dhcpd DHCPDISCOVER
[dhcpd_server_dhcpoffer]
search = sourcetype=dhcpd DHCPOFFER
[dhcpd_server_dhcprelease]
search = sourcetype=dhcpd DHCPRELEASE
#tags = end
[dhcpd_server_dhcprequest]
search = sourcetype=dhcpd DHCPREQUEST
###### Scripted Inputs ######
## CPU stats
[cpu]
search = sourcetype=cpu
#tags = performance os resource report unix cpu
[cpu_anomalous]
search = sourcetype=cpu PercentSystemTime>90
#tags = enabled
[df]
search = sourcetype=df
#tags = df host check success storage performance
[iostat]
search = sourcetype=iostat
[nfsiostat]
search = sourcetype=nfsiostat
[lsof]
search = sourcetype=lsof
[hardware]
search = sourcetype=hardware
[interfaces]
search = sourcetype=interfaces
# tags = Inventory Network
[lastlog]
search = sourcetype=lastlog
[netstat]
search = sourcetype=netstat
# listening port
[openPorts]
search = sourcetype=openPorts
[package]
search = sourcetype=package
[protocol]
search = sourcetype=protocol
[ps]
search = sourcetype=ps
#tags = process oshost success ps cpu performance
[top]
search = sourcetype=top
[time]
search = sourcetype=time
[usersWithLoginPrivs]
search = sourcetype=usersWithLoginPrivs
[vmstat]
search = sourcetype=vmstat
#tags = performance os avail unix report vmstat resource success memory
[who]
search = sourcetype=who
[bandwidth]
search = sourcetype=bandwidth
###### System Logs ######
#### Account Management
[useradd]
search = eventtype=nix_ta_data useradd user
#tags = account management add change
# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0
[useradd-suse]
search = eventtype=nix_ta_data useradd new account added
#tags = account management add change
[userdel]
search = eventtype=nix_ta_data userdel user
#tags = account management delete change
[groupadd]
search = eventtype=nix_ta_data groupadd group
#tags = account management add change
#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0
[groupadd-suse]
search = eventtype=nix_ta_data useradd account added group
#tags = account management add change
[groupdel]
search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group
#tags = account management delete change
[linux-password-change]
search = eventtype=nix_ta_data process=passwd password changed
#tags = account management password modify change
#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0
[linux-password-change-failed]
search = eventtype=nix_ta_data process=passwd password change failed
#tags = account management password modify change
#### acpi
[nix_acpi]
search = eventtype=nix_ta_data ACPI:
#tags = os unix power
#### agpgart
[nix_agpgart]
search = eventtype=nix_ta_data agpgart:
#tags = os unix graphics
#### apm
[nix_apm]
search = eventtype=nix_ta_data apm:
#tags = os unix power
#### auditd
[auditd]
search = sourcetype=auditd
#tags = os unix resource file
[auditd_modify]
search = source=auditd PATH
#tags = modify
#### Authentication
## ksu
[ksu_authentication]
# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives.
search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful)))
#tags = authentication
## login
[login_authentication]
search = eventtype=nix_ta_data login: "Login failure on"
#tags = authentication
## pam
[pam_unix_authentication]
search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened")
#tags = authentication
## passwd
#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure
[passwd-auth-failure]
search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__"
#tags = application authentication
## rlogin
[rlogin_too_many_failures]
search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES"
#tags = application attack watchlist
## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_failure]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed")
#tags = application authentication remote
## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server.
[remote_login_allowed]
search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to"
#tags = application authentication remote
## sshd
[sshd_authentication]
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1
# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host
search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT")
#tags = authentication remote
[ssh_login_postponed]
search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed
# no tags assigned to this eventtype
[ssh_open]
search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from)
#tags = communicate connect
# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246
[ssh_close]
search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed)
#tags = access stop logoff
# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye
[ssh_disconnect]
search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect
#tags = access stop logoff
[ssh_check_pass]
search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__")
#no tags assigned to this eventtype
## su
[su_authentication]
# Example event, from su on CentOS7
# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success'
search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at))
#tags = authentication
[su_failed]
search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU "))
#tags = authentication
[su_session]
search = eventtype=nix_ta_data su: session
#tags = session
[su_root_session]
search = eventtype=nix_ta_data su: session root
#tags = session privileged
## Telnet
[wksh_authentication]
search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL"
# no tags assigned to this eventtype
#### automount
[nix_automount]
search = eventtype=nix_ta_data automount punct="::__::_*:_*"
#tags = os unix
#### Config
[nix_config_change]
search = eventtype=nix_ta_data Configuration changed
#tags = os unix host configuration modify
#### Console
[nix_console]
search = eventtype=nix_ta_data Console:
#tags = os unix
#### cron
[nix_cron]
search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased:
#tags = os unix
#### CUPS
[nix_cups_access]
search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-"
#tags = os unix access printer
[nix_cups_error]
search = eventtype=nix_ta_data punct="_[//:::_-]_*"
#tags = os unix printer
[nix_cups_page]
search = eventtype=nix_ta_data punct="___[//:::_-]___-_"
#tags = os unix printer
#### dhclient
[nix_dhclient]
search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name
#tags = os unix
#### DMA
[nix_dma]
search = eventtype=nix_ta_data DMA zone:
#tags = os unix memory access
#### Firewall
# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add
# on and tag their events with these tags
[iptables_firewall_accept]
search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit
#tags = os unix host firewall communicate success
[iptables_firewall_deny]
search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped
#tags = os unix host firewall communicate failure
#### FTP
[nix_ftp_xferlog]
search = eventtype=nix_ta_data punct="___*::___...__///*"
#tags = os unix ftp transfer
[nix_ncftpd_logins]
search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*"
#tags = os unix ftp authentication
#### Fingerprinting
[nix_fingerprinting]
search = eventtype=nix_ta_data Client OS detected:
#tags = os unix
#### gconfd
[nix_gconfd]
search = eventtype=nix_ta_data gconfd
#tags = os unix
[nix_gconfd_error]
search = eventtype=nix_ta_data gconfd Error
#tags = error
[nix_gconfd_exiting]
search = eventtype=nix_ta_data gconfd Exiting OR signal
#tags = stop
[nix_gconfd_resolved_address]
search = eventtype=nix_ta_data gconfd Resolved address
[nix_gconfd_starting]
search = eventtype=nix_ta_data gconfd starting
#tags = start
#### gdm
[nix_gdm]
search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam*
#tags = os unix
#### gpm
[nix_gpm]
search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*."
#tags = os unix
#### FreeBSD
[freebsd_refresh_na_answer]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)"
#tags = os unix
[freebsd_refresh_retry_exceeded]
search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)"
#tags = os unix
#### hald
[nix_hald]
search = eventtype=nix_ta_data hald punct="*__::_*:_*"
#tags = os unix
#### hpiod
[hpiod_Linux_syslog]
search = eventtype=nix_ta_data hpiod punct="*__::_*:_*"
#tags = os unix
#### kernel
[nix_kernel_attached]
search = eventtype=nix_ta_data kernel
#tags = os unix kernel
#### kill
[nix_process_kill]
search = eventtype=nix_ta_data exiting signal 15
#tags = os unix process stop
#### mDNSResponder
[nix_mDNSResponder]
search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*"
#tags = os unix dns
#### named
[nix_named1]
search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*"
#tags = os unix dns
[nix_named2]
search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..."
#tags = os unix dns
#### OSX Crash Log
[osx_crash_log]
search = eventtype=nix_ta_data Host Name Date/Time
#tags = os unix error
#### Netlabel
[nix_netlabel]
search = eventtype=nix_ta_data NetLabel:
#tags = os unix kernel
#### PCI
[nix_pci]
search = eventtype=nix_ta_data PCI: NOT BIOS
#tags = os unix
#### Plug-n-play
[nix_pnp]
search = eventtype=nix_ta_data pnp:
#tags = os unix
#### POP3
[nix_popper]
search = eventtype=nix_ta_data popper
#tags = os unix mail
#### postfix
[nix_postfix]
search = eventtype=nix_ta_data postfix punct="*__::_*:_*"
#tags = os unix
#### Prelink
[nix_prelink]
search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking
#tags = os unix
#### RPC
[nix_rpc_statd]
search = eventtype=nix_ta_data rpc.statd
#tags = os unix
#### RPM
[nix_rpm]
search = eventtype=nix_ta_data *.rpm punct="*-*.*."
#tags = os update
#### Runlevel
[nix_runlevel_change]
search = eventtype=nix_ta_data init: punct="*__::_*:_*"
#tags = os unix configuration modify
#### SNMPD
[snmpd]
search = eventtype=nix_ta_data snmpd
#tags = os unix snmp
[snmpd_failure]
search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE
#tags = failure
#### scrollkeeper
[nix_scrollkeeper]
search = eventtype=nix_ta_data scrollkeeper punct="__::__*"
#tags = os unix
## Shutdown
[nix_halt]
search = eventtype=nix_ta_data shutdown: system halt
#tags = os unix stop
[nix_restart]
search = eventtype=nix_ta_data shutdown: system reboot
#tags = os unix stop
#### smartd
[nix_smartd]
search = eventtype=nix_ta_data smartd punct="*__::_*:_*"
#tags = os unix
#### Time
[nix_timesync]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server")
#tags = report time synchronize success
[nix_timesync_failure]
search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon")
#tags = report time synchronize failure
#### Update
[nix_yum_update]
search = eventtype=nix_ta_data yum Updated
#tags = report update success
#### udevd
[nix_udevd]
search = eventtype=nix_ta_data udevd
#tags = os unix kernel
#### USB
[nix_usb]
search = eventtype=nix_ta_data usb*: NOT punct="<>:__*"
#tags = os unix usb
#### userhelper
[nix_userhelper]
search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*"
#tags = os unix
###### ADDED FROM UNIX APP ######
[failed_login]
search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for"
#tags = authentication
[Failed_SU]
search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ")
#tags = authentication
[nix-all-logs]
search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog)
###### END FROM UNIX APP ######
###### ADDED FROM TA-deploymentapps ######
###### Scripted Inputs ######
## Global
[aix_scripted_input]
search = sourcetype=AIX:*
#tags = check report
[hpux_scripted_input]
search = sourcetype=HPUX:*
#tags = check report
[linux_scripted_input]
search = sourcetype=Linux:*
#tags = check report
[osx_scripted_input]
search = sourcetype=OSX:*
#tags = check report
[solaris_scripted_input]
search = sourcetype=Solaris:*
#tags = check report
[unix_scripted_input]
search = sourcetype=Unix:*
#tags = check report
## CPUTime
[cputime]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime
#tags = performance os avail cpu
[cputime_anomalous]
search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90
#tags = anomalous
## Disk
[freediskspace]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace
#tags = performance os avail disk storage
[freediskspace_anomalous]
search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10
#tags = anomalous
## Listening Ports
[listeningports]
search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*)
#tags = os config report
## Local Processes
[localprocesses]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses
#tags = os avail process
[localprocesses_anomalous]
search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total
#tags = anomalous
## Memory
[memory]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory
#tags = performance os avail memory
[memory_anomalous]
search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600
#tags = anomalous
## SELinux Config
[selinuxconfig]
search = sourcetype=Linux:SELinuxConfig
#tags = application config selinux
## Service
[service]
search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*)
#tags = os config service report
[service_runlevel_anomalous]
search = sourcetype=*:Service (runlevel0=on OR runlevel6=on)
#tags = anomalous
## SSHD Config
[sshdconfig]
search = sourcetype=*:SSHDConfig
#tags = application config ssh
[sshd_insecure]
search = eventtype=nix_ta_data sshd_protocol=*1*
#tags = insecure
## Update
[update]
search = sourcetype=*:Update
#tags = os info update
[update_status]
search = sourcetype=*:Update NOT total_updates
#tags = status
## Uptime
[uptime]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime
#tags = os info report uptime performance
[uptime_anomalous]
search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000
#tags = anomalous
## User Accounts
[useraccounts]
search = sourcetype=*:UserAccounts (NOT file_hash=*)
#tags = (os) config user inventory
[useraccounts_anomalous]
search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*)
#tags = anomalous
## Version
[nix_version]
search = (NOT sourcetype=WMI:Version) sourcetype=*:Version
#tags = os info report system version inventory
## VSFTDP Config
[vsftpd_config]
search = sourcetype=*:VSFTPDConfig
#tags = application config ftp cleartext
[vsftpd_config_anonymous]
search = sourcetype=*:VSFTPDConfig anonymous_enable=YES
#tags = anonymous
###### END FROM TA-deploymentapps ######

@ -0,0 +1,270 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[script://./bin/vmstat_metric.sh]
sourcetype = vmstat_metric
source = vmstat
interval = 60
disabled = 1
[script://./bin/iostat_metric.sh]
sourcetype = iostat_metric
source = iostat
interval = 60
disabled = 1
[script://./bin/ps_metric.sh]
sourcetype = ps_metric
source = ps
interval = 30
disabled = 1
[script://./bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 1
[script://./bin/interfaces_metric.sh]
sourcetype = interfaces_metric
source = interfaces
interval = 60
disabled = 1
[script://./bin/cpu_metric.sh]
sourcetype = cpu_metric
source = cpu
interval = 30
disabled = 1
################################################
############### Event Inputs ###################
################################################
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1
[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
disabled = 1
[script://./bin/nfsiostat.sh]
interval = 60
sourcetype = nfsiostat
source = nfsiostat
disabled = 1
[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
disabled = 1
[script://./bin/top.sh]
interval = 60
sourcetype = top
source = top
disabled = 1
[script://./bin/netstat.sh]
interval = 60
sourcetype = netstat
source = netstat
disabled = 1
[script://./bin/bandwidth.sh]
interval = 60
sourcetype = bandwidth
source = bandwidth
disabled = 1
[script://./bin/protocol.sh]
interval = 60
sourcetype = protocol
source = protocol
disabled = 1
[script://./bin/openPorts.sh]
interval = 300
sourcetype = openPorts
source = openPorts
disabled = 1
[script://./bin/time.sh]
interval = 21600
sourcetype = time
source = time
disabled = 1
[script://./bin/lsof.sh]
interval = 600
sourcetype = lsof
source = lsof
disabled = 1
[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
disabled = 1
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
disabled = 1
# Lists users who could login (i.e., they are assigned a login shell)
[script://./bin/usersWithLoginPrivs.sh]
sourcetype = usersWithLoginPrivs
source = usersWithLoginPrivs
interval = 3600
disabled = 1
# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
disabled = 1
# Shows stats per link-level Etherner interface (simply, NIC)
[script://./bin/interfaces.sh]
sourcetype = interfaces
source = interfaces
interval = 60
disabled = 1
# Shows stats per CPU (useful for SMP machines)
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
disabled = 1
# This script reads the auditd logs translated with ausearch
[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
disabled = 1
# Run package management tool collect installed packages
[script://./bin/package.sh]
sourcetype = package
source = package
interval = 3600
disabled = 1
[script://./bin/hardware.sh]
sourcetype = hardware
source = hardware
interval = 36000
disabled = 1
[monitor:///Library/Logs]
disabled = 1
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1
[monitor:///var/adm]
whitelist=(\.log|log$|messages)
disabled = 1
[monitor:///etc]
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
disabled = 1
### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history
[monitor:///home/*/.bash_history]
disabled = true
sourcetype = bash_history
##### Added for ES support
# Note that because the UNIX app uses a single script to retrieve information
# from multiple OS flavors, and is intended to run on Universal Forwarders,
# it is not possible to differentiate between OS flavors by assigning
# different sourcetypes for each OS flavor (e.g. Linux:SSHDConfig), as was
# the practice in the older deployment-apps included with ES. Instead,
# sourcetypes are prefixed with the generic "Unix".
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/openPortsEnhanced.sh]
disabled = true
interval = 3600
source = Unix:ListeningPorts
sourcetype = Unix:ListeningPorts
[script://./bin/passwd.sh]
disabled = true
interval = 3600
source = Unix:UserAccounts
sourcetype = Unix:UserAccounts
# Only applicable to Linux
[script://./bin/selinuxChecker.sh]
disabled = true
interval = 3600
source = Linux:SELinuxConfig
sourcetype = Linux:SELinuxConfig
# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/service.sh]
disabled = true
interval = 3600
source = Unix:Service
sourcetype = Unix:Service
# Currently only supports SunOS, Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/sshdChecker.sh]
disabled = true
interval = 3600
source = Unix:SSHDConfig
sourcetype = Unix:SSHDConfig
# Currently only supports Linux, OSX.
# May require Splunk forwarder to run as root on some platforms.
[script://./bin/update.sh]
disabled = true
interval = 86400
source = Unix:Update
sourcetype = Unix:Update
[script://./bin/uptime.sh]
disabled = true
interval = 86400
source = Unix:Uptime
sourcetype = Unix:Uptime
[script://./bin/version.sh]
disabled = true
interval = 86400
source = Unix:Version
sourcetype = Unix:Version
# This script may need to be modified to point to the VSFTPD configuration file.
[script://./bin/vsftpdChecker.sh]
disabled = true
interval = 86400
source = Unix:VSFTPDConfig
sourcetype = Unix:VSFTPDConfig
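Review bot: The `[monitor:///root/.bash_history]` and `[monitor:///home/*/.bash_history]` stanzas carry no comment about what they index, and shell history is one of the places credentials typed on a command line end up; a header such as `# Indexes every interactive command, including any credentials passed inline; keep disabled unless the destination index is access-restricted` above the `### bash history` group would make the consequence of flipping `disabled` explicit. The same file mixes `disabled = 1` in the metric and event stanzas with `disabled = true` from the bash-history stanzas onward, and `whitelist=`/`blacklist=` in the monitor stanzas drop the `key = value` spacing used everywhere else; pick one form per file. `[script://./bin/rlog.sh]` reads auditd output via ausearch, which presumably needs root like the ES-support scripts further down, yet it lacks the `# May require Splunk forwarder to run as root on some platforms.` note those carry. The comment above `[script://./bin/interfaces.sh]` misspells Ethernet as `Etherner`.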

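--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,7 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[nix-netmon-hosts-search]
+definition = eventtype=netstat | stats count by host | sort +host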
@ -0,0 +1,774 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
#####################
## Configuration Logs
#####################
[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file
CHECK_METHOD = modtime
[config_file]
LINE_BREAKER = ^((?!))$
TRUNCATE = 1000000
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false
LEARN_SOURCETYPE = false
#####################
## DHCP
#####################
[source::....dhcpd]
sourcetype = dhcpd
[dhcpd]
KV_MODE = none
SHOULD_LINEMERGE = false
# For Load Balancing on UF
EVENT_BREAKER_ENABLE = true
pulldown_type = true
category = Network & Security
description = DHCP Server system events
REPORT-dhcp_discover_extract = dhcp_discover_extract
REPORT-dhcp_offer_extract = dhcp_offer_extract
REPORT-dhcp_request_extract = dhcp_request_extract
REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
REPORT-dhcp_decline_extract = dhcp_decline_extract
REPORT-dhcp_release_extract = dhcp_release_extract
REPORT-dhcp_inform_extract = dhcp_inform_extract
REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
REPORT-bind_update_fail_extract = bind_update_fail_extract
REPORT-dhcp_block_action = dhcp_block_action
REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
REPORT-dhcp_reuse_lease = dhcp_reuse_lease
EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
FIELDALIAS-signature = dhcp_type as signature
FIELDALIAS-src_nt_host = src_host as src_nt_host
FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
#########################
## Scripted Metric Inputs
#########################
[vmstat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
[cpu_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-cpu-metric-dimensions=eval_dimensions
TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu
[df_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = TSV
TRANSFORMS-df-metrics=extract_df_metrics
TRANSFORMS-df-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df
[interfaces_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces
[iostat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
TRANSFORMS-iostat-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat
[ps_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = none
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER=whitespace
TRANSFORMS-ps-metric-dimensions=eval_dimensions
TRANSFORMS-ps-metric-field=extract_ps_metric_field
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
#########################
## Scripted Event Inputs
#########################
[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
EVAL-CPU = coalesce(cpu,CPU)
EVAL-cpu = coalesce(cpu,CPU)
EVAL-cpu_instance = coalesce(cpu,CPU)
EVAL-pctIdle = coalesce(id,pctIdle)
EVAL-PercentIdleTime = coalesce(id,pctIdle)
EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
EVAL-pctNice = coalesce(pctNice,"0")
EVAL-PercentNiceTime = coalesce(pctNice,"0")
EVAL-pctUser = coalesce(us,pctUser)
EVAL-PercentUserTime = coalesce(us,pctUser)
EVAL-cpu_user_percent = coalesce(us,pctUser)
EVAL-pctSystem = coalesce(sy,pctSystem)
EVAL-PercentSystemTime = coalesce(sy,pctSystem)
EVAL-pctIowait = coalesce(wa,pctIowait)
EVAL-PercentWaitTime = coalesce(wa,pctIowait)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_for_df = host as dest
FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
FIELDALIAS-mount_for_df = MountedOn AS mount
EVAL-Type = coalesce('Type',"?")
EVAL-filesystem_type = coalesce('Type',"?")
EVAL-Size = coalesce('Size','1024_blocks')
EVAL-INodes = coalesce('INodes','Inodes')
EVAL-IUsePct = coalesce('IUsePct','IUse_')
EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
EVAL-Avail = coalesce('Avail', 'Available')
EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
## Legacy fields
# Note we don't elimininate one layer of indirection here by
# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
# which was previously used.
EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
# Redundancy required here because calculated fields are not evaluated in sequence.
EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
[hardware]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P<RealMemory>[^\s]*)[ ]?
EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P<SwapMemory>[^\s]*)[ ]?
EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P<Unit>\w+)?
EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P<cpu_cores>[^ \n]*)?
EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P<cpu_type>[^\n]*)?
EXTRACT-cpu_freq = (?<cpu_freq>[^\s]+)(?<cpu_freq_unit>[G|M]Hz)
EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[interfaces]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
EVAL-enabled = "true"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
FIELDALIAS-interface = Name as interface
FIELDALIAS-mac = MAC as mac
[iostat]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
# coalesce command is used to normalizes field names with the same value and for backward compatibility
EVAL-mount = coalesce(Device, Device_, device, "?")
EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
EVAL-Device = coalesce(Device, Device_, device, "?")
EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
[source::...(nfsiostat)]
sourcetype = nfsiostat
HEADER_MODE = always
SHOULD_LINEMERGE = false
[nfsiostat]
DATETIME_CONFIG = CURRENT
KV_MODE = multi
LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
FIELDALIAS-mount = Mount as mount
FIELDALIAS-read_latency = r_avg_exe as read_latency
FIELDALIAS-write_latency = w_avg_exe as write_latency
FIELDALIAS-read_ops = r_op_s as read_ops
FIELDALIAS-write_ops = w_op_s as write_ops
EVAL-total_ops = read_ops + write_ops
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
[lastlog]
## Override system/default lastlog sourcetype invalidation
invalid_cause =
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[lsof]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[netstat]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
FIELDALIAS-transport=Proto as transport
FIELDALIAS-state=State as state
EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
EVAL-vendor_product = "nix"
[bandwidth]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
EVAL-bytes=(rxKB_PS+txKB_PS)*1024
EVAL-bytes_in=rxKB_PS*1024
EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
EVAL-bytes_out=txKB_PS*1024
EVAL-packets=rxPackets_PS+txPackets_PS
FIELDALIAS-packets_in=rxPackets_PS as packets_in
FIELDALIAS-packets_out=txPackets_PS as packets_out
[openPorts]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
FIELDALIAS-dest_for_open_ports_sh = host AS dest
FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
EVAL-transport_dest_port = Proto + "/" + Port
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# extraction for sourcetype unix:listeningports
[Unix:ListeningPorts]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
[package]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
[protocol]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[ps]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
EVAL-pctCPU = coalesce(CPU, pctCPU)
EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
FIELDALIAS-dest_for_ps = host as dest
FIELDALIAS-src_for_ps = host as src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
EVAL-pctMEM = coalesce(MEM, pctMEM)
EVAL-PercentMemory = coalesce(MEM, pctMEM)
EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
EVAL-rss = coalesce(RSS, RSZ_KB)
EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
EVAL-vsz = coalesce(VSZ, VSZ_KB)
EVAL-TTY = coalesce(TTY, TT)
EVAL-tty = coalesce(TTY, TT)
EVAL-S = coalesce(S, STAT)
EVAL-stat = coalesce(S, STAT)
FIELDALIAS-user_for_ps = USER AS user
# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
EVAL-CPUTIME = coalesce(TIME, CPUTIME)
# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
# Incorporating CIM review changes
EVAL-action = "allowed"
EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")
[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
[usersWithLoginPrivs]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[vmstat]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
HEADER_MODE = always
REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
FIELDALIAS-dest_for_vmstat = host as dest
EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
FIELDALIAS-system_threads_count = threads as system_threads_count
FIELDALIAS-src_for_vmstat = host as src
FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
FIELDALIAS-swap_percent = swapUsedPct as swap_percent
## Legacy fields
FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756
FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
##Memoey Paging per second fields
FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out
[Unix:UserAccounts]
EVAL-description = "/etc/passwd file"
EVAL-enabled = "yes"
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
FIELDALIAS-dest = host as dest
#####################
## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Global ######
# [source::...(linux.*|sample.*.linux)]
# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
# [source::...(osx.*|sample.*.osx)]
# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
# [source::...(solaris.*|sample.*.solaris)]
# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
# [source::...sample.*.unix]
# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
## support for linux only
[Linux:SELinuxConfig]
EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
[linux_audit]
REPORT-command = command_for_linux_audit
EVAL-status = if('res'=="failed","failure",'res')
FIELDALIAS-object = id as object
FIELDALIAS-dvc = hostname as dvc
FIELDALIAS-dest = hostname as dest
FIELDALIAS-object_id = id as object_id
EVAL-op = if(op=="PAM:authentication", res, op)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
EVAL-app = "nix"
EVAL-change_type = "AAA"
EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')
[source::...Unix:Service]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVAL-service = coalesce(UNIT, app)
EVAL-service_name = coalesce(UNIT, app)
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
FIELDALIAS-status_for_solaris_service = State as status
FIELDALIAS-dest = host as dest
# extraction for sourcetype Unix:Service
[Unix:Service]
EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P<file_hash>[a-fA-F0-9]+)
# Incorporating CIM review changes
EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")
## no windows application at this time
[source::*:SSHDConfig]
EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null())
###### Update ######
[source::...Unix:Update]
EVENT_BREAKER_ENABLE = true
FIELDALIAS-signature_for_update = package as signature
LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status
###### Uptime ######
[source::...Unix:Uptime]
FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime
FIELDALIAS-dest = host as dest
###### Version ######
[source::...Unix:Version]
SHOULD_LINEMERGE = false
FIELDALIAS-family_for_nix_version = os_name as family
LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-version_for_nix_version = os_release as version
FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
FIELDALIAS-dest_for_nix_version = host as dest
###### VSFTPD Config ######
## no windows application at this time
[source::*:VSFTPDConfig]
EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead."
#####################
## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
#####################
#####################
## System Logs
#####################
###### Global ######
[source::....nix]
sourcetype = linux_secure
[source::/etc/passwd*]
sourcetype = ignored_type
[source::/etc/shadow*]
sourcetype = ignored_type
## Custom Sourcetype
#[source::....<your_sourcetype>]
#sourcetype = <your_sourcetype>
#[<your_sourcetype>]
### Event extractions by type
#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
#EVAL-action = if(app="su" AND isnull(action),"success",action)
#REPORT-account_management_for_your_sourcetype = useradd, userdel
#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
#REPORT-routing_for_your_sourcetype = iptables
#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
#REPORT-dest_for_your_sourcetype = host_as_dest
#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
#REPORT-pid-process_for_your_sourcetype = syslog-extractions
#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src
###### AIX Sourcetype ######
[source::....aix_secure]
sourcetype = aix_secure
[aix_secure]
EVENT_BREAKER_ENABLE = true
REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_aix_secure = loghost_as_dest
FIELDALIAS-dvc = dest as dvc
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src
###### OSX Security ######
[source::....osx_secure]
sourcetype = osx_secure
[osx_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-dest_for_osx_secure = host_as_dest
LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src
###### Linux Security ######
[source::....linux_secure]
sourcetype = linux_secure
[linux_secure]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-dest_for_linux_secure = loghost_as_dest
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
FIELDALIAS-dvc = dest as dvc
EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
FIELDALIAS-user_name = user as user_name
EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
###### Syslog ######
[source::....syslog]
sourcetype = syslog
[syslog]
EVENT_BREAKER_ENABLE = true
## Event extractions by type
REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
REPORT-dest_for_syslog = host_as_dest
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
FIELDALIAS-dvc = dest as dvc
EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
###### bash history ######
[bash_history]
SHOULD_LINEMERGE=FALSE
EVENT_BREAKER_ENABLE = true
DATETIME_CONFIG=CURRENT
REPORT-bhist=bash_user,bash_user_root
FIELDALIAS-bhist=_raw AS bash_command
FIELDALIAS-dest_for_history = host as dest

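--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,9 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[script:setup]
+python.version = python3
+match=/SetupService
+handler=setupservice.SetupService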
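Review bot: The `[script:setup]` stanza mixes two delimiter styles, `python.version = python3` beside `match=/SetupService` and `handler=setupservice.SetupService`; the other .conf files in this commit use `key = value`, so the last two lines should read `match = /SetupService` and `handler = setupservice.SetupService`. The stanza also has no comment saying what the endpoint is for or which module provides `setupservice.SetupService`; a one-line `# REST endpoint backing the add-on setup page; handler lives in bin/setupservice.py` (adjust the path to where the handler actually lives) above the header would tell the next maintainer where to look. If this endpoint is meant to be reachable only by authenticated users, stating `requireAuthentication = true` explicitly documents that intent instead of relying on the parser default, which is presumably what is intended here.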
@ -0,0 +1,851 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
[eventtype=nix_security]
os = enabled
unix = enabled
[eventtype=nix_errors]
error = enabled
[eventtype=interfaces]
inventory = enabled
network = enabled
###### DHCP ######
[eventtype=dhcpd_server]
dhcp = enabled
network = enabled
session = enabled
unix = enabled
[eventtype=dhcpd_start]
start = enabled
[eventtype=dhcpd_unable_unexpected]
error = enabled
[eventtype=dhcpd_server_dhcprelease]
end = enabled
###### Scripted Inputs ######
[eventtype=cpu]
os = enabled
resource = enabled
report = enabled
unix = enabled
cpu = enabled
avail = enabled
performance = enabled
oshost = enabled
[eventtype=cpu_anomalous]
anomalous = enabled
[eventtype=df]
df = enabled
host = enabled
check = enabled
success = enabled
storage = enabled
performance = enabled
oshost = enabled
[eventtype=iostat]
report = enabled
resource = enabled
iostat = enabled
performance = enabled
cpu = enabled
storage = enabled
success = enabled
oshost = enabled
[eventtype=nfsiostat]
storage = enabled
performance = enabled
[eventtype=lsof]
report = enabled
lsof = enabled
resource = enabled
file = enabled
success = enabled
[eventtype=netstat]
report = enabled
netstat = enabled
os = enabled
cpu = enabled
success = enabled
listening = enabled
port = enabled
[eventtype=ps]
performance = enabled
cpu = enabled
success = enabled
ps = enabled
oshost = enabled
process = enabled
[eventtype=top]
top = enabled
os = enabled
success = enabled
process = enabled
[eventtype=time]
report = enabled
os = enabled
success = enabled
time = enabled
[eventtype=vmstat]
report = enabled
vmstat = enabled
resource = enabled
success = enabled
cpu = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=bandwidth]
network = enabled
resource = enabled
success = enabled
performance = enabled
oshost = enabled
[eventtype=hardware]
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
# For ESS:
os = enabled
avail = enabled
unix = enabled
###### System Logs ######
#### Account Management
[eventtype=useradd]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=useradd-suse]
account = enabled
management = enabled
add = enabled
change = enabled
[eventtype=userdel]
account = enabled
management = enabled
delete = enabled
change = enabled
[eventtype=groupadd]
management = enabled
add = enabled
change = enabled
[eventtype=groupadd-suse]
management = enabled
add = enabled
change = enabled
account = enabled
[eventtype=groupdel]
management = enabled
delete = enabled
change = enabled
[eventtype=linux-password-change]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
[eventtype=linux-password-change-failed]
account = enabled
management = enabled
password = enabled
modify = enabled
change = enabled
#### acpi
[eventtype=nix_acpi]
os = enabled
unix = enabled
power = enabled
#### agpgart
[eventtype=nix_agpgart]
os = enabled
unix = enabled
graphics = enabled
#### apm
[eventtype=nix_apm]
os = enabled
unix = enabled
power = enabled
#### auditd
[eventtype=auditd]
os = enabled
unix = enabled
resource = enabled
file = enabled
[eventtype=auditd_modify]
modify = enabled
#### Authentication
## ksu
[eventtype=ksu_authentication]
authentication = enabled
[app=ksu]
local = enabled
privileged = enabled
[app=ksudo]
local = enabled
privileged = enabled
## login
[eventtype=login_authentication]
authentication = enabled
## pam
[eventtype=pam_unix_authentication]
authentication = enabled
## passwd
[eventtype=passwd-auth-failure]
application = enabled
authentication = enabled
## rlogin
[eventtype=rlogin_too_many_failures]
application = enabled
attack = enabled
watchlist = enabled
[eventtype=remote_login_failure]
application = enabled
authentication = enabled
remote = enabled
[eventtype=remote_login_allowed]
application = enabled
authentication = enabled
remote = enabled
## sshd
[eventtype=sshd_authentication]
authentication = enabled
remote = enabled
[eventtype=ssh_open]
communicate = enabled
connect = enabled
[eventtype=ssh_close]
access = enabled
stop = enabled
logoff = enabled
[eventtype=ssh_disconnect]
access = enabled
stop = enabled
logoff = enabled
[eventtype=failed_login]
authentication = enabled
[eventtype=Failed_SU]
authentication = enabled
## su
[eventtype=su_authentication]
authentication = enabled
[app=su]
local = enabled
privileged = enabled
[app=sudo]
local = enabled
privileged = enabled
[eventtype=su_failed]
authentication = enabled
[eventtype=su_session]
session = enabled
[eventtype=su_root_session]
session = enabled
privileged = enabled
## Telnet
[app=wksh]
cleartext = enabled
#### automount
[eventtype=nix_automount]
os = enabled
unix = enabled
#### Config
[eventtype=nix_config_change]
os = enabled
unix = enabled
host = enabled
configuration = enabled
modify = enabled
#### Console
[eventtype=nix_console]
os = enabled
unix = enabled
#### cron
[eventtype=nix_cron]
os = enabled
unix = enabled
#### CUPS
[eventtype=nix_cups_access]
os = enabled
unix = enabled
access = enabled
printer = enabled
[eventtype=nix_cups_error]
os = enabled
unix = enabled
printer = enabled
[eventtype=nix_cups_page]
os = enabled
unix = enabled
printer = enabled
#### dhclient
[eventtype=nix_dhclient]
os = enabled
unix = enabled
#### DMA
[eventtype=nix_dma]
os = enabled
unix = enabled
memory = enabled
access = enabled
#### Firewall
[eventtype=iptables_firewall_accept]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
success = enabled
[eventtype=iptables_firewall_deny]
os = enabled
unix = enabled
host = enabled
firewall = enabled
communicate = enabled
failure = enabled
#### FTP
[eventtype=nix_ftp_xferlog]
os = enabled
unix = enabled
ftp = enabled
transfer = enabled
[eventtype=nix_ncftpd_logins]
os = enabled
unix = enabled
ftp = enabled
authentication = enabled
#### Fingerprinting
[eventtype=nix_fingerprinting]
os = enabled
unix = enabled
#### gconfd
[eventtype=nix_gconfd]
os = enabled
unix = enabled
[eventtype=nix_gconfd_error]
error = enabled
[eventtype=nix_gconfd_exiting]
stop = enabled
[eventtype=nix_gconfd_starting]
start = enabled
## gdm
[eventtype=nix_gdm]
os = enabled
unix = enabled
#### gpm
[eventtype=nix_gpm]
os = enabled
unix = enabled
#### FreeBSD
[eventtype=freebsd_refresh_na_answer]
os = enabled
unix = enabled
[eventtype=freebsd_refresh_retry_exceeded]
os = enabled
unix = enabled
#### hald
[eventtype=nix_hald]
os = enabled
unix = enabled
#### hpiod
[eventtype=hpiod_Linux_syslog]
os = enabled
unix = enabled
#### kernel
[eventtype=nix_kernel_attached]
os = enabled
unix = enabled
kernel = enabled
#### kill
[eventtype=nix_process_kill]
os = enabled
unix = enabled
process = enabled
stop = enabled
#### mDNSResponder
[eventtype=nix_mDNSResponder]
os = enabled
unix = enabled
dns = enabled
#### named
[eventtype=nix_named1]
os = enabled
unix = enabled
dns = enabled
[eventtype=nix_named2]
os = enabled
unix = enabled
dns = enabled
#### OSX
[eventtype=osx_crash_log]
os = enabled
unix = enabled
error = enabled
#### Netlabel
[eventtype=nix_netlabel]
os = enabled
unix = enabled
kernel = enabled
#### PCI
[eventtype=nix_pci]
os = enabled
unix = enabled
#### Plug-n-play
[eventtype=nix_pnp]
os = enabled
unix = enabled
#### POP3
[eventtype=nix_popper]
os = enabled
unix = enabled
mail = enabled
#### postfix
[eventtype=nix_postfix]
os = enabled
unix = enabled
#### Prelink
[eventtype=nix_prelink]
os = enabled
unix = enabled
#### RPC
[eventtype=nix_rpc_statd]
os = enabled
unix = enabled
#### RPM
[eventtype=nix_rpm]
os = enabled
unix = enabled
update = enabled
#### Runlevel
[eventtype=nix_runlevel_change]
os = enabled
unix = enabled
configuration = enabled
modify = enabled
#### SNMPD
[eventtype=snmpd]
os = enabled
unix = enabled
snmp = enabled
[eventtype=snmpd_failure]
failure = enabled
#### scrollkeeper
[eventtype=nix_scrollkeeper]
os = enabled
unix = enabled
## Shutdown
[eventtype=nix_halt]
os = enabled
unix = enabled
stop = enabled
[eventtype=nix_restart]
os = enabled
unix = enabled
stop = enabled
#### smartd
[eventtype=nix_smartd]
os = enabled
unix = enabled
#### Time
[eventtype=nix_timesync]
report = enabled
time = enabled
synchronize = enabled
success = enabled
os = enabled
performance = enabled
[eventtype=nix_timesync_failure]
report = enabled
time = enabled
synchronize = enabled
failure = enabled
os = enabled
performance = enabled
#### Update
[eventtype=nix_yum_update]
report = enabled
update = enabled
success = enabled
#### udevd
[eventtype=nix_udevd]
os = enabled
unix = enabled
kernel = enabled
#### USB
[eventtype=nix_usb]
os = enabled
unix = enabled
usb = enabled
#### userhelper
[eventtype=nix_userhelper]
os = enabled
unix = enabled
#### Open ports
[eventtype=openPorts]
unix = enabled
report = enabled
os = enabled
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
[eventtype=aix_scripted_input]
check = enabled
report = enabled
[eventtype=hpux_scripted_input]
check = enabled
report = enabled
[eventtype=linux_scripted_input]
check = enabled
report = enabled
[eventtype=osx_scripted_input]
check = enabled
report = enabled
[eventtype=solaris_scripted_input]
check = enabled
report = enabled
[eventtype=unix_scripted_input]
check = enabled
report = enabled
## CPUTime
[eventtype=cputime]
os = enabled
avail = enabled
cpu = enabled
performance = enabled
oshost = enabled
[eventtype=cputime_anomalous]
anomalous = enabled
## Disk
[eventtype=freediskspace]
os = enabled
avail = enabled
disk = enabled
performance = enabled
oshost = enabled
storage = enabled
[eventtype=freediskspace_anomalous]
anomalous = enabled
## Listening Ports
[eventtype=listeningports]
os = enabled
config = enabled
report = enabled
## Local Processes
[eventtype=localprocesses_anomalous]
anomalous = enabled
## Memory
[eventtype=memory]
os = enabled
avail = enabled
memory = enabled
performance = enabled
oshost = enabled
[eventtype=memory_anomalous]
anomalous = enabled
## SELinux Config
[eventtype=selinuxconfig]
application = enabled
config = enabled
selinux = enabled
[selinux=disabled]
insecure = enabled
## Service
[eventtype=service]
os = enabled
config = enabled
service = enabled
report = enabled
[eventtype=service_runlevel_anomalous]
anomalous = enabled
[app=ntpd]
time = enabled
synchronize = enabled
[app=%2Fnetwork%2Fntp%3Adefault]
time = enabled
synchronize = enabled
[app=yum-updatesd]
automatic = enabled
update = enabled
## SSHD Config
[eventtype=sshdconfig]
application = enabled
config = enabled
ssh = enabled
[eventtype=sshd_insecure]
insecure = enabled
## Update
[eventtype=update]
os = enabled
info = enabled
system = enabled
update = enabled
[eventtype=update_status]
status = enabled
## Uptime
[eventtype=uptime]
os = enabled
info = enabled
report = enabled
uptime = enabled
performance = enabled
[eventtype=uptime_anomalous]
anomalous = enabled
## User Accounts
[eventtype=useraccounts]
os = disabled
config = enabled
user = enabled
inventory = enabled
[eventtype=useraccounts_anomalous]
anomalous = enabled
[shell=%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fbin%2Fsh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fbash]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfksh]
interactive = enabled
[shell=%2Fusr%2Fbin%2Fpfsh]
interactive = enabled
## Version
[eventtype=nix_version]
os = enabled
info = enabled
report = enabled
system = enabled
version = enabled
inventory = enabled
oshost = enabled
cpu = enabled
memory = enabled
## VSFTDP Config
[eventtype=vsftpd_config]
application = enabled
config = enabled
ftp = enabled
cleartext = enabled
[eventtype=vsftpd_config_anonymous]
anonymous = enabled
###### END CONTENT IMPORTED FROM TA-deploymentapps ######

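Review bot: `os = disabled` under `[eventtype=useraccounts]` is the only `disabled` value in this 851-line tags file, where every other stanza sets its tags to `enabled`; if that is deliberate (the tag is meant to be switched off for this eventtype), a comment such as `# os tag intentionally disabled for useraccounts` above the line would stop it being "fixed" later, and if it is a slip it should be `os = enabled`. The section comment `## VSFTDP Config` above `[eventtype=vsftpd_config]` has a transposition and should read `## VSFTPD Config`, matching the stanza name and the `###### VSFTPD Config ######` header used in the props file earlier in this commit. Both points are cosmetic and do not change tagging behaviour.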
@ -0,0 +1,538 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
###### Globals ######
## Lookups
[nix_action_lookup]
filename = nix_vendor_actions.csv
case_sensitive_match = false
## Aliases
[host_as_dest]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = dest::"$1"
[host_as_src]
SOURCE_KEY = host
REGEX = (.+)
FORMAT = src::"$1"
[src_dns_as_src]
SOURCE_KEY = src_dns
REGEX = (.+)
FORMAT = src::"$1"
[src_ip_as_src]
SOURCE_KEY = src_ip
REGEX = (.+)
FORMAT = src::"$1"
[dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
[dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
[dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
## netstat
[ip_and_ports_for_netstat]
REGEX = \w+\s+\d+\s+\d+\s+((?:\d+.\d+.\d+.\d+)|(?:\[[^\]]+\])|\*):([\S]+)\s+((?:\d+.\d+.\d+.\d+)|(?:\[[^\]]+\])|\*):([\S]+)\s+[\S]+
FORMAT = dest::$1 dest_port::$2 src::$3 src_port::$4
MV_ADD = true
###### DHCP ######
[dhcp_prefix_dest]
#when dhcp server is the dest, extract the dest and process fields
#format as below (fields are within the angle brackets):
#<dest> <dest_host>[process_id]|<process>:
REGEX=\s+(?<dest>\S+)\s+(?:(?<dest_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_prefix_src]
#when dhcp server is the src, extract the src and process fields
#format as below (fields are within the angle brackets):
#<src> <src_host>[process_id]|<process>:
REGEX=\s+(?<src>\S+)\s+(?:(?<src_host>[^\s\[\]]+)\[(?<process_id>[^\]\s]+)\]|(?<process>[^\s\[\]]+)):\s+
[dhcp_mac_hostname_for_dest]
#extract mac address and hostname for dest
#format as below (fields are within the angle brackets):
#<dest_mac> (<dest_host>)
#Note: dest_host may not exist
REGEX=\s+(?<dest_mac>\S+)\s+(?:\((?<dest_host>[^)]+)\)\s+)?
[dhcp_mac_hostname_for_src]
#extract mac address and hostname for src
#format as below (fields are within the angle brackets):
#<src_mac> (<src_host>)
#Note: src_host may not exist
REGEX=\s+(?<mac_address>\S+)\s+(?:\((?<src_host>[^)]+)\)\s+)?
[dhcp_relay]
#extract relay field
REGEX = (?<relay>[^\s:\\]+)
[dhcp_block_action]
#extract blocked actions
REGEX = (?<block_action>(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map))
[dhcp_discover_extract]
# for event of DHCPDISCOVER, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDISCOVER from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_offer_extract]
# for event of DHCPOFFER, format as below (fields are within the angle brackets):
# <src> <process>: DHCPOFFER on <dest_ip> to <dest_mac> (<dest_host>) via <relay>
# Note: dest_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPOFFER)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_request_extract]
# for event of DHCPREQUEST, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPREQUEST for <src> (<server_ip>) from <src_mac> (<src_host>) via <relay> uid <uuid>
# Note: server_ip, src_host, uuid may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPREQUEST)\s+for\s+(?<src>\S+)\s+(?:\((?<server_ip>[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?<uuid>[^\s]+))?
[dhcp_ack_nak_extract_0]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK on <dest_ip> to <dest_mac> (<dest_host>) via (<relay>) relay <relay_ip> lease-duration <lease_duration> uid <uuid>
# Note: dest_host, relay_ip, lease_duration, uuid may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+on\s+(?<dest_ip>\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?<relay_ip>\S+)\s+lease-duration\s+(?<lease_duration>\S+)\s+.*uid\s+(?<uuid>\S+))?
[dhcp_ack_nak_extract_1]
# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
# <src> <process>: DHCPACK|DHCPNAK to <dest_ip> (<dest_mac>) via <relay>
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPACK|DHCPNAK)\s+to\s+(?<dest_ip>\S+)\s+\((?<dest_mac>[^)]+)\)\s+via\s+[[dhcp_relay]]
[dhcp_decline_extract]
# for event of DHCPDECLINE, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPDECLINE of <src> from <src_mac> (<src_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPDECLINE)\s+of\s+(?<src>\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
[dhcp_release_extract]
# for event of DHCPRELEASE, format as below (fields are within the angle brackets):
# <src> <process>: DHCPRELEASE of <dest> from <dest_mac> (<dest_host>) via <relay>
# Note: src_host may not exist
REGEX=[[dhcp_prefix_src]](?<dhcp_type>DHCPRELEASE)\s+of\s+(?<dest>\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
[dhcp_inform_extract]
# for event of DHCPINFORM, format as below (fields are within the angle brackets):
# <dest> <process>: DHCPINFORM from <src> via <relay>
REGEX=[[dhcp_prefix_dest]](?<dhcp_type>DHCPINFORM)\s+from\s+(?<src>\S+)\s+via\s+[[dhcp_relay]]
[dhcp_unable_to_add_forward_map_extract]
# for event of unable to add forward map, format as below (fields are within the angle brackets):
# <src> <process>: Unable to add forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_add_new_forward_map_extract]
# for event of add new forward map, format as below (fields are within the angle brackets):
# <src> <process>: Added new forward map from <dest> to <dest_ip>
REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?<dest>\S+)\s+to\s+(?<dest_ip>[^\s:]+)
[dhcp_added_reverse_map_extract]
# for event of add reverse map, format as below (fields are within the angle brackets):
# <dest> <process>: [aA]dded reverse map from <src_ptr> to <src>
REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?<src_ptr>\S+)\s+to\s+(?<src>\S+)
[dhcp_abandon_ip_extract]
# for event of Abandon IP address, format as below (fields are within the angle brackets):
# <src> <process>: Abandoning IP address <dest_ip>
REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?<dest_ip>[^\s:]+)
[dhcp_lease_duplicate_extract]
# for event of lease duplicate, format as below (fields are within the angle brackets):
# <server> <process>: uid lease <dest_ip> for client <dest_mac> is duplicate on <src>
REGEX=\s+(?<server>\S+)\s+(?<server_process>[^\s:]+):\s+uid\s+lease\s+(?<dest_ip>\S+)\s+for\s+client\s+(?<dest_mac>\S+)\s+is\s+duplicate\s+on\s+(?<src>\S+)/
[bind_update_fail_extract]
# for event of bind update reject, format as below (fields are within the angle brackets):
# <dest> <process>: bind update on <src> from <failover_peer> rejected
REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?<src>\S+)\s+from\s+(?<failover_peer>\S+)\s+rejected.*
[dhcp_icmp_echo_reply]
REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?<dest>\S+)
[dhcp_reuse_lease]
REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?<dest>[^$]+)
###### Scripted Metric Inputs ######
[eval_dimensions]
# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
[extract_df_metrics]
INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
[metric-schema:extract_metrics_interfaces]
METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped
METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address
# added extract_iostat_metrics_field for backward compatibility
[extract_iostat_metrics_field]
INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null())
[extract_ps_metric_field]
INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
[extract_cpu_metric_field]
INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
[metric-schema:extract_metrics_iostat]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_vmstat]
METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_df]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
[metric-schema:extract_metrics_cpu]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_ps]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
###### Scripted Event Inputs ######
[vmstat_osx]
REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.)
FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6
#procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
# r b swpd free inact active si so bi bo in cs us sy id wa
# 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0
[vmstat_linux]
REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16
#memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
# 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0
[fields_for_vmstat_sh]
REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18"
###### System Logs ######
# General
[loghost_as_dest]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]*
FORMAT = dest::$1
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6
[userdel]
REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+).
FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success"
[userdel-grp]
REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\'
FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4
[groupdel]
REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)?
FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3
[groupadd]
REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success"
[groupadd-suse]
REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))?
FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4
## password change
[pam-passwd-ok]
REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+)
FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2
[passwd-change-fail]
REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))?
FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4
[command_for_linux_audit]
REGEX = exe=.*\/(\S+)\"
FORMAT = command::$1
## Authentication
# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
[ssh-login-accepted]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
[ssh-login-failed]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player rom XXX.XXX.XX.XXX port 343 ssh2
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
[ssh-invalid-user]
REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
# Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX
# Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com
[failed_login1]
REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+)
FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login"
# Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0)
# Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark
# Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX
[ssh-session-close]
REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^ ]+))?(?: by \(uid=(\d+)\))?(?: by (\d+\.\d+\.\d+\.\d+))?
FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
[ssh-disconnect]
REGEX = .* (Received disconnect) from (.*):
FORMAT = name::$1 src_ip::$2
[sshd_authentication_kerberos_success]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4"
[sshd_authentication_refused]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[sshd_authentication_tried]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))?
FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5"
[sshd_login_restricted]
REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+)
FORMAT = app::$1 vendor_action::"$2" user::"$3"
[pam_unix_authentication_failure]
REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)?
FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
[pam_unix_authentication_success]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s]+)\s+by\s+(.*?)\(uid=(\d+)\)
FORMAT = app::"$1" vendor_action::"$2" user::$3 src_user::$4 action::"success" user_id::$5
[passwd-auth-failure]
REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
[sudo_cannot_identify]
REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+)
FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password"
[remote_login_allowed]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed"
[remote_login_failure]
REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed"
[failed-su]
REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+)
FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other"
[bad-su]
REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid"
[bad-su2]
REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+)
FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU"
[ksu_authentication]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+)
FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4
[ksu_authorization]
REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful)
FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4
[login_authentication]
REGEX = (login)\:.*(failure).*from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\,\s+(\S+))?
FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure"
[su_simple]
REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+)
FORMAT = app::"nix" src_user::$1 user::$2 action::"success"
[su_authentication]
REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+)
FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3
[su_successful]
REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+)
FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3
[wksh_authentication]
REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+)
FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4
[ftpd_authentication]
REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\,\s+(.*)
FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5"
## Firewall
[ipfw]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) ([^:]*):(\d+) ([^:]*):(\d+) (in|out) via ([^\s]+)
FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9
[ipfw-stealth]
REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) ([^:]*):(\d+) from ([^:]*):(\d+)
FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6
[ipfw-icmp]
#REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s*
REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*)
FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8
[pf]
REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): (\d+\.\d+\.\d+\.\d+)\.?(\d*) [<>] (\d+\.\d+\.\d+\.\d+)\.?(\d*): (?:.*)
FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8
## Routing
# Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
[iptables]
REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+).*PROTO=(\w+) SPT=(\w+) DPT=(\w+)
FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8
## bash
[bash_user]
SOURCE_KEY=source
REGEX=^\/home\/([^\/]+)\/
FORMAT=user_name::$1
[bash_user_root]
SOURCE_KEY=source
REGEX=^\/(root)\/
FORMAT=user_name::$1
## Time synchronization
[signature_for_nix_timesync]
REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable))
FORMAT = signature::$1
###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.
###### Scripted Inputs ######
## Global
##
[force_host_for_linux_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-001
[force_host_for_osx_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-002
[force_host_for_solaris_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-003
[force_host_for_unix_eventgen]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::ACME-004
## Service
[nix_linux_service_startmode_lookup]
filename = nix_linux_service_startmodes.csv
## Update
[nix_da_update_status_lookup]
filename = nix_da_update_status.csv
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Version
[nix_da_version_range_lookup]
filename = nix_da_version_ranges.csv
[nix_linux_audit_action_lookup]
filename = nix_linux_audit_action_object_category.csv
[force_host_for_linux_cpu]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_memory]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_io]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
[force_host_for_linux_disk]
DEST_KEY=MetaData:Host
REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT=host::$1
###### END CONTENT IMPORTED FROM TA-deploymentapps ######

@ -0,0 +1,8 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[expose:setup]
pattern=SetupService
methods=GET,POST
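Review bot: The `[expose:setup]` stanza publishes `SetupService` for GET and POST through splunkweb, but nothing in this file records which handler stanza registers that service or what capability it enforces, so a reader cannot tell from here whether a non-admin role can reach the setup endpoint. A comment above the stanza would make that reviewable, e.g. `# Exposes the app setup handler via splunkweb; authorization is enforced by the stanza that registers SetupService (see README/restmap.conf.spec)`. The registering stanza is not in this hunk, so the capability requirement should be confirmed there, and `methods` kept to the verbs the setup page actually uses.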

@ -0,0 +1,8 @@
sourcetype,status
AIX:Update,available
FreeBSD:Update,available
HPUX:Update,available
Linux:Update,available
OSX:Update,available
Solaris:Update,available
Unix:Update,available
1 sourcetype status
2 AIX:Update available
3 FreeBSD:Update available
4 HPUX:Update available
5 Linux:Update available
6 OSX:Update available
7 Solaris:Update available
8 Unix:Update available

@ -0,0 +1,8 @@
sourcetype,range
AIX:Version,aix
FreeBSD:Version,freebsd
HPUX:Version,hpux
Linux:Version,linux
OSX:Version,osx
Solaris:Version,solaris
Unix:Version,unix
1 sourcetype range
2 AIX:Version aix
3 FreeBSD:Version freebsd
4 HPUX:Version hpux
5 Linux:Version linux
6 OSX:Version osx
7 Solaris:Version solaris
8 Unix:Version unix

@ -0,0 +1,12 @@
op,action,object_category
add-user,created,user
add-home-dir,created,user
add-group,created,group
add-shadow-group,created,group
delete-user,deleted,user
deleting-user-from-group,modified,user
deleting-user-from-shadow-group,modified,user
delete-shadow-group,deleted,group
delete-group,deleted,group
success,success,user
failed,failure,user
1 op action object_category
2 add-user created user
3 add-home-dir created user
4 add-group created group
5 add-shadow-group created group
6 delete-user deleted user
7 deleting-user-from-group modified user
8 deleting-user-from-shadow-group modified user
9 delete-shadow-group deleted group
10 delete-group deleted group
11 success success user
12 failed failure user

@ -0,0 +1,129 @@
runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6,StartMode
off,off,off,off,off,off,off,Disabled
off,off,off,off,off,off,on,Auto
off,off,off,off,off,on,off,Auto
off,off,off,off,off,on,on,Auto
off,off,off,off,on,off,off,Auto
off,off,off,off,on,off,on,Auto
off,off,off,off,on,on,off,Auto
off,off,off,off,on,on,on,Auto
off,off,off,on,off,off,off,Auto
off,off,off,on,off,off,on,Auto
off,off,off,on,off,on,off,Auto
off,off,off,on,off,on,on,Auto
off,off,off,on,on,off,off,Auto
off,off,off,on,on,off,on,Auto
off,off,off,on,on,on,off,Auto
off,off,off,on,on,on,on,Auto
off,off,on,off,off,off,off,Auto
off,off,on,off,off,off,on,Auto
off,off,on,off,off,on,off,Auto
off,off,on,off,off,on,on,Auto
off,off,on,off,on,off,off,Auto
off,off,on,off,on,off,on,Auto
off,off,on,off,on,on,off,Auto
off,off,on,off,on,on,on,Auto
off,off,on,on,off,off,off,Auto
off,off,on,on,off,off,on,Auto
off,off,on,on,off,on,off,Auto
off,off,on,on,off,on,on,Auto
off,off,on,on,on,off,off,Auto
off,off,on,on,on,off,on,Auto
off,off,on,on,on,on,off,Auto
off,off,on,on,on,on,on,Auto
off,on,off,off,off,off,off,Auto
off,on,off,off,off,off,on,Auto
off,on,off,off,off,on,off,Auto
off,on,off,off,off,on,on,Auto
off,on,off,off,on,off,off,Auto
off,on,off,off,on,off,on,Auto
off,on,off,off,on,on,off,Auto
off,on,off,off,on,on,on,Auto
off,on,off,on,off,off,off,Auto
off,on,off,on,off,off,on,Auto
off,on,off,on,off,on,off,Auto
off,on,off,on,off,on,on,Auto
off,on,off,on,on,off,off,Auto
off,on,off,on,on,off,on,Auto
off,on,off,on,on,on,off,Auto
off,on,off,on,on,on,on,Auto
off,on,on,off,off,off,off,Auto
off,on,on,off,off,off,on,Auto
off,on,on,off,off,on,off,Auto
off,on,on,off,off,on,on,Auto
off,on,on,off,on,off,off,Auto
off,on,on,off,on,off,on,Auto
off,on,on,off,on,on,off,Auto
off,on,on,off,on,on,on,Auto
off,on,on,on,off,off,off,Auto
off,on,on,on,off,off,on,Auto
off,on,on,on,off,on,off,Auto
off,on,on,on,off,on,on,Auto
off,on,on,on,on,off,off,Auto
off,on,on,on,on,off,on,Auto
off,on,on,on,on,on,off,Auto
off,on,on,on,on,on,on,Auto
on,off,off,off,off,off,off,Auto
on,off,off,off,off,off,on,Auto
on,off,off,off,off,on,off,Auto
on,off,off,off,off,on,on,Auto
on,off,off,off,on,off,off,Auto
on,off,off,off,on,off,on,Auto
on,off,off,off,on,on,off,Auto
on,off,off,off,on,on,on,Auto
on,off,off,on,off,off,off,Auto
on,off,off,on,off,off,on,Auto
on,off,off,on,off,on,off,Auto
on,off,off,on,off,on,on,Auto
on,off,off,on,on,off,off,Auto
on,off,off,on,on,off,on,Auto
on,off,off,on,on,on,off,Auto
on,off,off,on,on,on,on,Auto
on,off,on,off,off,off,off,Auto
on,off,on,off,off,off,on,Auto
on,off,on,off,off,on,off,Auto
on,off,on,off,off,on,on,Auto
on,off,on,off,on,off,off,Auto
on,off,on,off,on,off,on,Auto
on,off,on,off,on,on,off,Auto
on,off,on,off,on,on,on,Auto
on,off,on,on,off,off,off,Auto
on,off,on,on,off,off,on,Auto
on,off,on,on,off,on,off,Auto
on,off,on,on,off,on,on,Auto
on,off,on,on,on,off,off,Auto
on,off,on,on,on,off,on,Auto
on,off,on,on,on,on,off,Auto
on,off,on,on,on,on,on,Auto
on,on,off,off,off,off,off,Auto
on,on,off,off,off,off,on,Auto
on,on,off,off,off,on,off,Auto
on,on,off,off,off,on,on,Auto
on,on,off,off,on,off,off,Auto
on,on,off,off,on,off,on,Auto
on,on,off,off,on,on,off,Auto
on,on,off,off,on,on,on,Auto
on,on,off,on,off,off,off,Auto
on,on,off,on,off,off,on,Auto
on,on,off,on,off,on,off,Auto
on,on,off,on,off,on,on,Auto
on,on,off,on,on,off,off,Auto
on,on,off,on,on,off,on,Auto
on,on,off,on,on,on,off,Auto
on,on,off,on,on,on,on,Auto
on,on,on,off,off,off,off,Auto
on,on,on,off,off,off,on,Auto
on,on,on,off,off,on,off,Auto
on,on,on,off,off,on,on,Auto
on,on,on,off,on,off,off,Auto
on,on,on,off,on,off,on,Auto
on,on,on,off,on,on,off,Auto
on,on,on,off,on,on,on,Auto
on,on,on,on,off,off,off,Auto
on,on,on,on,off,off,on,Auto
on,on,on,on,off,on,off,Auto
on,on,on,on,off,on,on,Auto
on,on,on,on,on,off,off,Auto
on,on,on,on,on,off,on,Auto
on,on,on,on,on,on,off,Auto
on,on,on,on,on,on,on,Auto
1 runlevel0 runlevel1 runlevel2 runlevel3 runlevel4 runlevel5 runlevel6 StartMode
2 off off off off off off off Disabled
3 off off off off off off on Auto
4 off off off off off on off Auto
5 off off off off off on on Auto
6 off off off off on off off Auto
7 off off off off on off on Auto
8 off off off off on on off Auto
9 off off off off on on on Auto
10 off off off on off off off Auto
11 off off off on off off on Auto
12 off off off on off on off Auto
13 off off off on off on on Auto
14 off off off on on off off Auto
15 off off off on on off on Auto
16 off off off on on on off Auto
17 off off off on on on on Auto
18 off off on off off off off Auto
19 off off on off off off on Auto
20 off off on off off on off Auto
21 off off on off off on on Auto
22 off off on off on off off Auto
23 off off on off on off on Auto
24 off off on off on on off Auto
25 off off on off on on on Auto
26 off off on on off off off Auto
27 off off on on off off on Auto
28 off off on on off on off Auto
29 off off on on off on on Auto
30 off off on on on off off Auto
31 off off on on on off on Auto
32 off off on on on on off Auto
33 off off on on on on on Auto
34 off on off off off off off Auto
35 off on off off off off on Auto
36 off on off off off on off Auto
37 off on off off off on on Auto
38 off on off off on off off Auto
39 off on off off on off on Auto
40 off on off off on on off Auto
41 off on off off on on on Auto
42 off on off on off off off Auto
43 off on off on off off on Auto
44 off on off on off on off Auto
45 off on off on off on on Auto
46 off on off on on off off Auto
47 off on off on on off on Auto
48 off on off on on on off Auto
49 off on off on on on on Auto
50 off on on off off off off Auto
51 off on on off off off on Auto
52 off on on off off on off Auto
53 off on on off off on on Auto
54 off on on off on off off Auto
55 off on on off on off on Auto
56 off on on off on on off Auto
57 off on on off on on on Auto
58 off on on on off off off Auto
59 off on on on off off on Auto
60 off on on on off on off Auto
61 off on on on off on on Auto
62 off on on on on off off Auto
63 off on on on on off on Auto
64 off on on on on on off Auto
65 off on on on on on on Auto
66 on off off off off off off Auto
67 on off off off off off on Auto
68 on off off off off on off Auto
69 on off off off off on on Auto
70 on off off off on off off Auto
71 on off off off on off on Auto
72 on off off off on on off Auto
73 on off off off on on on Auto
74 on off off on off off off Auto
75 on off off on off off on Auto
76 on off off on off on off Auto
77 on off off on off on on Auto
78 on off off on on off off Auto
79 on off off on on off on Auto
80 on off off on on on off Auto
81 on off off on on on on Auto
82 on off on off off off off Auto
83 on off on off off off on Auto
84 on off on off off on off Auto
85 on off on off off on on Auto
86 on off on off on off off Auto
87 on off on off on off on Auto
88 on off on off on on off Auto
89 on off on off on on on Auto
90 on off on on off off off Auto
91 on off on on off off on Auto
92 on off on on off on off Auto
93 on off on on off on on Auto
94 on off on on on off off Auto
95 on off on on on off on Auto
96 on off on on on on off Auto
97 on off on on on on on Auto
98 on on off off off off off Auto
99 on on off off off off on Auto
100 on on off off off on off Auto
101 on on off off off on on Auto
102 on on off off on off off Auto
103 on on off off on off on Auto
104 on on off off on on off Auto
105 on on off off on on on Auto
106 on on off on off off off Auto
107 on on off on off off on Auto
108 on on off on off on off Auto
109 on on off on off on on Auto
110 on on off on on off off Auto
111 on on off on on off on Auto
112 on on off on on on off Auto
113 on on off on on on on Auto
114 on on on off off off off Auto
115 on on on off off off on Auto
116 on on on off off on off Auto
117 on on on off off on on Auto
118 on on on off on off off Auto
119 on on on off on off on Auto
120 on on on off on on off Auto
121 on on on off on on on Auto
122 on on on on off off off Auto
123 on on on on off off on Auto
124 on on on on off on off Auto
125 on on on on off on on Auto
126 on on on on on off off Auto
127 on on on on on off on Auto
128 on on on on on on off Auto
129 on on on on on on on Auto

@ -0,0 +1,22 @@
vendor_action,action
accepted,success
add,created
added,created
create,created
authenticated,success
"authentication failed",failure
"authentication refused",failure
"authentication tried",failure
"authorized to",success
"could not identify password",failure
delete,deleted
failed,failure
"ftp login",success
"handling telnet call",success
"invalid user",failure
"login restricted",failure
remove,deleted
"session opened",success
succeeded,success
successful,success
"account added to group",modified
1 vendor_action action
2 accepted success
3 add created
4 added created
5 create created
6 authenticated success
7 authentication failed failure
8 authentication refused failure
9 authentication tried failure
10 authorized to success
11 could not identify password failure
12 delete deleted
13 failed failure
14 ftp login success
15 handling telnet call success
16 invalid user failure
17 login restricted failure
18 remove deleted
19 session opened success
20 succeeded success
21 successful success
22 account added to group modified
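Review bot: The rows `"ftp login",success` and `"handling telnet call",success` mark an event as an authentication success on the strength of a token alone, and `handling telnet call` in particular describes an incoming connection, not a completed login. Whether a failed FTP login line can be reduced to the bare `ftp login` token depends on the vendor_action extraction in props/transforms, which is outside this section, so this is hedged; if it can, failures would be counted as successes in the Authentication data model, which is the wrong direction to err for a detection feed. It would be worth confirming the extraction never yields the bare token on a failure line, and either adding explicit failure rows for the longer variants the extraction does produce or dropping the telnet row.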

@ -0,0 +1,11 @@
# Application-level permissions
[]
access = read : [ * ], write : [ admin , sc_admin ]
export = system
[savedsearches]
owner = admin
## Exclude export of custom alert actions
[alert_actions/email]
export = none
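Review bot: The comment `## Exclude export of custom alert actions` promises more than the stanza under it delivers: only `[alert_actions/email]` is set to `export = none`, while the root `[]` stanza exports everything else system-wide, so any other alert action this app defines is still visible to every app. If email is meant to be the single exception, reword to `## Do not export the email alert action system-wide`; if all custom alert actions really are meant to stay private, an `[alert_actions]` stanza with `export = none` should cover them. The `write : [ admin , sc_admin ]` grant is the usual Enterprise/Cloud admin pair and looks intentional.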

@ -0,0 +1,353 @@
{
"version": "1.0",
"date": "2023-06-16T18:27:09.187109199Z",
"hashAlgorithm": "SHA-256",
"app": {
"id": 833,
"version": "8.10.0",
"files": [
{
"path": "LICENSES/Apache-2.0.txt",
"hash": "d3910dee6fe9fe134856d76268fe82adb1ade1ecf51b3568b7da6b94894b88f3"
},
{
"path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
},
{
"path": "README/restmap.conf.spec",
"hash": "db1641a66cc6703fb2aa4f8d26f4041091e7685843befee21ae01cc9735b75c3"
},
{
"path": "README.txt",
"hash": "229729a9533d76ddf7352d064d780cf7242104ad50785939dd42cdb53c979e3f"
},
{
"path": "THIRDPARTY",
"hash": "73e046ee6823db5317f756098d1b9376701cde8b55d90fe3edeed366c5cc9e7c"
},
{
"path": "VERSION",
"hash": "a8e8864e5c57f868056321c8f6d21e8e23ea1754db0d538b653851355737a105"
},
{
"path": "app.manifest",
"hash": "2d823a0227d741f9353770fbf7307e0b2053c6104a58c685c05abe9b74e67b6c"
},
{
"path": "appserver/static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "appserver/static/components/js_sdk_extensions/common.js",
"hash": "295fe307ec286b9b4eb89c4b59dbd6204376e63b7346c26fd1b087446db372c2"
},
{
"path": "appserver/static/components/js_sdk_extensions/monitor_inputs.js",
"hash": "27af704acaeb3b98c78ad5322a6171e1b748b5650be809f5d92a4e5618529123"
},
{
"path": "appserver/static/components/js_sdk_extensions/scripted_inputs.js",
"hash": "6fe5d6f31a60a86d9988170e1641f13eb315351f890c2247c6de83b3aa372e26"
},
{
"path": "appserver/static/setup.css",
"hash": "f27882e6a07bbd87f99f95d77211439e71959efae6d52ce4771ce26d06e0bcc9"
},
{
"path": "appserver/static/setup.js",
"hash": "a3d4e2567779b605a97daa3ced2fc49a8e487a5ec4ee95080392824eb74e7e11"
},
{
"path": "bin/bandwidth.sh",
"hash": "4da182e234d9f1ac7375f1f73dc381a175de6f6727442760a7a94c202a0d27ee"
},
{
"path": "bin/common.sh",
"hash": "8e62abdfdcc59dd1da11c343fc27d82245c5f656b7a83697d1f59b5c0f1cc847"
},
{
"path": "bin/cpu.sh",
"hash": "5a08b99fc719ddb2a52c0e14851c41a3ec00fcab1d22266776a9663bd0ad513a"
},
{
"path": "bin/cpu_metric.sh",
"hash": "d586ebd5828bb859784bbd38508615dece134c309c4d4648743de8de2e23145b"
},
{
"path": "bin/df.sh",
"hash": "cf44d7fc37f3e8bd0ad45ad52c6ead1e4eba0c24b7df6591ea81ed9ccefd86a5"
},
{
"path": "bin/df_metric.sh",
"hash": "fd80b682cc891492b2ac0814ee100ac602a44784d26090e68c3bf43a65033d2d"
},
{
"path": "bin/hardware.sh",
"hash": "91a7b459aa0902c0279301d1fcb48045a765e949f313f01b537115100849c438"
},
{
"path": "bin/interfaces.sh",
"hash": "1201660100788ee93cf04fd204e9cac5fbef57a2e8bfbfe73cf2d8d23e186f15"
},
{
"path": "bin/interfaces_metric.sh",
"hash": "2a9d04640b257a3db77d8c156390bf28b6899d43b223c06160a1bd6005a52354"
},
{
"path": "bin/iostat.sh",
"hash": "e061b38ecc91dac97e3866303ec9cebdd66bda4c8840f9892ac3a11d6e1119e9"
},
{
"path": "bin/iostat_metric.sh",
"hash": "00cd13732819423428e4e0e3e7755ab6166d497eef1532c00a21d4247467a2d3"
},
{
"path": "bin/lastlog.sh",
"hash": "49780f6191857ff198d686a5816df33e647953f6b4e2c0b8b74da7544f81d1a1"
},
{
"path": "bin/lsof.sh",
"hash": "16271b65b56ed86bd12e4c1f4ab6764ae3a6569303172f816839828cabc7d378"
},
{
"path": "bin/netstat.sh",
"hash": "cf59f2d06335063e39c34fc7f943b5036ab950a56e7c854a58c23961f85728cf"
},
{
"path": "bin/nfsiostat.sh",
"hash": "b59c6a5209c3d8713fc13b9c6ba5d208c7e5926c7276067bf8059c4ff0515755"
},
{
"path": "bin/openPorts.sh",
"hash": "78c65c42a30407cf83e6e5cc02f38a1582892a8b174f2908c9ff6c5008a5185f"
},
{
"path": "bin/openPortsEnhanced.sh",
"hash": "84bbce81c94dcad1b4d355c5376e2fce87254345e3ab4691b1ca6f594c78729a"
},
{
"path": "bin/package.sh",
"hash": "969e87b45c30d33f97d71f6dee5207ab316fc002974dcc7173fe4282cac49deb"
},
{
"path": "bin/passwd.sh",
"hash": "43bbaf6f474b19eaa33bbd3a211c5f05baaca1c8054bb27111300066e8a2a4bc"
},
{
"path": "bin/protocol.sh",
"hash": "aa6b5ee56486ff766d7d7fe392a9c19be778dee6f3e4d0c98d10973d150d15ba"
},
{
"path": "bin/ps.sh",
"hash": "a6410a2fd13baf04293dabc1bdf87dfb27f9053093c314e7247ef7d7949134fa"
},
{
"path": "bin/ps_metric.sh",
"hash": "f64f1823d7d5e5666bb6e9762411695de17721e61bb8cd133c0feeba2d00452a"
},
{
"path": "bin/rlog.sh",
"hash": "003f20fcbbc9025938346224a7d8e4482451a70ae4b58d6331519e55d5711c4c"
},
{
"path": "bin/selinuxChecker.sh",
"hash": "d53a56969fd63fb03b83dfa4f15b176340616c2d90e7786e9c2915de10007c0f"
},
{
"path": "bin/service.sh",
"hash": "0fb7c94bb476c4509cf0694ea365efbe2b820b547068d310cff11b35a201d252"
},
{
"path": "bin/setup.sh",
"hash": "102460dd7db695c753a2710cb7b8202e9a1543eb670d48384eb2b5c014231f8f"
},
{
"path": "bin/setupservice.py",
"hash": "67c36b304a1693772b6efea6e06ea23657461d394062e2520f62672ec3fc6766"
},
{
"path": "bin/sshdChecker.sh",
"hash": "d01610d6ce7204e7de063bc72b7452c7839de390a764a4bb596f8334b05b6ca5"
},
{
"path": "bin/time.sh",
"hash": "86e46cbd14715419905341ebf6894f6df67c38200277b8230c1607ddae70f574"
},
{
"path": "bin/top.sh",
"hash": "78281eb09ba3aee954f4fe1e23f03c3f0626cd6d4e7a0b8897a872a88de3caa5"
},
{
"path": "bin/update.sh",
"hash": "949192d59612d2703cb09df17f653211c1a8e17094c9bc593d387fe07d5f2b1a"
},
{
"path": "bin/uptime.sh",
"hash": "9d47de23f02e8df2d115916aa2d39c670d3906ef535e2ce5d61a9b6040dd2941"
},
{
"path": "bin/usersWithLoginPrivs.sh",
"hash": "c9d69fcf12821ba5fdf113d488761811f3e10070587f25ab40a260285678bb4c"
},
{
"path": "bin/version.sh",
"hash": "93df3b8c69c7764966d9e86c40ebe0fe68adfa1e41b1ebcb43a2988c1bed15d2"
},
{
"path": "bin/vmstat.sh",
"hash": "8d6c38f4ecca1129656aa922d7f3c571b1732c0d097163df62915e1abc27f6ba"
},
{
"path": "bin/vmstat_metric.sh",
"hash": "a1329bdb5c7e1768b9cc3b7e2dda9f786b5577635fafe61c6814d3954702bfc9"
},
{
"path": "bin/vsftpdChecker.sh",
"hash": "53723f1c6b60bf066aee58d1c9e326ccf393b379d82ff4e01f44a461530c42ed"
},
{
"path": "bin/who.sh",
"hash": "ba5c25645e57938297bf85f5869924b9a006f27511b4e7f067e196a9049898cf"
},
{
"path": "default/app.conf",
"hash": "fe7aa54896c9407bd862171e53d2d7dd56e710cc9e74ff5ef14e446fb791dab2"
},
{
"path": "default/data/ui/nav/default.xml",
"hash": "36078398f91fa377c21f2369271797cc0016b8ba1a6f271e327cce2809f2711d"
},
{
"path": "default/data/ui/views/ta_nix_configuration.env_cloud.xml",
"hash": "d353c157375a04dc5f1dabc3229ef927a2277d6b42d3974b862df50c40b830ae"
},
{
"path": "default/data/ui/views/ta_nix_configuration.xml",
"hash": "2d30308510e08aea0a190984fda45b708ab373768796494202a4813c37ef74d2"
},
{
"path": "default/eventtypes.conf",
"hash": "5b517737ba9e2543fc3e46d2fc7619451f97c89623225687fb1fbbbafb740ec0"
},
{
"path": "default/inputs.conf",
"hash": "2fd8e1d795313cffad4a000d4df4c21813fb73df59d081e7655c956524c2d14a"
},
{
"path": "default/macros.conf",
"hash": "1654b2a87cb8c728837d048ecf1f2e9edec701618eae8a9d1d8c3f85958518ae"
},
{
"path": "default/props.conf",
"hash": "f9b55acbbeacf6613c84b21431b60fedd1c204fdcdb1e7bb0038ba1350770fc7"
},
{
"path": "default/restmap.conf",
"hash": "0c8a09ad79c266a28d987730706ecd7cd06802aecd1dbf4a3b01fe689fd0d0e7"
},
{
"path": "default/tags.conf",
"hash": "c3e8aa2f96f145fb51a5ed3e24f21d1e6c5f4832c888c2581b3f96347c0df192"
},
{
"path": "default/transforms.conf",
"hash": "2ce1dc83c2ea48959707fe64443eed6612209a505a4d8701086cba1f0a524d8b"
},
{
"path": "default/web.conf",
"hash": "e469e328c8e94caae6059bb3675ac1578a5d7c14a7757b784c1cb988adca9572"
},
{
"path": "lookups/nix_da_update_status.csv",
"hash": "a9a794b39377946e0dcb5f70c9c8ba6114fec1728512c9f39cfb0f3eca46159c"
},
{
"path": "lookups/nix_da_version_ranges.csv",
"hash": "992529c548d8273e073a988d089fbd5c7fa5c1ef47d51243e9da9dfb77eba6d2"
},
{
"path": "lookups/nix_linux_audit_action_object_category.csv",
"hash": "5838950fd3cade537dea91d1dcdcbd10532457fa7de07d397bfc699e56a19867"
},
{
"path": "lookups/nix_linux_service_startmodes.csv",
"hash": "dd669b358909f4d9be9d0aef9f4720e78a290e422a90ec3e3cdabe39ed9b8be2"
},
{
"path": "lookups/nix_vendor_actions.csv",
"hash": "f287b03905a705fed92dd4a1d1cf060c16b9521aba80b06494af8d5e8530fa97"
},
{
"path": "metadata/default.meta",
"hash": "6fa3057938996152cdfeddb46b20a1c079966ba87a56cf7c13c9d35f3caaf2e7"
},
{
"path": "static/appIcon.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt.png",
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
},
{
"path": "static/appIconAlt_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIconLg.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
},
{
"path": "static/appIconLg_2x.png",
"hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34"
},
{
"path": "static/appIcon_2x.png",
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
}
]
},
"products": [
{
"platform": "splunk",
"product": "enterprise",
"versions": [
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
},
{
"platform": "splunk",
"product": "cloud",
"versions": [
"8.1",
"8.2",
"9.0"
],
"architectures": [
"x86_64"
],
"operatingSystems": [
"windows",
"linux",
"macos",
"freebsd",
"solaris",
"aix"
]
}
]
}

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


@ -0,0 +1,61 @@
================================================================================
================================================================================
Third-Party Software for splunk-add-on-for-sysmon-for-linux
--------------------------------------------------------------------------------
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-sysmon-for-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
Date generated: 2022-10-24
Revision ID: 532ef5d523c4c212a653d2169fba73ebade75ff5
================================================================================
================================================================================
================================================================================
Declared License
================================================================================
No declared license found for splunk-add-on-for-sysmon-for-linux
================================================================================
First Party Licenses
================================================================================
No licenses found
================================================================================
Dependencies
================================================================================
================================================================================
License
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report Generated by FOSSA on 2022-10-24

@ -0,0 +1,58 @@
{
"dependencies": null,
"incompatibleApps": null,
"info": {
"author": [
{
"name": "Splunk, Inc.",
"email": null,
"company": null
}
],
"classification": {
"categories": [
"Security, Fraud & Compliance"
],
"developmentStatus": "Production/Stable",
"intendedAudience": "IT Professionals"
},
"commonInformationModels": null,
"description": "Splunk Add-on for Sysmon For Linux",
"id": {
"group": null,
"name": "Splunk_TA_sysmon-for-linux",
"version": "1.0.0"
},
"license": {
"name": null,
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
"uri": null
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseDate": null,
"releaseNotes": {
"name": "README",
"text": "README.txt",
"uri": "https://docs.splunk.com/Documentation/AddOns/McAfeeEPOSyslog/About"
},
"title": "Splunk Add-on for Sysmon For Linux"
},
"inputGroups": null,
"platformRequirements": null,
"schemaVersion": "2.0.0",
"supportedDeployments": [
"_standalone",
"_distributed",
"_search_head_clustering"
],
"targetWorkloads": [
"_search_heads",
"_forwarders",
"_indexers"
],
"tasks": null
}
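Review bot: `releaseNotes.uri` at the end of the `info` block points to `https://docs.splunk.com/Documentation/AddOns/McAfeeEPOSyslog/About`, which is the documentation page of a different add-on (McAfee ePO Syslog), not the Sysmon for Linux add-on this manifest describes. This looks like a copy-and-paste leftover from another TA's manifest. Either point it at this add-on's own release-notes page or set it to `null` like the other unknown `uri` fields in this file, so a reader is not sent to unrelated documentation.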

@ -0,0 +1,28 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[install]
is_configured = false
state = enabled
build = 1666608684
[launcher]
author = Splunk, Inc.
description = Splunk Add-on for Sysmon For Linux
version = 1.0.0
[ui]
is_visible = false
label = Splunk Add-on for Sysmon For Linux
docs_section_override = AddOns:released
[package]
id = Splunk_TA_sysmon-for-linux
[id]
name = Splunk_TA_sysmon-for-linux
version = 1.0.0

@ -0,0 +1,17 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[sysmon-linux-network]
search = sourcetype="sysmon:linux" EventID="3"
[sysmon-linux-process]
search = sourcetype="sysmon:linux" (EventID IN ("1","5","9") )
[sysmon-linux-filemod]
search = sourcetype="sysmon:linux" (EventID IN ("11","23") )
[sysmon-linux-service]
search = sourcetype="sysmon:linux" (EventID IN ("4","16") )

@ -0,0 +1,13 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[journald://sysmon]
interval = 30
journalctl-quiet = true
journalctl-include-fields = PRIORITY,_SYSTEMD_UNIT,_SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
journalctl-filter = _SYSTEMD_UNIT=sysmon.service
sourcetype = sysmon:linux
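Review bot: The `[journald://sysmon]` stanza sets neither `disabled` nor `index`, so wherever this add-on is deployed the input is active immediately and, unless an `index` is supplied by a local override, the Sysmon events land in the default index alongside whatever else goes there. For endpoint telemetry that is usually not what you want: access control and retention on the default index rarely match the sensitivity of process-creation and network-connection data. Consider shipping the stanza with `disabled = true` and an explicit `index =` value to be set per deployment in `local/inputs.conf`, and saying so in the README.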

@ -0,0 +1,95 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[sysmon:linux]
TIME_PREFIX = <Data Name="UtcTime">
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%
TZ = UTC
REPORT-sysmon = sysmon-eventid,sysmon-keywords,sysmon-computer,sysmon-data,sysmon-filename
FIELDALIAS-dvc = Computer AS dvc
EVAL-file_hash = case( EventID IN ("23") AND NOT Hashes IN ("-"), Hashes )
EVAL-process_hash = case( EventID IN ("1") AND NOT Hashes IN ("-"), Hashes )
EVAL-action = case( EventID IN ("1", "3", "9"), "allowed", \
EventID="5", "blocked", \
(EventID = "11" AND UtcTime==CreationUtcTime), "created", \
EventID IN ("23"), "deleted", \
(EventID = "11" AND UtcTime!=CreationUtcTime), "modified" )
EVAL-dest = case( EventID IN ("1","4","5","9","11","16","23"), Computer, \
EventID="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
EventID="3", DestinationIp )
# ID 1 only
EVAL-parent_process = case( EventID="1", ParentCommandLine)
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
EVAL-original_file_name = case( EventID="1", replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
# ID 3 only (DNS query)
FIELDALIAS-dest_port = DestinationPort AS dest_port
FIELDALIAS-SourcePort = SourcePort AS src_port
FIELDALIAS-Protocol = Protocol AS transport
EVAL-dest_host = case( EventID="3" AND DestinationHostname != '-', DestinationHostname)
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
FIELDALIAS-src_ip = SourceIp AS src_ip
EVAL-src_host = case( EventID="3" AND NOT SourceHostname IN ("-"), SourceHostname )
EVAL-app = case( EventID="3", Image )
EVAL-creation_time = case( EventID=="3",UtcTime )
EVAL-direction = case( EventID="3" AND Initiated=="true","outbound", EventID="3", "inbound" )
EVAL-protocol = case( EventID="3", "IP" )
EVAL-protocol_version = case( EventID="3" AND DestinationIsIpv6="true", "ipv6", EventID="3", "ipv4" )
EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != '-', RuleName)
EVAL-state = case(EventID=="3", "established")
EVAL-transport_dest_port = mvzip(transport,dest_port,"/")
EVAL-vendor_product = "Sysmon For Linux"
EVAL-src = case( EventID IN ("3"), SourceIp, \
isnotnull(SourceHostname), SourceHostname, \
isnotnull(SourceIp), SourceIp )
# ID 4, 16 only
# Endpoint:Services
EVAL-description = case( EventID="4", "Sysmon state changed", \
EventID="16", "Sysmon configuration changed")
EVAL-service = case( EventID IN ("4","16"), "Linux-Sysmon" )
EVAL-service_name = case( EventID IN ("4","16"), "Linux-Sysmon" )
EVAL-user = case( EventID IN ("3"), User, UserId="0","root")
FIELDALIAS-UserId = UserId AS user_id
EVAL-os = case( EventID IN ("1","5","9"),"Linux" )
EVAL-parent_process_path = case( EventID="1", ParentImage )
EVAL-parent_process_exec = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_name = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_id = case( EventID="1", ParentProcessId )
EVAL-parent_process_guid = case( EventID="1", ParentProcessGuid )
EVAL-process = case( EventID IN ("1"), CommandLine, EventID IN ("5"), Image )
EVAL-process_path = case( EventID IN ("1","5","9","11","23"), Image )
EVAL-process_exec = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_name = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_guid = case( EventID IN ("1","3","5","9","11","23"), ProcessGuid )
EVAL-process_id = case( EventID IN ("4","16"), ProcessID, \
EventID IN ("1","3","5","9","11","23"), ProcessId )
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
EVAL-status = case( (EventID=14 AND Keywords="0x8000000000000000"),"success", \
EventID="16","started", \
EventID="4",lower(State) )
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
EVAL-file_modify_time = case( EventID IN ("23"),UtcTime )
EVAL-file_path = case ( EventID IN ("11", "23"), replace(TargetFilename,"(:[\w\. ]+)",""), EventID IN ("16"), Configuration )
EVAL-file_name = case ( EventID IN ("11","23"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
EVAL-object_category = case( EventID IN ("11","23"), "file" )
#Fields for ChangeAnalysis DM
LOOKUP-sysmon-eventid-lookup = sysmon-eventid-lookup EventID OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-signature_id = EventID AS signature_id
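Review bot: The comparisons `DestinationHostname != '-'` in `EVAL-dest_host` and `RuleName != '-'` in `EVAL-rule` use single quotes, which in Splunk eval syntax denote a field name rather than a string literal; the expression compares against a nonexistent field called `-`, so it does not behave like the double-quoted `!= "-"` test used in `EVAL-dest` a few lines above. The likely effect is that `dest_host` and `rule` are never populated for EventID 3 while `dest` still works. Change both to string literals: `EVAL-dest_host = case( EventID="3" AND DestinationHostname != "-", DestinationHostname)` and `EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != "-", RuleName)`. Separately, the trailing `%` in `TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%` looks like a stray character and is worth checking against a sample event, since a TIME_FORMAT that fails to match can leave timestamping to Splunk's heuristic recognition.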

@ -0,0 +1,21 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[eventtype=sysmon-linux-network]
network = enabled
communicate = enabled
[eventtype=sysmon-linux-process]
process = enabled
report = enabled
[eventtype=sysmon-linux-filemod]
endpoint = enabled
filesystem = enabled
[eventtype=sysmon-linux-service]
service = enabled
report = enabled

@ -0,0 +1,30 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[sysmon-eventid]
REGEX = <EventID>(\d+)</EventID>
FORMAT = EventID::$1
[sysmon-keywords]
REGEX = <Keywords>(0x[0-9a-fA-F]+)</Keywords>
FORMAT = Keywords::$1
[sysmon-computer]
REGEX = <Computer>(.*?)</Computer>
FORMAT = Computer::$1
[sysmon-data]
REGEX = <Data Name="(.*?)">(.*?)</Data>
FORMAT = $1::$2
[sysmon-filename]
SOURCE_KEY = TargetFilename
REGEX = (?<file_name>[^\\\\]+$)
[sysmon-eventid-lookup]
default_match = Unknown
filename = sysmon_for_linux_eventid.csv
min_matches = 1
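Review bot: `[sysmon-filename]` extracts `file_name` with `(?<file_name>[^\\\\]+$)`, i.e. everything after the last backslash, which is the Windows path separator; Linux `TargetFilename` values are `/`-separated, so this regex yields the whole path. The props.conf for this sourcetype in the previous section also defines `EVAL-file_name` on the same field, and calculated fields are applied after REPORT extractions, so the wrong value is presumably masked rather than visible, but the transform is still misleading and dead weight. Either drop `sysmon-filename` from the `REPORT-sysmon` list or change it to `REGEX = (?<file_name>[^/]+$)`.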

@ -0,0 +1,28 @@
EventID,EventDescription
1,"Process creation"
2,"A process changed a file creation time"
3,"Network connection"
4,"Sysmon service state changed"
5,"Process terminated"
6,"Driver loaded"
7,"Image loaded"
8,"CreateRemoteThread"
9,"RawAccessRead"
10,"ProcessAccess"
11,"FileCreate"
12,"RegistryEvent (Object create and delete)"
13,"RegistryEvent (Value Set)"
14,"RegistryEvent (Key and Value Rename)"
15,"FileCreateStreamHash"
16,"ServiceConfigurationChange"
17,"PipeEvent (Pipe Created)"
18,"PipeEvent (Pipe Connected)"
19,"WmiEvent (WmiEventFilter activity detected)"
20,"WmiEvent (WmiEventConsumer activity detected)"
21,"WmiEvent (WmiEventConsumerToFilter activity detected)"
22,"DNSEvent (DNS query)"
23,"FileDelete (File Delete archived)"
24,"ClipboardChange (New content in the clipboard)"
25,"ProcessTampering (Process image change)"
26,"FileDeleteDetected (File Delete logged)"
255,"Error"
1 EventID EventDescription
2 1 Process creation
3 2 A process changed a file creation time
4 3 Network connection
5 4 Sysmon service state changed
6 5 Process terminated
7 6 Driver loaded
8 7 Image loaded
9 8 CreateRemoteThread
10 9 RawAccessRead
11 10 ProcessAccess
12 11 FileCreate
13 12 RegistryEvent (Object create and delete)
14 13 RegistryEvent (Value Set)
15 14 RegistryEvent (Key and Value Rename)
16 15 FileCreateStreamHash
17 16 ServiceConfigurationChange
18 17 PipeEvent (Pipe Created)
19 18 PipeEvent (Pipe Connected)
20 19 WmiEvent (WmiEventFilter activity detected)
21 20 WmiEvent (WmiEventConsumer activity detected)
22 21 WmiEvent (WmiEventConsumerToFilter activity detected)
23 22 DNSEvent (DNS query)
24 23 FileDelete (File Delete archived)
25 24 ClipboardChange (New content in the clipboard)
26 25 ProcessTampering (Process image change)
27 26 FileDeleteDetected (File Delete logged)
28 255 Error

@ -0,0 +1,9 @@
##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[]
access = read : [ * ], write : [ admin ]
export = system

