diff --git a/deployment-apps/Splunk_TA_linux/.DS_Store b/deployment-apps/Splunk_TA_linux/.DS_Store
new file mode 100644
index 0000000..2e4e74e
Binary files /dev/null and b/deployment-apps/Splunk_TA_linux/.DS_Store differ
diff --git a/deployment-apps/Splunk_TA_linux/VERSION b/deployment-apps/Splunk_TA_linux/VERSION
new file mode 100644
index 0000000..dd36387
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/VERSION
@@ -0,0 +1,2 @@
+2.1.0
+2.1.0
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_linux/app.manifest b/deployment-apps/Splunk_TA_linux/app.manifest
new file mode 100644
index 0000000..6d531f1
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/app.manifest
@@ -0,0 +1,63 @@
+{
+ "dependencies": null,
+ "incompatibleApps": null,
+ "info": {
+ "author": [
+ {
+ "name": "Splunk",
+ "email": null,
+ "company": null
+ }
+ ],
+ "classification": {
+ "categories": [
+ "IT Operations"
+ ],
+ "developmentStatus": "Production/Stable",
+ "intendedAudience": "IT"
+ },
+ "commonInformationModels": {
+ "Alerts": "==5.0.1",
+ "Authentication": "==5.0.1",
+ "Change": "==5.0.1",
+ "Intrusion Detection": "==5.0.1"
+ },
+ "description": "Splunk Add-on for Linux",
+ "id": {
+ "group": null,
+ "name": "Splunk_TA_linux",
+ "version": "2.1.0"
+ },
+ "license": {
+ "name": "Splunk Software License Agreement",
+ "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "uri": "http://www.splunk.com/view/SP-CAAAAFA"
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseDate": null,
+ "releaseNotes": {
+ "name": "README",
+ "text": "./README.txt",
+ "uri": "https://docs.splunk.com/Documentation/AddOns/released/Linux/Releasenotes"
+ },
+ "title": "Splunk Add-on for Linux"
+ },
+ "inputGroups": null,
+ "platformRequirements": null,
+ "schemaVersion": "2.0.0",
+ "supportedDeployments": [
+ "_standalone",
+ "_distributed",
+ "_search_head_clustering"
+ ],
+ "targetWorkloads": [
+ "_search_heads",
+ "_indexers",
+ "_forwarders"
+ ],
+ "tasks": null
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_linux/default/app.conf b/deployment-apps/Splunk_TA_linux/default/app.conf
new file mode 100644
index 0000000..42a9491
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/default/app.conf
@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1658326316
+
+[launcher]
+author = Splunk
+version = 2.1.0
+description = Splunk Add-on for Linux
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Linux
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_linux
+
+[id]
+name = Splunk_TA_linux
+version = 2.1.0
+
diff --git a/deployment-apps/Splunk_TA_linux/default/eventtypes.conf b/deployment-apps/Splunk_TA_linux/default/eventtypes.conf
new file mode 100644
index 0000000..74bc89a
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/default/eventtypes.conf
@@ -0,0 +1,76 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[linux_collectd_cpu]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=cpu
+#tags = performance oshost cpu inventory
+
+[linux_collectd_memory]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=memory
+#tags = performance oshost memory inventory
+
+[linux_collectd_swap]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=swap
+#tags = performance oshost memory
+
+[linux_collectd_df]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=df
+#tags = performance oshost storage inventory
+
+[linux_collectd_interface]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=interface
+#tags = performance oshost network inventory
+
+[linux_collectd_disk]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=disk
+#tags = performance oshost storage
+
+[linux_collectd_load]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=load
+#tags = performance oshost
+
+[linux_collectd_processes]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=processes
+#tags = performance oshost process cpu
+
+[linux_collectd_protocols]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=protocols
+#tags = performance oshost
+
+[linux_collectd_irq]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=irq
+#tags = performance oshost
+
+[linux_collectd_tcpconns]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=tcpconns
+#tags = performance oshost network
+
+[linux_collectd_thermal]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=thermal
+#tags = performance oshost
+
+[linux_collectd_uptime]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=uptime
+#tags = performance oshost os
+
+[linux_audit_anomalies]
+search = sourcetype=linux:audit type=ANOM_*
+#tags = ids attack alert
+
+[linux_audit_account_change]
+search = sourcetype=linux:audit type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK")
+#tags = change account
+
+[linux_audit_authentication]
+search = sourcetype=linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ")
+#tags = authentication
+
+[linux_audit_endpoint]
+search = sourcetype=linux:audit (type=USER_CMD)
+#tags = process report
+
+[linux_audit_endpoint_services]
+search = sourcetype=linux:audit type IN ("SERVICE_START", "SERVICE_STOP")
+#tags = service report
diff --git a/deployment-apps/Splunk_TA_linux/default/props.conf b/deployment-apps/Splunk_TA_linux/default/props.conf
new file mode 100644
index 0000000..a43affd
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/default/props.conf
@@ -0,0 +1,284 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## +[linux:collectd:graphite] +category = Operating System +description = Metrics collected from linux host using collectd-write_graphite plugin +pulldown_type = true +# Load balancing on UF +EVENT_BREAKER_ENABLE = true +SHOULD_LINEMERGE = false +KV_MODE = none +TIME_PREFIX = \S+\s+\S+\s+ +TIME_FORMAT = %s.%3N +MAX_TIMESTAMP_LOOKAHEAD = 12 + +EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+) + + +EXTRACT-collectd_data = ^(?[^.\s]+)\.(?[^.\s]+)\.(?P\S+)\s+(?P\S+)\s+(?\S+) +EXTRACT-plugin_info = (?[^\-]\w+)-*(?.*) in object +EXTRACT-metric_type = (?[^\-\.]\w+)-*(?[^\.]\w+)?\.* in metric + +FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin +EVAL-dsname = mvindex(split(metric, "."),1) +FIELDALIAS-linux_host = collectd_host as host +FIELDALIAS-linux_dest = collectd_host as dest + +## HOST_OS Model.Performance.Memory +EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null()) +EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null()) +EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null()) +EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null()) +EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null()) + +## HOST_OS Model.Performance.Storage +EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null()) +EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null()) + +## HOST_OS Model.Performance.Network +EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null()) +EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null()) +EVAL-bytes_out = if(plugin=="interface" and 
isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null()) + +## HOST_OS Model.Inventory.Machine Information + +## HOST_OS Model.Inventory.Storage Information +EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null()) + +## HOST_OS Model.Performance.CPU +FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts +FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent +FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time +FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent + +## HOST_OS Model.Performance.Memory +FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent +FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent + +## HOST_OS Model.Performance.Storage +FIELDALIAS-read_ops = disk_ops_read AS read_ops +FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent +FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent +FIELDALIAS-write_ops = disk_ops_write AS write_ops + +## HOST_OS Model.Performance.Network +FIELDALIAS-packets_in = if_packets_rx AS packets_in +FIELDALIAS-packets_out = if_packets_tx AS packets_out + +## HOST_OS Model.Performance.OS +FIELDALIAS-uptime = uptime_value AS uptime + +## HOST_OS Model.Inventory.Storage Information + +## HOST_OS Model.Inventory.Network Information + +[linux:collectd:http:json] +category = Operating System +description = Metrics collected from linux host using collectd-write_http plugin in json +pulldown_type = true +# Load balancing on UF +EVENT_BREAKER_ENABLE = true +EVENT_BREAKER = ([\[|\,]){\"values\": +SHOULD_LINEMERGE = false +LINE_BREAKER = ([\[|\,]){\"values\": +SEDCMD-remove_tail = s/\}]$/}/ +KV_MODE = json +TIME_PREFIX = "time":\s* +TIME_FORMAT = %s.%3N + +TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance +TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance 
+TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance + +EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?[^"]*)(?:"|) +EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?[^"]+)(?:"|),\s*"plugin_instance": + +FIELDALIAS-dsnames = dsnames{} as dsname +FIELDALIAS-linux_value = values{} as value +FIELDALIAS-linux_host = collectd_host as host +FIELDALIAS-linux_dest = collectd_host as dest + +## HOST_OS Model.Performance.CPU +FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts +FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent +FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time +FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent +FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count + +## HOST_OS Model.Performance.Memory +FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent +FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent + +EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null()) +EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null()) +EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null()) +EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null()) +EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null()) + +## HOST_OS Model.Performance.Storage +FIELDALIAS-linux_read_ops = disk_ops_read as read_ops +FIELDALIAS-linux_write_ops = disk_ops_write as write_ops +EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null()) + +EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null()) +EVAL-storage_free_percent = percent_bytes_free_value +EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null()) 
+EVAL-storage_used_percent = percent_bytes_used_value +EVAL-total_ops = disk_ops_read + disk_ops_write + +## HOST_OS Model.Performance.Network +FIELDALIAS-linux_packets_in = if_packets_rx as packets_in +FIELDALIAS-linux_packets_out = if_packets_tx as packets_out + +EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null()) +EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null()) +EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null()) +EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null()) +EVAL-packets = packets_in + packets_out + +## HOST_OS Model.Performance.OS +FIELDALIAS-linux_uptime = uptime_value as uptime + +[linux:collectd:http:metrics] +category = Operating System +description = Metrics collected from linux host using collectd-write_http plugin for metrics index +# Load balancing on UF +EVENT_BREAKER_ENABLE = true +SHOULD_LINEMERGE = false + +## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index +#METRICS_PROTOCOL = COLLECTD_HTTP +KV_MODE = json +TIME_PREFIX = "time":\s* +TIME_FORMAT = %s.%3N + +# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog +#[syslog] +#TRANSFORMS-linux_syslog = linux_syslog_audit + +[source::.../var/log/audit/audit.log(.\d+)?] 
+sourcetype = linux:audit + +[linux:audit] +category = Operating System +description = Audit events from linux host using monitoring audit logs +# Load balancing on UF +EVENT_BREAKER_ENABLE = true +SHOULD_LINEMERGE = false +TIME_PREFIX = msg=audit\( +TIME_FORMAT = %s.%3N +MAX_TIMESTAMP_LOOKAHEAD = 12 +FIELDALIAS-subj = subj AS subject +FIELDALIAS-obj = obj AS object +REPORT-event_id = event_id +REPORT-op = op +REPORT-subject = subject +REPORT-object = object +REPORT-res = res + +EVAL-vendor_product = "Linux Audit" +FIELDALIAS-host = host AS dest + +# DM Endpoint.Processes +EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null()) +EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null()) +EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0) +EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0) +EVAL-process_name = mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1) + +# DM Endpoint.Services +EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null()) +EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null()) + + +# # DM Authentication:Authentication +EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null()) +EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null()) +EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null()) +EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null()) +EVAL-app = if(type 
IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null()) +EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null()) +EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null()) + +# DM Change:Account_Management +EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null()) +EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null()) +EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null()) +EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null()) +EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null()) +EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(aiud), aiud, null())) +EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\ + type IN ("ADD_GROUP") AND isnotnull(auid), auid,\ + type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\ + type IN ("DEL_GROUP") AND isnotnull(auid), auid,\ + type IN ("ADD_USER") AND isnotnull(acct), acct,\ + type IN ("DEL_USER") AND isnotnull(ID), ID,\ + type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\ + type IN ("GRP_MGMT") AND isnotnull(auid), auid,\ + type IN ("USER_ACCT") AND 
isnotnull(AUID), AUID,\ + type IN ("USER_ACCT") AND isnotnull(auid), auid,\ + ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\ + ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\ + ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\ + ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\ + true(), null()) +EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\ + ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\ + ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\ + type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\ + true(), null()) +EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\ + type=="USER_ACCT" AND op=="PAM:accounting", "user",\ + type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\ + true(), null()) +EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null()) + +# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management +EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\ + type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\ + type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\ + (type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \ + ((type=="DEL_USER" AND op=="deleting user from group") OR \ + (type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), 
"modified",\ + type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\ + type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\ + true(), null()) + +# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management +EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\ + type IN ("USER_START") AND isnotnull(uid), uid,\ + type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\ + true(), null()) +EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\ + type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\ + type IN ("USER_START") AND isnotnull(acct), acct,\ + type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\ + type IN ("ADD_USER") AND isnotnull(acct), acct,\ + type IN ("DEL_USER") AND isnotnull(ID), ID,\ + ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \ + (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\ + ((type=="USER_MGMT" AND op=="add-user-to-group") OR \ + (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\ + ((type=="USER_MGMT" AND op=="changing-uid") OR \ + (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\ + ((type=="USER_MGMT" AND op=="changing-uid") OR \ + (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\ + true(), null()) + +# DM Endpoint.Services, DM Endpoint.Processes +EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null()) + +# DM Endpoint.Services, DM Change:Account_Management +EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \ + isnotnull(res) AND (res=="success" OR res=="1"), "success",\ + type IN 
("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \ + isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\ + type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\ + type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\ + true(), null()) + +# DM Authentication:Authentication, DM Change:Account_Management +EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null()) diff --git a/deployment-apps/Splunk_TA_linux/default/tags.conf b/deployment-apps/Splunk_TA_linux/default/tags.conf new file mode 100644 index 0000000..1f5d0ec --- /dev/null +++ b/deployment-apps/Splunk_TA_linux/default/tags.conf 
@@ -0,0 +1,90 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[eventtype=linux_collectd_cpu]
+performance = enabled
+oshost = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_memory]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_swap]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_df]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_interface]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_disk]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_load]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_processes]
+performance = enabled
+oshost = enabled
+process = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_protocols]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_irq]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_tcpconns]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_thermal]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_uptime]
+performance = enabled
+oshost = enabled
+os = enabled
+uptime = enabled
+
+# [eventtype=linux_audit_anomalies]
+# ids = enabled
+# attack = enabled
+# alert = enabled
+
+[eventtype=linux_audit_account_change]
+change = enabled
+account = enabled
+
+[eventtype=linux_audit_authentication]
+authentication = enabled
+
+[eventtype=linux_audit_endpoint]
+process = enabled
+report = enabled
+
+# [eventtype=linux_audit_privileged]
+# privileged = enabled
+
+[eventtype=linux_audit_endpoint_services]
+service = enabled
+report = enabled
diff --git a/deployment-apps/Splunk_TA_linux/default/transforms.conf b/deployment-apps/Splunk_TA_linux/default/transforms.conf
new file mode 100644
index 0000000..bda8609
--- /dev/null
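Review bot: The `[eventtype=linux_audit_anomalies]` stanza is shipped commented out, so the `ANOM_*` audit events matched by the `linux_audit_anomalies` eventtype never receive the `ids`/`attack`/`alert` tags, even though app.manifest in this same commit declares the Intrusion Detection CIM model and eventtypes.conf still documents `#tags = ids attack alert` for that eventtype. If leaving it disabled is intentional for this deployment, a comment on the stanza such as `# disabled: <reason>` stops the next reviewer from re-enabling it blind; if it is not, uncommenting the four lines restores the data-model coverage the manifest advertises. The commented `[eventtype=linux_audit_privileged]` stanza has no matching eventtype in eventtypes.conf at all, so it is dead either way and could carry the same kind of note or be dropped.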
+++ b/deployment-apps/Splunk_TA_linux/default/transforms.conf 
@@ -0,0 +1,70 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[http_one_item_field]
+# $1 = value[0], $2 = dsnames[0], $3 = type, $4 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $3_$4_$2::$1
+WRITE_META = true
+
+[http_one_item_field_no_type_instance]
+# $1 = value[0], $2 = dsnames[0], $3 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $3_$2::$1
+WRITE_META = true
+
+[http_two_item_fields]
+# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type,
+# $6 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
+WRITE_META = true
+
+[http_two_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $5_$3::$1 $5_$4::$2
+WRITE_META = true
+
+[http_three_item_fields]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type, $8 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
+WRITE_META = true
+
+[http_three_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
+WRITE_META = true
+
+# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
+
+#[linux_syslog_audit]
+#DEST_KEY = MetaData:Sourcetype
+#REGEX = type=\S+\s+msg=audit
+#FORMAT = sourcetype::linux:audit
+
+[event_id]
+REGEX = msg=audit\(([^:]+):(.+)\):
+FORMAT = time_stamp::$1 event_id::$2
+
+[op]
+REGEX = op=([^=]+)\s+\S+=
+FORMAT = op::$1
+
+[subject]
+REGEX = subj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4
+
+[object]
+REGEX = obj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4
+
+[res]
+REGEX = res=(1|0|success|failed)
+FORMAT = res::$1
diff --git a/deployment-apps/Splunk_TA_linux/metadata/default.meta b/deployment-apps/Splunk_TA_linux/metadata/default.meta
new file mode 100644
index 0000000..1231cfa
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/metadata/default.meta
@@ -0,0 +1,7 @@
+
+# Application-level permissions
+
+[]
+owner = admin
+access = read : [ * ], write : [ admin, sc_admin ]
+export = system
diff --git a/deployment-apps/Splunk_TA_linux/splunkbase.manifest b/deployment-apps/Splunk_TA_linux/splunkbase.manifest
new file mode 100644
index 0000000..78c3429
--- /dev/null
+++ b/deployment-apps/Splunk_TA_linux/splunkbase.manifest
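Review bot: `[event_id]` uses `REGEX = msg=audit\(([^:]+):(.+)\):`, and the greedy `(.+)` stretches to the last `):` in the event rather than the one that closes the `audit(...)` prefix, so any record whose body contains `):` (free-text values such as a decoded `cmd` or a quoted `msg='...'`) produces an oversized `event_id`, which props.conf then copies into `signature_id`. Bounding the capture to the serial alone, `REGEX = msg=audit\(([^:]+):([^)]+)\):`, keeps it intact without changing the FORMAT. `[op]` has a similar shape (`op=([^=]+)\s+\S+=`) and relies on another `key=` following the op value; that presumably holds for the record types this add-on parses, but a comment recording that assumption on the stanza would help whoever extends it.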
@@ -0,0 +1,109 @@
+{
+ "version": "1.0",
+ "date": "2022-11-12T07:31:14.789702366Z",
+ "hashAlgorithm": "SHA-256",
+ "app": {
+ "id": 3412,
+ "version": "2.1.0",
+ "files": [
+ {
+ "path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "hash": "a7fd78cf8a03b74da08c74b7254dba9b281cd064b7ec6426c3f1d40023286a69"
+ },
+ {
+ "path": "README.txt",
+ "hash": "3e3414a7d245704daea10ea69cea3eade4b69f4d1990d051898696726842a0e0"
+ },
+ {
+ "path": "VERSION",
+ "hash": "0e7ec8a6cdf156b6322154a30cc6b822575b36fa0c410231d0cf998b315d6c99"
+ },
+ {
+ "path": "app.manifest",
+ "hash": "921001dc7717a4080b1f7de2a58ecc688e89470754a793b55410bab8f3417a60"
+ },
+ {
+ "path": "default/app.conf",
+ "hash": "19cb8a0e5fc463929de77ea58ad4a98b0f71b8dca9e618004975dde4896b530b"
+ },
+ {
+ "path": "default/eventtypes.conf",
+ "hash": "19018d5b39843f06430411b18699c7bbd9b1504dacb1661215e35e4914e9670e"
+ },
+ {
+ "path": "default/props.conf",
+ "hash": "66a542ac33ef12e5840cfda4a024cf166b49e64c51a8e3f65aea0d16c86c7803"
+ },
+ {
+ "path": "default/tags.conf",
+ "hash": "1a011c718cf94f28101a18b93b7be8939e12ceef5939c6211203d0c718039cd7"
+ },
+ {
+ "path": "default/transforms.conf",
+ "hash": "653c460463dfb1833e80371ad1f92dd8799c86cd33151d531b0b81eede37854c"
+ },
+ {
+ "path": "metadata/default.meta",
+ "hash": "b6453d5bb2430c013ee89b765334cf788f0eddae7b9073fa31eb839eb1885d39"
+ },
+ {
+ "path": "static/appIcon.png",
+ "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+ },
+ {
+ "path": "static/appIconAlt.png",
+ "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+ },
+ {
+ "path": "static/appIconAlt_2x.png",
+ "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+ },
+ {
+ "path": "static/appIcon_2x.png",
+ "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+ }
+ ]
+ },
+ "products": [
+ {
+ "platform": "splunk",
+ "product": "enterprise",
+ "versions": [
+ "8.1",
+ "8.2",
+ "9.0"
+ ],
+ "architectures": [
+ "x86_64"
+ ],
+ "operatingSystems": [
+ "windows",
+ "linux",
+ "macos",
+ "freebsd",
+ "solaris",
+ "aix"
+ ]
+ },
+ {
+ "platform": "splunk",
+ "product": "cloud",
+ "versions": [
+ "8.1",
+ "8.2",
+ "9.0"
+ ],
+ "architectures": [
+ "x86_64"
+ ],
+ "operatingSystems": [
+ "windows",
+ "linux",
+ "macos",
+ "freebsd",
+ "solaris",
+ "aix"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_linux/static/appIcon.png b/deployment-apps/Splunk_TA_linux/static/appIcon.png
new file mode 100644
index 0000000..88f67e7
Binary files /dev/null and b/deployment-apps/Splunk_TA_linux/static/appIcon.png differ
diff --git a/deployment-apps/Splunk_TA_linux/static/appIconAlt.png b/deployment-apps/Splunk_TA_linux/static/appIconAlt.png
new file mode 100644
index 0000000..88f67e7
Binary files /dev/null and b/deployment-apps/Splunk_TA_linux/static/appIconAlt.png differ
diff --git a/deployment-apps/Splunk_TA_linux/static/appIconAlt_2x.png b/deployment-apps/Splunk_TA_linux/static/appIconAlt_2x.png
new file mode 100644
index 0000000..c638b3f
Binary files /dev/null and b/deployment-apps/Splunk_TA_linux/static/appIconAlt_2x.png differ
diff --git a/deployment-apps/Splunk_TA_linux/static/appIcon_2x.png b/deployment-apps/Splunk_TA_linux/static/appIcon_2x.png
new file mode 100644
index 0000000..c638b3f
Binary files /dev/null and b/deployment-apps/Splunk_TA_linux/static/appIcon_2x.png differ
diff --git a/deployment-apps/Splunk_TA_nix/.DS_Store b/deployment-apps/Splunk_TA_nix/.DS_Store
new file mode 100644
index 0000000..ee640fe
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/.DS_Store differ
diff --git a/deployment-apps/Splunk_TA_nix/README/restmap.conf.spec b/deployment-apps/Splunk_TA_nix/README/restmap.conf.spec
new file mode 100644
index 0000000..a501720
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/README/restmap.conf.spec
@@ -0,0 +1,12 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[script:]
+python.version = {default|python|python2|python3}
+* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
+* Either "default" or "python" select the system-wide default Python version.
+* Optional.
+* Default: not set; uses the system-wide Python version.
diff --git a/deployment-apps/Splunk_TA_nix/THIRDPARTY b/deployment-apps/Splunk_TA_nix/THIRDPARTY
new file mode 100644
index 0000000..19ae3e2
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/THIRDPARTY
@@ -0,0 +1,61 @@ +================================================================================ +================================================================================ + + Third-Party Software for splunk-add-on-for-unix-and-linux + +-------------------------------------------------------------------------------- + +The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-unix-and-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. + +Date generated: 2023-6-13 + +Revision ID: 24640f0314996c138e17d8616e40d592c12ea444 + +================================================================================ +================================================================================ + + + + +================================================================================ + + Declared License + +================================================================================ + +No declared license found for splunk-add-on-for-unix-and-linux + + + + +================================================================================ + + First Party Licenses + +================================================================================ + +No licenses found + + + + + +================================================================================ + + Dependencies + +================================================================================ + + + + +================================================================================ + License + +================================================================================ + + +-------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- + +Report Generated by FOSSA on 2023-6-13 
diff --git a/deployment-apps/Splunk_TA_nix/VERSION b/deployment-apps/Splunk_TA_nix/VERSION
new file mode 100644
index 0000000..311ec08
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/VERSION
@@ -0,0 +1,2 @@
+8.10.0
+8.10.0
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_nix/app.manifest b/deployment-apps/Splunk_TA_nix/app.manifest
new file mode 100644
index 0000000..453c5dc
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/app.manifest
@@ -0,0 +1,66 @@
+{
+ "dependencies": null,
+ "incompatibleApps": null,
+ "info": {
+ "author": [
+ {
+ "name": "Splunk",
+ "email": null,
+ "company": null
+ }
+ ],
+ "classification": {
+ "categories": [
+ "IT Operations",
+ "Utilities"
+ ],
+ "developmentStatus": "Production/Stable",
+ "intendedAudience": "IT"
+ },
+ "commonInformationModels": {
+ "Authentication": "==4.20.2",
+ "Change": "==4.20.2",
+ "Endpoint": "==4.20.2",
+ "Inventory": "==4.20.2",
+ "Network Sessions": "==4.20.2",
+ "Performance": "==4.20.2"
+ },
+ "description": "Splunk Add-on for Unix and Linux",
+ "id": {
+ "group": null,
+ "name": "Splunk_TA_nix",
+ "version": "8.10.0"
+ },
+ "license": {
+ "name": "Splunk Software License Agreement",
+ "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "uri": "http://www.splunk.com/view/SP-CAAAAFA"
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseDate": null,
+ "releaseNotes": {
+ "name": "README",
+ "text": "./README.txt",
+ "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes"
+ },
+ "title": "Splunk Add-on for Unix and Linux"
+ },
+ "inputGroups": null,
+ "platformRequirements": null,
+ "schemaVersion": "2.0.0",
+ "supportedDeployments": [
+ "_standalone",
+ "_distributed",
+ "_search_head_clustering"
+ ],
+ "targetWorkloads": [
+ "_search_heads",
+ "_forwarders",
+ "_indexers"
+ ],
+ "tasks": null
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/appIcon.png b/deployment-apps/Splunk_TA_nix/appserver/static/appIcon.png
new file mode 100644
index 0000000..88f67e7
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/appserver/static/appIcon.png differ
diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/common.js b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/common.js
new file mode 100644
index 0000000..62ac0c9
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/common.js
@@ -0,0 +1,19 @@
+/*
+ * SPDX-FileCopyrightText: 2021 Splunk, Inc.
+ * SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+ *
+ */
+
+define([], function () {
+ var utils_namespaceFromProperties = function (props) {
+ return {
+ owner: props.acl.owner,
+ app: props.acl.app,
+ sharing: props.acl.sharing
+ }
+ }
+
+ return {
+ utils_namespaceFromProperties: utils_namespaceFromProperties
+ }
+})
diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/monitor_inputs.js b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/monitor_inputs.js
new file mode 100644
index 0000000..5821fa3
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/monitor_inputs.js
@@ -0,0 +1,54 @@
+/*
+ * SPDX-FileCopyrightText: 2021 Splunk, Inc.
+ * SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+ *
+ */
+
+define([
+ 'splunkjs/ready!', // for splunkjs global
+ './common'
+], function (mvc, sdkx_common) {
+ var root = {
+ Entity: splunkjs.Service.Entity,
+ Collection: splunkjs.Service.Collection
+ }
+
+ var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
+
+ // -------------------------------------------------------------------------
+ // JS SDK Extension: Monitor Inputs
+
+ var Paths = {
+ monitorInputs: 'data/inputs/monitor'
+ }
+
+ root.MonitorInput = root.Entity.extend({
+ path: function () {
+ return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
+ },
+
+ init: function (service, name, namespace) {
+ this.name = name
+ this._super(service, this.path(), namespace)
+ }
+ })
+
+ root.MonitorInputs = root.Collection.extend({
+ path: function () {
+ return Paths.monitorInputs
+ },
+
+ instantiateEntity: function (props) {
+ var entityNamespace = utils_namespaceFromProperties(props)
+ return new root.MonitorInput(this.service, props.name, entityNamespace)
+ },
+
+ init: function (service, namespace) {
+ this._super(service, this.path(), namespace)
+ }
+ })
+
+ // -------------------------------------------------------------------------
+
+ return root
+})
diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/scripted_inputs.js b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/scripted_inputs.js
new file mode 100644
index 0000000..47337ce
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/appserver/static/components/js_sdk_extensions/scripted_inputs.js
@@ -0,0 +1,68 @@
+/*
+ * SPDX-FileCopyrightText: 2021 Splunk, Inc.
+ * SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+ *
+ */
+
+define([
+ 'splunkjs/ready!', // for splunkjs global
+ './common'
+], function (mvc, sdkx_common) {
+ var root = {
+ Entity: splunkjs.Service.Entity,
+ Collection: splunkjs.Service.Collection
+ }
+
+ var utils_namespaceFromProperties = sdkx_common.utils_namespaceFromProperties
+
+ // -------------------------------------------------------------------------
+ // JS SDK Extension: Scripted Inputs
+
+ var Paths = {
+ scriptedInputs: 'data/inputs/script'
+ }
+
+ root.ScriptedInput = root.Entity.extend({
+ path: function () {
+ // Approximate path - accepts reads only
+ // ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FSplunk_TA_nix%2Fbin%2Fcpu.sh
+ return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
+ },
+
+ init: function (service, name, namespace) {
+ this.name = name
+ this._super(service, this.path(), namespace)
+ },
+
+ _load: function (properties) {
+ this._super(properties)
+
+ // HACK: Patch path to be canonical version to enable updates
+ //
+ // Canonical path - accepts reads and updates
+ // ex: data/inputs/script/.%252Fbin%252Fcpu.sh
+ if (this.state().id) {
+ this.qualifiedPath = this.state().id.match(/\/servicesNS\/.*$/)[0]
+ }
+ }
+ })
+
+ root.ScriptedInputs = root.Collection.extend({
+ path: function () {
+ return Paths.scriptedInputs
+ },
+
+ instantiateEntity: function (props) {
+ var entityNamespace = utils_namespaceFromProperties(props)
+ return new root.ScriptedInput(this.service, props.name, entityNamespace)
+ },
+
+ init: function (service, namespace) {
+ this._super(service, this.path(), namespace)
+ }
+ })
+
+ // -------------------------------------------------------------------------
+
+ return root
+})
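Review bot: `path()` in `root.ScriptedInput` reads `Paths.monitorInputs`, but the `Paths` object in this file only defines `scriptedInputs`, so every entity is initialised with a path beginning with the literal string `undefined/`; it should be `return Paths.scriptedInputs + '/' + encodeURIComponent(this.name)`. The `_load` hack that overwrites `qualifiedPath` from `state().id` presumably masks this for entities created through the collection, but it is not a substitute for the correct path. In that same `_load`, `match(...)[0]` throws a TypeError when the id does not contain `/servicesNS/`; guard it with `var m = this.state().id.match(/\/servicesNS\/.*$/); if (m) { this.qualifiedPath = m[0] }`.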
diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/setup.css b/deployment-apps/Splunk_TA_nix/appserver/static/setup.css new file mode 100644 index 0000000..bbd6116 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/appserver/static/setup.css @@ -0,0 +1,64 @@ +/* +SPDX-FileCopyrightText: 2021 Splunk, Inc. +SPDX-License-Identifier: LicenseRef-Splunk-8-2021 + +*/ + +/* Hide Simple XML dashboard controls: Edit, Export PDF, Print */ +.dashboard-view-controls { + display: none !important; +} + +#overview { + max-width: 500px; + text-align: justify; +} + +.error-box { + display: none; + color: white; + background-color: #d85d3c; /* red */ + padding: 0.5em; + margin-bottom: 1em; +} + +.input-table th { + text-align: left; +} + +.input-table th, +.input-table td { + padding: 0 10px 0 10px; +} + +.input-table input[type='radio'] { + margin: 4px; /* override with symmetric margins */ +} + +.input-table .interval-field { + width: 4em; /* narrower than default */ + text-align: right; /* make the numbers line up */ + padding: 2px; /* reduce from default of 4 */ + height: 30px; /* reduce height */ + margin-top: 12.5px; /* inline with index dropdown */ +} + +#btn-bar { + margin-top: 1em; /* separate from table */ +} + +#btn-bar #save-btn { + padding-left: 3em; + padding-right: 3em; /* made it wider */ +} + +#index-selection .splunk-dropdown { + max-width: 50%; /* fix the width of dropdown */ + width: 300px; /* default width of dropdown */ + margin-left: 0; /* remove left margin for inlinement */ + height: 30px; /* reduce height */ +} + +.table-header { + width: 150px; +} diff --git a/deployment-apps/Splunk_TA_nix/appserver/static/setup.js b/deployment-apps/Splunk_TA_nix/appserver/static/setup.js new file mode 100644 index 0000000..cfca2cf --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/appserver/static/setup.js 
@@ -0,0 +1,314 @@ +/* + * SPDX-FileCopyrightText: 2021 Splunk, Inc. + * SPDX-License-Identifier: LicenseRef-Splunk-8-2021 + * + */ + +require([ + 'splunkjs/ready!', + 'splunkjs/mvc/simplexml/ready!', + 'underscore', + 'jquery', + '../app/Splunk_TA_nix/components/js_sdk_extensions/scripted_inputs', + '../app/Splunk_TA_nix/components/js_sdk_extensions/monitor_inputs' +], function (mvc, ignored, _, $, sdkx_scripted_inputs, sdkx_monitor_inputs) { + var ScriptedInputs = sdkx_scripted_inputs.ScriptedInputs + var MonitorInputs = sdkx_monitor_inputs.MonitorInputs + + var service = mvc.createService() + var cleaned_data = {} + + // ------------------------------------------------------------------------- + // Prerequisite Checks + + // Error if running on unrecognized unix + // + service.get('/services/SetupService', cleaned_data, function (err, response) { + if (err) { + console.error('Problem fetching data', err) + } else if (response.status === 200) { + var isRecognizedUnix = JSON.parse(response.data) + if (!isRecognizedUnix) { + $('#not-unix-error').show() + $('#save-btn').addClass('disabled') + } + } else { + console.error('Problem checking whether splunkweb is running on Unix.') + } + }) + + // ------------------------------------------------------------------------- + // Populate Tables + + var INPUT_ROW_TEMPLATE = _.template( + '\n' + + ' <%- name %>\n' + + ' checked="checked"<% } %> />\n' + + ' checked="checked"<% } %> />\n' + + '<% if (interval != -1) { %>\n' + + ' \n' + + '<% } %>\n' + + '<% if (index != -1) { %>\n' + + ' <% if (index == "") { %>\n' + + ' ' + + ' ' + + ' \n' + + ' <% }else { %>\n' + + ' ' + + ' ' + + ' \n' + + ' <% } %>\n' + + '<% } %>\n' + + '\n' + ) + + // Populate monitor input table + var monitorInputs = {} + new MonitorInputs(service, { + owner: '-', + app: 'Splunk_TA_nix', + sharing: 'app' + }).fetch(function (err, inputs) { + var inputsList = _.filter(inputs.list(), function (input) { + return input.namespace.app === 'Splunk_TA_nix' + }) + 
+ _.each(inputsList, function (input) { + $('#monitor-input-table').append( + $( + INPUT_ROW_TEMPLATE({ + fullname: input.name, + name: input.name, + enabled: !input.properties().disabled, + interval: -1, + index: -1 + }) + ) + ) + monitorInputs[input.name] = input + }) + }) + + // Populate scripted Event inputs table + var scriptedMetricInputs = {} + new ScriptedInputs(service, { + owner: '-', + app: 'Splunk_TA_nix', + sharing: 'app' + }).fetch(function (err, inputs) { + var inputsList = _.filter(inputs.list(), function (input) { + var input_name = input.name + .substring(input.name.lastIndexOf('/') + 1) + .split('_') + return ( + input.namespace.app === 'Splunk_TA_nix' && + input_name[input_name.length - 1] === 'metric.sh' + ) + }) + + _.each(inputsList, function (input) { + $('#scripted-metric-input-table').append( + $( + INPUT_ROW_TEMPLATE({ + fullname: input.name, + name: input.name.substring(input.name.lastIndexOf('/') + 1), + enabled: !input.properties().disabled, + interval: input.properties().interval, + index: + input.properties().index === 'default' + ? 
'' + : input.properties().index + }) + ) + ) + scriptedMetricInputs[input.name] = input + }) + }) + + // Populate scripted Event inputs table + var scriptedEventInputs = {} + new ScriptedInputs(service, { + owner: '-', + app: 'Splunk_TA_nix', + sharing: 'app' + }).fetch(function (err, inputs) { + var inputsList = _.filter(inputs.list(), function (input) { + var input_name = input.name + .substring(input.name.lastIndexOf('/') + 1) + .split('_') + return ( + input.namespace.app === 'Splunk_TA_nix' && + input_name[input_name.length - 1] !== 'metric.sh' + ) + }) + + _.each(inputsList, function (input) { + $('#scripted-event-input-table').append( + $( + INPUT_ROW_TEMPLATE({ + fullname: input.name, + name: input.name.substring(input.name.lastIndexOf('/') + 1), + enabled: !input.properties().disabled, + interval: input.properties().interval, + index: -1 + }) + ) + ) + scriptedEventInputs[input.name] = input + }) + }) + + // ------------------------------------------------------------------------- + // Buttons + + // Enable All button + $('.enable-all-btn').click(function (e) { + e.preventDefault() + var table = $(e.target).closest('.input-table') + $('.input .enable-btn', table).prop('checked', true) + }) + + // Disable All button + $('.disable-all-btn').click(function (e) { + e.preventDefault() + var table = $(e.target).closest('.input-table') + $('.input .disable-btn', table).prop('checked', true) + }) + + // Save button + $('#save-btn').click(function (e) { + e.preventDefault() + if ($('#save-btn').hasClass('disabled')) { + return + } + + var savesPending = 0 + var saveErrors = [] + + // Save monitor inputs + _.each($('#monitor-input-table .input'), function (inputElem) { + var fullname = $(inputElem).data('fullname') + var enabled = $('.enable-btn', inputElem).prop('checked') + + var input = monitorInputs[fullname] + + savesPending += 1 + input.update( + { + disabled: !enabled + }, + saveDone + ) + }) + + var invalidIndex = 0 // invalid index flag + var 
invalidInterval = 0 // invalid interval flag + var numbers = /^[0-9]+$/ + // Save scripted Metric inputs + _.each($('#scripted-metric-input-table .input'), function (inputElem) { + var fullname = $(inputElem).data('fullname') + var enabled = $('.enable-btn', inputElem).prop('checked') + var interval = $('.interval-field', inputElem).val() + var index = $('#index-selection', inputElem)[0].innerText + // Handling internationalization transalation due to ticket ADDON-30736 + if ( + index.includes('...') || + index.includes('Search produced no results.') + ) { + index = enabled === true ? index : '' // Setting index="" if input is disable, so it allows to save. + if (enabled) { + invalidIndex = 1 + } + } + if (!interval.match(numbers)) { + // Check for the interval, Interval must contain only numeric values + if (interval.charAt(0) === '-' || interval.includes('.')) { + interval = 'invalid' + } + invalidInterval = 1 + } + var input = scriptedMetricInputs[fullname] + savesPending += 1 + input.update( + { + disabled: !enabled, + interval: interval, + index: index + }, + saveDone + ) + }) + + // Save scripted Event inputs + _.each($('#scripted-event-input-table .input'), function (inputElem) { + var fullname = $(inputElem).data('fullname') + var enabled = $('.enable-btn', inputElem).prop('checked') + var interval = $('.interval-field', inputElem).val() + if (!interval.match(numbers)) { + if (interval.charAt(0) === '-' || interval.includes('.')) { + interval = 'invalid' + } + invalidInterval = 1 + } + var input = scriptedEventInputs[fullname] + savesPending += 1 + input.update( + { + disabled: !enabled, + interval: interval + }, + saveDone + ) + }) + + //Set is_configured=true in app.conf + service.post('/services/SetupService', cleaned_data, function ( + err, + response + ) { + if (err) { + console.log('Error saving configuration in app.conf') + } + }) + + // After saves are completed... 
+ function saveDone (err) { + $('#index-not-selected-error').hide() + $('#generic-save-error').hide() + $('#invalid-interval-error').hide() + if (err) { + saveErrors.push(err) + } + + savesPending -= 1 + if (savesPending > 0) { + return + } + if (saveErrors.length === 0) { + // Save successful. Provide feedback in form of page reload. + window.location.reload() + } else { + // invalid index or interval failure + if (invalidIndex || invalidInterval) { + if (invalidInterval) { + invalidInterval = 0 + // invalid interval failure + $('#invalid-interval-error').show() + } + if (invalidIndex) { + invalidIndex = 0 + // invalid index failure + $('#index-not-selected-error').show() + } + } else { + // Unexpected failure. + $('#generic-save-error').show() + } + + // (Allow Support to debug if necessary.) + console.log('Errors while saving inputs:') + console.log(saveErrors) + } + } + }) +}) diff --git a/deployment-apps/Splunk_TA_nix/bin/bandwidth.sh b/deployment-apps/Splunk_TA_nix/bin/bandwidth.sh new file mode 100755 index 0000000..dbeaac3 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/bandwidth.sh 
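Review bot: The `service.post('/services/SetupService', …)` call that marks the app configured is issued unconditionally inside the save handler, before any `input.update()` has completed, so a save that fails validation (or the REST call that fails) still flips `is_configured` and the setup page stops showing on the next visit. The post belongs in the success branch of `saveDone`, after `savesPending` reaches zero with no errors. Separately, each `.fetch(function (err, inputs)` callback ignores `err` and calls `inputs.list()` directly, so a failed fetch surfaces as an uncaught TypeError rather than a message; a `if (err) { console.error('Problem fetching inputs', err); return }` at the top of each callback would address that. The markup of `INPUT_ROW_TEMPLATE` is not visible in this rendering, so whether `fullname` is emitted with the escaping `<%- %>` form (as `name` is) could not be checked.
```javascript
// … unchanged: per-table input.update() calls …
// (the unconditional service.post('/services/SetupService', …) block is removed here)

function saveDone (err) {
  // … unchanged: error-box hiding, saveErrors bookkeeping, savesPending countdown …
  if (saveErrors.length === 0) {
    // Only record is_configured=true once every input update succeeded
    service.post('/services/SetupService', cleaned_data, function (postErr) {
      if (postErr) {
        console.log('Error saving configuration in app.conf')
      }
      // Save successful. Provide feedback in form of page reload.
      window.location.reload()
    })
  } else {
    // … unchanged: invalid-interval / invalid-index / generic error display …
  }
}
```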
@@ -0,0 +1,92 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# jscpd:ignore-start +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%s %s %s %s %s\n", Name, rxPackets_PS, txPackets_PS, rxKB_PS, txKB_PS}' + +# Note: For FreeBSD, bsdsar package needs to be installed. Output matches linux equivalent +if [ "$KERNEL" = "Linux" ] ; then + CMD='sar -n DEV 1 2' + # shellcheck disable=SC2016 + FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}' +elif [ "$KERNEL" = "SunOS" ] ; then + if [ "$SOLARIS_10" = "true" ] ; then + CMD='netstat -i 1 2' + FILTER='(NR==2||NR==3){next}' + # shellcheck disable=SC2016 + EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}' + # shellcheck disable=SC2016 + EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "",""; }}' + PRINTF='' + FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS" + + elif [ "$SOLARIS_11" = "true" ] ; then + if ! 
dlstat 1 1 > /dev/null 2>&1 ; then + CMD='netstat -i 1 2' + FILTER='(NR==2||NR==3){next}' + # shellcheck disable=SC2016 + EXTRACT_NAME='NR==1 {for (i=0; i< NF/3 -1; i++) { name[i]=$(i*3 + 2); location[name[i]]=i }}' + # shellcheck disable=SC2016 + EXTRACT_FIELDS=' NR==4 { for (each in name){ printf "%s %s %s %s %s\n",name[each], $(5*location[name[each]]+1), $(5*location[name[each]]+3), "",""; }}' + PRINTF='' + FORMAT="$EXTRACT_NAME $EXTRACT_FIELDS" + else + CMD='dlstat 1 2' + FILTER='(NR==1||NR==2){next}' + # shellcheck disable=SC2016 + FORMAT=' + function to_kbps(KBPS_param){ + if(KBPS_param ~ /[Kk]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param); } + else if(KBPS_param ~ /[Gg]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024*1024); } + else if(KBPS_param ~ /[Mm]$/){ sub(/[A-Za-z]/,"",KBPS_param); return(KBPS_param*1024); } + sub(/[a-zA-Z]/,"",KBPS_param); return(KBPS_param/1024); + } + {Name=$1; rxPackets_PS=$2; txPackets_PS=$4; rxKB_PS=to_kbps($3); txKB_PS=to_kbps($5);}' + fi + else + CMD='sar -n DEV 1 2' + # shellcheck disable=SC2016 + FILTER='($0 ~ "Time|sar| lo") {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$2; rxPackets_PS=$5; txPackets_PS=$6; rxKB_PS=$3; txKB_PS=$4}' + fi +elif [ "$KERNEL" = "AIX" ] ; then + # Sample output: http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.performance/nestat_in.htm + CMD='eval netstat -i -Z; sleep 1; netstat -in' + # shellcheck disable=SC2016 + FILTER='($0 ~ "Name|sar|lo") {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}' +elif [ "$KERNEL" = "Darwin" ] ; then + CMD='sar -n DEV 1 2' + # shellcheck disable=SC2016 + FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}' +elif [ "$KERNEL" = "HP-UX" ] ; then + # Sample output: 
http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324 + CMD='netstat -i 1 2' + # shellcheck disable=SC2016 + FILTER='($0 ~ "Name|sar| lo") {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS=?; txKB_PS=?}' +elif [ "$KERNEL" = "FreeBSD" ] ; then + CMD='sar -n DEV 1 2' + # shellcheck disable=SC2016 + FILTER='($0 !~ "Average" || $0 ~ "sar" || $2 ~ "lo|IFACE") {next}' + # shellcheck disable=SC2016 + FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$4; rxKB_PS=$5; txKB_PS=$6}' +fi + +assertHaveCommand "$CMD" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" +echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" +# jscpd:ignore-end diff --git a/deployment-apps/Splunk_TA_nix/bin/common.sh b/deployment-apps/Splunk_TA_nix/bin/common.sh new file mode 100755 index 0000000..7643f91 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/common.sh 
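Review bot: The HP-UX branch's `FORMAT` assigns `rxKB_PS=?; txKB_PS=?`, which is an awk syntax error (`?` is the ternary operator, not a value), so on HP-UX the whole pipeline aborts before printing anything; the AIX branch a few lines above uses the quoted form, and this one should match: `FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'`. Also, when `$KERNEL` matches none of the branches `CMD` stays unset and the script reaches `assertHaveCommand "$CMD"` with an empty argument instead of calling `failUnsupportedScript`, which the sourced common.sh provides; an `else failUnsupportedScript fi` at the end of the chain would make the unsupported case explicit.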
@@ -0,0 +1,138 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1000-SC9999 # Reason: This script is used in all the scripts and any change in this script would require a higher effort in testing all the scripts. Hence ignoring whole file. +# # # we don't want to point OS's utilities -- e.g. ntpdate(1) -- to libraries which Splunk bundles in SPLUNK_HOME/lib/ +unset LD_PRELOAD LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH + +# # # NIX-203 - set LANG env variable set to en_US to avoid parsing problems in other locales +EngLocale=`locale -a | grep -i "en_US.utf"` +if [ ! -z "$EngLocale" ]; then + LANG=`echo $EngLocale | awk 'NR==1 {printf $1}'` + export LANG +fi + +# # # are we in debug mode? +if [ $# -ge 1 -a "x$1" = "x--debug" ] ; then + DEBUG=1 + TEE_DEST=`dirname $0`/debug--`basename $0`--`date | sed 's/ /_/g;s/:/-/g'` +else + DEBUG=0 + TEE_DEST=/dev/null +fi + +DMESG_FILE=/var/log/dmesg +OS_FILE=/etc/os-release + +# # # what OS is this? +KERNEL=`uname -s` +# # # what is the Kernel version? +KERNEL_RELEASE=`uname -r` + +# # # assert we are in a supported OS +AWK=awk +case "x$KERNEL" in + "xLinux") + if [ -e $OS_FILE ]; then + UBUNTU_MAJOR_VERSION=`awk -F'[".]' '/VERSION_ID=/ {print $2} ' $OS_FILE`; + else + UBUNTU_MAJOR_VERSION=""; + echo "$OS_FILE does not exist. UBUNTU_MAJOR_VERSION will be empty." 
> $TEE_DEST + fi + # # # enable check for OS versions, if needed later + if [ -e /etc/debian_version ]; then DEBIAN=true; else DEBIAN=false; fi + + # # # /sbin/ is often absent in non-root users' PATH, and we want it for ifconfig(8) + PATH=$PATH:/sbin/ + ;; + "xSunOS") + # # # enable check for OS versions, if needed later + if [ `uname -r` = "5.8" ]; then SOLARIS_8=true; else SOLARIS_8=false; fi + if [ `uname -r` = "5.9" ]; then SOLARIS_9=true; else SOLARIS_9=false; fi + if [ `uname -r` = "5.10" ]; then SOLARIS_10=true; else SOLARIS_10=false; fi + if [ `uname -r` = "5.11" ]; then SOLARIS_11=true; else SOLARIS_11=false; fi + + # # # eschew the antedeluvial awk + AWK=nawk + ;; + "xDarwin") + OSX_MINOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^.]+\.([0-9]+)(\.[^.])?$/\1/p'` + OSX_MAJOR_VERSION=`sw_vers | sed -En '/ProductVersion/ s/^[^0-9]+([0-9]+)\.[0-9]+(\.[^.]+)?$/\1/p'` + + # OSX_GE_SNOW_LEOPARD is for backward compatiblity. + # Recommend that new code just use $OSX_MINOR_VERSION directly. + if [ "$OSX_MAJOR_VERSION" == 10 ] && [ "$OSX_MINOR_VERSION" -ge 6 ]; then + OSX_GE_SNOW_LEOPARD=true; + else + OSX_GE_SNOW_LEOPARD=false; + fi + + ;; + "xFreeBSD") + ;; + "xAIX") + ;; + "xHP-UX") + ;; + *) + echo "UNIX flavor [$KERNEL] unsupported for Splunk *NIX App, quitting" > $TEE_DEST + exit 1 + ;; +esac + +# # # check for presence of required commands; we do not assume that which(1) exists, and roll our own +queryHaveCommand () # returns 0 if found, 1 if not +{ + [ "x$1" = "xeval" ] && shift + for directory in `echo $PATH | sed 's/:/ /g'` + do + [ -x $directory/$1 ] && return 0 + done + return 1 +} + +failLackCommand () +{ + echo "Not found command [$1] on this host, quitting" > $TEE_DEST + exit 1 +} + +failLackMultipleCommands () +{ + echo "Not found any of commands [$*] on this host, quitting" > $TEE_DEST + exit 1 +} + +assertHaveCommand () +{ + queryHaveCommand $1 + if [ $? 
-eq 1 ] ; then + failLackCommand $1 + fi +} + +assertHaveCommandGivenPath () +{ + [ "x$1" = "xeval" ] && shift + [ -x $1 ] && return + echo "Not found commandGivenPath [$1] on this host, quitting" > $TEE_DEST + exit 1 +} + +failUnsupportedScript () +{ + echo "UNIX flavor [$KERNEL] unsupported for this script, quitting" > $TEE_DEST + exit 0 +} + +assertInvokerIsSuperuser () +{ + [ `id -u` -eq 0 ] && return + echo "Must be superuser to run this script, quitting" > $TEE_DEST + exit 1 +} + +# # # check for presence of a few basic commands ubiquitous in our scripts +assertHaveCommand $AWK +assertHaveCommand egrep diff --git a/deployment-apps/Splunk_TA_nix/bin/cpu.sh b/deployment-apps/Splunk_TA_nix/bin/cpu.sh new file mode 100755 index 0000000..e78fd6a --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/cpu.sh 
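Review bot: Every failure path here (`failLackCommand`, `failLackMultipleCommands`, `assertHaveCommandGivenPath`, `assertInvokerIsSuperuser`, and the unsupported-flavor `*)` case) writes its message to `$TEE_DEST`, which is `/dev/null` unless the script was started with `--debug`, so in normal operation a missing command or a wrong privilege level produces a silent `exit 1` and an input that just stops emitting events. Writing the message to stderr as well, e.g. `echo "Not found command [$1] on this host, quitting" >&2`, lets splunkd capture it in its log so the failure is visible to whoever is monitoring the forwarder. `queryHaveCommand` also returns success for an empty `$1`, because `[ -x $directory/ ]` is true for any executable directory on PATH; a leading `[ -z "$1" ] && return 1` closes that hole, which matters because callers pass `"$CMD"` and rely on word splitting of the unquoted `$1`. The `echo $PATH | sed 's/:/ /g'` loop and the unquoted `$directory/$1` test also break on PATH entries containing spaces, which the whole-file shellcheck suppression at the top hides.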
@@ -0,0 +1,184 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%-3s %9s %9s %9s %9s %9s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}' + +if [ "$KERNEL" = "Linux" ] ; then + queryHaveCommand sar + FOUND_SAR=$? + queryHaveCommand mpstat + FOUND_MPSTAT=$? + if [ $FOUND_SAR -eq 0 ] ; then + CMD='sar -P ALL 1 1' + # shellcheck disable=SC2016 + FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF}' + elif [ $FOUND_MPSTAT -eq 0 ] ; then + CMD='mpstat -P ALL 1 1' + # shellcheck disable=SC2016 + FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF}' + else + failLackMultipleCommands sar mpstat + fi + # shellcheck disable=SC2016 + FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' +elif [ "$KERNEL" = "SunOS" ] ; then + if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then + CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' + else + CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r' + fi + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($1=="CPU") {exit 1}' + # shellcheck disable=SC2016 + FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1)}' +elif [ "$KERNEL" = "AIX" ] ; then + queryHaveCommand mpstat + queryHaveCommand lparstat + FOUND_MPSTAT=$? + FOUND_LPARSTAT=$? 
+ if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then + # Get extra fields from lparstat + COUNT=$(lparstat | grep " app" | wc -l) + if [ $COUNT -gt 0 ] ; then + # Fetch value from "app" column of lparstat output + FETCH_APP_COL_NUM='BEGIN {app_col_num = 8} + { + if($0 ~ /System configuration|^$/) {next} + if($0 ~ / app/) + { + for(i=1; i<=NF; i++) + { + if($i == "app") + { + app_col_num = i; + break; + } + } + print app_col_num; + exit 0; + } + }' + APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM") + CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}') + else + CPUPool=0 + fi + # Fetch other required fields from lparstat output + OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}') + EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}') + DEFINE="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" + + # Get cpu stats using mpstat command and manipulate the output for adding extra fields + CMD='mpstat -a 1 1' + # shellcheck disable=SC2016 + FORMAT='BEGIN {flag = 0} + { + if($0 ~ /System configuration|^$/) {next} + if(flag == 1) + { + # Prepend extra field values from lparstat + for(i=NF+4; i>=4; i--) + { + $i = $(i-3); + } + if($0 ~ /ALL/) + { + $1 = CPUPool; + $2 = OnlineVirtualCPUs; + $3 = EntitledCapacity; + } + else + { + $1 = "-"; + $2 = "-"; + $3 = "-"; + } + } + if($0 ~ /cpu /) + { + # Prepend extra field headers from lparstat + for(i=NF+4; i>=4; i--) + { + $i = $(i-3); + } + $1 = "CPUPool"; + $2 = "OnlineVirtualCPUs"; + $3 = "EntitledCapacity"; + flag = 1; + } + for(i=1; i<=NF; i++) + { + printf "%17s ", $i; + } + print ""; + }' + fi + $CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT" + echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" + exit +elif [ "$KERNEL" = "Darwin" ] ; then + HEADER='CPU pctUser pctSystem pctIdle' + HEADERIZE="BEGIN {print \"$HEADER\"}" + PRINTF='{printf "%-3s 
%9s %9s %9s \n", cpu, pctUser, pctSystem, pctIdle}' + # top command here is used to get a single instance of cpu metrics + CMD='top -l 1' + assertHaveCommand "$CMD" + # FILTER here skips all the rows that doesn't match "CPU". + # shellcheck disable=SC2016 + FILTER='($1 !~ "CPU") {next;}' + # FORMAT here removes '%'in the end of the metrics. + # shellcheck disable=SC2016 + FORMAT='function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + }' +elif [ "$KERNEL" = "FreeBSD" ] ; then + CMD='eval top -P -d2 c; top -d2 c' + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($1 !~ "CPU") { next; }' + # shellcheck disable=SC2016 + FORMAT='function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + if ($1 == "CPU:") { + cpu = "all"; + } else { + cpu = remove_char($2, ":"); + } + } + { + pctUser = remove_char($(NF-9), "%"); + pctNice = remove_char($(NF-7), "%"); + pctSystem = remove_char($(NF-5), "%"); + pctIdle = remove_char($(NF-1), "%"); + pctIowait = "0.0"; + }' +elif [ "$KERNEL" = "HP-UX" ] ; then + queryHaveCommand sar + FOUND_SAR=$? + if [ $FOUND_SAR -eq 0 ] ; then + CMD='sar -M 1 1 ALL' + fi + FILTER='/HP-UX|^$|%/ {next}' + # shellcheck disable=SC2016 + FORMAT='{k=0; if(5> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/cpu_metric.sh b/deployment-apps/Splunk_TA_nix/bin/cpu_metric.sh new file mode 100755 index 0000000..76ad928 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/cpu_metric.sh 
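Review bot: In the AIX branch, `queryHaveCommand mpstat` and `queryHaveCommand lparstat` are both run before either status is read, so `FOUND_MPSTAT=$?` and `FOUND_LPARSTAT=$?` both capture the exit status of the lparstat probe and a missing mpstat is never detected; move `FOUND_MPSTAT=$?` to directly follow `queryHaveCommand mpstat`, as the Linux branch does with its sar/mpstat pair. When either probe does fail, the branch still reaches `$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"` with `CMD`, `DEFINE` and `FORMAT` unset rather than calling `failLackMultipleCommands mpstat lparstat`, so the input exits silently with no output. The tail of this hunk is garbled in this rendering (the HP-UX `FORMAT` is cut at `if(5`), so the remainder of cpu.sh, including the final command pipeline, was not reviewed.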
@@ -0,0 +1,211 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='CPU pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%-3s %9s %9s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address}' +FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}' + +if [ "$KERNEL" = "Linux" ] ; then + queryHaveCommand sar + FOUND_SAR=$? + queryHaveCommand mpstat + FOUND_MPSTAT=$? + if [ ! -f "/etc/os-release" ] ; then + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)" + else + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)" + fi + if [ $FOUND_SAR -eq 0 ] ; then + CMD='sar -P ALL 1 1' + # shellcheck disable=SC2016 + FORMAT='{cpu=$(NF-6); pctUser=$(NF-5); pctNice=$(NF-4); pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' + elif [ $FOUND_MPSTAT -eq 0 ] ; then + CMD='mpstat -P ALL 1 1' + # shellcheck disable=SC2016 + FORMAT='{cpu=$(NFIELDS-10); pctUser=$(NFIELDS-9); pctNice=$(NFIELDS-8); pctSystem=$(NFIELDS-7); pctIowait=$(NFIELDS-6); pctIdle=$NF;OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' + else + failLackMultipleCommands sar mpstat + fi + # shellcheck disable=SC2016 + FILTER='($0 ~ /CPU/) { if($(NF-1) ~ /gnice/){ NFIELDS=NF; } else {NFIELDS=NF+1;} next} /Average|Linux|^$|%/ {next}' +elif [ "$KERNEL" = "SunOS" ] ; 
then + if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then + CMD='eval mpstat -a -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -p 1 2 | tail -r' + else + CMD='eval mpstat -aq -p 1 2 | tail -1 | sed "s/^[ ]*0/all/"; mpstat -q -p 1 2 | tail -r' + fi + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($1=="CPU") {exit 1}' + # shellcheck disable=SC2016 + FORMAT='{cpu=$1; pctUser=$(NF-4); pctNice="0"; pctSystem=$(NF-3); pctIowait=$(NF-2); pctIdle=$(NF-1);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' +elif [ "$KERNEL" = "AIX" ] ; then + queryHaveCommand mpstat + queryHaveCommand lparstat + FOUND_MPSTAT=$? + FOUND_LPARSTAT=$? + DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + if [ $FOUND_MPSTAT -eq 0 ] && [ $FOUND_LPARSTAT -eq 0 ] ; then + # Get extra fields from lparstat + COUNT=$(lparstat | grep " app" | wc -l) + if [ $COUNT -gt 0 ] ; then + # Fetch value from "app" column of lparstat output + FETCH_APP_COL_NUM='BEGIN {app_col_num = 8} + { + if($0 ~ /System configuration|^$/) {next} + if($0 ~ / app/) + { + for(i=1; i<=NF; i++) + { + if($i == "app") + { + app_col_num = i; + break; + } + } + print app_col_num; + exit 0; + } + }' + APP_COL_NUM=$(lparstat | awk "$FETCH_APP_COL_NUM") + CPUPool=$(lparstat | tail -1 | awk -v APP_COL_NUM=$APP_COL_NUM -F " " '{print $APP_COL_NUM}') + else + CPUPool=0 + fi + # Fetch other required fields from lparstat output + OnlineVirtualCPUs=$(lparstat -i | grep "Online Virtual CPUs" | awk -F " " '{print $NF}') + EntitledCapacity=$(lparstat -i | grep "Entitled Capacity " | awk -F " " '{print $NF}') + DEFINE_LPARSTAT_FIELDS="-v CPUPool=$CPUPool -v OnlineVirtualCPUs=$OnlineVirtualCPUs -v EntitledCapacity=$EntitledCapacity" + + # Get cpu 
stats using mpstat command and manipulate the output for adding extra fields + CMD='mpstat -a 1 1' + # shellcheck disable=SC2016 + FORMAT='BEGIN {flag = 0} + { + if($0 ~ /System configuration|^$/) {next} + if(flag == 1) + { + for(i=NF+7; i>=7; i--) + { + $i = $(i-6); + } + # Prepend OSName, OS_version, IP_address values + $1 = OSName; + $2 = OSVersion/1000; + $3 = IP_address; + # Prepend lparstat field values + if($0 ~ /ALL/) + { + $4 = CPUPool; + $5 = OnlineVirtualCPUs; + $6 = EntitledCapacity; + } + else + { + $4 = "-"; + $5 = "-"; + $6 = "-"; + } + } + if($0 ~ /cpu /) + { + for(i=NF+7; i>=7; i--) + { + $i = $(i-6); + } + # Prepend OSName, OS_version, IP_address headers + $1 = "OSName"; + $2 = "OS_version"; + $3 = "IP_address"; + # Prepend lparstat field headers + $4 = "CPUPool"; + $5 = "OnlineVirtualCPUs"; + $6 = "EntitledCapacity"; + flag = 1; + } + for(i=1; i<=NF; i++) + { + printf "%17s ", $i; + } + print ""; + }' + fi + $CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS" + echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST" + exit +elif [ "$KERNEL" = "Darwin" ] ; then + HEADER='CPU pctUser pctSystem pctIdle OSName OS_version IP_address' + HEADERIZE="BEGIN {print \"$HEADER\"}" + PRINTF='{printf "%-3s %9s %9s %9s %-35s %15s %-16s\n", cpu, pctUser, pctSystem, pctIdle, OSName, OS_version, IP_address}' + # top command here is used to get a single instance of cpu metrics + CMD='top -l 1' + assertHaveCommand "$CMD" + # FILTER here skips all the rows that doesn't match "CPU". + # shellcheck disable=SC2016 + FILTER='($1 !~ "CPU") {next;}' + + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # FORMAT here removes '%'in the end of the metrics. 
+ # shellcheck disable=SC2016 + FORMAT='function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + cpu="all"; + pctUser = remove_char($3, "%"); + pctSystem = remove_char($5, "%"); + pctIdle = remove_char($7, "%"); + OSName=OSName; + OS_version=OS_version; + IP_address=IP_address; + }' +elif [ "$KERNEL" = "FreeBSD" ] ; then + CMD='eval top -P -d2 c; top -d2 c' + assertHaveCommand "$CMD" + # shellcheck disable=SC2016 + FILTER='($1 !~ "CPU") { next; }' + # shellcheck disable=SC2016 + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # shellcheck disable=SC2016 + FORMAT='function remove_char(string, char_to_remove) { + sub(char_to_remove, "", string); + return string; + } + { + if ($1 == "CPU:") { + cpu = "all"; + } else { + cpu = remove_char($2, ":"); + } + } + { + pctUser = remove_char($(NF-9), "%"); + pctNice = remove_char($(NF-7), "%"); + pctSystem = remove_char($(NF-5), "%"); + pctIdle = remove_char($(NF-1), "%"); + pctIowait = "0.0"; + OSName=OSName; + OS_version=OS_version; + IP_address=IP_address; + }' +elif [ "$KERNEL" = "HP-UX" ] ; then + queryHaveCommand sar + FOUND_SAR=$? + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + if [ $FOUND_SAR -eq 0 ] ; then + CMD='sar -M 1 1 ALL' + fi + FILTER='/HP-UX|^$|%/ {next}' + # shellcheck disable=SC2016 + FORMAT='{k=0; if(5>"$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/df.sh b/deployment-apps/Splunk_TA_nix/bin/df.sh new file mode 100755 index 0000000..a64e78b --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/df.sh 
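Review bot: In the AIX branch the two `$?` captures are misaligned: `queryHaveCommand mpstat` and `queryHaveCommand lparstat` run back to back, so `FOUND_MPSTAT=$?` records lparstat's result and `FOUND_LPARSTAT=$?` records the status of the preceding assignment (always 0); the guard therefore never notices a missing mpstat and the script runs `mpstat -a 1 1` regardless. Interleave them: `queryHaveCommand mpstat; FOUND_MPSTAT=$?` followed by `queryHaveCommand lparstat; FOUND_LPARSTAT=$?`. That `if` also has no `else`, so when either tool is absent `CMD` and `FORMAT` stay empty and the final pipeline silently emits nothing — adding `else failLackMultipleCommands mpstat lparstat` would match how the Linux branch fails. Separately, `$DEFINE` is expanded unquoted into the awk invocation, so any value read from `/etc/*release` or `oslevel` that contains whitespace or glob characters would shift the `-v` arguments; OSName is protected with `tr ' ' '_'` but OS_version/OSVersion are not.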
@@ -0,0 +1,318 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# jscpd:ignore-start +if [ "$KERNEL" = "Linux" ] ; then + assertHaveCommand df + CMD='df -h --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target' + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + # shellcheck disable=SC2016 + FILTER_POST='/(devtmpfs|tmpfs)/ {next}' + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("Mounted on","MountedOn",$0); + } + match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a); + if (length(a) != 0) + { printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1],a[2],a[3],a[4],a[5],a[6],a[7],a[8],a[9],a[10],a[11];} + }' + +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/bin/df + CMD_1='eval /usr/bin/df -n ; /usr/bin/df -g' + CMD_2='/usr/bin/df -h' + + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files" + # shellcheck disable=SC2016 + INODE_FILTER=' + /^\// {key=$1} + { + for(i=1;i<=NF;i++) + { + if($i == "total" && $(i+1) == "files") + { + inodes=$(i-1) + } + if($i == "free" && $(i+1) == "files") + { + ifree=$(i-1) + } + } + } + {if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}' + + CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}" + FILTER_PRE='/libc_psr/ {next}' + + #Maps fsType and inode info from the output of INODE_FILTER + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / { + for(i=1;i<=NF;i++){ + if($i ~ /^\/.*/) + keyCol=i; + else if($i ~ /[a-zA-Z0-9]/) + valueCol=i; + } + if($keyCol ~ /^\/.*:/) + fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol; + else + fsTypes[$keyCol]=$valueCol; + }' + + 
#Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + for(i=1;i<=NF;i++){ + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + $(NF+1)="IUsed"; + $(NF+1)="IFree"; + $(NF+1)="IUsePct"; + + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=MoInodes["INODE:"$mountedCol]; + $(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol]; + $(NF+1)=MoIFree["INODE:"$mountedCol]; + + if(MoInodes["INODE:"$mountedCol]>0) + { + $(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol])"%"; + } + else + { + $(NF+1)="0"; + } + + print $0; + } + } + }' + +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/bin/df + CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m' + + # Normalize Size, Used and Avail columns + # shellcheck disable=SC2016 + NORMALIZE=' + function fromKB(KB) { + MB = KB/1024; + if (MB<1024) return MB "M"; + GB = MB/1024; + if (GB<1024) return GB "G"; + TB = GB/1024; return TB "T" + } + { + if($0 ~ /^Filesystem.*/){ + for(i=1;i<=NF;i++){ + if($i=="1024-blocks") {sizeCol=i; sizeFlag=1;} + if($i=="Used") {usedCol=i; usedFlag=1;} + if($i=="Available") {availCol=i; availFlag=1;} + } + } + if(!($0 ~ /^Filesystem.*/) && sizeFlag==1) + $sizeCol=fromKB($sizeCol); + if(!($0 ~ /^Filesystem.*/) && usedFlag==1) + $usedCol=fromKB($usedCol); + if(!($0 ~ /^Filesystem.*/) && availFlag==1) + $availCol=fromKB($availCol); + }' + + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/: / { + for(i=1;i<=NF;i++){ + if($i ~ /^\/.*/) + keyCol=i; + else if($i ~ /[a-zA-Z0-9]/) + valueCol=i; + 
} + if($keyCol ~ /^\/.*:/) + fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol; + else + fsTypes[$keyCol]=$valueCol; + }' + + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%Iused","IUsePct",$0); + for(i=1;i<=NF;i++){ + if($i=="Iused") iusedCol=i; + if($i=="Ifree") ifreeCol=i; + + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + print $0; + } + } + }' + +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand df + assertHaveCommand fstyp + CMD='df -Pk' + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}' + # shellcheck disable=SC2016 + HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tMountedOn' + # shellcheck disable=SC2016 + HEADERIZE='/^Filesystem/ {print header; next}' + # shellcheck disable=SC2016 + FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; $6=usePct; $7=mountedOn}' + # shellcheck disable=SC2016 + FILTER_POST='($2 ~ /^(tmpfs)$/) {next}' + # shellcheck disable=SC2016 + PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11}' +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -h -T nocddafs,autofs,devfs,fdesc,nfs' + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / 
{ + for(i=1;i<=NF;i++){ + if($i=="on" && $(i+1) ~ /^\/.*/) + { + key=$(i+1); + } + if($i ~ /^\(/) + value=substr($i,2,length($i)-2); + } + fsTypes[key]=value; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%iused","IUsePct",$0); + + for(i=1;i<=NF;i++){ + if($i=="iused") iusedCol=i; + if($i=="ifree") ifreeCol=i; + + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /^\/dev\/.*s[0-9]+$/){ + sub("^/dev/", "", $i); + sub("s[0-9]+$", "", $i); + } + if($i ~ /^\/\S*/ && i==mountedCol){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + print $0; + } + } + }' + +elif [ "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660' + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / { + for(i=1;i<=NF;i++){ + if($i=="on" && $(i+1) ~ /^\/.*/) + { + key=$(i+1); + } + if($i ~ /^\(/) + value=substr($i,2,length($i)-2); + } + fsTypes[key]=value; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%iused","IUsePct",$0); + + for(i=1;i<=NF;i++){ + if($i=="iused") iusedCol=i; + if($i=="ifree") ifreeCol=i; + + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /^\/\S*/ && i==mountedCol){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + print $0; + } + } + }' + +fi +# 
jscpd:ignore-end
+
+$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/df_metric.sh b/deployment-apps/Splunk_TA_nix/bin/df_metric.sh
new file mode 100755
index 0000000..52872ed
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/df_metric.sh
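Review bot: In the HP-UX branch `MAP_FS_TO_TYPE` concatenates df's first column into a shell command (`c="fstyp " $1; c | getline ft`), so a mount source containing shell metacharacters (`;`, backticks, `$(`) is handed unescaped to the shell that awk spawns — mount sources are normally root-controlled, so this is mostly hygiene, but it is still string-built shell from program output. The same rule never resets `ft`, so when `fstyp` fails for a row and `getline` yields nothing, the previous row's type is silently reused for the current one. Both are covered by `MAP_FS_TO_TYPE='{ft="?"; if ($1 ~ /^[A-Za-z0-9_.:\/-]+$/) {c="fstyp " $1; c | getline ft; close(c)}}'`. Also note the Linux branch relies on the three-argument `match(s, re, a)`, a gawk extension; if `$AWK` from common.sh can resolve to mawk or BusyBox awk on some hosts, every data row would be dropped because `a` stays empty.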
@@ -0,0 +1,364 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# shellcheck disable=SC2016 +FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(IPv6_Address) || IPv6_Address = "?"}' + +# jscpd:ignore-start +if [ "$KERNEL" = "Linux" ] ; then + assertHaveCommand df + CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target' + if [ ! -f "/etc/os-release" ] ; then + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + else + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + fi + BEGIN='BEGIN { OFS = "\t" }' + FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}' + # shellcheck disable=SC2016 + FILTER_POST='/(devtmpfs|tmpfs)/ {next}' + # shellcheck disable=SC2016 + PRINTF=' + function rem_pcent(val) + { + if(substr(val, length(val), 1)=="%") + {val=substr(val, 1, length(val)-1); return val} + } + { + if($0 ~ /^Filesystem.*/){ + sub("Mounted on","MountedOn",$0); + $(NF+1)="OSName"; + $(NF+1)="OS_version"; + $(NF+1)="IP_address"; + $(NF+1)="IPv6_Address"; + print $0; + } + + match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a); + + if (length(a) != 0) + { printf 
"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1], a[2], a[3], a[4], a[5], rem_pcent(a[6]), a[7], a[8], a[9], rem_pcent(a[10]), a[11], OSName, OS_version, IP_address, IPv6_Address} + + }' + +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/bin/df + CMD_1='eval /usr/bin/df -n; /usr/bin/df -g' + CMD_2='/usr/bin/df -k' + #Filters out Inode info from df -g output -> inodes = Value just before "total files" & ifree = Value just before "free files" + # shellcheck disable=SC2016 + INODE_FILTER=' + /^\// {key=$1} + { + for(i=1;i<=NF;i++) + { + if($i == "total" && $(i+1) == "files") + { + inodes=$(i-1) + } + if($i == "free" && $(i+1) == "files") + { + ifree=$(i-1) + } + } + } + {if(NR%5==0) sub("\\(.*\\)?", "", key); print "INODE:" key, inodes, ifree}' + CMD="${CMD_1} | ${AWK} '${INODE_FILTER}'; ${CMD_2}" + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + FILTER_PRE='/libc_psr/ {next}' + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType and inode info from the output of INODE_FILTER + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/INODE:/ {MoInodes[$1] = $2; MoIFree[$1] = $3;} /: / { + for(i=1;i<=NF;i++){ + if($i ~ /^\/.*/) + keyCol=i; + else if($i ~ /[a-zA-Z0-9]/) + valueCol=i; + } + if($keyCol ~ /^\/.*:/) + fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol; + else + fsTypes[$keyCol]=$valueCol; + }' + #Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ 
/^Filesystem.*/){ + for(i=1;i<=NF;i++){ + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + $(NF+1)="IUsed"; + $(NF+1)="IFree"; + $(NF+1)="IUsePct"; + $(NF+1)="OSName"; + $(NF+1)="OS_version"; + $(NF+1)="IP_address"; + $(NF+1)="IPv6_Address"; + + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /.*\%$/) + $i=substr($i, 1, length($i)-1); + + if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=MoInodes["INODE:"$mountedCol]; + $(NF+1)=MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol]; + $(NF+1)=MoIFree["INODE:"$mountedCol]; + if(MoInodes["INODE:"$mountedCol]>0) + { + $(NF+1)=int(((MoInodes["INODE:"$mountedCol]-MoIFree["INODE:"$mountedCol])*100)/MoInodes["INODE:"$mountedCol]); + } + else + { + $(NF+1)="0"; + } + $(NF+1)=OSName; + $(NF+1)=OS_version; + $(NF+1)=IP_address; + $(NF+1)=IPv6_Address; + + print $0; + } + } + }' + +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/bin/df + CMD='eval /usr/sysv/bin/df -n ; /usr/bin/df -kP -F %u %f %z %l %n %p %m' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/: / { + for(i=1;i<=NF;i++){ + if($i ~ /^\/.*/) + keyCol=i; + else if($i ~ /[a-zA-Z0-9]/) + valueCol=i; + } + if($keyCol ~ /^\/.*:/) + fsTypes[substr($keyCol,1,length($keyCol)-1)] = $valueCol; + else + fsTypes[$keyCol]=$valueCol; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%Iused","IUsePct",$0); + + for(i=1;i<=NF;i++){ + if($i=="Iused") iusedCol=i; + if($i=="Ifree") ifreeCol=i; + + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + $(NF+1)="OSName"; + $(NF+1)="OS_version"; + $(NF+1)="IP_address"; + $(NF+1)="IPv6_Address"; + + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /.*\%$/) + $i=substr($i, 1, length($i)-1); + + if($i ~ /^\/\S*/ && i==mountedCol && !(fsTypes[$mountedCol]~/(devfs|ctfs|proc|mntfs|objfs|lofs|fd|tmpfs)/) && !($0 ~ /.*\/proc.*/)){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + $(NF+1)=OSName; + OS_version=OSVersion/1000; + $(NF+1)=OS_version; + $(NF+1)=IP_address; + $(NF+1)=IPv6_Address; + + print $0; + } + } + }' + +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand df + assertHaveCommand fstyp + CMD='df -Pk' + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # shellcheck 
disable=SC2016 + HEADER='Filesystem\tType\tSize\tUsed\tAvail\tUsePct\tINodes\tIUsed\tIFree\tIUsePct\tOSName\tOS_version\tIP_address\tMountedOn' + # shellcheck disable=SC2016 + HEADERIZE='/^Filesystem/ {print header; next}' + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='{c="fstyp " $1; c | getline ft; close(c);}' + # shellcheck disable=SC2016 + FORMAT='{size=$2; used=$3; avail=$4; usePct=$5; mountedOn=$6; $2=ft; $3=size; $4=used; $5=avail; if(substr(usePct,length(usePct),1)=="%") $6=substr(usePct, 1, length(usePct)-1); else $6=usePct; $7=mountedOn; OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' + # shellcheck disable=SC2016 + FILTER_POST='($2 ~ /^(tmpfs)$/) {next}' + # shellcheck disable=SC2016 + PRINTF='{printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11}' +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nocddafs,autofs,devfs,fdesc,nfs; df -k -T nocddafs,autofs,devfs,fdesc,nfs' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / { + for(i=1;i<=NF;i++){ + if($i=="on" && $(i+1) ~ /^\/.*/) + { + key=$(i+1); + } + if($i ~ /^\(/) + value=substr($i,2,length($i)-2); + } + fsTypes[key]=value; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%iused","IUsePct",$0); + + for(i=1;i<=NF;i++){ + if($i=="iused") iusedCol=i; + if($i=="ifree") ifreeCol=i; + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + $(NF+1)="OSName"; + $(NF+1)="OS_version"; + $(NF+1)="IP_address"; + $(NF+1)="IPv6_Address"; + + + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /.*\%$/) + $i=substr($i, 1, length($i)-1); + + if($i ~ /^\/dev\/.*s[0-9]+$/){ + sub("^/dev/", "", $i); + sub("s[0-9]+$", "", $i); + } + + if($i ~ /^\/\S*/ && i==mountedCol){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + $(NF+1)=OSName; + $(NF+1)=OS_version; + $(NF+1)=IP_address; + $(NF+1)=IPv6_Address; + print $0; + } + } + }' + +elif [ "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand mount + assertHaveCommand df + CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ik -t nodevfs,nonfs,noswap,nocd9660' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + BEGIN='BEGIN { OFS = "\t" }' + #Maps fsType + # shellcheck disable=SC2016 + MAP_FS_TO_TYPE='/ on / { + for(i=1;i<=NF;i++){ + if($i=="on" && $(i+1) ~ /^\/.*/) + { + key=$(i+1); + } + if($i ~ /^\(/) + value=substr($i,2,length($i)-2); + } + fsTypes[key]=value; + }' + # Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables + # shellcheck disable=SC2016 + PRINTF=' + { + if($0 ~ /^Filesystem.*/){ + sub("%iused","IUsePct",$0); + + for(i=1;i<=NF;i++){ + if($i=="iused") iusedCol=i; + if($i=="ifree") ifreeCol=i; + if($i=="Mounted" && $(i+1)=="on"){ + mountedCol=i; + sub("Mounted on","MountedOn",$0); + } + } + $(NF+1)="Type"; + $(NF+1)="INodes"; + $(NF+1)="OSName"; + $(NF+1)="OS_version"; + $(NF+1)="IP_address"; + $(NF+1)="IPv6_Address"; + + print $0; + } + } + { + for(i=1;i<=NF;i++) + { + if($i ~ /.*\%$/) + $i=substr($i, 1, length($i)-1); + + if($i ~ /^\/\S*/ && i==mountedCol){ + $(NF+1)=fsTypes[$mountedCol]; + $(NF+1)=$iusedCol+$ifreeCol; + $(NF+1)=OSName; + $(NF+1)=OS_version; + $(NF+1)=IP_address; + $(NF+1)=IPv6_Address; + print $0; + } + } + }' + +fi +# jscpd:ignore-end + +# shellcheck disable=SC2086 +$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER" +echo "Cmd = [$CMD]; | $AWK $DEFINE '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST" 
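Review bot: In the Linux branch `rem_pcent` has no return on its fall-through path, so when df prints `-` for `ipcent` (the regex explicitly admits `-` in field 10, which df does for filesystems without inode counts) the call returns an empty string and the IUsePct cell is emitted blank instead of `-`. Add a final return after the `if`: `{ if (substr(val, length(val), 1) == "%") { val = substr(val, 1, length(val)-1) } return val }`. The HP-UX branch here also builds `"fstyp " $1` into a shell command from df output and never resets `ft` between rows, so a failed `getline` carries the previous row's type forward; a character-class check on `$1` and `ft="?"` at the top of the rule would cover both. `ip -6 -brief address show` in the two Linux `DEFINE` lines is not guarded with `queryHaveCommand ip`, so on a host without iproute2 the substitution appears to leave an error on the script's stderr each run, although `FILL_DIMENSIONS` still fills the column with `?`.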
diff --git a/deployment-apps/Splunk_TA_nix/bin/hardware.sh b/deployment-apps/Splunk_TA_nix/bin/hardware.sh
new file mode 100755
index 0000000..41c0484
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/hardware.sh
@@ -0,0 +1,193 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh +# shellcheck disable=SC2016 +FORMAT='{key = $1; if (NF == 1) {value = ""} else {value = $2; for (i=3; i <= NF; i++) value = value " " $i}}' +PRINTF='{printf("%-20s %-s\n", key, value)}' + +if [ "$KERNEL" = "Linux" ] ; then + assertHaveCommand dmesg + queryHaveCommand ip + FOUND_IP=$? + # CPUs + CPU_TYPE=$(awk -F: '/model name/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST") + CPU_CACHE=$(awk -F: '/cache size/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST") + CPU_COUNT=$(grep -c processor /proc/cpuinfo 2>>"$TEE_DEST") + # HDs + # shellcheck disable=SC2010 + for deviceBasename in $(ls /sys/block | grep -E -v '^(dm|md|ram|sr|loop)') + do + DEVICE="/sys/block/$deviceBasename" HARD_DRIVES="$HARD_DRIVES $deviceBasename" + if [ -e "$DEVICE"/device/model ] ; then HARD_DRIVES="$HARD_DRIVES ($(sed 's/ *$//' "$DEVICE"/device/model))"; fi + if [ -e "$DEVICE"/size ] ; then HARD_DRIVES="$HARD_DRIVES $((($(cat "$DEVICE"/size)*512)/(1024*1024*1024))) GB; "; fi + done + # NICs + # For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd. 
+ if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + NIC_TYPE=$(cat "$DMESG_FILE"* | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}') + else + NIC_TYPE=$(dmesg | awk '/Ethernet/ {sub("[^a-zA-Z]*Ethernet.*$", ""); sub("^[^:]*: ", ""); print; exit}') + fi + if [ $FOUND_IP -eq 0 ]; then + NIC_COUNT=$(ip a | awk '!length() || $2 ~/lo/ || /^ / {next} {ct++} END {print ct}') + else + assertHaveCommand ifconfig + NIC_COUNT=$(ifconfig | awk '!length() || /^( |lo)/ {next} {ct++} END {print ct}') + fi + # memory + MEMORY_REAL=$(awk -F: '/MemTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST") + MEMORY_SWAP=$(awk -F: '/SwapTotal/ {print $2; exit}' /proc/meminfo 2>>"$TEE_DEST") +elif [ "$KERNEL" = "SunOS" ] ; then + UNAME_PLATFORM=$(uname -i) + assertHaveCommand mpstat + assertHaveCommand iostat + assertHaveCommand dmesg + assertHaveCommandGivenPath /usr/sbin/prtconf + assertHaveCommandGivenPath /usr/sbin/swap + # CPUs and NIC count + if [ -x /usr/sbin/prtdiag ] ; then + if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then + # shellcheck disable=SC2016 + CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" CPU socket #$", "", $0); print $0; exit}') + else + # shellcheck disable=SC2016 + CPU_TYPE=$(/usr/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); print $0; exit}') + fi + NIC_COUNT=$(/usr/sbin/prtdiag | grep -c NIC) + elif [ -x /usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag ]; then + # shellcheck disable=SC2016 + CPU_TYPE=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | $AWK 'BEGIN {leftToSkip=-1} /Processor Sockets/ {leftToSkip=3; next} (leftToSkip>0) {leftToSkip-=1; next} (!leftToSkip) {sub("[0-9]$", "", $0); sub(" [A-Za-z]+ ?$", "", $0); 
print $0; exit}') + NIC_COUNT=$(/usr/platform/"$UNAME_PLATFORM"/sbin/prtdiag | grep -c NIC) + else + echo "Not found commandGivenPath [ /usr/sbin/prtdiag or /usr/platform/$UNAME_PLATFORM/sbin/prtdiag ] on this host, quitting" >> "$TEE_DEST" + exit 1 + fi + # shellcheck disable=SC2016 + CPU_CACHE=$(/usr/sbin/prtconf -v | $AWK 'function hexToDecKB (hex, digitsAll, idx, curDigit, dec) {sub("^value=", "", hex); for (idx=1; idx<=length(hex); idx++) {curDigit = index("0123456789abcdef", substr(hex,idx,1)); dec=(16*dec)+curDigit-1} if (debug) printf "hexToDec:%s->%d ", hex, dec; dec /= 1024; return dec} BEGIN {L2=L1i=L1d=0} (L2) {strL2=$1; L2=0} /l2-cache-size/ {L2=1} (L1i) {strL1i=$1; L1i=0} /l1-icache-size/ {L1i=1} (L1d) {strL1d=$1; L1d=0} /l1-dcache-size/ {L1d=1} END {if (debug) printf "strL2:%s strL1i:%s strL1d:%s ", strL2, strL1i, strL1d; nL2=hexToDecKB(strL2); nL1=hexToDecKB(strL1i)+hexToDecKB(strL1d); printf "L1:%dKB L2:%dKB", nL1, nL2}' debug="$DEBUG") + if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then + CPU_COUNT=$(mpstat | grep -cv CPU) + else + CPU_COUNT=$(mpstat -q | grep -cv CPU) + fi + # # # that gives # of cores; `/usr/sbin/psrinfo -p` gives # of chips + # HDs + # shellcheck disable=SC2016 + HARD_DRIVES=$(iostat -E | $AWK '/Soft Errors:/ {name=$1} /^Vendor:/ {info = $2 " " $4} /^Size:/ {sizeGB=0+$2; if (sizeGB>0) drives[name]=info " " $2} END {for (d in drives) printf("%s %s; ", d, drives[d])}') + # NICs + NIC_TYPE=$(dmesg | grep 'mac address' | sed -n 's/^.*] [a-z]*[0-9]*: //;s/mac address .*$//;p' | uniq) + # memory + MEMORY_REAL=$(/usr/sbin/prtconf | awk '/^Memory size:/ {print $3 " MB"; exit}') + # shellcheck disable=SC2016 + MEMORY_SWAP=$(/usr/sbin/swap -s | $AWK '{used=0+$(NF-3); free=0+$(NF-1); total=(used+free)/1024; print int(total) " MB"}') +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/sbin/prtconf + assertHaveCommandGivenPath /usr/sbin/lsattr + assertHaveCommandGivenPath /usr/sbin/lsdev + 
assertHaveCommandGivenPath /usr/sbin/lscfg + assertHaveCommandGivenPath /usr/sbin/lspv + assertHaveCommandGivenPath /usr/sbin/lsps + # CPUs + # shellcheck disable=SC2016 + CPU_TYPE=$(/usr/sbin/prtconf | $AWK -F: '/^Processor Type:/{type=$2} /^Processor Clock Speed:/ {clock=$2}END {printf("%s %s",type,clock)}') + # shellcheck disable=SC2016 + CPU_CACHE=$(/usr/sbin/lsattr -EHl L2cache0 | $AWK '/^size/{print "L2:" $2 " KB" }') + CPU_COUNT=$(/usr/sbin/lsdev -Cc processor | grep -c proc) + # HDs + HDD_NAME=$(/usr/sbin/lsdev -Cc disk | awk '{print $1}') + HARD_DRIVES="" + for disk in $HDD_NAME + do + # shellcheck disable=SC2016 + HARD_INFO=$(/usr/sbin/lscfg -vpl "$disk" | $AWK -F . '/Manufacturer/ {name = $NF } /Machine Type and Model/ {info = $(NF)} END {printf("%s %s", name, info)}') + ACTIVE_STATUS=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $NF}') + VOLUME_GROUP=$(/usr/sbin/lspv | awk -v pat="$disk" '$0~pat{print $3}') + + if [ "${ACTIVE_STATUS}" != "active" ] || [ "${VOLUME_GROUP}" = "None" ]; then # lspv cannot get disk-size as disk is inactive or not in any volume group + HARD_MB=$(getconf DISK_SIZE /dev/"$disk")" MB" + else + HARD_MB=$(/usr/sbin/lspv -L "$disk" | awk -F \( '{print $2}'| awk '/VG DESCRIPTORS/{print $1" MB"}') + fi + HARD_DRIVES="$HARD_DRIVES$disk $HARD_INFO $HARD_MB; " + done + # NICs + NIC_TYPE=$(/usr/sbin/lsdev -Cc adapter | grep ent | awk -F" " '{print $1" "$3"; "}') + NIC_COUNT=$(/usr/sbin/lsdev -Cc adapter | grep -c ent) + # memory + # shellcheck disable=SC2016 + MEMORY_REAL=$(/usr/sbin/lsattr -EHl mem0 | $AWK '/^size/ {print $2 " MB"}') + # shellcheck disable=SC2016 + MEMORY_SWAP=$(/usr/sbin/lsps -s | $AWK -F MB '/MB/ {print $1" MB"}') +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand sysctl + assertHaveCommand df + assertHaveCommand system_profiler + assertHaveCommand ifconfig + # CPUs + CPU_TYPE=$(sysctl machdep.cpu.brand_string | sed -E 's/^.*: //;s/[ ]+/ /g') + CPU_CACHE=$(sysctl hw.cachesize | awk '{L1=$3/1024; 
L2=$4/(1024*1024); printf "L1:%d KB; L2:%d MB", L1, L2}') + CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //') + # HDs + HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}') + # NICs + NIC_TYPE=$(system_profiler SPNetworkDataType | awk '/Media Subtype:/ {print $3; exit}') + NIC_COUNT=$(ifconfig | grep -c 'supported media:.*baseT') + # memory + MEMORY_REAL=$(sysctl hw.memsize | awk '{print $2/(1024*1024) " MB"}') + MEMORY_SWAP=$(sysctl vm.swapusage | awk '{print 0+$4 " MB"}') +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand ioscan + assertHaveCommand iostat + assertHaveCommand lanscan + assertHaveCommand machinfo + assertHaveCommand swapinfo + OUTPUT=$(machinfo) + CPU_TYPE=$(echo "$OUTPUT" | awk '/processor family/ { for(i=4; i<=NF; i++) printf("%s ", $i); exit}') + CPU_CACHE=$(echo "$OUTPUT" | awk '/L[123]/ {cache+=$5} END {print cache " KB"}') + CPU_COUNT=$(echo "$OUTPUT" | awk '/CPUs/ {print $5; exit}') + HARD_DRIVES=$(iostat 2 1 | wc -l) + # shellcheck disable=SC2307,2003 + HARD_DRIVES=$(expr "$HARD_DRIVES"-4) + NIC_COUNT=$(lanscan -i | wc -l) + NIC_TYPE=$(ioscan -u | grep lan | awk 'NF>2 {for(i=3; i<=NF; i++) printf("%s", $i); exit}') + OUTPUT=$(swapinfo -tm) + MEMORY_REAL=$(echo "$OUTPUT" | awk '$1=="memory" {print $2 " MB"; exit}') + MEMORY_SWAP=$(echo "$OUTPUT" | awk '$1=="dev" {print $2 " MB"; exit}') +elif [ "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand sysctl + assertHaveCommand df + assertHaveCommand ifconfig + assertHaveCommand dmesg + assertHaveCommand top + # CPUs + CPU_TYPE=$(sysctl hw.model | sed 's/^.*: //') + CPU_CACHE= + CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //') + # HDs + HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}') + # NICs + IFACE_NAME=$(ifconfig -a | awk '!/^[a-z]/ {next} /LOOPBACK/ {next} {print $1}' | head -1) + NIC_TYPE=$(dmesg | awk '(index($0, iface) && 
index($0, " port ")) {sub("^.*<", ""); sub(">.*$", ""); print $0}' iface="$IFACE_NAME" | head -1)
+ NIC_COUNT=$(ifconfig -a | grep -c media)
+ # memory
+ MEMORY_REAL=$(sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}')
+ MEMORY_SWAP=$(top -Sb 0 | awk '/^Swap: / {print $2 "B"}')
+fi
+
+formatAndPrint ()
+{
+ # shellcheck disable=SC2086
+ echo $1 | awk "$FORMAT $PRINTF"
+}
+
+formatAndPrint "KEY VALUE"
+formatAndPrint "CPU_TYPE $CPU_TYPE"
+formatAndPrint "CPU_CACHE $CPU_CACHE"
+formatAndPrint "CPU_COUNT $CPU_COUNT"
+formatAndPrint "HARD_DRIVES $HARD_DRIVES"
+formatAndPrint "NIC_TYPE $NIC_TYPE"
+formatAndPrint "NIC_COUNT $NIC_COUNT"
+formatAndPrint "MEMORY_REAL $MEMORY_REAL"
+formatAndPrint "MEMORY_SWAP $MEMORY_SWAP"
diff --git a/deployment-apps/Splunk_TA_nix/bin/interfaces.sh b/deployment-apps/Splunk_TA_nix/bin/interfaces.sh
new file mode 100755
index 0000000..c5a51ce
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/interfaces.sh
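Review bot: In the AIX branch the `lspv` rows are selected with `awk -v pat="$disk" '$0~pat{...}'`, so `pat=hdisk1` also matches `hdisk10`..`hdisk19` and ACTIVE_STATUS / VOLUME_GROUP can come back as several lines, which makes the `!= "active"` and `= "None"` tests unreliable; compare the device column exactly instead, `awk -v pat="$disk" '$1==pat{print $NF}'` and `awk -v pat="$disk" '$1==pat{print $3}'`. Separately, `formatAndPrint` runs `echo $1` unquoted (the SC2086 waiver suggests this is deliberate, to flatten multi-line values), but the unquoted expansion also performs pathname expansion, so a `*` or `?` inside a NIC_TYPE or disk-model string taken from dmesg or sysfs is replaced by file names from the current directory; `(set -f; echo $1) | awk "$FORMAT $PRINTF"` keeps the flattening without the globbing. On the Ubuntu path, `cat "$DMESG_FILE"*` will also pick up rotated neighbours such as `dmesg.1.gz` if they exist and feed compressed bytes to awk — worth confirming what DMESG_FILE is set to in common.sh and whether a plain `cat "$DMESG_FILE"` is intended.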
@@ -0,0 +1,512 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# jscpd:ignore-start +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex' +FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}' +PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}' + +if [ "$KERNEL" = "Linux" ] ; then + HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex' + PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}' + queryHaveCommand ip + FOUND_IP=$? 
+ if [ $FOUND_IP -eq 0 ]; then + CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # shellcheck disable=SC2016 + CMD='eval ip addr show $iface; ip -s link show' + # shellcheck disable=SC2016 + GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}' + # shellcheck disable=SC2016 + GET_TXbytes='{ + if($0 ~ /TX: /){ + tx_row_count=NR+1; + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + TX_bytes_column=i; + } + else if($i=="errors"){ + TX_errors_column=i; + } + else if($i=="dropped"){ + TX_dropped_column=i; + } + else if($i=="collsns"){ + TX_collsns_column=i; + } + } + next; + } + if(NR==tx_row_count){ + (TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1); + (TX_errors_column == "") ? TXerrors = "" : TXerrors = $(TX_errors_column - 1); + (TX_dropped_column == "") ? TXdropped = "" : TXdropped = $(TX_dropped_column - 1); + (TX_collsns_column == "") ? collisions = 0 : collisions = $(TX_collsns_column - 1); + } + }' + # shellcheck disable=SC2016 + GET_RXbytes='{ + if($0 ~ /RX: /){ + rx_row_count=NR+1; + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + RX_bytes_column=i; + } + else if($i=="errors"){ + RX_errors_column=i; + } + else if($i=="dropped"){ + RX_dropped_column=i; + } + }next; + } + if(NR==rx_row_count){ + (RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1); + (RX_errors_column == "") ? RXerrors = "" : RXerrors = $(RX_errors_column - 1); + (RX_dropped_column == "") ? 
RXdropped = "" : RXdropped = $(RX_dropped_column - 1); + } + }' + else + assertHaveCommand ifconfig + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + CMD='ifconfig' + # shellcheck disable=SC2016 + GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}' + # shellcheck disable=SC2016 + GET_COLLISIONS='{ + if ($0 ~ /collisions:/){ + for(i=1;i<=NF;i++){ + if($i ~ /collisions:/){ + collisions_col_no = i; + break; + } + } + if(collisions_col_no==""){ + collisions=0; + } + else + split($collisions_col_no, a, ":"); + collisions=a[2]; + } + else if($0 ~ /collisions /){ + for(i=1;i<=NF;i++){ + if($i=="collisions"){ + collisions_column=i+1; + } + } + (collisions_column != "") ? 
collisions = $collisions_column : collisions = 0; + } + }' + # shellcheck disable=SC2016 + GET_RXbytes='{ + if ($0 ~ /RX bytes:/){ + for(i=1;i<=NF;i++){ + if($i ~ /bytes:/){ + rxbytes_col_no = i; + break; + } + } + if(rxbytes_col_no==""){ + RXbytes=0; + } + else + split($rxbytes_col_no, a, ":"); + RXbytes=a[2]; + } + else if($0 ~ /RX/ && $0 ~ /bytes/){ + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + RXbytes_column=i+1; + row = NR; + } + } + if(NR == row){ + if(RXbytes_column != ""){ + RXbytes = $RXbytes_column; + } + else + RXbytes = 0; + } + } + }' + # shellcheck disable=SC2016 + GET_RXerrors='{ + if ($0 ~ /RX packets:/){ + for(i=1;i<=NF;i++){ + if($i ~ /errors:/){ + rxerrors_col_no = i; + } + else if($i ~ /dropped:/){ + rxdropped_col_no = i; + } + } + if(rxerrors_col_no != ""){ + split($rxerrors_col_no, a, ":"); + RXerrors=a[2]; + } + else + RXerrors=""; + if(rxdropped_col_no != ""){ + split($rxdropped_col_no, b, ":"); + RXdropped=b[2]; + } + else + RXdropped=""; + } + else if($0 ~ /RX/ && ($0 ~ /errors/)){ + for(i=1;i<=NF;i++){ + if($i=="errors"){ + RXerrors_column=i+1; + } + if($i=="dropped"){ + RXdropped_column=i+1; + } + } + (RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = ""; + (RXdropped_column != "") ? 
RXdropped = $RXdropped_column : RXdropped = ""; + } + }' + # shellcheck disable=SC2016 + GET_TXbytes='{ + if ($0 ~ /TX bytes:/){ + for(i=1;i<=NF;i++){ + if($i ~ /bytes:/){ + txbytes_col_no = i; + } + } + if(txbytes_col_no==""){ + TXbytes=0; + } + else + split($txbytes_col_no, a, ":"); + TXbytes=a[2]; + } + else if($0 ~ /TX/ && $0 ~ /bytes/){ + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + TXbytes_column=i+1; + row = NR; + } + } + if(NR == row){ + if(TXbytes_column != ""){ + TXbytes = $TXbytes_column; + } + else + TXbytes = 0; + } + } + }' + # shellcheck disable=SC2016 + GET_TXerrors='{ + if ($0 ~ /TX packets:/){ + for(i=1;i<=NF;i++){ + if($i ~ /errors:/){ + txerrors_col_no = i; + } + if($i ~ /dropped:/){ + txdropped_col_no = i; + } + } + if(txerrors_col_no != ""){ + split($txerrors_col_no, a, ":"); + TXerrors=a[2]; + } + else + TXerrors=""; + if(txdropped_col_no != ""){ + split($txdropped_col_no, b, ":"); + TXdropped=b[2]; + } + else + TXdropped=""; + } + else if($0 ~ /TX/ && $0 ~ /errors/){ + for(i=1;i<=NF;i++){ + if($i=="errors"){ + TXerrors_column=i+1; + } + if($i=="dropped"){ + TXdropped_column=i+1; + } + } + (TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = ""; + (TXdropped_column != "") ? 
TXdropped = $TXdropped_column : TXdropped = ""; + } + }' + fi + GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors" + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; length(TXdropped) || TXdropped = "";length(RXdropped) || RXdropped = ""; length(IPv4) || IPv4 = ""; length(IPv6) || IPv6= ""}' + BEGIN='BEGIN {RXbytes = TXbytes = collisions = 0}' + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + if [ -r /sys/class/net/"$iface"/duplex ]; then + DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error') + if [ "$DUPLEX" != 'error' ]; then + DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/') + if [ -r /sys/class/net/"$iface"/speed ]; then + SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error') + [ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s" + else + # For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd. + if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + else + assertHaveCommand dmesg + SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + fi + fi + else + DUPLEX="" + fi + fi + if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then + assertHaveCommand dmesg + # Get Duplex only if still null + if [ "$DUPLEX" = "" ] ; then + # For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd. 
+ if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d') + else + DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d') + fi + fi + # Get Speed only if still null + if [ "$SPEED" = "" ] ; then + # For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd. + if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + else + SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + fi + fi + fi + if [ $FOUND_IP -eq 0 ]; then + # shellcheck disable=SC2016 + GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}' + elif [ -r /sys/class/net/"$iface"/address ]; then + MAC=$(cat /sys/class/net/"$iface"/address) + else + # shellcheck disable=SC2016 + GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}' + fi + if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then + $CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC" + echo "Cmd = [$CMD $iface]; | awk '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST" + else + echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST" + fi 
+ done + +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/sbin/ifconfig + assertHaveCommand kstat + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # shellcheck disable=SC2016 + GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}' + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}' + GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS" + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST" + NODE=$(uname -n) + # shellcheck disable=SC2050 + if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then + CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" + else + CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" + fi + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/sbin/ifconfig + assertHaveCommandGivenPath /usr/bin/netstat + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # shellcheck disable=SC2016 + GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_MAC='/^Hardware Address:/{mac=$3}' + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}' + GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $FILL_BLANKS" + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST" + NODE=$(uname -n) + CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface" + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -u' + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}' + # shellcheck disable=SC2016 + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "ether" && mac = $2}' + # shellcheck disable=SC2016 + GET_IPv4='{$1 == "inet" && IPv4 = $2}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}' + # shellcheck disable=SC2016 + GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{ + if ($0 ~ /Name/) + { + for (i=1; i<=NF; i++) + { + if ($i == "Address") {address_column = i;} + else if ($i == "Ibytes") {ibytes_column = i;} + else if ($i == "Ierrs") {ierrs_column = i;} + else if ($i == "Obytes") {obytes_column = i;} + else if ($i == "Oerrs") {oerrs_column = i;} + else if ($i == "Coll") {coll_column = i;} + } + flag = 1; + } + + if(flag == 1){ + if ($address_column == mac) + { + (ibytes_column == "") ? RXbytes = "" : RXbytes = $(ibytes_column); + (ierrs_column == "") ? 
RXerrors = "" : RXerrors = $(ierrs_column); + (obytes_column == "") ? TXbytes = "" : TXbytes = $(obytes_column); + (oerrs_column == "") ? TXerrors = "" : TXerrors = $(oerrs_column); + (coll_column == "") ? collisions = "" : collisions = $(coll_column); + } + } + }' + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? IPv6 : ""}' + GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS" + out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" + CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand ifconfig + assertHaveCommand lanadmin + assertHaveCommand lanscan + assertHaveCommand netstat + + CMD='lanscan' + # shellcheck disable=SC2016 + LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}' + # shellcheck disable=SC2016 + GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}' + # shellcheck disable=SC2016 + GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}' + PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, 
TXerrors, speed, duplex}' + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? IPv6 : ""}' + out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + echo "$out" + fi +elif [ "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -a' + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}' + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "ether" && mac = $2}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}' + # shellcheck disable=SC2016 + GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{ + if ($0 ~ /Name/) + { + for (i=1; i<=NF; i++) + { + if ($i == "Address") {address_column = i;} + else if ($i == "Ibytes") {ibytes_column = i;} + else if ($i == "Ierrs") {ierrs_column = i;} + else if ($i == "Obytes") {obytes_column = i;} + else if ($i == "Oerrs") {oerrs_column = i;} + else if ($i == "Coll") {coll_column = i;} + } + flag = 1; + } + + if(flag == 1){ + if ($address_column == mac) + { + (ibytes_column == "") ? RXbytes = "" : RXbytes = $(ibytes_column); + (ierrs_column == "") ? RXerrors = "" : RXerrors = $(ierrs_column); + (obytes_column == "") ? TXbytes = "" : TXbytes = $(obytes_column); + (oerrs_column == "") ? TXerrors = "" : TXerrors = $(oerrs_column); + (coll_column == "") ? collisions = "" : collisions = $(coll_column); + } + } + }' + FILL_BLANKS='{length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}'
+ GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS"
+ out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
+ lines=$(echo "$out" | wc -l)
+ if [ "$lines" -gt 0 ]; then
+ echo "$HEADER"
+ fi
+ for iface in $out
+ do
+ echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
+ CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
+ $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
+ echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
+ done
+fi
+# jscpd:ignore-end
diff --git a/deployment-apps/Splunk_TA_nix/bin/interfaces_metric.sh b/deployment-apps/Splunk_TA_nix/bin/interfaces_metric.sh
new file mode 100755
index 0000000..4d96934
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/interfaces_metric.sh
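Review bot: Interface names are spliced into strings that are then re-parsed by `eval`: the Linux loop runs `$CMD "$iface"` with `CMD='eval ip addr show $iface; ip -s link show'`, and the SunOS, AIX, Darwin and FreeBSD branches build `CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"` (or the kstat/netstat equivalents), so a `;`, `$(` or backtick inside a name becomes a command executed with the forwarder's privileges, which is frequently root. As far as I know the Linux kernel only rejects `/`, `:` and whitespace in interface names, so anyone able to create or rename an interface on the host (CAP_NET_ADMIN, or network-management tooling that takes names from configuration) can reach this path; the eval is not needed, because running the commands directly yields the same stream, `{ ip addr show "$iface"; ip -s link show "$iface"; } | tee -a "$TEE_DEST" | awk ...` and `{ ifconfig "$iface"; netstat -b -I "$iface"; } | tee -a "$TEE_DEST" | awk ...`. The same name is also pasted into awk regex source in the dmesg speed/duplex lookups (`/'"$iface"'/`), where it should be passed as a variable and tested with `index($0, iface)` the way hardware.sh already does for IFACE_NAME. A lesser point in the Linux loop: DUPLEX and SPEED are only reset on some paths, so an interface without a readable `/sys/class/net/<iface>/duplex` inherits the previous iteration's values and skips the dmesg fallback; start each iteration with `DUPLEX="" SPEED="" MAC=""`.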
@@ -0,0 +1,535 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# jscpd:ignore-start +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex OSName OS_version IP_address IPv6_Address' +FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}' +PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}' + +if [ "$KERNEL" = "Linux" ] ; then + HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex OSName OS_version IP_address IPv6_Address' + PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}' + queryHaveCommand ip + FOUND_IP=$? + if [ ! -f "/etc/os-release" ] ; then + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. 
-f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + else + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + fi + if [ $FOUND_IP -eq 0 ]; then + CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # shellcheck disable=SC2016 + CMD='eval ip addr show $iface; ip -s link show' + # shellcheck disable=SC2016 + GET_IPv4='{if ($0 ~ /inet /) {split($2, a, " "); IPv4 = a[1]}}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($0 ~ /inet6 /) { IPv6 = $2 }}' + # shellcheck disable=SC2016 + GET_TXbytes='{ + if($0 ~ /TX: /){ + tx_row_count=NR+1; + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + TX_bytes_column=i; + } + else if($i=="errors"){ + TX_errors_column=i; + } + else if($i=="dropped"){ + TX_dropped_column=i; + } + else if($i=="collsns"){ + TX_collsns_column=i; + } + } + next; + } + if(NR==tx_row_count){ + (TX_bytes_column == "") ? TXbytes = 0 : TXbytes = $(TX_bytes_column - 1); + (TX_errors_column == "") ? TXerrors = "" : TXerrors = $(TX_errors_column - 1); + (TX_dropped_column == "") ? TXdropped = "" : TXdropped = $(TX_dropped_column - 1); + (TX_collsns_column == "") ? 
collisions = 0 : collisions = $(TX_collsns_column - 1); + } + }' + # shellcheck disable=SC2016 + GET_RXbytes='{ + if($0 ~ /RX: /){ + rx_row_count=NR+1; + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + RX_bytes_column=i; + } + else if($i=="errors"){ + RX_errors_column=i; + } + else if($i=="dropped"){ + RX_dropped_column=i; + } + }next; + } + if(NR==rx_row_count){ + (RX_bytes_column == "") ? RXbytes = 0 : RXbytes = $(RX_bytes_column - 1); + (RX_errors_column == "") ? RXerrors = "" : RXerrors = $(RX_errors_column - 1); + (RX_dropped_column == "") ? RXdropped = "" : RXdropped = $(RX_dropped_column - 1); + } + }' + else + assertHaveCommand ifconfig + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + CMD='ifconfig' + # shellcheck disable=SC2016 + GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]} else if ($0 ~ /inet /) {IPv4 = $2}}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($0 ~ /inet6 addr:/) { IPv6 = $3 } else if ($0 ~ /inet6 /) { IPv6 = $2 }}' + # shellcheck disable=SC2016 + GET_COLLISIONS='{ + if ($0 ~ /collisions:/){ + for(i=1;i<=NF;i++){ + if($i ~ /collisions:/){ + collisions_col_no = i; + break; + } + } + if(collisions_col_no==""){ + collisions=0; + } + else + split($collisions_col_no, a, ":"); + collisions=a[2]; + } + else if($0 ~ /collisions /){ + for(i=1;i<=NF;i++){ + if($i=="collisions"){ + collisions_column=i+1; + } + } + (collisions_column != "") ? 
collisions = $collisions_column : collisions = 0; + } + }' + # shellcheck disable=SC2016 + GET_RXbytes='{ + if ($0 ~ /RX bytes:/){ + for(i=1;i<=NF;i++){ + if($i ~ /bytes:/){ + rxbytes_col_no = i; + break; + } + } + if(rxbytes_col_no==""){ + RXbytes=0; + } + else + split($rxbytes_col_no, a, ":"); + RXbytes=a[2]; + } + else if($0 ~ /RX/ && $0 ~ /bytes/){ + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + RXbytes_column=i+1; + row = NR; + } + } + if(NR == row){ + if(RXbytes_column != ""){ + RXbytes = $RXbytes_column; + } + else + RXbytes = 0; + } + } + }' + # shellcheck disable=SC2016 + GET_RXerrors='{ + if ($0 ~ /RX packets:/){ + for(i=1;i<=NF;i++){ + if($i ~ /errors:/){ + rxerrors_col_no = i; + } + else if($i ~ /dropped:/){ + rxdropped_col_no = i; + } + } + if(rxerrors_col_no != ""){ + split($rxerrors_col_no, a, ":"); + RXerrors=a[2]; + } + else + RXerrors=""; + if(rxdropped_col_no != ""){ + split($rxdropped_col_no, b, ":"); + RXdropped=b[2]; + } + else + RXdropped=""; + } + else if($0 ~ /RX/ && ($0 ~ /errors/)){ + for(i=1;i<=NF;i++){ + if($i=="errors"){ + RXerrors_column=i+1; + } + if($i=="dropped"){ + RXdropped_column=i+1; + } + } + (RXerrors_column != "") ? RXerrors=$RXerrors_column : RXerrors = ""; + (RXdropped_column != "") ? 
RXdropped = $RXdropped_column : RXdropped = ""; + } + }' + # shellcheck disable=SC2016 + GET_TXbytes='{ + if ($0 ~ /TX bytes:/){ + for(i=1;i<=NF;i++){ + if($i ~ /bytes:/){ + txbytes_col_no = i; + } + } + if(txbytes_col_no==""){ + TXbytes=0; + } + else + split($txbytes_col_no, a, ":"); + TXbytes=a[2]; + } + else if($0 ~ /TX/ && $0 ~ /bytes/){ + for(i=1;i<=NF;i++){ + if($i=="bytes"){ + TXbytes_column=i+1; + row = NR; + } + } + if(NR == row){ + if(TXbytes_column != ""){ + TXbytes = $TXbytes_column; + } + else + TXbytes = 0; + } + } + }' + # shellcheck disable=SC2016 + GET_TXerrors='{ + if ($0 ~ /TX packets:/){ + for(i=1;i<=NF;i++){ + if($i ~ /errors:/){ + txerrors_col_no = i; + } + if($i ~ /dropped:/){ + txdropped_col_no = i; + } + } + if(txerrors_col_no != ""){ + split($txerrors_col_no, a, ":"); + TXerrors=a[2]; + } + else + TXerrors=""; + if(txdropped_col_no != ""){ + split($txdropped_col_no, b, ":"); + TXdropped=b[2]; + } + else + TXdropped=""; + } + else if($0 ~ /TX/ && $0 ~ /errors/){ + for(i=1;i<=NF;i++){ + if($i=="errors"){ + TXerrors_column=i+1; + } + if($i=="dropped"){ + TXdropped_column=i+1; + } + } + (TXerrors_column != "") ? TXerrors = $TXerrors_column : TXerrors = ""; + (TXdropped_column != "") ? 
TXdropped = $TXdropped_column : TXdropped = ""; + } + }' + fi + GET_ALL="$GET_IPv4 $GET_IPv6 $GET_COLLISIONS $GET_RXbytes $GET_RXerrors $GET_TXbytes $GET_TXerrors" + FILL_BLANKS='{length(TXdropped) || TXdropped = "";length(RXdropped) || RXdropped = "";length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = ""; length(duplex) || duplex = ""; length(IPv4) || IPv4 = ""; length(IPv6) || IPv6= ""}' + BEGIN='BEGIN {RXbytes = RXerrors = RXdropped = TXbytes = TXerrors = TXdropped = collisions = 0}' + + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + if [ -r /sys/class/net/"$iface"/duplex ]; then + DUPLEX=$(cat /sys/class/net/"$iface"/duplex 2>/dev/null || echo 'error') + if [ "$DUPLEX" != 'error' ]; then + DUPLEX=$(echo "$DUPLEX" | sed 's/./\u&/') + if [ -r /sys/class/net/"$iface"/speed ]; then + SPEED=$(cat /sys/class/net/"$iface"/speed 2>/dev/null || echo 'error') + [ -n "$SPEED" ] && [ "$SPEED" != 'error' ] && SPEED="${SPEED}Mb/s" + else + # For Ubuntu version >= 20, we use cat to read the dmseg file. Otherwise we use dmesg cmd. 
+ if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + else + assertHaveCommand dmesg + SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + fi + fi + else + DUPLEX="" + fi + fi + if [ "$DUPLEX" = "" ] || [ "$SPEED" = "" ] ; then + # Get Duplex only if still null + if [ "$DUPLEX" = "" ] ; then + if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + DUPLEX=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d') + else + assertHaveCommand dmesg + DUPLEX=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([-_a-zA-Z0-9]+)([Dd]uplex)/)) {print $i} else { if (match($i, /[Dd]uplex/)) {print $(i-1) } } } }' | sed 's/[-_]//g; $!d') + fi + fi + # Get Speed only if still null + if [ "$SPEED" = "" ] ; then + if [ -e "$DMESG_FILE" ] && [ "$UBUNTU_MAJOR_VERSION" -ge 20 ] ; then + SPEED=$(cat "$DMESG_FILE"* | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + else + assertHaveCommand dmesg + SPEED=$(dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'"$iface"'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {print $i} else { if (match($i, /[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d') + fi + fi + fi + if [ $FOUND_IP -eq 0 ]; then + # shellcheck disable=SC2016 + GET_MAC='{if ($0 ~ /ether /) { mac = $2 }}' + elif [ -r 
/sys/class/net/"$iface"/address ]; then + MAC=$(cat /sys/class/net/"$iface"/address) + else + # shellcheck disable=SC2016 + GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}' + fi + if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then + # shellcheck disable=SC2086 + $CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC" + echo "Cmd = [$CMD $iface]; | awk $DEFINE '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST" + else + echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST" + fi + done + +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/sbin/ifconfig + assertHaveCommand kstat + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX='($1=="collisions") {collisions=$2} ($1=="duplex" || $1=="link_duplex") {duplex=$2} ($1=="rbytes") {RXbytes=$2} ($1=="obytes") {TXbytes=$2} ($1=="ierrors") {RXerrors=$2} ($1=="oerrors") {TXerrors=$2} ($1=="ifspeed") {speed=$2; speed/=1000000; speed=speed "Mb/s"}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_MAC='{if ($1 == "ether") {split($2, submac, ":"); mac=sprintf("%02s:%02s:%02s:%02s:%02s:%02s", submac[1], submac[2], submac[3], submac[4], submac[5], submac[6])}}' + FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = ""; length(duplex) || duplex = "";IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}' + GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX $GET_IP $GET_MAC $FILL_BLANKS" + + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST" + NODE=$(uname -n) + # shellcheck disable=SC2050 + if [ SOLARIS_8 = false ] && [ SOLARIS_9 = false ] ; then + CMD_DESCRIBE_INTERFACE="eval kstat -c net -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" + else + CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null" + fi + # shellcheck disable=SC2086 + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/sbin/ifconfig + assertHaveCommandGivenPath /usr/bin/netstat + # shellcheck disable=SC2089 + CMD_LIST_INTERFACES="eval /usr/sbin/ifconfig -au | tee $TEE_DEST | egrep -v 'LOOPBACK|netmask|inet6|tcp_sendspace' | tee -a $TEE_DEST | grep flags | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST" + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS='($1=="Single"){collisions_s=$4} ($1=="Multiple"){collisions=collisions_s+$4} ($1=="Bytes:") {RXbytes=$4 ; TXbytes=$2} ($1=="Media" && $3=="Running:") {speed=$4"Mb/s" ; duplex=$6} ($1="Transmit" && $2="Errors:") {TXerrors=$3 ; RXerrors=$6}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_MAC='/^Hardware Address:/{mac=$3}' + GET_OS_VERSION='{OS_version=OSVersion/1000}' + FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}' + GET_ALL="$GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS $GET_IP $GET_MAC $GET_OS_VERSION $FILL_BLANKS" + + # shellcheck disable=SC2090 + out=$($CMD_LIST_INTERFACES) + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST" + NODE=$(uname -n) + CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface" + # shellcheck disable=SC2086 + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -u' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /status: active/ {print iface}' + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "ether" && mac = $2}' + # shellcheck disable=SC2016 + GET_IPv4='{$1 == "inet" && IPv4 = $2}' + # shellcheck disable=SC2016 + GET_IPv6='{if ($1 == "inet6") {sub("%.*$", "", $2);IPv6 = $2}}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='{if ($1 == "media:") {gsub("[^0-9]", "", $3); speed=$3 "Mb/s"; sub("-duplex.*", "", $4); sub("<", "", $4); duplex=$4}}' + # shellcheck disable=SC2016 + GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{ + if ($0 ~ 
/Name/) + { + for (i=1; i<=NF; i++) + { + if ($i == "Address") {address_column = i;} + else if ($i == "Ibytes") {ibytes_column = i;} + else if ($i == "Ierrs") {ierrs_column = i;} + else if ($i == "Obytes") {obytes_column = i;} + else if ($i == "Oerrs") {oerrs_column = i;} + else if ($i == "Coll") {coll_column = i;} + } + flag = 1; + } + + if(flag == 1){ + if ($address_column == mac) + { + (ibytes_column == "") ? RXbytes = "" : RXbytes = $(ibytes_column); + (ierrs_column == "") ? RXerrors = "" : RXerrors = $(ierrs_column); + (obytes_column == "") ? TXbytes = "" : TXbytes = $(obytes_column); + (oerrs_column == "") ? TXerrors = "" : TXerrors = $(oerrs_column); + (coll_column == "") ? collisions = "" : collisions = $(coll_column); + } + } + }' + FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? 
IPv6 : ""}' + GET_ALL="$GET_MAC $GET_IPv4 $GET_IPv6 $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS" + + out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" + CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" + # shellcheck disable=SC2086 + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" + done +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand ifconfig + assertHaveCommand lanadmin + assertHaveCommand lanscan + assertHaveCommand netstat + + CMD='lanscan' + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # shellcheck disable=SC2016 + LANSCAN_AWK='/^Hardware/ {next} /^Path/ {next} {mac=$2; ifnum=$3; ifstate=$4; name=$5; type=$8}' + # shellcheck disable=SC2016 + GET_IP4='{c="netstat -niwf inet | grep "name; c | getline; close(c); if (NF==10) {next} mtu=$2; IPv4=$4; RXbytes=$5; RXerrors=$6; TXbytes=$7; TXerrors=$8; collisions=$9}' + # shellcheck disable=SC2016 + GET_IP6='{c="netstat -niwf inet6 | grep "name" "; c| getline; close(c); IPv6=$3}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='{c="lanadmin -x "ifnum ; c | getline; close(c); if (NF==4) speed=$3"Mb/s"; sub("\-.*", "", $4); duplex=tolower($4)}' + PRINTF='{printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address}' + FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || 
OSName = "?";length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? IPv6 : ""}' + out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + echo "$out" + fi +elif [ "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand ifconfig + assertHaveCommand netstat + + CMD_LIST_INTERFACES='ifconfig -a' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + # shellcheck disable=SC2016 + CHOOSE_ACTIVE='/LOOPBACK/ {next} !/RUNNING/ {next} /^[a-z0-9]+: / {sub(":$", "", $1); print $1}' + UNIQUE='sort -u' + # shellcheck disable=SC2016 + GET_MAC='{$1 == "ether" && mac = $2}' + # shellcheck disable=SC2016 + GET_IP='/ netmask / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}' + # shellcheck disable=SC2016 + GET_SPEED_DUPLEX='/media: / {sub("\134(", "", $4); speed=$4; sub("-duplex.*", "", $5); sub("<", "", $5); duplex=$5}' + # shellcheck disable=SC2016 + GET_RXbytes_TXbytes_COLLISIONS_ERRORS='{ + if ($0 ~ /Name/) + { + for (i=1; i<=NF; i++) + { + if ($i == "Address") {address_column = i;} + else if ($i == "Ibytes") {ibytes_column = i;} + else if ($i == "Ierrs") {ierrs_column = i;} + else if ($i == "Obytes") {obytes_column = i;} + else if ($i == "Oerrs") {oerrs_column = i;} + else if ($i == "Coll") {coll_column = i;} + } + flag = 1; + } + + if(flag == 1){ + if ($address_column == mac) + { + (ibytes_column == "") ? 
RXbytes = "" : RXbytes = $(ibytes_column); + (ierrs_column == "") ? RXerrors = "" : RXerrors = $(ierrs_column); + (obytes_column == "") ? TXbytes = "" : TXbytes = $(obytes_column); + (oerrs_column == "") ? TXerrors = "" : TXerrors = $(oerrs_column); + (coll_column == "") ? collisions = "" : collisions = $(coll_column); + } + } + }' + FILL_BLANKS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"; length(IPv6_Address) || IPv6_Address = "?"; length(speed) || speed = ""; length(duplex) || duplex = ""; IPv4 = IPv4 ? IPv4 : ""; IPv6 = IPv6 ? IPv6 : ""}' + GET_ALL="$GET_MAC $GET_IP $GET_SPEED_DUPLEX $GET_RXbytes_TXbytes_COLLISIONS_ERRORS $FILL_BLANKS" + + out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST") + lines=$(echo "$out" | wc -l) + if [ "$lines" -gt 0 ]; then + echo "$HEADER" + fi + for iface in $out + do + echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST" + CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface" + # shellcheck disable=SC2086 + $CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface" + echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST" + done +fi +# jscpd:ignore-end diff --git a/deployment-apps/Splunk_TA_nix/bin/iostat.sh b/deployment-apps/Splunk_TA_nix/bin/iostat.sh new file mode 100755 index 0000000..2922290 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/iostat.sh 
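Review bot: In the AIX branch, the last rule of GET_COLLISIONS_RXbytes_TXbytes_SPEED_DUPLEX_ERRORS is written `($1="Transmit" && $2="Errors:")` with assignment instead of comparison, so it is true for every record, rewrites $1/$2 (which rebuilds $0 before GET_IP and GET_MAC run on the same line, so `/^Hardware Address:/` can no longer match), and leaves TXerrors/RXerrors holding $3/$6 of whatever the last line was; it should be `($1=="Transmit" && $2=="Errors:") {TXerrors=$3 ; RXerrors=$6}`. In the Linux `for iface in $out` loop, SPEED and DUPLEX are never cleared at the top of an iteration, so an interface without a readable `/sys/class/net/$iface/duplex` inherits the previous interface's values through the `"$DUPLEX" = ""` / `"$SPEED" = ""` guards; adding `SPEED="" ; DUPLEX=""` as the first statements of the loop body fixes that. The Linux os-release DEFINE uses `grep '\bNAME='` over `cat /etc/*release`, which can yield several lines when more than one release file exists and then word-splits into extra awk operands — `| head -n 1` as the non-os-release branch already does; the identical pipeline in iostat_metric.sh has the same issue. Interface names scraped from `ip`/`ifconfig` output are interpolated unquoted into `eval` strings (CMD_DESCRIBE_INTERFACE, CMD), which is fragile for any name containing shell metacharacters; quoting `"$iface"` or running the two commands directly instead of through eval would be more robust.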
@@ -0,0 +1,52 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+if [ "$KERNEL" = "Linux" ] ; then
+ CMD='iostat -xky 1 1'
+ assertHaveCommand "$CMD"
+ # considers the device, r/s and w/s columns and returns output of the first interval
+ FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
+elif [ "$KERNEL" = "SunOS" ] ; then
+ CMD='iostat -xn 1 2'
+ assertHaveCommand "$CMD"
+ # considers the device, r/s and w/s columns and returns output of the second interval
+ FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
+elif [ "$KERNEL" = "AIX" ] ; then
+ CMD='iostat 1 2'
+ assertHaveCommand "$CMD"
+ # considers the disks, kb_read and kb_wrtn columns and returns output of the second interval
+ FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ CMD='iostat -x -c 2'
+ assertHaveCommand "$CMD"
+ # considers the device, r/s and w/s columns and returns output of the second interval
+ FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
+elif [ "$KERNEL" = "Darwin" ] ; then
+ CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
+ # shellcheck disable=SC2086
+ assertHaveCommandGivenPath $CMD
+ # shellcheck disable=SC2016
+ HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct'
+ HEADERIZE="BEGIN {print \"$HEADER\"}"
+ PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct}'
+ # shellcheck disable=SC2016
+ FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
+ FORMAT='avgSvcMillis=bandwUtilPct="?";'
+ FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
+ # Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
+ LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
+ FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
+ SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
+ $CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER"
+ echo "Cmd = [$CMD]; | awk '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
+ exit 0
+fi
+
+$CMD | tee "$TEE_DEST" | $AWK "$FILTER"
+echo "Cmd = [$CMD]; | $AWK '$FILTER'" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/iostat_metric.sh b/deployment-apps/Splunk_TA_nix/bin/iostat_metric.sh
new file mode 100755
index 0000000..52b135e
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/iostat_metric.sh
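Review bot: The Darwin getLatency function in LATENCY ends with `return expr read + write;`, where `expr` is an uninitialised awk variable being string-concatenated onto the sum; it only works because the empty string concatenates away, and should read `return read + write;`. The same function body is pasted into iostat_metric.sh's Darwin branch, so fix it there too. getDeltaPS divides by the literal 2.0 that has to stay equal to the `sleep 2` inside CMD; a comment such as `# 2.0 = seconds between the two darwin_disk_stats samples, must match the sleep in CMD`, or one INTERVAL variable used in both places, would keep them from drifting apart. The comment above LATENCY names `darwin__disk_stats` with a doubled underscore while the binary invoked is `darwin_disk_stats`.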
@@ -0,0 +1,67 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# suggested command for testing reads: $ find / -type f 2>/dev/null | xargs wc &> /dev/null &
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+if [ "$KERNEL" = "Linux" ] ; then
+ CMD='iostat -xky 1 1'
+ assertHaveCommand "$CMD"
+ if [ ! -f "/etc/os-release" ] ; then
+ DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
+ else
+ DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
+ fi
+ FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
+ # shellcheck disable=SC2016
+ PRINTF='{if ($0~/Device/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
+elif [ "$KERNEL" = "SunOS" ] ; then
+ CMD='iostat -xn 1 2'
+ # jscpd:ignore-start
+ assertHaveCommand "$CMD"
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
+ # shellcheck disable=SC2016
+ PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
+ # jscpd:ignore-end
+elif [ "$KERNEL" = "AIX" ] ; then
+ CMD='iostat 1 2'
+ assertHaveCommand "$CMD"
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
+ # shellcheck disable=SC2016
+ PRINTF='{if ($0~/Disks/ && /Kb_read/ && /Kb_wrtn/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version/1000, IP_address}}'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ CMD='iostat -x -c 2'
+ assertHaveCommand "$CMD"
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ FILTER='/device/ && /r\/s/ && /w\/s/ {f++;} f==2'
+ # shellcheck disable=SC2016
+ PRINTF='{if ($0~/device/ && /r\/s/ && /w\/s/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version, IP_address}}'
+elif [ "$KERNEL" = "Darwin" ] ; then
+ CMD="eval $SPLUNK_HOME/bin/darwin_disk_stats ; sleep 2; echo Pause; $SPLUNK_HOME/bin/darwin_disk_stats"
+ # shellcheck disable=SC2086
+ assertHaveCommandGivenPath $CMD
+ HEADER='Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct OSName OS_version IP_address'
+ HEADERIZE="BEGIN {print \"$HEADER\"}"
+ PRINTF='{printf "%-10s %11s %11s %12s %12s %13s %13s %13s %-35s %15s %-16s\n", device, rReq_PS, wReq_PS, rKB_PS, wKB_PS, avgWaitMillis, avgSvcMillis, bandwUtilPct, OSName, OS_version, IP_address}'
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ # shellcheck disable=SC2016
+ FILTER='BEGIN {FS="|"; after=0} /^Pause$/ {after=1; next} !/Bytes|Operations/ {next} {devices[$1]=$1; values[after,$1,$2]=$3; next}'
+ FORMAT='{avgSvcMillis=bandwUtilPct="?";OSName=OSName;OS_version=OS_version;IP_address=IP_address;}'
+ FUNC1='function getDeltaPS(disk, metric) {delta=values[1,disk,metric]-values[0,disk,metric]; return delta/2.0}'
+ # Calculates the latency by pulling the read and write latency fields from darwin__disk_stats and evaluating their sum
+ LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
+ FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
+ SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
+ # shellcheck disable=SC2086
+ $CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER"
+ echo "Cmd = [$CMD]; | awk $DEFINE '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
+ exit 0
+fi
+# shellcheck disable=SC2086
+$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF"
+echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER'" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/lastlog.sh b/deployment-apps/Splunk_TA_nix/bin/lastlog.sh
new file mode 100755
index 0000000..c84685b
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/lastlog.sh
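Review bot: The trace written on the last line records `'$FILTER'` only, while the command actually executed just above it runs `"$FILTER $PRINTF"`, so the copy kept in TEE_DEST cannot be used to reproduce the output; make it `echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER $PRINTF'" >> "$TEE_DEST"`. In the Darwin FORMAT, `OSName=OSName;OS_version=OS_version;IP_address=IP_address;` are self-assignments with no effect and can be dropped, leaving `FORMAT='{avgSvcMillis=bandwUtilPct="?";}'`. The per-OS DEFINE pipelines here repeat those in interfaces_metric.sh verbatim; since both scripts already source common.sh, a shared helper there (if that file is the intended home for such code) would keep the two from diverging.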
@@ -0,0 +1,53 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='USERNAME FROM LATEST' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%-30s %-30.30s %-s\n", username, from, latest}' + +if [ "$KERNEL" = "Linux" ] ; then + CMD='last -iw' + # shellcheck disable=SC2016 + FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = (NF==10) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' +elif [ "$KERNEL" = "SunOS" ] ; then + CMD='last -n 999' + # shellcheck disable=SC2016 + FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = (NF==10) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' +elif [ "$KERNEL" = "AIX" ] ; then + failUnsupportedScript +elif [ "$KERNEL" = "Darwin" ] ; then + CMD='last -99' + # shellcheck disable=SC2016 + FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = ($0 !~ / /) ? $3 : ""; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}' +elif [ "$KERNEL" = "HP-UX" ] ; then + CMD='lastb -Rx' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = ($2=="console") ? $2 : $3; latest = $(NF-3) " " $(NF-2)" " $(NF-1)}' + # shellcheck disable=SC2016 + FILTER='{if ($1 == "BTMPS_FILE") next; if (NF==0) next; if (NF<=6) next;}' +elif [ "$KERNEL" = "FreeBSD" ] ; then + CMD='lastlogin' + # shellcheck disable=SC2016 + FORMAT='{username = $1; from = (NF==8) ? 
$3 : ""; latest=$(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF}' +fi + +assertHaveCommand $CMD + +out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER") +lines=$(echo "$out" | wc -l) +if [ "$lines" -gt 1 ]; then + echo "$out" + echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" +else + echo "No data is present" >> "$TEE_DEST" +fi diff --git a/deployment-apps/Splunk_TA_nix/bin/lsof.sh b/deployment-apps/Splunk_TA_nix/bin/lsof.sh new file mode 100755 index 0000000..1b3e411 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/lsof.sh 
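Review bot: The HP-UX branch runs `lastb -Rx`, and if HP-UX's `lastb` behaves like its Linux namesake it reads the bad-login record rather than wtmp, so the `USERNAME FROM LATEST` rows from that branch would describe failed attempts while every other branch describes successful logins; either the header/sourcetype should say so or the HP-UX `last` equivalent should be used. Separately, `assertHaveCommand $CMD` is the only unquoted call in this commit — every other script passes `"$CMD"` — and for `CMD='last -iw'` word-splitting hands `-iw` to the helper as a second argument, so `assertHaveCommand "$CMD"` keeps it consistent. The AIX branch calls `failUnsupportedScript` and then falls through to the pipeline with an empty `CMD`, which is only safe if that helper (defined in common.sh, outside this diff) exits.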
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +assertHaveCommand lsof +HEADER='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME' +# shellcheck disable=SC2016 +HEADERIZE='{NR == 1 && $0 = header}' +CMD='lsof -nPs' +# shellcheck disable=SC2016 +PRINTF='{printf "%-15.15s %-10s %-15.15s %-8s %-8s %-15.15s %15s %-20.20s %-s\n", $1,$2,$3,$4,$5,$6,$7,$8,$9}' + +if [ "$KERNEL" = "Linux" ] ; then + # shellcheck disable=SC2016 + HEADERIZE='NR == 1 {match($0, "USER"); separator=RSTART+RLENGTH; match($0, "NAME"); name_start=RSTART; mid_length=RSTART-separator; } + { first_part=substr($0, 0, separator); + mid_part=substr($0, separator, mid_length); + last_part=substr($0, name_start); + split(first_part, first, " "); + split(mid_part, mid, " "); + split(last_part, last, " "); + if (length(last) > 1 ) { for(ptr=2; ptr<=length(last); ptr++) { $(NF+1-length(last)) = $(NF+1-length(last)) FS last[ptr]; } } + if (length(first) == 4) { $3=$4; $4=$5; $5=$6; $6=$7; $7=$8; $8=$9; $9=$10; } + } + NR==1 { $0 = header;}' + # shellcheck disable=SC2016 + FILTER='/Permission denied/ {next} {if ($4 == "NOFD" || $5 == "unknown") next}' + # shellcheck disable=SC2016 + FILL_BLANKS='{ if(length(mid) == 4) {$9=$8; $8=$7; $7="?" 
} else if(length(mid) == 3) {$9=$7; $8=$6; $7="?"; $6="?"; } }' +elif [ "$KERNEL" = "HP-UX" ] ; then + # shellcheck disable=SC2016 + FILTER='/Permission denied/ {next} {if ($4 == "NOFD" || $5 == "unknown") next}' + # shellcheck disable=SC2016 + FILL_BLANKS='{if (NF<9) {node=$7; name=$8; $7="?"; $8=node; $9=name}}' +elif [ "$KERNEL" = "SunOS" ] ; then + failUnsupportedScript +elif [ "$KERNEL" = "AIX" ] ; then + failUnsupportedScript +elif [ "$KERNEL" = "Darwin" ] ; then + # shellcheck disable=SC2016 + FILTER='{if ($5 ~ /KQUEUE|PIPE|PSXSEM/) next}' + # shellcheck disable=SC2016 + FILL_BLANKS='{if (NF<9) {name=$8; $8="?"; $9=name}}' +elif [ "$KERNEL" = "FreeBSD" ] ; then + # the below syntax is valid when using zsh, bash, ksh + if [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then + # empty condition to allow the execution of script as is + echo > /dev/null + else + failUnsupportedScript + fi +fi + +assertHaveCommand "$CMD" +# shellcheck disable=SC2094 +$CMD 2>"$TEE_DEST" | tee "$TEE_DEST" | awk "$HEADERIZE $FILTER $FILL_BLANKS $PRINTF" header="$HEADER" +echo "Cmd = [$CMD 2>$TEE_DEST]; | awk '$HEADERIZE $FILTER $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/netstat.sh b/deployment-apps/Splunk_TA_nix/bin/netstat.sh new file mode 100755 index 0000000..3359e46 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/netstat.sh 
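Review bot: The FreeBSD version test `[[ $KERNEL_RELEASE =~ 11.* ]]` is an unanchored regex in which `.` matches any character, so it accepts any release string containing `11` anywhere, and `echo > /dev/null` stands in for the shell no-op `:`; one anchored test, `if [[ $KERNEL_RELEASE =~ ^1[123]\. ]]; then :`, followed by the existing `else failUnsupportedScript` says what was meant. package.sh in this same commit has the same unanchored `10.*`/`11.*`/`12.*`/`13.*` chain. Also, `$CMD 2>"$TEE_DEST" | tee "$TEE_DEST"` opens the same file for two concurrent writers (SC2094 is suppressed), so lsof's stderr and the tee'd stdout overwrite each other and the `Permission denied` warnings the debug file is meant to capture can be lost; keeping stderr in a separate file, or appending it after the pipeline, avoids the clobbering.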
@@ -0,0 +1,52 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Proto Recv-Q Send-Q LocalAddress ForeignAddress State' +HEADERIZE="BEGIN {print \"$HEADER\"}" +# shellcheck disable=SC2016 +PRINTF='{printf "%-5s %6s %6s %-30.30s %-30.30s %-s\n", $1, $2, $3, $4, $5, $6}' +# shellcheck disable=SC2016 +FILL_BLANKS='($1=="udp") {$6=""}' + +if [ "$KERNEL" = "Linux" ] ; then + queryHaveCommand ss + FOUND_SS=$? + if [ $FOUND_SS -eq 0 ] ; then + CMD='eval ss -antu 2>/dev/null | egrep "tcp|udp"' + # shellcheck disable=SC2016 + FORMAT='{ state=$2; $2=$3; $3=$4; $4=$5; $5=$6; $6=state}' + else + CMD='eval netstat -aenp 2>/dev/null | egrep "tcp|udp"' + fi +elif [ "$KERNEL" = "SunOS" ] ; then + CMD='netstat -an -f inet -f inet6' + FIGURE_SECTION='NR==1 {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}' + FILTER='/: IPv|Local Address|^$|^-----/ {next}' + # shellcheck disable=SC2016 + FORMAT_UDP='(inUDP) {localAddr=$1; $1="udp"; $2=$3=0; $4=localAddr; $5="*.*"}' + # shellcheck disable=SC2016 + FORMAT_TCP='(inTCP) {localAddr=$1; foreignAddr=$2; sendQ=$4; recvQ=$6; state=$7; $1="tcp"; $2=recvQ; $3=sendQ; $4=localAddr; $5=foreignAddr; $6=state}' + FORMAT="$FORMAT_UDP $FORMAT_TCP" +elif [ "$KERNEL" = "AIX" ] ; then + CMD='eval netstat -an 2>/dev/null | egrep "tcp|udp"' +elif [ "$KERNEL" = "Darwin" ] ; then + CMD='eval netstat -anW | egrep "tcp|udp"' + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1)}' +elif [ "$KERNEL" = "HP-UX" ] ; then + CMD='eval netstat -an | egrep "tcp|udp"' +elif [ "$KERNEL" = "FreeBSD" ] ; then + # shellcheck disable=SC2089 + CMD='eval netstat -an | egrep "tcp|udp"' + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1)}' +fi + +assertHaveCommand "$CMD" +# shellcheck disable=SC2090 +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF" header="$HEADER" +echo "Cmd = 
[$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/nfsiostat.sh b/deployment-apps/Splunk_TA_nix/bin/nfsiostat.sh new file mode 100755 index 0000000..0b0045b --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/nfsiostat.sh 
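Review bot: The `egrep` in the Linux, AIX, Darwin, HP-UX and FreeBSD command strings is obsolescent; on Linux distributions shipping GNU grep 3.8 or later every invocation prints `egrep: warning: egrep is obsolescent; using grep -E` on stderr, and since these scripts do not redirect their own stderr that warning surfaces in the forwarder's log on each run. `grep -E "tcp|udp"` is the portable spelling (it is what `egrep` has always expanded to), e.g. `CMD='eval ss -antu 2>/dev/null | grep -E "tcp|udp"'`. openPorts.sh in this commit has the same `egrep` calls and should get the same change.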
@@ -0,0 +1,163 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Mount Path r_op/s w_op/s r_KB/s w_KB/s rpc_backlog r_avg_RTT w_avg_RTT r_avg_exe w_avg_exe' +HEADERIZE="BEGIN {print \"$HEADER\"}" + +# We can have the multiple mounts for the nfs. So we have to parse mount separately. +# For CentOS and RHEL the number of lines for each mount is 9, while for the ubuntu it is 22 +# due to the bug mentioned in this link. https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1584719 +# So, we are handling the case of Ubuntu separately. + +# When awk iterates through each line, using modulo operator we are checking the line number +# And extracting the particular value from that line and assigning it to the variable +# which we will use when the output of modulo is 0 as it will be the last line of that mount. + +# We are also removing last character in the line "path=substr($4, 1, length($4)-1)" +# as last character of the path is ":" + +if [ "$KERNEL" = "Linux" ] ; then + CMD='nfsiostat' + + assertHaveCommand $CMD + no_of_lines=$($CMD| wc -l) + + # If there are no mount, exit + if [ "$no_of_lines" -eq 1 ]; + then + $CMD >> "$TEE_DEST" + exit 1 + fi + OS_FILE=/etc/os-release + # Below condition is added to handle the case of Ubuntu OS + if [ -e $OS_FILE ] && (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q ubuntu); + then + # shellcheck disable=SC2016 + OS_RELEASE=$($AWK -F= '/VERSION_ID=/ {print $2}' $OS_FILE) + if [ "$OS_RELEASE" = "\"18.04\"" ] || [ "$OS_RELEASE" = "\"20.04\"" ] || [ "$OS_RELEASE" = "\"22.04\"" ] ; then # Ubuntu 18.04, 20.04 and 22.04 + # shellcheck disable=SC2016 + FORMAT='{ + if (NR%10==2){ + echo "device" + device=$1 + path=substr($4, 1, length($4)-1) + } + else if (NR%10==5){ + rpc_backlog=$2 + } + else if (NR%10==8){ + r_op_s=$1 + r_kb_s=$2 + r_avg_rtt=$6 + r_avg_exe=$7 + } + else if (NR%10==0){ + w_op_s=$1 + w_kb_s=$2 + 
w_avg_rtt=$6 + w_avg_exe=$7 + printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe + } + }' + else + # shellcheck disable=SC2016 + FORMAT='{ + if (NR%22==2){ + echo "device" + device=$1 + path=substr($4, 1, length($4)-1) + } + else if (NR%22==6){ + rpc_backlog=$1 + } + else if (NR%22==9){ + r_op_s=$1 + } + else if (NR%22==10){ + r_kb_s=$1 + } + else if (NR%22==13){ + r_avg_rtt=$1 + } + else if (NR%22==14){ + r_avg_exe=$1 + } + else if (NR%22==17){ + w_op_s=$1 + } + else if (NR%22==18){ + w_kb_s=$1 + } + else if (NR%22==21){ + w_avg_rtt=$1 + } + else if (NR%22==0){ + w_avg_exe=$1 + printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe + } + }' + fi + # For CentOS and RHEL + else + #For RHEL 8.x + if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q rhel) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8.7\|8.6\|8.5\|8.4\|8.3\|9) ) || ( (awk -F'=' '/ID=/ {print $2}' $OS_FILE | grep -q cent) && (awk -F'=' '/VERSION_ID=/ {print $2}' $OS_FILE | grep -Eq 8) ) ); + then + # shellcheck disable=SC2016 + FORMAT='{ + if (NR%10==2){ + device=$1 + path=substr($4, 1, length($4)-1) + } + else if (NR%10==5){ + rpc_backlog=$2 + } + else if (NR%10==8){ + r_op_s=$1 + r_kb_s=$2 + r_avg_rtt=$6 + r_avg_exe=$7 + } + else if (NR%10==0){ + w_op_s=$1 + w_kb_s=$2 + w_avg_rtt=$6 + w_avg_exe=$7 + printf "%s %s %s %s %s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe + } + }' + else + # shellcheck disable=SC2016 + FORMAT='{ + if (NR%9==2){ + device=$1 + path=substr($4, 1, length($4)-1) + } + else if (NR%9==5){ + rpc_backlog=$2 + } + else if (NR%9==7){ + r_op_s=$1 + r_kb_s=$2 + r_avg_rtt=$6 + r_avg_exe=$7 + } + else if (NR%9==0){ + w_op_s=$1 + w_kb_s=$2 + w_avg_rtt=$6 + w_avg_exe=$7 + printf "%s %s %s %s 
%s %s %s %s %s %s %s\n",device, path, r_op_s, w_op_s, r_kb_s, w_kb_s, rpc_backlog, r_avg_rtt, w_avg_rtt, r_avg_exe, w_avg_exe + } + }' + fi + fi + $CMD | tee "$TEE_DEST" | awk "$HEADERIZE $FORMAT" | column -t + echo "Cmd = [$CMD]; | awk '$HEADERIZE $FORMAT' header=\"$HEADER\"" >> "$TEE_DEST" + +else + failUnsupportedScript +fi diff --git a/deployment-apps/Splunk_TA_nix/bin/openPorts.sh b/deployment-apps/Splunk_TA_nix/bin/openPorts.sh new file mode 100755 index 0000000..a4dbd20 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/openPorts.sh 
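Review bot: The RHEL version test `grep -Eq 8.7\|8.6\|8.5\|8.4\|8.3\|9` is unanchored and its last alternative is a bare `9`, so a `VERSION_ID` such as `"7.9"` also matches and a RHEL 7.9 host is parsed with the 10-line-per-mount layout instead of the 9-line one in the `else` branch, silently producing shifted columns; anchoring it, e.g. `grep -Eq '^"?(8\.[3-7]|9)'`, restricts it to the 8.3–8.7 and 9.x releases the `#For RHEL 8.x` comment intends. The two Ubuntu FORMAT scripts also carry a leftover `echo "device"` inside the awk block — awk parses it as a concatenation of an unset variable with a string and discards the result, so it is dead debugging text that should be removed. Note too that `$CMD` is executed twice (once for `no_of_lines`, once for the real parse), so the two runs can observe different mount sets.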
@@ -0,0 +1,66 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# a similar effect can be accomplished with: "nc -z 127.0.0.1 1-32768", and "nc -zu 127.0.0.1 1-32768" + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='Proto Port' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%-5s %5d\n", proto, port}' +# shellcheck disable=SC2016 +FILTER_INACTIVE='($NF ~ /^CLOSE/) {next}' + +if [ "$KERNEL" = "Linux" ] ; then + queryHaveCommand ss + FOUND_SS=$? + if [ $FOUND_SS -eq 0 ] ; then + CMD='eval ss -lnut | egrep "^tcp|^udp"' + # shellcheck disable=SC2016 + FORMAT='{proto=$1; sub("^.*:", "", $5); port=$5}' + else + CMD='eval netstat -ln | egrep "^tcp|^udp"' + # shellcheck disable=SC2016 + FORMAT='{proto=$1; sub("^.*:", "", $4); port=$4}' + fi +elif [ "$KERNEL" = "SunOS" ] ; then + CMD='netstat -an -f inet -f inet6' + FIGURE_SECTION='BEGIN {inUDP=1;inTCP=0} /^TCP: IPv/ {inUDP=0;inTCP=1} /^SCTP:/ {exit}' + FILTER='/: IPv|Local Address|^$|^-----/ {next} (! 
port) {next}' + # shellcheck disable=SC2016 + FORMAT='{if (inUDP) proto="udp"; if (inTCP) proto="tcp"; sub("^.*[^0-9]", "", $1); port=$1}' +elif [ "$KERNEL" = "AIX" ] ; then + CMD='eval netstat -an | egrep "^tcp|^udp"' + HEADERIZE="BEGIN {print \"$HEADER\"}" + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}' + # shellcheck disable=SC2016 + FILTER='{if ($4 == "") next}' +elif [ "$KERNEL" = "Darwin" ] ; then + CMD='eval netstat -ln | egrep "^tcp|^udp"' + HEADERIZE="BEGIN {print \"$HEADER\"}" + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}' + # shellcheck disable=SC2016 + FILTER='{if ($4 == "") next}' +elif [ "$KERNEL" = "HP-UX" ] ; then + CMD='eval netstat -an | egrep "^tcp|^udp"' + HEADERIZE="BEGIN {print \"$HEADER\"}" + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}' + # shellcheck disable=SC2016 + FILTER='{if ($4 == "") next}' +elif [ "$KERNEL" = "FreeBSD" ] ; then +# shellcheck disable=SC2089 + CMD='eval netstat -ln | egrep "^tcp|^udp"' + HEADERIZE="BEGIN {print \"$HEADER\"}" + # shellcheck disable=SC2016 + FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}' +fi + +assertHaveCommand "$CMD" +# shellcheck disable=SC2090 +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF" header="$HEADER" +echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $FORMAT $FILTER $FILTER_INACTIVE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/openPortsEnhanced.sh b/deployment-apps/Splunk_TA_nix/bin/openPortsEnhanced.sh new file mode 100755 index 0000000..bafd04d --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/openPortsEnhanced.sh 
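Review bot: `HEADERIZE="BEGIN {print \"$HEADER\"}"` is reassigned with the identical value inside the AIX, Darwin, HP-UX and FreeBSD branches even though it is already set once at the top, so those four lines are redundant and can be deleted; the Darwin, HP-UX and AIX bodies then differ only in the `netstat` flags and could share their FORMAT/FILTER definitions. The same `egrep "^tcp|^udp"` usage as in netstat.sh applies here and should change to `grep -E` together with it.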
@@ -0,0 +1,125 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# In AWK scripts in this file, the following are true: +# FULLTEXT is used to capture the output for SHA256 checksum generation. +# SPLUNKD is used to determine Splunk service status. + +if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "Darwin" ] ; then + assertHaveCommand date + assertHaveCommand lsof + if [ -f /usr/sbin/lsof ] ; then + LSOF=/usr/sbin/lsof + elif [ -f /usr/bin/lsof ] ; then + # shellcheck disable=SC2034 + LSOF=/usr/bin/lsof + fi + # shellcheck disable=SC2016 + CMD='eval date ; ${LSOF} -i -P -n' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}' + # Only base the file hash on the listening ports, not on + # open connections. + # shellcheck disable=SC2016 + PARSE_1='/LISTEN|[Uu][Dd][Pp]/ { + FULLTEXT = FULLTEXT $0 "\n" + idx=match($0, /\(LISTEN\)/) + if (idx>0) { + DATA=substr($0, 0, idx-1) + } else { + DATA=$0 + } + fields = split(DATA, portarr) + + # This compensates for varying field counts. 
+ if (fields == 9) { + hostfields = split(portarr[9], hostarr, ":") + TRANSPORT="transport=" portarr[8] + } else if (fields == 8) { + hostfields = split(portarr[8], hostarr, ":") + TRANSPORT="transport=" portarr[7] + } + + if (hostfields == 2 && hostarr[2] ~ /[0-9][0-9]*/) { + DESTIP="dest_ip=" hostarr[1] + DESTPORT="dest_port=" hostarr[2] + APP="app=" portarr[1] + PID="pid=" portarr[2] + USER="user=" portarr[3] + FD="fd=" portarr[4] + IPVERSION="ip_version=" substr(portarr[5],index(portarr[5],"v")+1) + DVCID="dvc_id=" portarr[6] + #printf "MATCH: %s\n", $0 + printf "%s %s %s %s %s %s %s %s %s %s\n", DATE, APP, DESTIP, DESTPORT, PID, USER, FD, IPVERSION, DVCID, TRANSPORT + } else { + #printf "NOMATCH: %s\n", $0 + ; + } + }' + MASSAGE="$PARSE_0 $PARSE_1" + + # Send the collected full text to openssl; this avoids any timing discrepancies + # between when the information is collected and when we process it. + # shellcheck disable=SC2016 + POSTPROCESS='END { + printf "%s %s", DATE, "file_hash=" + printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256" + }' + +elif [ "$KERNEL" = "SunOS" ] ; then + + assertHaveCommand date + assertHaveCommand netstat + + CMD='eval date ; netstat -an -f inet -f inet6' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}' + # shellcheck disable=SC2016 + PARSE_1='/^[Tt][Cc][Pp]|[Uu][Dd][Pp]/ { + split($0, protoarr, ":") + TRANSPORT="transport=" protoarr[1] + IPVERSION="ip_version=" substr(protoarr[2],index(protoarr[2],"v")+1) + next + }' + # shellcheck disable=SC2016 + PARSE_3='NR>1 && $0 !~ /Local|^-|^$/ { + FULLTEXT = FULLTEXT $0 "\n" + split($0, arr) + num = split(arr[1], hostarr, "\.") + if ( TRANSPORT ~ /[Tt][Cc][Pp]/) { + DESTIP="dest_ip="hostarr[1] + } else { + DESTIP="dest_dns="hostarr[1] + } + DESTPORT=hostarr[num] + + for (i=2; i> "$TEE_DEST" 
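Review bot: In PARSE_1 a socket is only emitted when `split(portarr[9], hostarr, ":")` yields exactly two fields, so an IPv6 bind that lsof prints in bracket form (`[::1]:631`, `[::]:22`) splits into four fields and is silently dropped from the per-port events while `*:port` lines pass; taking the port as the text after the last colon, e.g. `port=portarr[9]; sub("^.*:", "", port)` and the host as the remainder, covers both forms. The FULLTEXT that feeds `file_hash` collects every line matching `/LISTEN|[Uu][Dd][Pp]/`, and the UDP alternative has no bound-versus-connected distinction, so a transient client UDP socket (a `->` line) changes the hash between runs even though the comment says only listening ports are hashed. `LSOF` is left unset when lsof is on PATH but in neither `/usr/sbin` nor `/usr/bin`, so `LSOF=lsof` as a default before the `if` would use the binary `assertHaveCommand lsof` just found. The SunOS PARSE_3 loop and the final pipeline cannot be reviewed here: the hunk text is truncated between `for (i=2; i` and `> "$TEE_DEST"`.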
diff --git a/deployment-apps/Splunk_TA_nix/bin/package.sh b/deployment-apps/Splunk_TA_nix/bin/package.sh new file mode 100755 index 0000000..f7aed95 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/package.sh 
@@ -0,0 +1,67 @@ +#!/usr/bin/env bash +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER='NAME VERSION RELEASE ARCH VENDOR GROUP' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='{printf "%-55.55s %-20.20s %-20.20s %-10.10s %-30.30s %-20s\n", name, version, release, arch, vendor, group}' + +CMD='echo There is no flavor-independent command...' +if [ "$KERNEL" = "Linux" ] ; then + if $DEBIAN; then + CMD1="eval dpkg-query -W -f='" + # shellcheck disable=SC2016 + CMD2='${Package} ${Version} ${Architecture} ${Homepage}\n' + CMD3="'" + CMD=$CMD1$CMD2$CMD3 + # shellcheck disable=SC2016 + FORMAT='{name=$1;version=$2;sub("\\.?[^0-9\\.:\\-].*$", "", version); release=$2; sub("^[0-9\\.:\\-]*","",release); if(release=="") {release="?"}; arch=$3; if (NF>3) {sub("^.*:\\/\\/", "", $4); sub("^www\\.", "", $4); sub("\\/.*$", "", $4); vendor=$4} else {vendor="?"} group="?"}' + else + CMD='eval rpm --query --all --queryformat "%-56{name} %-21{version} %-21{release} %-11{arch} %-31{vendor} %-{group}\n"' + # shellcheck disable=SC2016 + PRINTF='{print $0}' + fi +elif [ "$KERNEL" = "SunOS" ] ; then + CMD='pkginfo -l' + # shellcheck disable=SC2016 + FORMAT='/PKGINST:/ {name=$2 ":"} /NAME:/ {for (i=2;i<=NF;i++) name = name " " $i} /CATEGORY:/ {group=$2} /ARCH:/ {arch=$2} /VERSION:/ {split($2,a,",REV="); version=a[1]; release=a[2]} /VENDOR:/ {vendor=$2; for(i=3;i<=NF;i++) vendor = vendor " " $i}' + SEPARATE_RECORDS='!/^$/ {next} {release = release ? 
release : "?"}' +elif [ "$KERNEL" = "AIX" ] ; then + CMD='eval lslpp -icq | sed "s,:, ," | sed "s,:.*,,"' + # shellcheck disable=SC2016 + FORMAT='{name=$2 ; version=$3 ; vendor=release=arch=group="?"}' +elif [ "$KERNEL" = "Darwin" ] ; then + CMD='system_profiler SPApplicationsDataType' + FILTER='{ if (NR<3) next}' + # shellcheck disable=SC2016 + FORMAT='{gsub("[^\40-\176]", "", $0)} /:$/ {sub("^[ ]*", "", $0); sub(":$", "", $0); name=$0} /Last Modified: / {vendor=""} /Version: / {version=$2} /Kind: / {arch=$2} /Get Info String: / {sub("^.*: ", "", $0); sub("[Aa]ll [Rr]ights.*$", "", $0); sub("^.*[Cc]opyright", "", $0); sub("^[^a-zA-Z_]*[0-9][0-9[0-9][0-9]", "", $0); sub("^[ ]*", "", $0); vendor=$0}' + SEPARATE_RECORDS='!/Location:/ {next} {release = "?"; vendor = vendor ? vendor : "?"; group = "?"}' +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand swlist + CMD='swlist -a revision -a architecture -a vendor_tag' + # shellcheck disable=SC2016 + FILTER='/^#/ {next} $1=="" {next}' + # shellcheck disable=SC2016 + FORMAT='{release="?"; group="?"; vendor="?"; name=$1; version=$2; arch=$3} NF==4 {vendor=$4}' +elif [ "$KERNEL" = "FreeBSD" ] ; then + # the below syntax is valid when using zsh, bash, ksh + if [[ $KERNEL_RELEASE =~ 10.* ]] || [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then + CMD='eval pkg info --raw --all | grep "^name:\|^version:\|^arch:" | cut -d\" -f2' + HEADER='NAME VERSION ARCH ' + HEADERIZE="BEGIN {print \"$HEADER\"}" + # shellcheck disable=SC2016 + PRINTF='{ printf "%-50.50s" (NR%3==0 ? RS:FS),$1}' + else + CMD='pkg_info -da' + # shellcheck disable=SC2016 + FORMAT='/^Information for / {vendor=""; sub(":$", "", $3); name=$3} /^WWW: / {sub("^.*//", "", $2); sub("/.*$", "", $2); sub("^www\134.", "", $2); vendor=$2} /^$/ {blanks+=1} !/^$/ {blanks=0}' + SEPARATE_RECORDS='(blanks<3) {next} {vendor = vendor ? 
vendor : "?"; version=release=arch=group="?"}'
+ fi
+fi
+
+assertHaveCommand "$CMD"
+$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/passwd.sh b/deployment-apps/Splunk_TA_nix/bin/passwd.sh
new file mode 100755
index 0000000..0f1abcf
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/passwd.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+PRINTF='END {printf "%s %s\n", DATE, FILEHASH}'
+# shellcheck disable=SC2034
+PASSWD_FILE=/etc/passwd
+
+if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "x$KERNEL" != "xHP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
+ assertHaveCommand date
+ # shellcheck disable=SC2016
+ CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {DATE=$0}'
+ # shellcheck disable=SC2016
+ PARSE_1='NR==2 {FILEHASH="file_hash=" $2}'
+ # Note the inline print in the next PARSE statement.
+ # Comments are eliminated from the output, but included in FILEHASH.
+ # shellcheck disable=SC2016
+ PARSE_2='NR>2 && /^[^#]/ { split($0, arr, ":") ; printf "%s user=%s password=x user_id=%s user_group_id=%s home=%s shell=%s\n", DATE, arr[1], arr[3], arr[4], arr[6], arr[7]}'
+
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
+
+fi
+
+$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
+echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/protocol.sh b/deployment-apps/Splunk_TA_nix/bin/protocol.sh
new file mode 100755
index 0000000..2cf9e1e
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/protocol.sh
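Review bot: The Darwin FORMAT's year-stripping call `sub("^[^a-zA-Z_]*[0-9][0-9[0-9][0-9]", "", $0)` has a typo: `[0-9[0-9]` is a single bracket expression (digits or a literal `[`), so the regex consumes three characters rather than a four-digit year and leaves the last digit of the copyright year glued to the front of `vendor`; it should read `sub("^[^a-zA-Z_]*[0-9][0-9][0-9][0-9]", "", $0)`. `if $DEBIAN; then` relies on `DEBIAN` being defined by common.sh (outside this diff) as `true`/`false`; if it is ever unset the empty command succeeds and the dpkg branch runs on an rpm host, so `if [ "${DEBIAN:-false}" = true ]; then` would fail closed. The FreeBSD release regexes have the same unanchored form already raised on lsof.sh.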
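Review bot: The `|| [ "x$KERNEL" != "xHP-UX" ]` disjunct makes the whole condition true for every kernel except HP-UX, so the five equality tests around it are dead, and on HP-UX `CMD` stays empty while the pipeline at the bottom still runs, feeding awk no input and emitting a line of two empty fields from the `END` block. `if [ "$KERNEL" != "HP-UX" ] ; then` says what the test actually does, and an `else failUnsupportedScript` before `fi` (the pattern lastlog.sh and lsof.sh use in this commit) stops the empty-command run. `file_hash` is taken as `$2` of openssl's `SHA256(/etc/passwd)= <hex>` line, which silently yields an empty hash if the bundled openssl ever prints in a different layout; checking that `$2` is non-empty before the `END` print would make that failure visible rather than producing an event with no hash.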
@@ -0,0 +1,71 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +CMD='netstat -s' +HEADER=' IPdropped TCPrexmits TCPreorder TCPpktRecv TCPpktSent UDPpktLost UDPunkPort UDPpktRecv UDPpktSent' +HEADERIZE="BEGIN {print \"$HEADER\"}" +PRINTF='END {printf " %10d %10d %10d %10d %10d %10d %10d %10d %10d\n", IPdropped, TCPrexmits, TCPreorder, TCPpktRecv, TCPpktSent, UDPpktLost, UDPunkPort, UDPpktRecv, UDPpktSent}' + +if [ "$KERNEL" = "Linux" ] ; then + # shellcheck disable=SC2016 + FIGURE_SECTION='/^Ip:$/ {inIP=1;inTCP=0;inUDP=0} /^Tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^Udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^Ip:$|^Udp:$|^Tcp(Ext)?:$/) inIP=inTCP=inUDP=0}' + # shellcheck disable=SC2016 + SECTION_IP='inIP && /outgoing packets dropped/ {IPdropped=$1}' + # shellcheck disable=SC2016 + SECTION_TCP='inTCP && /segments retransmited/ {TCPrexmits=$1} inTCP && /Detected reordering/ {TCPreorder=$3} inTCP && /[0-9] segments received$/ {TCPpktRecv=$1} inTCP && /segments send out/ {TCPpktSent=$1}' + # shellcheck disable=SC2016 + SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}' +elif [ "$KERNEL" = "SunOS" ] ; then + # shellcheck disable=SC2016 + COMMON='{gsub("=", "", $0)}' + # shellcheck disable=SC2016 + SECTION_IP='/ipOutDiscards/ {IPdropped+=$2} /ipOutNoRoutes/ {IPdropped+=$4} /ipv6OutNoRoutes/ {IPdropped+=$2} /ipv6OutDiscards/ {IPdropped+=$4}' + # shellcheck disable=SC2016 + SECTION_TCP='/tcpRetransSegs/ {TCPrexmits=$2} /tcpInUnorderSegs/ {TCPreorder=$2} /tcpInSegs/ {TCPpktRecv=$2} /tcpOutSegs/ {TCPpktSent=$4}' + # shellcheck disable=SC2016 + SECTION_UDP='/udpOutErrors/ {UDPpktLost=$4} /udpInErrors/ {UDPunkPort=$5} /udpInDatagrams/ {UDPpktRecv=$3} /udpOutDatagrams/ {UDPpktSent=$2}' +elif [ "$KERNEL" = 
"AIX" ] ; then + # shellcheck disable=SC2016 + FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}' + # shellcheck disable=SC2016 + SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}' + # shellcheck disable=SC2016 + SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}' + # shellcheck disable=SC2016 + SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}' +elif [ "$KERNEL" = "Darwin" ] ; then + # shellcheck disable=SC2016 + FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}' + # shellcheck disable=SC2016 + SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}' + # shellcheck disable=SC2016 + SECTION_TCP='inTCP && /data packets? .* retransmitted/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}' + # shellcheck disable=SC2016 + SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? 
output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}' +elif [ "$KERNEL" = "HP-UX" ] ; then + # shellcheck disable=SC2016 + FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp(Ext)?:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp(Ext)?:$/) inIP=inTCP=inUDP=0}' + # shellcheck disable=SC2016 + SECTION_IP='inIP && /fragments dropped/ {IPdropped=$1}' + # shellcheck disable=SC2016 + SECTION_TCP='inTCP && /retransmited$/ {TCPrexmits=$1} inTCP && /out of order/ {TCPreorder=$1} inTCP && /[0-9] packets received$/ {TCPpktRecv=$1} inTCP && /[0-9] packets sent$/ {TCPpktSent=$1}' + # shellcheck disable=SC2016 + SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}' + elif [ "$KERNEL" = "FreeBSD" ] ; then + # shellcheck disable=SC2016 + FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}' + # shellcheck disable=SC2016 + SECTION_IP='inIP && /output packets? (dropped|discarded)/ {IPdropped+=$1}' + # shellcheck disable=SC2016 + SECTION_TCP='inTCP && /data packet.* bytes\) retransmitted$/ {TCPrexmits=$1} inTCP && /out-of-order packets?/ {TCPreorder=$1} inTCP && /packets? received$/ {TCPpktRecv=$1} inTCP && /packets? sent/ {TCPpktSent=$1}' + # shellcheck disable=SC2016 + SECTION_UDP='inUDP && /datagrams? received$/ {UDPpktRecv=$1} inUDP && /datagrams? 
output$/ {UDPpktSent=$1} inUDP && /dropped due to full socket buffers$/ {UDPpktLost=$1} inUDP && /dropped due to no socket$/ {UDPunkPort=$1}' +fi + +assertHaveCommand "$CMD" +$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER" +echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/ps.sh b/deployment-apps/Splunk_TA_nix/bin/ps.sh new file mode 100755 index 0000000..a50dd0f --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/ps.sh 
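Review bot: The FreeBSD branch's ` elif [ "$KERNEL" = "FreeBSD" ]` is indented one space deeper than every other `elif` in the chain, which reads as a nesting mistake in a script whose branches are otherwise flush-left. Beyond that, the AIX and FreeBSD bodies are byte-identical and Darwin differs only in its `SECTION_TCP` retransmit regex, so AIX and FreeBSD could share one `elif [ "$KERNEL" = "AIX" -o "$KERNEL" = "FreeBSD" ]` branch the way ps.sh in this commit merges Linux/Darwin/FreeBSD, leaving a single place to maintain those regexes. `COMMON` is assigned only in the SunOS branch and expands to nothing elsewhere, which looks intentional but deserves a one-line comment at its definition, e.g. `# COMMON strips the "=" kstat separators; empty on other platforms`.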
@@ -0,0 +1,76 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# shellcheck disable=SC2166 +if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand ps + CMD='ps auxww' +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/sysv/bin/ps + CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args' +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/bin/ps + CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args' +elif [ "$KERNEL" = "HP-UX" ] ; then + HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS' + # shellcheck disable=SC2016 + FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args=""; sub("^[^\134[: -]*/", "", $12)}' + # shellcheck disable=SC2016 + PRINTF='{if (NR == 1) {print $0} else {printf "%32.32s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, args}}' + # shellcheck disable=SC2016 + HEADERIZE='{NR == 1 && $0 = header}' + + assertHaveCommand ps + export UNIX95=1 + CMD='ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args' + # shellcheck disable=SC2016 + FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args=""; sub("^[\[\]]", "", $11)}' + # shellcheck disable=SC2016 + PRINTF='{if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, $11, arg}}' + + $CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FORMAT $PRINTF" header="$HEADER" + echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit +fi + +# shellcheck disable=SC2016 +# awk logic for adding extra field ARGS with underscore delimiter 
+ARGS_FORMAT='BEGIN {OFS = " ";} # specify output field separator +{ + if (NR == 1) # Add extra header/field ARGS in first (header) row + { + command_column = NF; + $(NF+1) = "ARGS"; + } + else + { + # If arguments exist, then append all with underscore delimeter, else specify + if ($(command_column+1) != "") + { + args = $(command_column+1); + for (i=command_column+2; i<=NF; i++) + { + args = args "_" $i; + $i = ""; + } + $(command_column+1) = args; + } + else + { + $(command_column+1) = ""; + } + + # Remove trailing white spaces if any + sub(/[ \t]+$/,"",$0); + } + print; +}' + +# Execute the command +$CMD | tee "$TEE_DEST" | $AWK "$ARGS_FORMAT" + +echo "Cmd = [$CMD]; $AWK '$ARGS_FORMAT'" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/ps_metric.sh b/deployment-apps/Splunk_TA_nix/bin/ps_metric.sh new file mode 100755 index 0000000..c434817 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/ps_metric.sh 
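Review bot: The HP-UX branch defines HEADER, FORMAT and PRINTF and then redefines FORMAT and PRINTF a few lines later, so the first pair is dead code; the surviving PRINTF ends with `$11, arg` while FORMAT computes `args`, so the joined-arguments variable is never printed (awk treats `arg` as empty, and with 13 format specifiers for 14 values the trailing value is dropped anyway). The `ps -e -o ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args` list is 10 columns wide, yet FORMAT starts the join at `$13` (`if (NF>12)`), so the first two arguments stay in the COMMAND column and joining only happens when three or more exist; `if (NF>10) {args=$11; for (j=12; j<=NF; j++) args = args "_" $j} else args=""` matches the column list, with PRINTF's tail becoming `$10, args`. ps_metric.sh's HP-UX branch, which begins in this diff but runs past it, copies the same `NF>12` logic and should be fixed together with this one.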
@@ -0,0 +1,110 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# jscpd:ignore-start +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# shellcheck disable=SC2166 +if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then + assertHaveCommand ps + CMD='ps auxww' + if [ "$KERNEL" = "Linux" ] ; then + if [ ! -f "/etc/os-release" ] ; then + DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + else + DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)" + fi + elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" + fi +elif [ "$KERNEL" = "AIX" ] ; then + assertHaveCommandGivenPath /usr/sysv/bin/ps + CMD='/usr/sysv/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. 
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommandGivenPath /usr/bin/ps + CMD='/usr/bin/ps -eo user,pid,psr,pcpu,time,pmem,rss,vsz,tty,s,etime,args' + # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address. + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)" +elif [ "$KERNEL" = "HP-UX" ] ; then + HEADER='USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED OSName OS_version IP_address COMMAND ARGS' + # shellcheck disable=SC2016 + FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args=""; sub("^[^\134[: -]*/", "", $12);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' + # shellcheck disable=SC2016 + PRINTF='{if (NR == 1) {print $0} else {printf "%-32.32s %8s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %15s %-35s %15s %-16s %-100.100s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, OSName, OS_version, IP_address, $12, args}}' + FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}' + # shellcheck disable=SC2016 + HEADERIZE='{NR == 1 && $0 = header}' + + assertHaveCommand ps + export UNIX95=1 + CMD='ps -e -o 
ruser,pid,pset,pcpu,time,vsz,tty,state,etime,args' + DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)" + # shellcheck disable=SC2016 + FORMAT='{sub("^_", "", $1); if (NF>12) {args=$13; for (j=14; j<=NF; j++) args = args "_" $j} else args=""; sub("^[\[\]]", "", $11);OSName=OSName;OS_version=OS_version;IP_address=IP_address;}' + # shellcheck disable=SC2016 + PRINTF='if (NR == 1) {print $0} else {printf "%-14.14s %6s %4s %6s %12s %6s %8s %8s %-7.7s %1.1s %12s %-35s %15s %-16s %-18.18s %s\n", $1, $2, $3, $4, $5, "?", "?", $6, $7, $8, $9, $10, OSName, OS_version, IP_address, $11, arg}}' + + # shellcheck disable=SC2086 + $CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF" header="$HEADER" + echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" + exit +fi + +# shellcheck disable=SC2016 +# awk logic for adding extra field ARGS with underscore delimiter and OSName, OS_version, IP_address +FORMAT='BEGIN {OFS = " ";} # specify output field separator +{ + if (NR == 1) # Add extra headers/fields - ARGS,OSName,OS_version,IP_address in first (header) row + { + # Replace TIME with CPUTIME to solve field extraction issue (metrics index) + sub("TIME","CPUTIME",$0); + + command_column = NF; + $(NF+1) = "ARGS"; + $(NF+1) = "OSName"; + $(NF+1) = "OS_version"; + $(NF+1) = "IP_address"; + $(NF+1) = "IPv6_Address"; + + } + else + { + # If arguments exist, then append all with underscore delimeter, else specify + if ($(command_column+1) != "") + { + args = $(command_column+1); + for (i=command_column+2; i<=NF; i++) + { + args = args "_" $i; + $i = ""; + } + $(command_column+1) = args; + } + else + { + $(command_column+1) = ""; + } + + # Append OSName, OS_version, IP_address values in the last three columns + if (OSName == "") {$(command_column+2) = "?";} else {$(command_column+2) = OSName;} + if 
(OS_version == "") {$(command_column+3) = "?";} else {$(command_column+3) = OS_version;} + if (IP_address == "") {$(command_column+4) = "?";} else {$(command_column+4) = IP_address;} + if (IPv6_Address == "") {$(command_column+5) = "?";} else {$(command_column+5) = IPv6_Address;} + + # Remove trailing white spaces if any + sub(/[ \t]+$/,"",$0); + } + print; +}' + +# shellcheck disable=SC2086 +# Execute the command +$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT" + +echo "Cmd = [$CMD]; $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST" +# jscpd:ignore-end diff --git a/deployment-apps/Splunk_TA_nix/bin/rlog.sh b/deployment-apps/Splunk_TA_nix/bin/rlog.sh new file mode 100755 index 0000000..99dcc60 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/rlog.sh 
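Review bot: The HP-UX `PRINTF` in this hunk is missing its opening `{` — it reads `PRINTF='if (NR == 1) {print $0} else {printf ...}}'` — so the braces are unbalanced and the concatenated program `$HEADERIZE $FILL_DIMENSIONS $FORMAT $PRINTF` is an awk syntax error, meaning the HP-UX path emits nothing at all; it should begin `PRINTF='{if (NR == 1) {print $0} else {printf ...}}'` like the ps script in the previous hunk. Its argument list also ends in the undefined `arg` instead of `args`, the same slip raised on the previous hunk. Separately, `$AWK $DEFINE "$FORMAT"` depends on word-splitting `DEFINE`, so any collected value that contains whitespace becomes extra awk arguments; today `OSName` is passed through `tr ' ' '_'` on Linux and the other sources appear space-free, but the `/etc/*release` fallback (`awk -F" release " '{print $1}'`) is fragile when several release files exist, so a `tr -d ' '` on each value, or passing each `-v` as a separately quoted argument, would make this robust.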
@@ -0,0 +1,61 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 +# +# credit for improvement to http://splunk-base.splunk.com/answers/41391/rlogsh-using-too-much-cpu + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios +CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios +SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime +TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr +AUDIT_FILE="/var/log/audit/audit.log*" + +if [ "$KERNEL" = "Linux" ] ; then + assertHaveCommand service + assertHaveCommandGivenPath /sbin/ausearch + if [ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ] ; then + CURRENT_TIME=$(date --date="1 seconds ago" +"%m/%d/%Y %T") # 1 second ago to avoid data loss + + if [ -e "$SEEK_FILE" ] ; then + SEEK_TIME=$(head -1 "$SEEK_FILE") + # shellcheck disable=SC2086 + awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -ts $SEEK_TIME -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----"; + # shellcheck disable=SC2086 + grep -v "" < $TMP_ERROR_FILTER_FILE 1>&2 + + elif [ -e "$OLD_SEEK_FILE" ] ; then + rm -rf "$OLD_SEEK_FILE" # remove previous checkpoint + # start ingesting from the first entry of current audit file + # shellcheck disable=SC2086 + awk ' { print } ' $CURRENT_AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----"; + # shellcheck disable=SC2086 + grep -v "" <$TMP_ERROR_FILTER_FILE 1>&2 + + else + # no checkpoint found + # shellcheck disable=SC2086 + awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----"; + # shellcheck disable=SC2086 + grep -v "" <$TMP_ERROR_FILTER_FILE 1>&2 + fi + echo "$CURRENT_TIME" > "$SEEK_FILE" # Checkpoint+ + + else # Added this 
condition to get error logs + echo "error occured while running 'service auditd status' command in rlog.sh script. Output : $(service auditd status). Command exited with exit code $?" 1>&2 + fi + # remove temporary error redirection file if it exists + # shellcheck disable=SC2086 + rm $TMP_ERROR_FILTER_FILE 2>/dev/null + +elif [ "$KERNEL" = "SunOS" ] ; then + : +elif [ "$KERNEL" = "Darwin" ] ; then + : +elif [ "$KERNEL" = "HP-UX" ] ; then + : +elif [ "$KERNEL" = "FreeBSD" ] ; then + : +fi diff --git a/deployment-apps/Splunk_TA_nix/bin/selinuxChecker.sh b/deployment-apps/Splunk_TA_nix/bin/selinuxChecker.sh new file mode 100755 index 0000000..9ceb8e2 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/selinuxChecker.sh 
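Review bot: `grep -v "" < $TMP_ERROR_FILTER_FILE 1>&2` (three occurrences in this hunk) selects lines that do not match the empty pattern, which is no line at all, so nothing captured from ausearch's stderr is ever forwarded; the comment on `TMP_ERROR_FILTER_FILE` says the intent is to filter only the "no matches" message. As written, read failures on /var/log/audit/audit.log (normally root-only) and a malformed `-ts` checkpoint are dropped silently, which is exactly the failure a monitoring pipeline most needs to surface; `grep -v "<no matches>" < "$TMP_ERROR_FILTER_FILE" 1>&2` keeps the intended filter and lets real errors through. The `service auditd status` guard also runs the command twice, and on systemd hosts `service` hands off to `systemctl status`, which as far as I know prints status text whether or not the unit is active, so a non-empty output does not confirm auditd is running — testing its exit status (`if service auditd status >/dev/null 2>&1 ; then`) would be tighter.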
@@ -0,0 +1,48 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}'
+
+if [ "$KERNEL" = "Linux" ] ; then
+ if [ -f /etc/sysconfig/selinux ] ; then
+ SELINUX_FILE=/etc/sysconfig/selinux
+ elif [ -f /etc/selinux/config ] ; then
+ # shellcheck disable=SC2034
+ SELINUX_FILE=/etc/selinux/config
+ else
+ echo "SELinux not configured." >> "$TEE_DEST"
+ exit 1
+ fi
+
+ assertHaveCommand cat
+
+ # Get file hash
+ # shellcheck disable=SC2016
+ CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SELINUX_FILE ; cat $SELINUX_FILE'
+
+ # Get the date.
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {DATE=$0}'
+
+ # Try to use cross-platform case-insensitive matching for text. Note
+ # that "match", "tolower", IGNORECASE and other common awk commands or
+ # options are actually nawk/gawk extensions so avoid them if possible.
+ # shellcheck disable=SC2016
+ PARSE_1='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx]\=/ { SELINUX="selinux=" substr($0,index($0,"=")+1,length($0)) } '
+ # shellcheck disable=SC2016
+ PARSE_2='/^[Ss][Ee][Ll][Ii][Nn][Uu][Xx][Tt][Yy][Pp][Ee]\=/ { SELINUXTYPE="selinuxtype=" substr($0,index($0,"=")+1,length($0)) } '
+ # shellcheck disable=SC2016
+ PARSE_3='/^[Ss][Ee][Tt][Ll][Oo][Cc][Aa][Ll][Dd][Ee][Ff][Ss]\=/ { SETLOCALDEFS="setlocaldefs=" substr($0,index($0,"=")+1,length($0)) } '
+ # shellcheck disable=SC2016
+ PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
+
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
+
+ $CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
+ echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
+
+fi
diff --git a/deployment-apps/Splunk_TA_nix/bin/service.sh b/deployment-apps/Splunk_TA_nix/bin/service.sh
new file mode 100755
index 0000000..ec946ef
--- /dev/null
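Review bot: `PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'` anchors on the `SHA256(` prefix that `openssl sha256` prints; if the Splunk-bundled openssl is a 3.x build its digest line reads `SHA2-256(...)=` as far as I know, and `file_hash` would then be emitted empty with no error, so a pattern such as `/^SHA2?-?256/` (or matching on the `)= ` separator) would cover both. The event also reports only the boot-time configuration read from `$SELINUX_FILE`, not the live enforcement state, which can differ after `setenforce` or a kernel boot parameter; a one-line comment above `CMD`, `# Reports the configured mode from $SELINUX_FILE, not the running mode (getenforce) - the two can differ`, would stop readers from treating the event as runtime state. When neither config file exists the script writes "SELinux not configured." only to `$TEE_DEST` before `exit 1`, so the absence never reaches the index; emitting that line on stdout as well would make a host with no SELinux configuration visible in searches rather than just silent.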
+++ b/deployment-apps/Splunk_TA_nix/bin/service.sh 
@@ -0,0 +1,196 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +# In AWK scripts in this file, the following are true: +# FULLTEXT is used to capture the output for SHA256 checksum generation. +# SPLUNKD is used to determine Splunk service status. + +if [ "$KERNEL" = "Linux" ] ; then + if ! queryHaveCommand systemctl; then + assertHaveCommand date + assertHaveCommand chkconfig + CMD='eval date ; /sbin/chkconfig --list' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}' + # shellcheck disable=SC2016 + PARSE_1='NR>1 { + FULLTEXT = FULLTEXT $0 "\n" + split($0, ARR) + EVT="app=" ARR[1] + for (i=0 ; i<7 ; i++) { + split(ARR[i+2], STATE, ":") + EVT = EVT " runlevel" i "=" STATE[2] + } + if (ARR[1] ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 } + printf "%s type=chkconfig %s\n", DATE, EVT + }' + MASSAGE="$PARSE_0 $PARSE_1" + + # Send the collected full text to openssl; this avoids any timing discrepancies + # between when the information is collected and when we process it. 
+ # shellcheck disable=SC2016 + POSTPROCESS='END { + if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } + printf "%s %s", DATE, "file_hash=" + printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256" + }' + else + assertHaveCommand systemctl + assertHaveCommand date + + # Run the systemctl command to get all units and their state + CMD='eval date; systemctl list-units --type=service --all' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0}' + # shellcheck disable=SC2016 + PARSE_1=' + # On header row, get lengths to the fields + NR==2 { + match($0, /^ */); leading=RLENGTH; + match($0, /^.*DESC/); desclen=RLENGTH-4; + FULLTEXT=""; + next; + }' + # shellcheck disable=SC2016 + PARSE_2='(NR > 2){ + # Stop at the empty line + if ( !NF ) { exit; } + # Skip the leading spaces + $0 = substr( $0, leading ); + # the description spans fields so catch it seperately + desc=substr( $0, desclen ); + FULLTEXT = FULLTEXT $0 "\n" + if ($1 ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 } + printf "%s type=systemctl UNIT=%s, LOADED=%s, ACTIVE=%s, SUB=%s, DESCRIPTION=\"%s\" \n",DATE, $1, $2, $3, $4, desc + }' + MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2" + # shellcheck disable=SC2016 + POSTPROCESS='END { + if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } + printf "%s %s", DATE, "file_hash=" + printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256" + }' + fi + +elif [ "$KERNEL" = "SunOS" ] ; then + assertHaveCommand date + assertHaveCommand svcs + + CMD='eval date ; svcs -H -a -o STATE,FMRI' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0 ; FULLTEXT=""}' + # shellcheck disable=SC2016 + PARSE_1='NR>1 { + STATE="State=\""$1"\"" + idx=index($2,":") + STARTNAME="StartName=\""substr($2,0,idx-1)"\"" + APP="app=\""substr($2,idx+1)"\"" + FULLTEXT=FULLTEXT $0 "\n" + }' + PARSE_2='/^legacy_run/ { + STARTMODE="StartMode=\"Auto\"" + }' + PARSE_3='/^online/ { + 
STARTMODE="StartMode=\"Auto\"" + STATE="State=\"Running\"" + }' + PARSE_4='/^disabled/ { + STARTMODE="StartMode=\"Disabled\"" + STATE="State=\"Stopped\"" + }' + + INLINE_PRINT='NR>1 && APP!=0 {printf "%s %s %s %s %s\n", DATE, APP, STARTMODE, STARTNAME, STATE}' + + MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $INLINE_PRINT" + + # Send the collected full text to openssl; this avoids any timing discrepancies + # between when the information is collected and when we process it. + # shellcheck disable=SC2016 + POSTPROCESS='END { + if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } + printf "%s %s", DATE, "file_hash=" + printf "%s", FULLTEXT | "LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256" + }' + +elif [ "$KERNEL" = "Darwin" ] ; then + + assertHaveCommand date + assertHaveCommand defaults + assertHaveCommand dscl + assertHaveCommand find + assertHaveCommand ls + + # Get startup items + CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/' + # Get per-user startup items + # shellcheck disable=SC2044 + for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do + CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE + done + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0}' + # Retrieve path for system startup items + # shellcheck disable=SC2016 + PARSE_1='/^\/(System|Library)/ { + split($0, tmparr, ":") + PATH="file_path=\""tmparr[1] + USER=0 + START_MODE="StartMode=Auto" + START_TYPE="StartType=startup" + }' + + # Retrieve user information for user startup items. + # shellcheck disable=SC2016 + PARSE_2='/^\/Users/ { + split($0, tmparr, "/") + USER="user=" tmparr[3] + START_MODE="StartMode=Auto" + START_TYPE="StartType=login" + }' + + # Retrieve the path for user startup items. 
+ # shellcheck disable=SC2016 + PARSE_3='/[[:blank:]]*Path/ { + split($0, path_arr, "=") + num=split(path_arr[2], app_arr, "/") + split(app_arr[num], app_final, ".") + split(path_arr[2], path_final, "\"") + APP="app=\"" app_final[1] "\"" + FILE_PATH="file_path=\"" path_final[2] "\"" + + # Only print if we find a path. + printf "%s %s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, FILE_PATH, USER + + # Note that we found splunkd if app matches + if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 } + }' + + # Retrieve the system startup item name from the output of "ls -1" + # shellcheck disable=SC2016 + PARSE_4='/^[^\/]/ { + if (NR>1 && USER==0 && NF > 0) { + APP="app=\""$0"\"" + PATH=PATH$0"\"" + printf "%s %s %s %s %s\n", DATE, APP, START_MODE, START_TYPE, PATH + } + + # Note that we found splunkd if app matches + if (APP ~ /[Ss][Pp][Ll][Uu][Nn][Kk]/) { SPLUNKD=1 } + + }' + + MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4" + + POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }' + +else + # Exits + failUnsupportedScript +fi + +$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $POSTPROCESS" +echo "Cmd = [$CMD]; | $AWK '$MASSAGE $POSTPROCESS'" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/setup.sh b/deployment-apps/Splunk_TA_nix/bin/setup.sh new file mode 100755 index 0000000..2d13a1a --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/setup.sh 
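Review bot: In the Darwin branch, `for PLIST_FILE in $(find /Users -name "loginwindow.plist")` splices each discovered path unquoted into `CMD`, which is later executed through `eval` (`CMD='eval date ; ...'` followed by `$CMD | tee ...`), so a path component containing a shell metacharacter is parsed as shell syntax and a path containing whitespace is split into several bogus `defaults read` calls. Because `find` descends into user-writable home directories and this input runs with the forwarder's privileges, file names are untrusted input at this point; at minimum quote what is appended, `CMD=$CMD" ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE'"`, and preferably drop `eval` for this part and run `defaults read "$PLIST_FILE"` from the shell loop so no path is ever re-parsed. In the systemctl branch `desclen` is measured on the raw header line but `desc=substr( $0, desclen )` is applied after `$0` has been shortened by `$0 = substr( $0, leading )`, so the description looks like it starts `leading-1` characters early; I have not run this against live `systemctl list-units` output, so please confirm. The `chkconfig` and `svcs` branches look consistent with each other.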
@@ -0,0 +1,1276 @@ +#!/usr/bin/env bash +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +function build_scripted_input_endpoint() +# build a command name suitable for use in a REST target +{ + temp=`echo $1 | awk -F"/" '{print $NF}'` + echo ".%252Fbin%252F"$temp +} + +function build_monitor_input_endpoint() +# build a path name suitable for use in a REST target +{ + echo `echo $1 | sed -e 's/\//%252F/g'` +} + +function get_interval() +# get the given scripted input's interval +{ + interval=$(get_scripted_input_rest_value "$1" 'interval') + echo $interval +} + +function set_interval() +# set the given scripted input's interval +{ + set_scripted_input_rest_value "$1" "interval" "$2" +} + +function set_metric_index() +# set the index for the given metric input +{ + set_scripted_input_rest_value "$1" "index" "$2" +} + +function get_server_name +# get the server_name from 'show servername' cli +{ + if [ $remote_server_uri != "false" ]; then + echo `$SPLUNK_HOME/bin/splunk show servername -uri $remote_server_uri | $AWK {'print $3'}` + else + echo `$SPLUNK_HOME/bin/splunk show servername | $AWK {'print $3'}` + fi +} + +function internal_call() +# low-level internal call handler +{ + if [ $remote_server_uri != "false" ]; then + echo `$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/$1/$2 -uri $remote_server_uri` + else + echo `$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/$1/$2` + fi +} + +function get_monitor_disabled_value() +{ + temp=$(internal_call 'monitor' "$1") + for l in $temp; do + case $l in + *name=?disabled*) echo `echo $l | grep "name=\"disabled" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e "s/name=\"disabled\">//" -e 's/<\/s:key>//g'`; break;; + esac + done +} + +function get_monitor_status() +{ + echo "$input_counter) $1" + input_endpoint=$(build_monitor_input_endpoint "$1") + rest_value=$(get_monitor_disabled_value 
"$input_endpoint") + case $rest_value in + 0) echo " enabled: *** disabled: ";; + 1) echo " enabled: disabled: *** ";; + esac +} + +function get_scripted_input_rest_value() +# given an scripted input endpoint and a key, set to $rest_value +{ + if [ $remote_server_uri != "false" ]; then + echo `$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/script/$1 -uri $remote_server_uri | grep "name=\"$2" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e "s///" -e 's/<\/s:key>//g'` + else + echo `$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/script/$1 | grep "name=\"$2" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e "s///" -e 's/<\/s:key>//g'` + fi +} + +function handle_rest_response() +# handle the rest response +{ + case $1 in + *HTTP?Status:?200.*) echo " $2 successful"; echo "";; + *) echo " $2 failed"; echo "";res="failure";; + esac +} +function set_scripted_input_rest_value() +# given an endpoint and a post string, set the value +{ + setter_response= + if [ $remote_server_uri != "false" ]; then + setter_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/script/$1 -uri $remote_server_uri -post:$2 $3` + else + setter_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/script/$1 -post:$2 $3` + fi + handle_rest_response "$setter_response" "update" +} + +function enable_monitor_input() +# given a monitor input, enable it +{ + enable_response= + if [ $remote_server_uri != "false" ]; then + enable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/monitor/$1/enable -uri $remote_server_uri -method POST` + else + enable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/monitor/$1/enable -method POST` + fi + handle_rest_response "$enable_response" "enable" +} + +function 
disable_monitor_input() +# given a monitor input, disable it +{ + disable_response= + if [ $remote_server_uri != "false" ]; then + disable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/monitor/$1/disable -uri $remote_server_uri -method POST` + else + disable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/monitor/$1/disable -method POST` + fi + handle_rest_response "$disable_response" "disable" +} +function enable_scripted_input() +# given a script name, enable it +{ + enable_response= + if [ $remote_server_uri != "false" ]; then + enable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/script/$1/enable -uri $remote_server_uri -method POST` + else + enable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/script/$1/enable -method POST` + fi + handle_rest_response "$enable_response" "enable" +} + +function disable_scripted_input() +# given a script name, disable it +{ + disable_response= + if [ $remote_server_uri != "false" ]; then + disable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$remote_server_app_name/data/inputs/script/$1/disable -uri $remote_server_uri -method POST` + else + disable_response=`$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/$server_app_name/data/inputs/script/$1/disable -method POST` + fi + handle_rest_response "$disable_response" "disable" +} + +function update_app() +# updates the given app +{ + if [ $remote_server_uri != "false" ]; then + install_response=`$SPLUNK_HOME/bin/splunk install app $1 -update true --uri $remote_server` + case "$install_response" in + *is?installed.* ) echo " app install successful"; echo "";; + *n?error?occurred:*) echo " app install failed"; echo "";; + esac + else + install_response=`$SPLUNK_HOME/bin/splunk install app $1 -update true` + case "$install_response" in + 
*is?installed.* ) echo " app install successful"; echo "";; + *n?error?occurred:*) echo " app install failed"; echo "";; + esac + fi +} + +function install_app() +# installs the app residing at the given remote path +{ + if [ $remote_server_uri != "false" ]; then + install_response=`$SPLUNK_HOME/bin/splunk install app $1 -uri $remote_server_uri` + case "$install_response" in + *is?installed.* ) echo " app install successful"; echo "";; + *install?anywa* ) echo " app already installed. Attempting to upgrade"; update_app "$1";; + *n?error?occurred:*) echo " app install failed - the URI provided was not found"; echo "";; + * ) echo "ERROR: $install_response";; + esac + else + install_response=`$SPLUNK_HOME/bin/splunk install app $1` + case "$install_response" in + *is?installed.* ) echo " app install successful"; echo "";; + *install?anywa* ) echo " app already installed. Attempting to upgrade"; update_app "$1";; + *n?error?occurred:*) echo " app install failed - the URI provided was not found"; echo "";; + * ) echo "ERROR: $install_response";; + esac + fi +} + +function get_scripted_input_status() +# given an input, get the enabled/disabled +# status and, if enabled, the interval +{ + echo "$input_counter) $1" + input_endpoint=$(build_scripted_input_endpoint "$1") + rest_value=$(get_scripted_input_rest_value "$input_endpoint" 'disabled') + index_value=$(get_scripted_input_rest_value "$input_endpoint" 'index') + if [ "$rest_value" = "0" ]; then + interval=$(get_interval "$input_endpoint") + if [ "$interval" != "false" ]; then + echo " enabled: *** disabled: interval: $interval index: $index_value" + else + echo " enabled: *** disabled: index: $index_value" + fi + + else + echo " enabled: disabled: *** index: $index_value" + fi +} + +function get_script_list +# sets the scripted input list in $output +{ + if [ $remote_server_uri != "false" ]; then + echo `$SPLUNK_HOME/bin/splunk list exec -uri "$remote_server_uri"` + else + echo `$SPLUNK_HOME/bin/splunk list exec` + fi 
+} + +function show_inputs +# show input status parsed from 'list exec' +# if enabled show the interval and last run time +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > SHOW INPUT STATUS ***" + echo "" + input_counter=0 + echo " Scripted Inputs:" + echo "" + script_list=$(get_script_list) + for line in $script_list; do + case "$line" in + *unix* | *Splunk_TA_nix* ) get_scripted_input_status "$line"; input_counter=`expr $input_counter + 1`; + esac + done + echo "" + echo " Monitor Inputs:" + echo "" + for line in $MONITOR_INPUTS; do + get_monitor_status "$line" + input_counter=`expr $input_counter + 1` + done +} + +function enable_all_inputs +#enables all endpoints +{ + oldIFS=$IFS + IFS=' + ' + script_list=$(get_script_list) + for line in $script_list; do + res="success" + flag=0 + if [[ $line == *"_metric"* && ! -z $1 ]]; then + input_endpoint=$(build_scripted_input_endpoint "$line") + echo "updating index of $line to $1" + set_metric_index "$input_endpoint" "$1" + flag=1 + fi + if [ "$res" == "success" ] && [[ ( $line != *"_metric"* || $flag == 1 ) ]]; then + case "$line" in + *unix* | *Splunk_TA_nix* ) echo "enabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); enable_scripted_input $input_endpoint;; + esac + fi + done + for line in $MONITOR_INPUTS; do + echo "enabling $line" + input_endpoint=$(build_monitor_input_endpoint "$line") + enable_monitor_input $input_endpoint + done + IFS=$oldIFS + echo "" +} + +function disable_all_inputs +# disables all inputs +{ + #oldIFS=$IFS + #IFS=' + #' + script_list=$(get_script_list) + for line in $script_list; do + case "$line" in + *unix* | *Splunk_TA_nix* ) echo "disabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); disable_scripted_input $input_endpoint;; + esac + done + for line in $MONITOR_INPUTS; do + echo "disabling $line" + input_endpoint=$(build_monitor_input_endpoint "$line") + disable_monitor_input "$input_endpoint" + done + #IFS=$oldIFS + echo "" +} + 
+function set_remote_input() +# set the given configuration on the remote host +{ + _input_type= + _input= + _disabled= + for value in $1; do + if [ ! -n "$_input_type" ]; then + _input_type="$value" + else + if [ "$_input_type" == "monitor" ]; then + if [ ! -n "$_input" ]; then + _input="$value" + else + if [ "$value" == "1" ]; then + disable_monitor_input "$_input" + else + enable_monitor_input "$_input" + fi + fi + else + if [ ! -n "$_input" ]; then + _input="$value" + else + if [ ! -n "$_disabled" ]; then + _disabled="$value" + else + if [ "$_disabled" == "1" ]; then + disable_scripted_input "$_input" + else + enable_scripted_input "$_input" + set_interval "$_input" "$value" + fi + fi + fi + fi + fi + done +} + +function monitor_clone() +# clone monitor input +{ + _remote_server_uri=$remote_server_uri + remote_server_uri="false" + input_endpoint=$(build_monitor_input_endpoint "$1") + rest_value=$(get_monitor_disabled_value "$input_endpoint") + remote_server_uri=$_remote_server_uri + set_remote_input "monitor $input_endpoint $rest_value" +} + +function scripted_clone() +# clone scripted input +{ + interval= + _remote_server_uri=$remote_server_uri + remote_server_uri="false" + input_endpoint=$(build_scripted_input_endpoint "$1") + rest_value=$(get_scripted_input_rest_value "$input_endpoint" 'disabled') + remote_server_uri=$_remote_server_uri + if [ "$rest_value" = "0" ]; then + interval=$(get_interval "$input_endpoint") + set_remote_input "scripted $input_endpoint $rest_value $interval" + else + set_remote_input "scripted $input_endpoint $rest_value" + fi +} + +function clone_all_inputs +# clone all inputs from local to remote_server_uri +{ + if [ $_remote_server_uri == "false" ]; then + echo "" + echo " No remote server is set" + echo "" + echo " Please specify a remote server through the main menu" + echo " or via command line arguments in order to clone inputs" + echo "" + else + echo "" + echo " copying local input configuration to $server_name" + echo "" + 
echo " Please be patient, this might take a minute..." + echo "" + script_list=$(get_script_list) + for line in $script_list; do + case "$line" in + *unix* | *Splunk_TA_nix* ) echo ""; echo " cloning $line to $server_name"; echo ""; scripted_clone "$line" + esac + done + for line in $MONITOR_INPUTS; do + echo "" + echo " cloning $line to $server_name" + echo "" + monitor_clone "$line" + done + fi +} + +function enable_all_menu +# batch enable all inputs +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > ENABLE ALL INPUTS ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo "1 - confirm and enable all inputs" + echo "2 - return to the manage inputs menu" + echo "" + read selection + echo "" + + case $selection in + 1 ) echo "";echo "Do you want to enable metric inputs too, if yes, enter metric index name else press enter";read metric_index;if [ ! -z $metric_index ]; then enable_all_inputs "$metric_index"; else enable_all_inputs; fi; press_enter;manage_inputs_menu;; + 2 ) manage_inputs_menu;; + * ) echo "Please enter a number between 1 and 2"; press_enter; enable_all_menu;; + esac +} + +function disable_all_menu +# batch disable all inputs +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > DISABLE ALL INPUTS ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo "1 - confirm and disable all inputs" + echo "2 - return to the manage inputs menu" + echo "" + echo -n "Please enter your selection: " + read selection + echo "" + case $selection in + 1 ) disable_all_inputs; press_enter; manage_inputs_menu;; + 2 ) manage_inputs_menu;; + * ) echo "Please enter a number between 1 and 2"; press_enter; disable_all_menu;; + esac +} + +function local_to_remote_menu +# confirm local to remote config copy +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > COPY LOCAL CONFIG TO REMOTE ***" + echo "" + echo "You are currently managing Splunk server 
'$server_name'" + echo "" + echo "1 - confirm and clone all local inputs to $server_name" + echo "2 - return to the manage inputs menu" + echo "" + echo -n "Please enter your selection: " + read selection + echo "" + case $selection in + 1 ) clone_all_inputs; press_enter; manage_inputs_menu;; + 2 ) manage_inputs_menu;; + * ) echo "Please enter a number between 1 and 2"; press_enter; local_to_remote_menu;; + esac +} + +function change_input_interval() +# change the input's interval +{ + echo "" + echo "" + echo -n "Enter the new interval value: " + read selection + echo "" + if test $selection -ge 0; then + input_endpoint=$(build_scripted_input_endpoint "$1") + set_interval "$input_endpoint" "$selection" + else + echo "" + echo "The value you entered is not a number - please try again" + echo "" + change_input_interval $1 + fi + +} + +function toggle_scripted_input() +# handle enable/disable of scripted input +{ + if [ "$2" = "0" ]; then + input_endpoint=$(build_scripted_input_endpoint "$1") + disable_scripted_input "$input_endpoint" + else + input_endpoint=$(build_scripted_input_endpoint "$1") + enable_scripted_input "$input_endpoint" + fi +} + +function toggle_monitor_input() +# handle enable/disable of monitor input +{ + if [ "$2" = "0" ]; then + input_endpoint=$(build_monitor_input_endpoint "$1") + disable_monitor_input "$input_endpoint" + else + input_endpoint=$(build_monitor_input_endpoint "$1") + enable_monitor_input "$input_endpoint" + fi + +} + +function manage_scripted_input_options() +# show scripted input settings/options and handle input +{ + get_scripted_input_status "$1" + echo "" + echo " Please choose from one of the following options:" + echo "" + if [ "$rest_value" = "0" ]; then + echo "1 - disable input" + else + echo "1 - enable input" + fi + echo "2 - change input interval" + echo "3 - return to the previous menu" + echo "" + echo "0 - logout and exit program" + echo "" + echo -n "Please enter your selection: " + read selection + echo "" + case 
$selection in + 1) toggle_scripted_input "$1" "$rest_value"; press_enter; manage_input_menu "$1";; + 2) change_input_interval "$1"; press_enter; manage_input_menu "$1";; + 3) select_input_menu;; + 0) splunk_logout; exit 0;; + *) echo "please enter a number between 0 and 3"; manage_input_menu "$1";; + esac +} + +function manage_monitor_input_options() +# show monitor input settings/options and handle input +{ + get_monitor_status "$1" + echo "" + echo " Please choose from one of the following options:" + echo "" + if [ "$rest_value" = "0" ]; then + echo "1 - disable input" + else + echo "1 - enable input" + fi + echo "2 - return to the previous menu" + echo "" + echo "0 - logout and exit program" + echo "" + echo -n "Please enter your selection: " + read selection + echo "" + case $selection in + 1) toggle_monitor_input "$1" "$rest_value"; press_enter; manage_input_menu "$1";; + 2) select_input_menu;; + 0) splunk_logout; exit 0;; + *) echo "please enter a number between 0 and 2"; manage_input_menu "$1";; + esac +} + +function manage_input_menu() +# manage one input +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > CHOOSE INPUT TO MANAGE ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo "--> Manage Input '$1'" + echo "" + res="success" + input_endpoint=$(build_scripted_input_endpoint "$1") + rest_index=$(get_scripted_input_rest_value "$input_endpoint" 'index') + if [[ "$1" == *"_metric"* ]] ; then + if [[ "$rest_index" != "default" ]]; then + echo "Do you want to change the metric index (y/n)?" + read answer + + if [[ "$answer" == "y" ]]; then + echo "Enter the metric index" + read metric_index + if [ ! -z $metric_index ]; then + input_endpoint=$(build_scripted_input_endpoint "$1") + set_metric_index $input_endpoint $metric_index + else + echo "Please enter a valid index" + press_enter + manage_input_menu "$1" + fi + fi + else + echo "Enter the metric index" + read metric_index + if [ ! 
-z $metric_index ]; then + input_endpoint=$(build_scripted_input_endpoint "$1") + set_metric_index $input_endpoint $metric_index + else + echo "Please enter a valid index" + press_enter + manage_input_menu "$1" + fi + fi + fi + if [ $res == "success" ]; then + case "$1" in + *.sh) manage_scripted_input_options $1;; + *) manage_monitor_input_options $1;; + esac + else + press_enter + select_input_menu + fi +} + +function select_input_menu +# choose one input, then enable/disable/change interval +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > CHOOSE INPUT TO MANAGE ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo "" + echo " Choose one of the following inputs:" + echo "" + selection_list=() + input_counter=1 + oldIFS=$IFS + IFS=' + ' + script_list=$(get_script_list) + for line in $script_list; do + case "$line" in + *unix* | *Splunk_TA_nix* ) echo " $input_counter - $line"; selection_list[$input_counter]=$line; input_counter=`expr $input_counter + 1`; + esac + done + for line in $MONITOR_INPUTS; do + echo " $input_counter - $line" + selection_list[$input_counter]=$line + input_counter=`expr $input_counter + 1` + done + echo "" + echo " $input_counter - go back to manage inputs menu" + echo "" + echo "" + echo " 0 - logout and exit program" + echo "" + echo -n "Enter selection: " + read selection + echo "" + if [ $selection = $input_counter ]; then + manage_inputs_menu + elif [ $selection = 0 ]; then + splunk_logout + exit 0 + elif [ $selection -gt $input_counter ]; then + echo "Please enter a number between 0 and $input_counter" + press_enter + select_input_menu + elif [ $selection -lt 0 ]; then + echo "Please enter a number between 0 and $input_counter" + press_enter + select_input_menu + else + ### TODO: implement manage_selected_input_menu + manage_input_menu ${selection_list[$selection]} + fi +} + +function manage_inputs_menu +# the aptly named 'manage inputs' menu +{ + clear + echo "" + echo "*** 
Splunk> *nix command-line setup > MANAGE INPUTS ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo " Please choose from one of the following options:" + echo "" + echo "1 - manage one input" + echo "2 - enable all inputs" + echo "3 - disable all inputs" + if [ "$remote_server_uri" != "false" ] && [ "$server_unix_app_installed" = "true" ]; then + echo "4 - copy local configuration to remote" + echo "5 - go back to main menu" + echo "" + echo "0 - logout and exit program" + echo "" + echo -n "Enter selection: " + read selection + echo "" + case $selection in + 1 ) select_input_menu;; + 2 ) enable_all_menu;; + 3 ) disable_all_menu;; + 4 ) local_to_remote_menu;; + 5 ) main_menu ;; + 0 ) splunk_logout; exit 0 ;; + * ) echo "Please enter a number between 0 and 4"; press_enter; manage_inputs_menu;; + esac + else + echo "4 - go back to main menu" + echo "" + echo "0 - logout and exit program" + echo "" + echo -n "Enter selection: " + read selection + echo "" + case $selection in + 1 ) select_input_menu;; + 2 ) enable_all_menu;; + 3 ) disable_all_menu;; + 4 ) main_menu ;; + 0 ) splunk_logout; exit 0 ;; + * ) echo "Please enter a number between 0 and 4"; press_enter; manage_inputs_menu;; + esac + fi +} + +function install_menu +# the aptly named install menu +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > INSTALL/UPGRADE MENU***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo " Please enter the full URI string indicating where the app resides" + echo "" + echo " -> for example, 'https://localhost/apps/unix_app_new.tgz'" + echo "" + echo -n "Enter URI: " + read install_uri + install_app "$install_uri" + press_enter + main_menu +} + +function press_enter +# convenience function to prompt for return +{ + echo "" + echo -n "Press Enter to continue" + read + clear +} + +function main_menu +# the aptly named main menu +{ + clear + echo "" + echo "*** Splunk> *nix 
command-line setup > MAIN MENU ***" + echo "" + echo "You are currently managing Splunk server '$server_name'" + echo "" + echo " Please choose from one of the following options:" + echo "" + echo "1 - show *nix input status" + echo "2 - manage *nix inputs" + echo "3 - install/upgrade app" + echo "4 - change credentials" + if [ $remote_server_uri != "false" ]; then + echo "5 - disconnect from remote instance" + else + echo "5 - connect to remote instance" + fi + echo "" + echo "0 - logout and exit program" + echo "" + echo -n "Enter selection: " + read selection + echo "" + case $selection in + 1 ) show_inputs; press_enter; main_menu ;; + 2 ) manage_inputs_menu;; + 3 ) install_menu;; + 4 ) handle_credential_change;; + 5 ) handle_remote_connection;; + 0 ) splunk_logout; exit 0;; + * ) echo "Please enter a number between 0 and 5"; press_enter; main_menu;; + esac +} + +function set_app_installed() +# set the appropriate remote or local app installed flag +{ + if [ $remote_server_uri != "false" ]; then + remote_server_unix_app_installed="true" + remote_server_app_name="$1" + else + server_unix_app_installed="true" + server_app_name="$1" + fi +} + +function set_app_enabled +# if app is enabled, set the appropriate variables +{ + if [ $remote_server_uri != "false" ]; then + if [ $remote_server_unix_app_installed != "false" ]; then + set_server_has_app_enabled + else + unset_server_has_app_enabled + fi + else + if [ $server_unix_app_installed != "false" ]; then + set_server_has_app_enabled + else + unset_server_has_app_enabled + fi + fi +} + +function set_server_has_app_enabled +# set appropriate flag that server has +# the unix app installed and enabled +{ + if [ $remote_server_uri != "false" ]; then + remote_server_has_unix_app_enabled="true" + else + server_has_unix_app_enabled="true" + fi +} + +function unset_server_has_app_enabled +# set appropriate flag that server does not +# have the unix app installed and enabled +{ + if [ $remote_server_uri != "false" ]; then + 
remote_server_has_unix_app_enabled="false" + else + server_has_unix_app_enabled="false" + fi +} + +function handle_credential_change +# handle remote or local credential change +{ + if [ $remote_server_uri != "false" ]; then + splunk_remote_credential_change + else + splunk_logout + splunk_login + fi +} + +function handle_remote_connection +# if connected to remote instance, logout +# else redirect to remote instance login +{ + if [ $remote_server_uri != "false" ]; then + splunk_remote_logout + else + splunk_remote_login + fi +} + +function set_unix_app_info +{ + if [ $remote_server_uri != "false" ]; then + app_output=`$SPLUNK_HOME/bin/splunk display app -uri $remote_server_uri` + else + app_output=`$SPLUNK_HOME/bin/splunk display app` + fi + oldIFS=$IFS + IFS=' + ' + for line in $app_output; do + case "$line" in + *unix* ) set_app_installed "unix";; + *Splunk_TA_nix* ) set_app_installed "Splunk_TA_nix";; + *ENABLED*) set_app_enabled;; + #*DISABLED*) set_app_disabled;; + esac + done + IFS=$oldIFS +} + +function check_for_unix_app +# can't manage the unix app if there is nothing to manage +{ + set_unix_app_info + if [ $remote_server_uri = "true" ]; then + if [ $remote_server_has_unix_app_enabled = "true" ]; then + main_menu + else + echo "the remote server $server_name does not have the unix app installed or the app is disabled" + echo "" + echo "do you want to install the unix app from a location on your network?" 
+ echo "" + echo -n "enter y to continue: " + read want_install_app + case $want_install_app in + y ) install_menu; check_for_unix_app;; + * ) splunk_remote_logout; prerequisites;; + esac + fi + else + if [ $server_has_unix_app_enabled = "true" ]; then + main_menu + else + echo "the local server $server_name does not have the unix app installed or the app is disabled" + echo "" + echo "only remote management of servers with the unix app will be permitted" + splunk_remote_login + fi + fi +} + +function prerequisites +# use 'list app' to see if the unix app is installed/enabled +# set server_name +# if app installed/enabled, redirect to main menu +# else warn and exit +{ + server_name=$(get_server_name) + check_for_unix_app + main_menu +} + +function splunk_login +# log user in to splunk +# then route to main_menu +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > LOCAL LOGIN ***" + echo "" + $SPLUNK_HOME/bin/splunk login + if [ "$?" = "0" ]; then + prerequisites + else + exit 1 + fi +} + +function splunk_remote_login +# log user in to some other splunk +# then route to main_menu +{ + clear + echo "" + echo "*** Splunk> *nix command-line setup > REMOTE LOGIN ***" + echo "" + echo " Please enter the full URI for the remote server" + echo "" + echo " -> for example, 'https://remotehost:8089'" + echo "" + echo -n "Enter URI: " + read remote_server_uri + splunk_remote_credential_change +} + +function splunk_remote_credential_change +# branch the remote credential change to facilitate +# changing credentials on the same remote instance +{ + echo "" + echo "connecting to the remote server '$remote_server_uri'" + echo "" + echo "enter your credentials to the remote server below:" + echo "" + $SPLUNK_HOME/bin/splunk login --uri "$remote_server_uri" + if [ "$?" 
= "0" ]; then + prerequisites + else + remote_server_uri="false" + remote_server_unix_app_installed="false" + remote_server_has_unix_app_enabled="false" + echo "" + echo "remote login failed" + echo "" + press_enter + main_menu + fi +} + +function splunk_logout +# log user out of splunk +# often followed by call to splunk_login +{ + $SPLUNK_HOME/bin/splunk logout + remote_server_uri="false" + server_name="false" + server_unix_app_installed="false" + server_has_unix_app_enabled="false" + remote_server_unix_app_installed="false" + remote_server_has_unix_app_enabled="false" + clear +} + +function splunk_remote_logout +# log user out of remote splunk instance +{ + $SPLUNK_HOME/bin/splunk logout --uri "$remote_server_uri" + remote_server_uri="false" + remote_server_unix_app_installed="false" + remote_server_has_unix_app_enabled="false" + splunk_login + server_name=$(get_server_name) + main_menu +} + +function usage() +# provides usage +{ + echo '' + echo ' usage: setup.sh' + echo '' + echo ' (no argument) menu-based setup' + echo ' --auth credentials (user:pass) for specified command' + echo ' --clone-all clone input configuration from local to remote' + echo ' --disable-all disable all inputs' + echo ' --disable-input input to be disabled' + echo ' --enable-all enable all inputs. 
Metric inputs will be enabled if metric input will be passed' + echo ' --enable-input input to be enabled and metric index must be passed for metric input' + echo ' --help print usage and exit' + echo ' --install-app install the app at the given location' + echo ' --interval set input to given interval' + echo ' --list-all show details all inputs' + echo ' --list-input show details for input' + echo ' --usage print usage and exit' + echo ' --uri remote uri (https://host:port) to use' + echo ' --metric-index provide metric index in metric input' + echo '' + echo '' + echo ' examples:' + echo '' + echo ' set cpu.sh interval to 120 (with auth prompt):' + echo '' + echo ' setup.sh --interval cpu.sh 120' + echo '' + echo ' disable all local inputs (with no auth prompt):' + echo '' + echo ' setup.sh --disable-all --auth admin:changeme1' + echo '' + echo ' show input status on remote host foobar:' + echo '' + echo ' setup.sh --list-all --uri https://foobar:8089' + echo '' + echo ' update the unix app from your-server on the remote host foobar:' + echo '' + echo ' setup.sh --install-app https://your-server/unix.spl --uri https://foobar:8089' + echo '' + echo ' copy the local input configuration to the remote host foobar:' + echo '' + echo ' setup.sh --clone-all --uri https://foobar:8089' + echo '' + echo ' enable all inputs including metric inputs' + echo '' + echo ' setup.sh --enable-all --metric-index test3' + echo '' + echo ' enable a single metric input' + echo '' + echo ' setup.sh --enable-input interfaces_metric.sh --metric-index test3' + echo '' + + exit 1 +} + +function execute_command() +# executes one command from the execution queue +{ + action= + _target= + _interval= + res="success" + for token in $1; do + if [ ! 
-n "$action" ]; then + action="$token" + continue + else + if [ "$action" == "clone" ]; then + clone_all_inputs + elif [ "$action" == "disable" ]; then + if [ "$token" == "all" ]; then + disable_all_inputs + else + case $token in + *.sh ) input_endpoint=$(build_scripted_input_endpoint "$token"); echo "disabling input $token"; echo ""; disable_scripted_input "$input_endpoint";; + * ) input_endpoint=$(build_monitor_input_endpoint "$token"); echo "disabling input $token"; echo ""; disable_monitor_input "$input_endpoint";; + esac + fi + elif [ "$action" == "enable" ]; then + word=( $1 ) + if [ "$token" == "all" ]; then + if [ ${#word[@]} == "2" ] || [ ${#word[@]} == "3" ]; then + echo "" + echo "Warning <<<<<<<<< Metric inputs will not be enabled as metric index was not specified >>>>>>>>>" + echo "" + enable_all_inputs + elif [ ${#word[@]} == "4" ]; then + if [ "${word[2]}" == "--metric-index" ]; then + enable_all_inputs ${word[3]} + else + echo "Wrong Argument" + usage + fi + else + echo "Wrong argument" + usage + fi + elif [ "$token" == "input" ]; then + _target=${word[2]} + if [ ${#word[@]} == "3" ] ; then + if [[ "$_target" != *"_metric"* ]]; then + enable_single_input $_target + else + echo "Metric index must be specified for this input" + usage + fi + elif [ ${#word[@]} == "4" ] ; then + echo "Wrong argument" + usage + elif [ ${#word[@]} == "5" ]; then + if [[ "${word[3]}" == "--metric-index" ]] && [[ "$_target" == *"_metric"* ]]; then + enable_metric_input $_target ${word[4]} + else + echo "This input is not a metric input or wrong argument passed" + usage + fi + else + echo "Wrong Argument" + usage + fi + fi + elif [ "$action" == "install" ]; then + install_app "$token" + elif [ "$action" == "interval" ]; then + if [ ! -n "$_target" ]; then + _target="$token" + else + if [ ! 
-n "$_interval" ]; then + input_endpoint=$(build_scripted_input_endpoint "$_target") + echo "setting $_target interval to $token" + set_interval "$input_endpoint" "$token" + fi + fi + elif [ "$action" == "list" ]; then + if [ "$token" == "all" ]; then + show_inputs + else + case "$token" in + *.sh ) input_endpoint=$(build_scripted_input_endpoint "$token"); get_scripted_input_status "$input_endpoint";; + * ) input_endpoint=$(build_monitor_input_endpoint "$token"); get_monitor_status "$input_endpoint";; + esac + fi + fi + fi + done + } + +function enable_metric_input +# Updates index of metric input and if successful then enable it. +{ + input_endpoint=$(build_scripted_input_endpoint "$1") + set_metric_index "$input_endpoint" "$2" + if [ "$res" == "success" ]; then + enable_single_input "$1" + fi +} + +function enable_single_input +# Enable any input +{ + case $1 in + *.sh ) input_endpoint=$(build_scripted_input_endpoint "$1"); echo "enabling input $1"; echo ""; enable_scripted_input "$input_endpoint";; + * ) input_endpoint=$(build_monitor_input_endpoint "$1"); echo "enabling input $1"; echo ""; enable_monitor_input "$input_endpoint";; + esac +} + +function execute_queue +# executes a stored queue of command line options and arguments +{ + if [ ! -n "$__QUEUE" ]; then + echo "" + echo " Error parsing command line options/arguments" + echo "" + echo "" + usage + else + if [ -n "$AUTH_STRING" ]; then + if [ "$remote_server_uri" != "false" ]; then + $SPLUNK_HOME/bin/splunk login -uri $remote_server_uri -auth $AUTH_STRING + if [ "$?" != 0 ]; then + echo "" + echo " authentication failed" + echo "" + exit 1 + fi + else + $SPLUNK_HOME/bin/splunk login -auth $AUTH_STRING + if [ "$?" 
!= 0 ]; then + echo "" + echo " authentication failed" + echo "" + exit 1 + fi + fi + fi + server_name=$(get_server_name) + set_unix_app_info + echo "" + echo " authenticated to $server_name" + echo "" + _oldIFS=$IFS + IFS="::" + for key in $__QUEUE; do + IFS=$_oldIFS + execute_command "$key" + IFS="::" + done + IFS=$_oldIFS + fi +} + +function queue_action +# creates queue of actions to be executed by execute_queue +{ + __QUEUE=$_QUEUE"::$ACTION $ACTION_TARGET " +} + +### MAIN ### + +. `dirname $0`/common.sh + +remote_server_uri="false" +server_unix_app_installed="false" +server_has_unix_app_enabled="false" +remote_server_unix_app_installed="false" +remote_server_has_unix_app_enabled="false" + +MONITOR_INPUTS="/Library/Logs ~/Library/Logs /var/log /var/adm /etc" + +__QUEUE= +ACTION= +ACTION_TARGET= +AUTH_STRING= +REMOTE_URI= + +if [ ! -n "$1" ]; then + splunk_login +else + while [ "$1" != "" ]; do + case $1 in + --auth ) shift; AUTH_STRING="$1"; shift;; + --clone-all ) ACTION="clone"; queue_action; shift;; + --disable-all ) ACTION="disable"; ACTION_TARGET="all"; queue_action; shift;; + --disable-input ) ACTION="disable"; shift; ACTION_TARGET="$1"; queue_action; shift;; + --enable-all ) ACTION="enable"; shift; ACTION_TARGET="$1"; ACTION_TARGET="all "$ACTION_TARGET;shift;ACTION_TARGET=$ACTION_TARGET" $1";shift;queue_action; shift;; + --enable-input ) ACTION="enable"; shift; ACTION_TARGET="$1";shift; ACTION_TARGET="input "$ACTION_TARGET" $1";shift;ACTION_TARGET=$ACTION_TARGET" $1";shift;queue_action; shift;; + --interval ) ACTION="interval"; shift; ACTION_TARGET="$1"; shift; ACTION_TARGET=$ACTION_TARGET" $1"; queue_action; shift;; + --install-app ) ACTION="install"; shift; ACTION_TARGET="$1"; queue_action; shift;; + --list-all ) ACTION="list"; ACTION_TARGET="all"; queue_action; shift;; + --list-input ) ACTION="list"; shift; ACTION_TARGET="$1"; queue_action; shift;; + --uri ) remote_server_uri="$1"; shift;; + --usage | --help ) usage;; + * ) usage;; + esac + done + 
execute_queue +fi diff --git a/deployment-apps/Splunk_TA_nix/bin/setupservice.py b/deployment-apps/Splunk_TA_nix/bin/setupservice.py new file mode 100644 index 0000000..3d479f9 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/setupservice.py @@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +import json +import sys + +import splunk +import splunk.bundle as bundle + + +class SetupService(splunk.rest.BaseRestHandler): + def handle_GET(self): + try: + is_recognized_unix = not sys.platform.startswith("win") + self.response.write(json.dumps(is_recognized_unix)) + except Exception as e: + self.response.write(e) + + def handle_POST(self): + sessionKey = self.sessionKey + try: + conf = bundle.getConf( + "app", sessionKey, namespace="Splunk_TA_nix", owner="nobody" + ) + stanza = conf.stanzas["install"].findKeys("is_configured") + if stanza: + if stanza["is_configured"] == "0" or stanza["is_configured"] == "false": + conf["install"]["is_configured"] = "true" + splunk.rest.simpleRequest( + "/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey + ) + else: + conf["install"]["is_configured"] = "true" + splunk.rest.simpleRequest( + "/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey + ) + except Exception as e: + self.response.write(e) diff --git a/deployment-apps/Splunk_TA_nix/bin/sshdChecker.sh b/deployment-apps/Splunk_TA_nix/bin/sshdChecker.sh new file mode 100755 index 0000000..b6177a7 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/sshdChecker.sh 
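Review bot: In `handle_POST` both arms of `if stanza:` do the same thing — set `is_configured` to `"true"` and reload the app — so the `findKeys("is_configured")` lookup and the `"0"`/`"false"` comparison have no effect; collapse them to the two unconditional lines `conf["install"]["is_configured"] = "true"` and `splunk.rest.simpleRequest("/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey)`. Both handlers also answer a failure with `self.response.write(e)`, which hands the raw exception object (and whatever internal detail its message carries) back to the HTTP caller instead of text; log the exception server-side and write a short fixed body such as `self.response.write(json.dumps({"error": "setup failed"}))`. `splunk.rest` is referenced but only `splunk` and `splunk.bundle` are imported, so whether that attribute resolves depends on the package's own imports; an explicit `import splunk.rest` removes the doubt.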
@@ -0,0 +1,98 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +SSH_CONFIG_FILE="" +if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] ; then + SSH_CONFIG_FILE=/etc/ssh/sshd_config +elif [ "$KERNEL" = "Darwin" ] ; then + SSH_CONFIG_FILE=/etc/sshd_config +else + failUnsupportedScript +fi + +FILL_BLANKS='END { + if (SSHD_PROTOCOL == 0) { + SSHD_PROTOCOL=SSHD_DEFAULT_PROTOCOL + }' + +PRINTF='{printf "%s app=sshd %s %s\n", DATE, FILEHASH, SSHD_PROTOCOL}}' + +if [ "x$SOLARIS_11" != "xtrue" ] ; then + + # If $SSH_CONFIG_FILE file exists and is a regular file. + if [ -f "$SSH_CONFIG_FILE" ] ; then + + assertHaveCommand cat + + # Get file hash + # shellcheck disable=SC2016 + CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE ; cat $SSH_CONFIG_FILE' + + # Get the date. + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0}' + + # Try to use cross-platform case-insensitive matching for text. Note + # that "match", "tolower", IGNORECASE and other common awk commands or + # options are actually nawk/gawk extensions so avoid them if possible. 
+ # shellcheck disable=SC2016 + PARSE_1='/^[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ { + split($0, arr) + num = split(arr[2], protocols, ",") + if (num == 2) { + SSHD_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2] + } else { + SSHD_PROTOCOL="sshd_protocol=" protocols[1] + } + }' + # shellcheck disable=SC2016 + PARSE_2='/^#[[:blank:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]/ { + num=split($0, arr) + protonum = split(arr[num], protocols, ",") + if (protonum == 2) { + SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1] "/" protocols[2] + } else { + SSHD_DEFAULT_PROTOCOL="sshd_protocol=" protocols[1] + } + }' + # shellcheck disable=SC2016 + PARSE_3='/^SHA256/ {FILEHASH="file_hash=" $2}' + + MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3" + + else + # shellcheck disable=SC2016 + echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST" + exit 1 + fi + +else + + if [ -f "$SSH_CONFIG_FILE" ] && [ -r "$SSH_CONFIG_FILE" ] ; then + + # Solaris 11 only supports SSH protocol 2. + assertHaveCommand cat + + # Get file hash + # shellcheck disable=SC2016 + CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $SSH_CONFIG_FILE' + # shellcheck disable=SC2016 + PARSE_0='NR==1 {DATE=$0 ; SSHD_PROTOCOL="sshd_protocol=2"}' + # shellcheck disable=SC2016 + PARSE_1='/^SHA256/ {FILEHASH="file_hash=" $2}' + + MASSAGE="$PARSE_0 $PARSE_1" + + else + echo "SSHD configuration (file: $SSH_CONFIG_FILE) missing or unreadable." >> "$TEE_DEST" + exit 1 + fi + +fi + +$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF" +echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/time.sh b/deployment-apps/Splunk_TA_nix/bin/time.sh new file mode 100755 index 0000000..553e835 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/time.sh 
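Review bot: The non-Solaris branch guards only with `[ -f "$SSH_CONFIG_FILE" ]` while the Solaris 11 branch checks `-f` and `-r`; on the first branch an unreadable file passes the guard, `openssl` and `cat` fail inside the pipeline (whose status is awk's), and an event is still emitted with an empty `file_hash` while the only trace of the error is in `$TEE_DEST`. Use the same `if [ -f "$SSH_CONFIG_FILE" ] && [ -r "$SSH_CONFIG_FILE" ] ; then` in both places. Separately, the `END` block falls back only to `SSHD_DEFAULT_PROTOCOL`, which is set from a commented `# Protocol` line, so a config with neither an active nor a commented `Protocol` directive yields an event with no `sshd_protocol` field at all; a final fallback such as `if (SSHD_PROTOCOL == 0) SSHD_PROTOCOL="sshd_protocol=unknown"` after the existing assignment in `FILL_BLANKS` would keep the field present for downstream searches.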
@@ -0,0 +1,67 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +queryHaveCommand ntpdate +FOUND_NTPDATE=$? + +queryHaveCommand sntp +FOUND_SNTP=$? + +getServer () +{ + if [ -f /etc/ntp.conf ] ; then # Linux; FreeBSD; AIX; Mac OS X maybe + CONFIG=/etc/ntp.conf + elif [ -f /etc/inet/ntp.conf ] ; then # Solaris + CONFIG=/etc/inet/ntp.conf + elif [ -f /private/etc/ntp.conf ] ; then # Mac OS X + CONFIG=/private/etc/ntp.conf + else + CONFIG= + fi + + SERVER_DEFAULT='0.pool.ntp.org' + if [ "$CONFIG" = "" ] ; then + SERVER=$SERVER_DEFAULT + else + # shellcheck disable=SC2016 + SERVER=$($AWK '/^server / {print $2; exit}' "$CONFIG") + SERVER=${SERVER:-$SERVER_DEFAULT} + fi + +} + +#With ntpdate +if [ $FOUND_NTPDATE -eq 0 ] ; then + echo "Found ntpdate command" >> "$TEE_DEST" + getServer + + CMD2="ntpdate -q $SERVER" + echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST" + +#With sntp +elif [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then # Mac OS 10.14.6 or higher version + echo "Found sntp command" >> "$TEE_DEST" + getServer + + CMD2="sntp $SERVER" + echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST" + +#With Chrony +else + CMD2="chronyc -n sources" +fi + +CMD1='date' + +assertHaveCommand $CMD1 +assertHaveCommand "$CMD2" + +$CMD1 | tee -a "$TEE_DEST" +echo "Cmd1 = [$CMD1]" >> "$TEE_DEST" + +$CMD2 | tee -a "$TEE_DEST" +echo "Cmd2 = [$CMD2]" >> "$TEE_DEST" diff --git a/deployment-apps/Splunk_TA_nix/bin/top.sh b/deployment-apps/Splunk_TA_nix/bin/top.sh new file mode 100755 index 0000000..82d3d86 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/top.sh 
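Review bot: `assertHaveCommand "$CMD2"` passes the whole command line (for example `ntpdate -q 0.pool.ntp.org`) as a single word, whereas `assertHaveCommand $CMD1` on the line above is left unquoted; if `assertHaveCommand` (defined in common.sh, outside this hunk) looks its argument up as one command name, the quoted form cannot resolve and the script aborts even when ntpdate is installed. Pass only the executable, e.g. `assertHaveCommand "${CMD2%% *}"`. A header comment would also help here, since it is not obvious from the script name that when ntpdate or sntp is found the script sends an NTP query over the network on every run, to the first `server` entry of the ntp configuration or to `0.pool.ntp.org` when no configuration file is found.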
@@ -0,0 +1,87 @@ +#!/bin/sh +# SPDX-FileCopyrightText: 2021 Splunk, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# shellcheck disable=SC1091 +. "$(dirname "$0")"/common.sh + +HEADER=' PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND' +# shellcheck disable=SC2016 +PRINTF='{printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}' + +CMD='top' + +if [ "$KERNEL" = "Linux" ] ; then + CMD='top -bn 1' + FILTER='{if (NR < 7) next}' + # shellcheck disable=SC2016 + HEADERIZE='{NR == 7 && $0 = header}' +elif [ "$KERNEL" = "SunOS" ] ; then + CMD='prstat -n 999 1 1' + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER='(NR==1) {next} /^Total:|^$/ {exit}' + # shellcheck disable=SC2016 + FORMAT_DOMAIN='{virt=$3; res=$4; stateRaw=$5; pr=$6; ni=$7; cpuTIME=$8; pctCPU=0.0+$9; sub("/.*$", "", $10); command=$10 ? $10 : ""}' + SPECIFY_STATES_MAP='BEGIN {map["sleep"]="S"; map["stop"]="T"; map["zombie"]="Z"; map["wait"]="D"; map["cpu"]="R"}' + MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]}' + # shellcheck disable=SC2016 + FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}' + FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE" +elif [ "$KERNEL" = "AIX" ] ; then + CMD="eval /usr/sysv/bin/ps -eo pid,user,pri,nice,vsz,rss,s,s,pcpu,pmem,time,comm" + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER='/PID/{next}' + # shellcheck disable=SC2016 + FORMAT='{$7="?" ; sub("A","R",$8)}' + # Substitute ? 
for temporary [field 7] & + # Substitute R(running) for A(Active) on field 8 in AIX by Jacky Ho, Systex +elif [ "$KERNEL" = "Darwin" ] ; then + if [ "$OSX_MAJOR_VERSION" = 10 ] && [ "$OSX_MINOR_VERSION" -ge 9 ] || [ "$OSX_MAJOR_VERSION" -ge 11 ]; then + # OS X 10.9 does not report rshrd statistic (Resident Shared Address Space Size) + CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,cpu,time,command" + # shellcheck disable=SC2016 + FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr="?"; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}' + elif $OSX_GE_SNOW_LEOPARD; then + CMD="eval top -F -l 2 -ocpu -Otime -stats pid,username,vsize,rsize,rshrd,cpu,time,command" + # shellcheck disable=SC2016 + FORMAT='{gsub("[+-] ", " "); virt=$3; res=$4; shr=$5; pctCPU=$6; cpuTIME=$7; command=$8; $3="?"; $4="?"; $5=virt; $6=res; $7=shr; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}' + else + CMD="eval top -F -l 2 -ocpu -Otime -t -R -p '^aaaaa ^nnnnnnnnnnnnnnnnnn ^lllll ^jjjjj ^ccccc ^ddddd ^bbbbbbbbbbbbbbbbbbbbbbbbbbbbb'" + # shellcheck disable=SC2016 + FORMAT='{ virt=$3; res=$4; pctCPU=$5; cpuTIME=$6; command=$7; $3="?"; $4="?"; $5=virt; $6=res; $7="?"; $8="?"; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}' + fi + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER='/ %CPU / {reportOrd++; next} {if ((reportOrd < 2) || !length) next}' +elif [ "$KERNEL" = "HP-UX" ] ; then + assertHaveCommand ps + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER='/PID/{next}' + export UNIX95=1 + CMD='ps -e -o pid,user,pri,nice,vsz,state,pcpu,time,comm' + # shellcheck disable=SC2016 + PRINTF='{q="?"; printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, q, q, $6, $7, q, $8, $9}' +elif [ "$KERNEL" = "FreeBSD" ] ; then + line=$(top -Sb 999 | grep -n -m 1 "PID" | cut -f1 -d:) + CMD='top -Sb 999' + HEADERIZE="BEGIN {print \"$HEADER\"}" + FILTER='(NR<='$line') {next} /^$/ {next}' + 
# shellcheck disable=SC2016 + FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$10; pctCPU=0+$11; command=$12}' + SPECIFY_STATES_MAP='BEGIN {map["SLEEP"]="S"; map["STOP"]="T"; map["ZOMB"]="Z"; map["WAIT"]="D"; map["LOCK"]="D"; map["START"]="R"; map["RUN"]="R"; map["CPU"]="R"}' + MAP_STATE='{sub("[0-9]+$", "", stateRaw); state=map[stateRaw]; state=state ? state : "?"}' + # shellcheck disable=SC2016 + FORMAT_RANGE='{$3=pr; $4=ni; $5=virt; $6=res; $7="?"; $8=state; $9=pctCPU; $10="?"; $11=cpuTIME; $12=command}' + FORMAT="$FORMAT_DOMAIN $SPECIFY_STATES_MAP $MAP_STATE $FORMAT_RANGE" +fi +# shellcheck disable=SC2086 +assertHaveCommand $CMD + +out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER") +lines=$(echo "$out" | wc -l) + +if [ "$lines" -gt 1 ]; then + echo "$out" + echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST" +else + echo "No data is present" >> "$TEE_DEST" +fi diff --git a/deployment-apps/Splunk_TA_nix/bin/update.sh b/deployment-apps/Splunk_TA_nix/bin/update.sh new file mode 100755 index 0000000..3bb2b95 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/bin/update.sh 
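Review bot: In the FreeBSD branch `line=$(top -Sb 999 | grep -n -m 1 "PID" | cut -f1 -d:)` runs `top` before the `assertHaveCommand $CMD` check and, if the probe prints nothing, leaves `line` empty so `FILTER` becomes `(NR<=) {next}` — an awk syntax error rather than the intended "No data is present" path. Guard the probe with `assertHaveCommand top` before it and `line=${line:-0}` after it, so a missing header row skips nothing instead of breaking the awk program. The probe also runs the full `top -Sb 999` a second time just to locate the header; since FreeBSD's output is not visible here this is a suggestion only, but a FILTER that skips until the line matching `/PID/` (as the AIX and HP-UX branches do with `/PID/{next}`) would avoid the extra run and the empty-variable case altogether.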
@@ -0,0 +1,110 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+if [ "$KERNEL" = "Linux" ] ; then
+ assertHaveCommand date
+ OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
+ # Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages
+ if [ "$OSName" = "Ubuntu" ]; then
+ assertHaveCommand apt
+ assertHaveCommand sed
+ # sed command here replaces '/, [, ]' with ' '
+ CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {DATE=$0}'
+ # shellcheck disable=SC2016
+ PARSE_1='NR>2 { printf "%s package=%s ubuntu_update_stream=%s latest_package_version=%s ubuntu_architecture=%s current_package_version=%s\n", DATE, $1, $2, $3, $4, $7}'
+ MESSAGE="$PARSE_0 $PARSE_1"
+ else
+ assertHaveCommand yum
+
+ CMD='eval date ; yum check-update'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {
+ DATE=$0
+ PROCESS=0
+ UPDATES["addons"]=0
+ UPDATES["base"]=0
+ UPDATES["extras"]=0
+ UPDATES["updates"]=0
+ }'
+
+ # Skip extraneous text up to first blank line.
+ # shellcheck disable=SC2016
+ PARSE_1='NR>1 && PROCESS==0 && $0 ~ /^[[:blank:]]*$|^$/ {
+ PROCESS=1
+ }'
+ # shellcheck disable=SC2016
+ PARSE_2='NR>1 && PROCESS==1 {
+ num = split($0, update_array)
+ if (num == 3) {
+ # Record the update count
+ UPDATES[update_array[3]] = UPDATES[update_array[3]]+1
+ printf "%s package=\"%s\" package_type=\"%s\"\n", DATE, update_array[1], update_array[3]
+ } else if (num==2 && update_array[1] != "") {
+ printf "%s package=\"%s\"\n", DATE, update_array[1]
+ }
+ }'
+
+ PARSE_3='END {
+ TOTALS=""
+ for (key in UPDATES) {
+ TOTALS=TOTALS key "=" UPDATES[key] " "
+ }
+ printf "%s %s\n", DATE, TOTALS
+ }'
+
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
+ fi
+
+elif [ "$KERNEL" = "Darwin" ] ; then
+ assertHaveCommand date
+ assertHaveCommand softwareupdate
+
+ CMD='eval date ; softwareupdate -l'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {
+ DATE=$0
+ PROCESS=0
+ TOTAL=0
+ }'
+
+ # If the first non-space character is an asterisk, assume this is the name
+ # of the update. Otherwise, print the update.
+ # shellcheck disable=SC2016
+ PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ {
+ if ( $0 ~ /^[[:blank:]]*\*/ ) {
+ PACKAGE="package=\"" $2 "\""
+ RECOMMENDED=""
+ RESTART=""
+ TOTAL=TOTAL+1
+ } else {
+ if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" }
+ if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" }
+ printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART
+ }
+ }'
+
+ # Use sentinel value to skip all text prior to update list.
+ # shellcheck disable=SC2016
+ PARSE_2='NR>1 && PROCESS==0 && $0 ~ /found[[:blank:]]the[[:blank:]]following/ {
+ PROCESS=1
+ }'
+
+ PARSE_3='END {
+ printf "%s total_updates=%s\n", DATE, TOTAL
+ }'
+
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
+
+else
+ # Exits
+ failUnsupportedScript
+fi
+
+$CMD | tee "$TEE_DEST" | $AWK "$MESSAGE"
+echo "Cmd = [$CMD]; | $AWK '$MESSAGE'" >> "$TEE_DEST"
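Review bot: The distribution switch `if [ "$OSName" = "Ubuntu" ]; then` sends every non-Ubuntu system, including Debian and the Ubuntu derivatives whose os-release NAME differs, into the yum branch, where `assertHaveCommand yum` aborts the input. Testing for the package manager instead of the name (`if command -v apt >/dev/null 2>&1; then`) or keying on `ID`/`ID_LIKE` from os-release would cover the apt family without enumerating distributions. `yum check-update` signals pending updates through exit status 100 and errors through 1, and the pipeline discards both, so a failed check still emits a totals record with every counter at 0; until the status is handled, a comment such as `# yum check-update exits 100 when updates are pending; the status is not checked here` should record that. `OSName` is read with `grep '\bNAME='`, whose `\b` is a GNU extension; that is fine in the Linux branch but worth a comment since the same idiom would not port to the other kernels handled by these scripts.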
diff --git a/deployment-apps/Splunk_TA_nix/bin/uptime.sh b/deployment-apps/Splunk_TA_nix/bin/uptime.sh
new file mode 100755
index 0000000..a889846
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/uptime.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+PRINTF='END {printf "%s SystemUpTime=%s\n", DATE, UPTIME}'
+
+# On HP-UX the `ps` command will only recognize the `-o` option if
+# the `UNIX95` environment variable is set. So do it.
+#
+# Careful: The `UNIX95` environment variable affects other common
+# commands like `cp`.
+if [ "$KERNEL" = "HP-UX" ]; then
+ export UNIX95=1
+fi
+
+# This should work for any POSIX-compliant system, but in case it doesn't
+# we have left the individual OS names here to be broken out later on.
+if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
+ assertHaveCommand date
+ assertHaveCommand ps
+ CMD='eval date; LC_ALL=POSIX ps -o etime= -p 1'
+ # Get the date.
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {DATE=$0}'
+ # Parse timestamp using only POSIX AWK functions. The match, do/while,
+ # and exponentiation commands may not be available on some systems.
+ # shellcheck disable=SC2016
+ PARSE_1='NR==2 {
+ if (index($1,"-") != 0) {
+ split($1, array, "-")
+ UPTIME=86400*array[1]
+ num=split(array[2], TIME, ":")
+ } else {
+ UPTIME=0
+ num=split($1, TIME, ":")
+ }
+ for (i=num; i>0; i--) {
+ SECS=TIME[i]
+ for (j=num-i; j>0; j--) {
+ SECS = SECS * 60
+ }
+ UPTIME = UPTIME + SECS
+ }
+ }'
+ MASSAGE="$PARSE_0 $PARSE_1"
+fi
+
+$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
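Review bot: No `else` branch handles an unsupported kernel, so `CMD` stays empty, the final pipeline runs with nothing in front of `tee`, and awk's END rule still emits a ` SystemUpTime=` record with empty fields instead of failing; update.sh in this commit closes its chain with `else` / `failUnsupportedScript`, and the same two lines before `fi` would fix this here. version.sh, vmstat.sh and vmstat_metric.sh in this commit have the same gap. `$HEADERIZE`, `$FILL_BLANKS` and `header="$HEADER"` on the last two lines are never assigned in this script and expand to nothing, so dropping them from the awk invocation would make the script read as what it actually runs.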
diff --git a/deployment-apps/Splunk_TA_nix/bin/usersWithLoginPrivs.sh b/deployment-apps/Splunk_TA_nix/bin/usersWithLoginPrivs.sh
new file mode 100755
index 0000000..1360c09
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/usersWithLoginPrivs.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+HEADER='USERNAME UID GID HOME_DIR USER_INFO'
+HEADERIZE="BEGIN {print \"$HEADER\"}"
+
+CMD='cat /etc/passwd'
+AWK_IFS='-F:'
+# shellcheck disable=SC2016
+FILTER='($NF !~ /sh$/) {next}'
+# shellcheck disable=SC2016
+PRINTF='{printf "%-30.30s %-30.30s %-30.30s %-60.60s %s\n", $1, $3, $4, $6, $5}'
+
+if [ "$KERNEL" = "Linux" ] ; then
+ # shellcheck disable=SC2016
+ FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
+elif [ "$KERNEL" = "SunOS" ] ; then
+ # shellcheck disable=SC2016
+ FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
+elif [ "$KERNEL" = "AIX" ] ; then
+ # shellcheck disable=SC2016
+ FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
+elif [ "$KERNEL" = "HP-UX" ] ; then
+ # shellcheck disable=SC2016
+ FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
+elif [ "$KERNEL" = "Darwin" ] ; then
+ CMD='dscacheutil -q user'
+ AWK_IFS=''
+ # shellcheck disable=SC2016
+ MASSAGE='/^name: / {username = $2} /^uid: / {UID = $2} /^gid: / {GID = $2} /^dir: / {homeDir = $2} /^shell: / {shell = $2} /^gecos: / {userInfo = $2; for (i=3; i<=NF; i++) userInfo = userInfo " " $i} !/^gecos: / {next}'
+ FILTER='{if (shell !~ /sh$/) next; if (homeDir ~ /^[0-9]+$/) next}'
+ PRINTF='{printf "%-30.30s %-30.30s %-30.30s %-60.60s %s\n", username, length(UID) ? UID : "?", length(GID) ? GID : "?", length(homeDir) ? homeDir : "?", userInfo}'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ # shellcheck disable=SC2016
+ FILL_BLANKS='{$5 || $5 = "?"; length($4) || $4 = "?"; length($3) || $3 = "?"}'
+fi
+
+assertHaveCommand "$CMD"
+# shellcheck disable=SC2086
+$CMD | tee "$TEE_DEST" | $AWK $AWK_IFS "$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF" header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK $AWK_IFS '$HEADERIZE $MASSAGE $FILTER $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/version.sh b/deployment-apps/Splunk_TA_nix/bin/version.sh
new file mode 100755
index 0000000..05c7fda
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/version.sh
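Review bot: `FILTER='($NF !~ /sh$/) {next}'` decides login capability solely from the shell's name ending in `sh`, so locked or password-disabled accounts with `/bin/bash` are still listed while a valid shell whose name does not end in `sh` is dropped; for a dataset named "users with login privileges" that is a silent accuracy limit. Checking the shell against `/etc/shells` where that file exists would be a more defensible criterion, and in any case a comment above FILTER, `# "login privilege" here means a login shell whose name ends in sh; locked passwords are not considered`, should state the rule. The identical `FILL_BLANKS` assignment is repeated in five branches; assign it once before the `if` and let the Darwin branch override it, as that branch already does for CMD, FILTER and PRINTF. `assertHaveCommand "$CMD"` passes the whole `cat /etc/passwd` string as one argument, whereas the end of the top.sh hunk calls `assertHaveCommand $CMD` unquoted with SC2086 disabled; whether common.sh accepts the quoted form is outside this diff, but the two scripts should agree.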
@@ -0,0 +1,44 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+PRINTF='END {printf "%s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER}'
+
+
+if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
+ assertHaveCommand date
+ assertHaveCommand uname
+ CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v ; eval uname -p'
+elif [ "$KERNEL" = "HP-UX" ] ; then
+ # HP-UX lacks -p switch.
+ assertHaveCommand date
+ assertHaveCommand uname
+ CMD='eval date ; eval uname -m ; eval uname -r ; eval uname -s ; eval uname -v'
+elif [ "$KERNEL" = "AIX" ] ; then
+ # AIX uses oslevel for version and release switch.
+ assertHaveCommand date
+ assertHaveCommand uname
+ CMD='eval date ; eval uname -m ; eval oslevel -r ; eval uname -s ; eval oslevel -s'
+fi
+
+# Get the date.
+# shellcheck disable=SC2016
+PARSE_0='NR==1 {DATE=$0}'
+# shellcheck disable=SC2016
+PARSE_1='NR==2 {MACH_HW_NAME="machine_hardware_name=\"" $0 "\""}'
+# shellcheck disable=SC2016
+PARSE_2='NR==3 {OS_REL="os_release=\"" $0 "\""}'
+# shellcheck disable=SC2016
+PARSE_3='NR==4 {OS_NAME="os_name=\"" $0 "\""}'
+# shellcheck disable=SC2016
+PARSE_4='NR==5 {OS_VER="os_version=\"" $0 "\""}'
+# shellcheck disable=SC2016
+PARSE_5='NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}'
+
+MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5"
+
+$CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $PRINTF"
+echo "Cmd = [$CMD]; | $AWK '$MASSAGE $PRINTF'" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/vmstat.sh b/deployment-apps/Splunk_TA_nix/bin/vmstat.sh
new file mode 100755
index 0000000..2a21e4a
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/vmstat.sh
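Review bot: On HP-UX the command chain yields only five lines, so `PARSE_5` (`NR==6`) never fires and the record is printed with an empty `MACH_ARCH_NAME` slot rather than the `?` placeholder the other scripts in this commit use for unavailable values; a default in the same rule, `PARSE_5='BEGIN {MACH_ARCH_NAME="machine_architecture_name=\"?\""} NR==6 {MACH_ARCH_NAME="machine_architecture_name=\"" $0 "\""}'`, keeps the field present. The AIX branch runs `oslevel` twice but only asserts `date` and `uname`; add `assertHaveCommand oslevel` there so a missing binary fails the same way the other tools do. The `assertHaveCommand date` / `assertHaveCommand uname` pair is identical in all three branches and can be hoisted above the `if`.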
@@ -0,0 +1,181 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
+# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
+# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
+
+HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS'
+HEADERIZE="BEGIN {print \"$HEADER\"}"
+PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %10.2f %10.2f %10.2f\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS}'
+DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
+
+if [ "$KERNEL" = "Linux" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand vmstat
+ assertHaveCommand sar
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
+ # shellcheck disable=SC2016
+ PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
+ # shellcheck disable=SC2016
+ PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
+elif [ "$KERNEL" = "SunOS" ] ; then
+ assertHaveCommand vmstat
+ assertHaveCommandGivenPath /usr/sbin/swap
+ assertHaveCommandGivenPath /usr/sbin/prtconf
+ assertHaveCommand prstat
+ assertHaveCommand sar
+ if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
+ # shellcheck disable=SC2016
+ CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
+ else
+ # shellcheck disable=SC2016
+ CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
+ fi
+ # shellcheck disable=SC2016
+ PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
+ # shellcheck disable=SC2016
+ PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
+ # shellcheck disable=SC2016
+ PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
+ # shellcheck disable=SC2016
+ PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
+ # Sample output: http://opensolarisforum.org/man/man1/sar.html
+ if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
+ # shellcheck disable=SC2016
+ PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
+ # shellcheck disable=SC2016
+ PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
+ else
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
+ # shellcheck disable=SC2016
+ PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
+ fi
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
+elif [ "$KERNEL" = "AIX" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand vmstat
+ assertHaveCommandGivenPath /usr/sbin/lsps
+ assertHaveCommandGivenPath /usr/bin/svmon
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
+ # ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
+ # shellcheck disable=SC2016
+ PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
+ # shellcheck disable=SC2016
+ PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
+ # shellcheck disable=SC2016
+ PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
+ # no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
+ # shellcheck disable=SC2016
+ PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
+ # shellcheck disable=SC2016
+ PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
+ DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $DERIVE"
+elif [ "$KERNEL" = "HP-UX" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand /usr/sbin/swapinfo
+ assertHaveCommand vmstat
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
+ # shellcheck disable=SC2016
+ PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
+ # shellcheck disable=SC2016
+ PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
+ # shellcheck disable=SC2016
+ PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
+ # Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
+ # shellcheck disable=SC2016
+ PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
+elif [ "$KERNEL" = "Darwin" ] ; then
+ assertHaveCommand sysctl
+ assertHaveCommand top
+ assertHaveCommand sar
+ # shellcheck disable=SC2016
+ CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
+ FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
+ # shellcheck disable=SC2016
+ PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
+ # shellcheck disable=SC2016
+ PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
+ # shellcheck disable=SC2016
+ PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
+ # shellcheck disable=SC2016
+ PARSE_3='/^VM:/ {pgPageOut=0+$7}'
+ if $OSX_GE_SNOW_LEOPARD; then
+ # shellcheck disable=SC2016
+ PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
+ else
+ # shellcheck disable=SC2016
+ PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
+ fi
+ # shellcheck disable=SC2016
+ PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
+ # shellcheck disable=SC2016
+ PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
+ MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
+ FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ # shellcheck disable=SC2016
+ CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
+ FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
+ # shellcheck disable=SC2016
+ PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
+ # shellcheck disable=SC2016
+ PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
+ # shellcheck disable=SC2016
+ PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
+ MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
+ FILL_BLANKS='END {threads=pgSwapOut="?"}'
+fi
+
+$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/vmstat_metric.sh b/deployment-apps/Splunk_TA_nix/bin/vmstat_metric.sh
new file mode 100755
index 0000000..3c77a45
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/vmstat_metric.sh
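Review bot: The Linux `PARSE_5`/`PARSE_6` rules find the sar header row with `$3 ~ "INTR"` and `$3 ~ "pgpgin*"`, which assumes the column name sits in field 3; sar appears to print its timestamp in the locale's time format, so that holds only when the format carries an AM/PM token, and under a 24-hour locale the name is field 2, the rules never match, and `interrupts_PS`, `pgPageIn_PS` and `pgPageOut_PS` silently stay 0 in an otherwise normal-looking record. Matching the name anywhere on the row and not counting timestamp fields is locale-proof: for the interrupt line `/ INTR / {nr[NR+3]} NR in nr {interrupts_PS=$NF}`, and for the paging line a short loop over the header fields that stores the index of `pgpgin/s` and then reads `$idx` and `$(idx+1)` from the sample row. The Linux branch of vmstat_metric.sh uses the same `$3` lookup, and the FreeBSD branch here carries the same two rules although its `CMD` runs no sar, so they are dead code there. Every `CMD` in this file also embeds `` `dirname $0`/hardware.sh `` unquoted, unlike the `"$(dirname "$0")"/common.sh` line at the top, so a script path containing whitespace breaks the CPU-count step; compute `HW_SCRIPT="$(dirname "$0")"/hardware.sh` once and reference `"$HW_SCRIPT"` inside the CMD strings.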
@@ -0,0 +1,193 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
+# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
+# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
+
+HEADER='memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS OSName OS_version IP_address'
+HEADERIZE="BEGIN {print \"$HEADER\"}"
+PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %13.2f %11.2f %12.2f %-35s %15s %-16s\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS, OSName, OS_version, IP_address}'
+DERIVE='END {memUsed
MB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
+FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?"}'
+
+if [ "$KERNEL" = "Linux" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand vmstat
+ assertHaveCommand sar
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
+ if [ ! -f "/etc/os-release" ] ; then
+ DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
+ else
+ DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
+ fi
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
+ # shellcheck disable=SC2016
+ PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
+ # shellcheck disable=SC2016
+ PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_5='($3 ~ "INTR") {nr[NR+3]} NR in nr {interrupts_PS=$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$2; pgPageOut_PS=$3}'
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
+elif [ "$KERNEL" = "SunOS" ] ; then
+ assertHaveCommand vmstat
+ assertHaveCommandGivenPath /usr/sbin/swap
+ assertHaveCommandGivenPath /usr/sbin/prtconf
+ assertHaveCommand prstat
+ assertHaveCommand sar
+ if [ "$SOLARIS_8" = "true" ] || [ "$SOLARIS_9" = "true" ] ; then
+ # shellcheck disable=SC2016
+ CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
+ else
+ # shellcheck disable=SC2016
+ CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2 | sed "3d" ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
+ fi
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ # shellcheck disable=SC2016
+ PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
+ # shellcheck disable=SC2016
+ PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
+ # shellcheck disable=SC2016
+ PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
+ # shellcheck disable=SC2016
+ PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
+ # Sample output: http://opensolarisforum.org/man/man1/sar.html
+ if [ "$SOLARIS_10" = "true" ] || [ "$SOLARIS_11" = "true" ] ; then
+ # shellcheck disable=SC2016
+ PARSE_6='($1 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$3;}'
+ # shellcheck disable=SC2016
+ PARSE_7='($3 ~ "ppgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$3}'
+ else
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "atch*") {nr[NR+3]} NR in nr {pgPageIn_PS=$5}'
+ # shellcheck disable=SC2016
+ PARSE_7='($3 ~ "pgout*") {nr2[NR+3]} NR in nr2 {pgPageOut_PS=$4}'
+ fi
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
+elif [ "$KERNEL" = "AIX" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand vmstat
+ assertHaveCommandGivenPath /usr/sbin/lsps
+ assertHaveCommandGivenPath /usr/bin/svmon
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; ps -em | wc -l ; /usr/sbin/lsps -s ; vmstat 1 1 | tail -1 ; vmstat -s ; svmon; `dirname $0`/hardware.sh;'
+ DEFINE="-v OSName=$(uname -s) -v OSVersion=$(oslevel -r | cut -d'-' -f1) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1-processes }'
+ # ps -em inclundes processes with there threads ( at least one), so processes must be excluded to count threads #
+ # shellcheck disable=SC2016
+ PARSE_1='(NR==5) {swapUsedPercentage=substr( $NF, 1, length($NF)-1 )} (NR==6) {pgPageIn_PS=0+$(NF-13); pgPageOut_PS=0+$(NF-12)}'
+ # shellcheck disable=SC2016
+ PARSE_2='/^memory / {memTotalMB=$2 / 256 ; memFreeMB=$4 / 256}'
+ # shellcheck disable=SC2016
+ PARSE_3='/paging space page outs$/ {pgPageOut=$1 ; pgSwapOut="?" }'
+ # no pgSwapOut parameter and can't be monitored in AIX (by Jacky Ho, Systex)
+ # shellcheck disable=SC2016
+ PARSE_4='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1 ; forks="?" }'
+ # shellcheck disable=SC2016
+ PARSE_5='/^CPU_COUNT/ {cpuCount=$2}'
+ PARSE_6='{OS_version=OSVersion/1000}'
+ DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsedPercentage ? swapUsedPercentage : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
+elif [ "$KERNEL" = "HP-UX" ] ; then
+ assertHaveCommand uptime
+ assertHaveCommand ps
+ assertHaveCommand /usr/sbin/swapinfo
+ assertHaveCommand vmstat
+ # shellcheck disable=SC2016
+ CMD='eval uptime ; ps -e | wc -l ; /usr/sbin/swapinfo -m; vmstat -f; vmstat -s; `dirname $0`/hardware.sh; vmstat 1 2'
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} {threads="?"}'
+ # shellcheck disable=SC2016
+ PARSE_1='NR==5 {swapUsed=$3; swapFree=$4}'
+ # shellcheck disable=SC2016
+ PARSE_2='/^memory / {memTotalMB=$2; memUsedMB=$3; memFreeMB=$4}'
+ # shellcheck disable=SC2016
+ PARSE_3='(NR>=8 && $2=="forks,") {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_4='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
+ # shellcheck disable=SC2016
+ PARSE_5='/interrupts$/ {interrupts=$1} /cpu context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
+ # shellcheck disable=SC2016
+ PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
+ # Sample output: http://ibgwww.colorado.edu/~lessem/psyc5112/usail/man/hpux/vmstat.1.html
+ # shellcheck disable=SC2016
+ PARSE_7='/^procs/ {nr[NR+3]} NR in nr {pgPageIn_PS=$8; pgPageOut_PS=$9; interrupts_PS=$13}'
+ MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $DERIVE"
+elif [ "$KERNEL" = "Darwin" ] ; then
+ assertHaveCommand sysctl
+ assertHaveCommand top
+ assertHaveCommand sar
+ # shellcheck disable=SC2016
+ CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
+ # shellcheck disable=SC2016
+ PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
+ # shellcheck disable=SC2016
+ PARSE_1='/^PhysMem:/ {memFreeMB=toMB($6)+toMB($10)}' # we count "inactive" as "free", since it can be made available w/o a pagein/swapin
+ # shellcheck disable=SC2016
+ PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
+ # shellcheck disable=SC2016
+ PARSE_3='/^VM:/ {pgPageOut=0+$7}'
+ if $OSX_GE_SNOW_LEOPARD; then
+ # shellcheck disable=SC2016
+ PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
+ else
+ # shellcheck disable=SC2016
+ PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
+ fi
+ # shellcheck disable=SC2016
+ PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
+ # shellcheck disable=SC2016
+ PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
+ MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
+ FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ # shellcheck disable=SC2016
+ CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
+ DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
+ FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
+ # shellcheck disable=SC2016
+ PARSE_0='(NR==1) {memTotalMB=$2 / (1024*1024)}'
+ # shellcheck disable=SC2016
+ PARSE_1='/pager pages paged out$/ {pgPageOut+=$1} /fork\(\) calls$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
+ # shellcheck disable=SC2016
+ PARSE_2='/load averages:/ {loadAvg1mi=$6} /^[0-9]+ processes: / {processes=$1}'
+ # shellcheck disable=SC2016
+ PARSE_3='/^Swap: / {if(NF <= 5){ swapTotal=toMB($2); swapFree=toMB($4); swapUsed=swapTotal-swapFree; } else{ swapUsed=toMB($4); swapFree=toMB($6)}} /^Mem: / {memFreeMB=toMB($4)+toMB($12)}'
+ # shellcheck disable=SC2016
+ PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
+ # shellcheck disable=SC2016
+ PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
+ # shellcheck disable=SC2016
+ PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
+ MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
+ FILL_BLANKS='END {threads=pgSwapOut="?"}'
+fi
+# shellcheck disable=SC2086
+$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER"
+echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
diff --git a/deployment-apps/Splunk_TA_nix/bin/vsftpdChecker.sh b/deployment-apps/Splunk_TA_nix/bin/vsftpdChecker.sh
new file mode 100755
index 0000000..f693b2a
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/vsftpdChecker.sh
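Review bot: `$DEFINE` is handed to awk unquoted (`$AWK $DEFINE "..."`, SC2086 suppressed), so each `-v name=value` pair stays intact only while every substituted value is free of whitespace; the Linux branches strip spaces from OSName with `tr`, but `OS_version` and `IP_address` get no such treatment, and the `ifconfig -a | grep 'inet '` variants depend on the first non-loopback `inet` line carrying a single-token address in field 2. Exporting the three values and reading them in awk with `BEGIN {OSName=ENVIRON["OSName"]; OS_version=ENVIRON["OS_version"]; IP_address=ENVIRON["IP_address"]}` passes them whitespace-safely without array support in sh and removes the reason for the SC2086 suppression. The AIX branch alone passes `-v OSVersion=` and derives `OS_version` in `PARSE_6='{OS_version=OSVersion/1000}'`; if `oslevel` output is empty the division yields `0`, which `length()` treats as present, so the `?` fallback in FILL_DIMENSIONS never applies on AIX, and a comment such as `# AIX: oslevel -r gives e.g. 7200-04; the leading number / 1000 is the release (7.2) — confirm intended scale` would explain the division. The parsing rules duplicate vmstat.sh almost line for line, including the locale-dependent `$3` sar header lookup raised on that hunk; moving the shared PARSE_* definitions into one sourced file would keep the two scripts from drifting.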
@@ -0,0 +1,65 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+# VSFTPD configuration file format is common to all platforms, but may be in one
+# of several locations (and may also be restricted to root).
+if [ -f /etc/vsftpd.conf ] ; then
+ VSFTPD_CONFIG_FILE=/etc/vsftpd.conf
+elif [ -f /etc/vsftpd/vsftpd.conf ] ; then
+ VSFTPD_CONFIG_FILE=/etc/vsftpd/vsftpd.conf
+elif [ -f /private/etc/vsftpd.conf ] ; then
+ # Usually MAC OS X
+ VSFTPD_CONFIG_FILE=/private/etc/vsftpd.conf
+elif [ -f /usr/local/etc/vsftpd.conf ] ; then
+ # To support MAC OS 10.15
+ VSFTPD_CONFIG_FILE=/usr/local/etc/vsftpd.conf
+fi
+
+# Set the default. If the file is readable and has "anonymous_enable" commented
+# out, the default behavior is to ALLOW anonymous FTP. Reset the value of
+# anonymous_enable in the output if this is the case
+# line, then the allowed protocols will be the default of "2,1".
+FILL_BLANKS='END {
+ if (ANON_DEFAULT != 0) {
+ ANON_ENABLE=ANON_DEFAULT
+ }'
+PRINTF='{printf "%s app=vsftp %s %s %s\n", DATE, FILEHASH, LOCAL_ENABLE, ANON_ENABLE}}'
+
+# If $VSFTPD_CONFIG_FILE file exists and is a regular file.
+if [ -f "$VSFTPD_CONFIG_FILE" ] ; then
+
+ assertHaveCommand cat
+ assertHaveCommand date
+
+ # Get file hash
+ # shellcheck disable=SC2016
+ CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $VSFTPD_CONFIG_FILE ; cat $VSFTPD_CONFIG_FILE'
+
+ # Get the date.
+ # shellcheck disable=SC2016
+ PARSE_0='NR==1 {DATE=$0}'
+
+ # Try to use cross-platform case-insensitive matching for text. Note
+ # that "match", "tolower", IGNORECASE and other common awk commands or
+ # options are actually nawk/gawk extensions so avoid them if possible.
+ # shellcheck disable=SC2016
+ PARSE_1='/[Ll][Oo][Cc][Aa][Ll][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; LOCAL_ENABLE="local_enable=" arr[2] } '
+ # shellcheck disable=SC2016
+ PARSE_2='/^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; ANON_ENABLE="anonymous_enable=" arr[2] } '
+ # The default behavior is to permit anonymous FTP
+ PARSE_3='/^[#]+[[:blank:]]*[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { ANON_DEFAULT="anonymous_enable=YES"} '
+ # shellcheck disable=SC2016
+ PARSE_4='/^SHA256/ {FILEHASH="file_hash=" $2}'
+
+ MASSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4"
+
+ $CMD | tee "$TEE_DEST" | $AWK "$MASSAGE $FILL_BLANKS $PRINTF"
+ echo "Cmd = [$CMD]; | $AWK '$MASSAGE $FILL_BLANKS $PRINTF'" >> "$TEE_DEST"
+
+else
+ echo "VSFTPD configuration file not found." >> "$TEE_DEST"
+fi
diff --git a/deployment-apps/Splunk_TA_nix/bin/who.sh b/deployment-apps/Splunk_TA_nix/bin/who.sh
new file mode 100755
index 0000000..5696d39
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/bin/who.sh
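Review bot: PARSE_1 on this line matches `local_enable` anywhere in the line, so a commented-out `#local_enable=YES` in vsftpd.conf is reported as the live setting and, since the last awk match wins, can override the real directive depending on line order, whereas PARSE_2 anchors `anonymous_enable` to the start of the line; anchor PARSE_1 the same way, `PARSE_1='/^[Ll][Oo][Cc][Aa][Ll][_][Ee][Nn][Aa][Bb][Ll][Ee]/ { split($0, arr, "=") ; LOCAL_ENABLE="local_enable=" arr[2] } '`. The header comment above FILL_BLANKS ends with `# line, then the allowed protocols will be the default of "2,1".`, which describes sshd_config rather than this file and should be dropped. PARSE_3 is also the only PARSE_ assignment without the `# shellcheck disable=SC2016` line its siblings carry.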
@@ -0,0 +1,41 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2021 Splunk, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# shellcheck disable=SC1091
+. "$(dirname "$0")"/common.sh
+
+CMD='who -H'
+HEADER='USERNAME LINE HOSTNAME TIME'
+# shellcheck disable=SC2016
+HEADERIZE='{NR == 1 && $0 = header}'
+# shellcheck disable=SC2016
+FORMAT='{length(hostname) || hostname=$NF; gsub("[)(]", "",hostname); time=$3; for (i=4; i<=lastTimeColumn; i++) time = time " " $i}'
+# shellcheck disable=SC2016
+PRINTF='{if (NR == 1) {print $0} else {printf "%-14s %-10s %-40.40s %-s\n", $1,$2,hostname,time}}'
+
+if [ "$KERNEL" = "Linux" ] ; then
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = ""; lastTimeColumn = NF}}'
+elif [ "$KERNEL" = "SunOS" ] ; then
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = ""; lastTimeColumn = NF}}'
+elif [ "$KERNEL" = "AIX" ] ; then
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = ""; lastTimeColumn = NF}}'
+elif [ "$KERNEL" = "HP-UX" ] ; then
+ CMD='who -HR'
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 5) {hostname = ""; lastTimeColumn = NF}}'
+elif [ "$KERNEL" = "Darwin" ] ; then
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = ""; lastTimeColumn = NF}}'
+elif [ "$KERNEL" = "FreeBSD" ] ; then
+ FILL_BLANKS='{hostname = ""; lastTimeColumn = NF-1; if (NF < 6) {hostname = ""; lastTimeColumn = NF}}'
+fi
+
+assertHaveCommand "$CMD"
+
+out=$($CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF" header="$HEADER")
+lines=$(echo "$out" | wc -l)
+if [ "$lines" -gt 1 ]; then
+ echo "$out"
+ echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILL_BLANKS $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
+else
+ echo "No data is present" >> "$TEE_DEST"
+fi
diff --git a/deployment-apps/Splunk_TA_nix/default/app.conf b/deployment-apps/Splunk_TA_nix/default/app.conf
new file mode 100644
index 0000000..60b453c
--- /dev/null
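Review bot: `assertHaveCommand "$CMD"` passes the whole command string (`who -H`, or `who -HR` on HP-UX) as a single argument, while vsftpdChecker.sh in the same commit calls the helper with bare names (`assertHaveCommand cat`); if the helper in common.sh, which is outside this hunk, resolves its argument as one executable name, this check can never succeed, so `assertHaveCommand who` is the safer call. The `$KERNEL` ladder has no final branch, so on an unrecognised kernel FILL_BLANKS stays unset and `hostname`/`lastTimeColumn` are never initialised in the awk program, which silently degrades the output; a trailing `else` with a default FILL_BLANKS, or a message to `$TEE_DEST` as the other scripts do for the not-found case, would make that path visible.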
+++ b/deployment-apps/Splunk_TA_nix/default/app.conf
@@ -0,0 +1,29 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = 0
+state = enabled
+build = 1686646279
+
+[ui]
+setup_view = ta_nix_configuration
+is_visible = true
+label = Splunk Add-on for Unix and Linux
+docs_section_override = AddOns:released
+
+[launcher]
+author = Splunk
+version = 8.10.0
+description = Splunk Add-on for Unix and Linux
+
+[package]
+id = Splunk_TA_nix
+
+[id]
+name = Splunk_TA_nix
+version = 8.10.0
+
diff --git a/deployment-apps/Splunk_TA_nix/default/data/ui/nav/default.xml b/deployment-apps/Splunk_TA_nix/default/data/ui/nav/default.xml
new file mode 100644
index 0000000..db16f8a
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/data/ui/nav/default.xml
@@ -0,0 +1,8 @@
+ +
diff --git a/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.env_cloud.xml b/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.env_cloud.xml
new file mode 100644
index 0000000..70598d5
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.env_cloud.xml
@@ -0,0 +1,17 @@
+ + + + + + +

Please set up this add-on on your forwarders. Documentation on how to configure this add-on is + here +

+ +
+
+
diff --git a/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.xml b/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.xml new file mode 100644 index 0000000..9164c27 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/default/data/ui/views/ta_nix_configuration.xml @@ -0,0 +1,96 @@ + + + + + + +

+ The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate + Linux and Unix system monitoring using Splunk. Check out the + + Splunk for Unix Technical Add-on + page on Splunkbase + for support information, the latest updates, and more. +

+ +
+ This server is not running a known Unix or Linux operating system. + Install this add-on on Unix or Linux systems only. +
+ +
+

File and Directory Inputs:

+ + + + + + + +
NameEnable + (All) + Disable + (All) +
+
+ +
+

Scripted Metric Inputs:

+ + + + + + + + + +
NameEnable + (All) + Disable + (All) + Interval (sec)Index
+

Scripted Event Inputs:

+ + + + + + + + +
NameEnable + (All) + Disable + (All) + Interval (sec)
+
+ +
+ There was an unexpected problem while saving the inputs. + Please reload the page and try again. +
+ +
+ Field 'Index' is empty or invalid for the metric inputs. Change the index or disable the input. +
+ +
+ Field 'Interval' must be a positive integer value. +
+ +
+ +
+ +
+
diff --git a/deployment-apps/Splunk_TA_nix/default/eventtypes.conf b/deployment-apps/Splunk_TA_nix/default/eventtypes.conf new file mode 100644 index 0000000..50510c1 --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/default/eventtypes.conf 
@@ -0,0 +1,722 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## + +[nix_ta_custom_eventtype] +search = NOT * + +[nix_ta_data] +search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*)) + +###### Globals ###### +[nix_security] +search = sourcetype="*_secure" +#tags = os unix + +[nix_configs] +search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg") + +[nix_errors] +search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal +#tags = error + + +###### DHCP ###### +[dhcpd_server] +search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE) +#tags = dhcp network session unix + +[dhcpd_start] +search = sourcetype=dhcpd signature=DHCPACK +#tags = start + +[dhcpd_unable_unexpected] +search = sourcetype=dhcpd unable OR unexpected +#tags = error + +[dhcpd_server_dhcpack] +search = sourcetype=dhcpd DHCPACK + +[dhcpd_server_dhcpdiscover] +search = sourcetype=dhcpd DHCPDISCOVER + +[dhcpd_server_dhcpoffer] +search = sourcetype=dhcpd DHCPOFFER + +[dhcpd_server_dhcprelease] +search = sourcetype=dhcpd DHCPRELEASE +#tags = end + +[dhcpd_server_dhcprequest] +search = sourcetype=dhcpd DHCPREQUEST + + +###### Scripted Inputs ###### +## CPU stats +[cpu] +search = sourcetype=cpu +#tags = performance os resource report unix cpu + +[cpu_anomalous] +search = sourcetype=cpu PercentSystemTime>90 
+#tags = enabled + +[df] +search = sourcetype=df +#tags = df host check success storage performance + +[iostat] +search = sourcetype=iostat + +[nfsiostat] +search = sourcetype=nfsiostat + +[lsof] +search = sourcetype=lsof + +[hardware] +search = sourcetype=hardware + +[interfaces] +search = sourcetype=interfaces +# tags = Inventory Network + +[lastlog] +search = sourcetype=lastlog + +[netstat] +search = sourcetype=netstat +# listening port + +[openPorts] +search = sourcetype=openPorts + +[package] +search = sourcetype=package + +[protocol] +search = sourcetype=protocol + +[ps] +search = sourcetype=ps +#tags = process oshost success ps cpu performance + +[top] +search = sourcetype=top + +[time] +search = sourcetype=time + +[usersWithLoginPrivs] +search = sourcetype=usersWithLoginPrivs + +[vmstat] +search = sourcetype=vmstat +#tags = performance os avail unix report vmstat resource success memory + +[who] +search = sourcetype=who + +[bandwidth] +search = sourcetype=bandwidth + + +###### System Logs ###### + +#### Account Management +[useradd] +search = eventtype=nix_ta_data useradd user +#tags = account management add change + +# Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0 +[useradd-suse] +search = eventtype=nix_ta_data useradd new account added +#tags = account management add change + +[userdel] +search = eventtype=nix_ta_data userdel user +#tags = account management delete change + +[groupadd] +search = eventtype=nix_ta_data groupadd group +#tags = account management add change + +#Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0 +[groupadd-suse] +search = eventtype=nix_ta_data useradd account added group +#tags = account management add change + +[groupdel] +search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group +#tags = account management delete change + +[linux-password-change] +search = 
eventtype=nix_ta_data process=passwd password changed +#tags = account management password modify change + +#Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0 +[linux-password-change-failed] +search = eventtype=nix_ta_data process=passwd password change failed +#tags = account management password modify change + + +#### acpi +[nix_acpi] +search = eventtype=nix_ta_data ACPI: +#tags = os unix power + + +#### agpgart +[nix_agpgart] +search = eventtype=nix_ta_data agpgart: +#tags = os unix graphics + + +#### apm +[nix_apm] +search = eventtype=nix_ta_data apm: +#tags = os unix power + + +#### auditd +[auditd] +search = sourcetype=auditd +#tags = os unix resource file + +[auditd_modify] +search = source=auditd PATH +#tags = modify + + +#### Authentication + +## ksu +[ksu_authentication] +# NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives. +search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful))) +#tags = authentication + +## login +[login_authentication] +search = eventtype=nix_ta_data login: "Login failure on" +#tags = authentication + +## pam +[pam_unix_authentication] +search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened") +#tags = authentication + +## passwd +#Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure +[passwd-auth-failure] +search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__" +#tags = application authentication + +## rlogin +[rlogin_too_many_failures] +search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES" +#tags = application attack watchlist + +## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server. 
+[remote_login_failure] +search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed") +#tags = application authentication remote + +## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server. +[remote_login_allowed] +search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" +#tags = application authentication remote + +## sshd +[sshd_authentication] +# osx sshd authentication error +# Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 +# Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host +search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") +#tags = authentication remote + +[ssh_login_postponed] +search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed +# no tags assigned to this eventtype + +[ssh_open] +search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) +#tags = communicate connect + +# example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 +[ssh_close] +search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." 
OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed) +#tags = access stop logoff + +# example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye +[ssh_disconnect] +search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect +#tags = access stop logoff + +[ssh_check_pass] +search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__") +#no tags assigned to this eventtype + +## su +[su_authentication] +# Example event, from su on CentOS7 +# type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success' + +search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at)) +#tags = authentication + +[su_failed] +search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU ")) +#tags = authentication + +[su_session] +search = eventtype=nix_ta_data su: session +#tags = session + +[su_root_session] +search = eventtype=nix_ta_data su: session root +#tags = session privileged + +## Telnet +[wksh_authentication] +search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL" +# no tags assigned to this eventtype + +#### automount +[nix_automount] +search = eventtype=nix_ta_data automount punct="::__::_*:_*" +#tags = os unix + + +#### Config +[nix_config_change] +search = eventtype=nix_ta_data Configuration changed +#tags = os unix host configuration modify + + 
+#### Console +[nix_console] +search = eventtype=nix_ta_data Console: +#tags = os unix + + +#### cron +[nix_cron] +search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased: +#tags = os unix + + +#### CUPS +[nix_cups_access] +search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-" +#tags = os unix access printer + +[nix_cups_error] +search = eventtype=nix_ta_data punct="_[//:::_-]_*" +#tags = os unix printer + +[nix_cups_page] +search = eventtype=nix_ta_data punct="___[//:::_-]___-_" +#tags = os unix printer + + +#### dhclient +[nix_dhclient] +search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name +#tags = os unix + + +#### DMA +[nix_dma] +search = eventtype=nix_ta_data DMA zone: +#tags = os unix memory access + + +#### Firewall +# These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add +# on and tag their events with these tags +[iptables_firewall_accept] +search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit +#tags = os unix host firewall communicate success + +[iptables_firewall_deny] +search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped +#tags = os unix host firewall communicate failure + + +#### FTP +[nix_ftp_xferlog] +search = eventtype=nix_ta_data punct="___*::___...__///*" +#tags = os unix ftp transfer + +[nix_ncftpd_logins] +search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*" +#tags = os unix ftp authentication + + +#### Fingerprinting +[nix_fingerprinting] +search = eventtype=nix_ta_data Client OS detected: +#tags = os unix + + +#### gconfd +[nix_gconfd] +search = eventtype=nix_ta_data gconfd +#tags = os unix + +[nix_gconfd_error] +search = eventtype=nix_ta_data gconfd Error +#tags = error + +[nix_gconfd_exiting] +search = eventtype=nix_ta_data gconfd Exiting OR signal +#tags = stop + 
+[nix_gconfd_resolved_address] +search = eventtype=nix_ta_data gconfd Resolved address + +[nix_gconfd_starting] +search = eventtype=nix_ta_data gconfd starting +#tags = start + + +#### gdm +[nix_gdm] +search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam* +#tags = os unix + + +#### gpm +[nix_gpm] +search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*." +#tags = os unix + + +#### FreeBSD +[freebsd_refresh_na_answer] +search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)" +#tags = os unix + +[freebsd_refresh_retry_exceeded] +search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)" +#tags = os unix + + +#### hald +[nix_hald] +search = eventtype=nix_ta_data hald punct="*__::_*:_*" +#tags = os unix + + +#### hpiod +[hpiod_Linux_syslog] +search = eventtype=nix_ta_data hpiod punct="*__::_*:_*" +#tags = os unix + + +#### kernel +[nix_kernel_attached] +search = eventtype=nix_ta_data kernel +#tags = os unix kernel + + +#### kill +[nix_process_kill] +search = eventtype=nix_ta_data exiting signal 15 +#tags = os unix process stop + + +#### mDNSResponder +[nix_mDNSResponder] +search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*" +#tags = os unix dns + + +#### named +[nix_named1] +search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*" +#tags = os unix dns + +[nix_named2] +search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..." 
+#tags = os unix dns + + +#### OSX Crash Log +[osx_crash_log] +search = eventtype=nix_ta_data Host Name Date/Time +#tags = os unix error + + +#### Netlabel +[nix_netlabel] +search = eventtype=nix_ta_data NetLabel: +#tags = os unix kernel + + +#### PCI +[nix_pci] +search = eventtype=nix_ta_data PCI: NOT BIOS +#tags = os unix + + +#### Plug-n-play +[nix_pnp] +search = eventtype=nix_ta_data pnp: +#tags = os unix + + +#### POP3 +[nix_popper] +search = eventtype=nix_ta_data popper +#tags = os unix mail + + +#### postfix +[nix_postfix] +search = eventtype=nix_ta_data postfix punct="*__::_*:_*" +#tags = os unix + + +#### Prelink +[nix_prelink] +search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking +#tags = os unix + + +#### RPC +[nix_rpc_statd] +search = eventtype=nix_ta_data rpc.statd +#tags = os unix + + +#### RPM +[nix_rpm] +search = eventtype=nix_ta_data *.rpm punct="*-*.*." +#tags = os update + + +#### Runlevel +[nix_runlevel_change] +search = eventtype=nix_ta_data init: punct="*__::_*:_*" +#tags = os unix configuration modify + + +#### SNMPD +[snmpd] +search = eventtype=nix_ta_data snmpd +#tags = os unix snmp + +[snmpd_failure] +search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE +#tags = failure + + +#### scrollkeeper +[nix_scrollkeeper] +search = eventtype=nix_ta_data scrollkeeper punct="__::__*" +#tags = os unix + + +## Shutdown +[nix_halt] +search = eventtype=nix_ta_data shutdown: system halt +#tags = os unix stop + +[nix_restart] +search = eventtype=nix_ta_data shutdown: system reboot +#tags = os unix stop + + +#### smartd +[nix_smartd] +search = eventtype=nix_ta_data smartd punct="*__::_*:_*" +#tags = os unix + + +#### Time +[nix_timesync] +search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server") +#tags = report time synchronize success + +[nix_timesync_failure] +search = eventtype=nix_ta_data 
(ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon") +#tags = report time synchronize failure + + +#### Update +[nix_yum_update] +search = eventtype=nix_ta_data yum Updated +#tags = report update success + + +#### udevd +[nix_udevd] +search = eventtype=nix_ta_data udevd +#tags = os unix kernel + + +#### USB +[nix_usb] +search = eventtype=nix_ta_data usb*: NOT punct="<>:__*" +#tags = os unix usb + + +#### userhelper +[nix_userhelper] +search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*" +#tags = os unix + + +###### ADDED FROM UNIX APP ###### +[failed_login] +search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" +#tags = authentication + +[Failed_SU] +search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ") +#tags = authentication + +[nix-all-logs] +search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog) + +###### END FROM UNIX APP ###### + +###### ADDED FROM TA-deploymentapps ###### + +###### Scripted Inputs ###### + +## Global +[aix_scripted_input] +search = sourcetype=AIX:* +#tags = check report + +[hpux_scripted_input] +search = sourcetype=HPUX:* +#tags = check report + +[linux_scripted_input] +search = sourcetype=Linux:* +#tags = check report + +[osx_scripted_input] +search = sourcetype=OSX:* +#tags = check report + +[solaris_scripted_input] +search = sourcetype=Solaris:* +#tags = check report + +[unix_scripted_input] +search = 
sourcetype=Unix:* +#tags = check report + +## CPUTime +[cputime] +search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime +#tags = performance os avail cpu + +[cputime_anomalous] +search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90 +#tags = anomalous + +## Disk +[freediskspace] +search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace +#tags = performance os avail disk storage + +[freediskspace_anomalous] +search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10 +#tags = anomalous + +## Listening Ports +[listeningports] +search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*) +#tags = os config report + +## Local Processes +[localprocesses] +search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses +#tags = os avail process + +[localprocesses_anomalous] +search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total +#tags = anomalous + +## Memory +[memory] +search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory +#tags = performance os avail memory + +[memory_anomalous] +search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600 +#tags = anomalous + +## SELinux Config +[selinuxconfig] +search = sourcetype=Linux:SELinuxConfig +#tags = application config selinux + +## Service +[service] +search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*) +#tags = os config service report + +[service_runlevel_anomalous] +search = sourcetype=*:Service (runlevel0=on OR runlevel6=on) +#tags = anomalous + +## SSHD Config +[sshdconfig] +search = sourcetype=*:SSHDConfig +#tags = application config ssh + +[sshd_insecure] +search = eventtype=nix_ta_data 
sshd_protocol=*1* +#tags = insecure + +## Update +[update] +search = sourcetype=*:Update +#tags = os info update + +[update_status] +search = sourcetype=*:Update NOT total_updates +#tags = status + +## Uptime +[uptime] +search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime +#tags = os info report uptime performance + +[uptime_anomalous] +search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000 +#tags = anomalous + +## User Accounts +[useraccounts] +search = sourcetype=*:UserAccounts (NOT file_hash=*) +#tags = (os) config user inventory + +[useraccounts_anomalous] +search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*) +#tags = anomalous + +## Version +[nix_version] +search = (NOT sourcetype=WMI:Version) sourcetype=*:Version +#tags = os info report system version inventory + +## VSFTDP Config +[vsftpd_config] +search = sourcetype=*:VSFTPDConfig +#tags = application config ftp cleartext + +[vsftpd_config_anonymous] +search = sourcetype=*:VSFTPDConfig anonymous_enable=YES +#tags = anonymous + +###### END FROM TA-deploymentapps ###### diff --git a/deployment-apps/Splunk_TA_nix/default/inputs.conf b/deployment-apps/Splunk_TA_nix/default/inputs.conf new file mode 100644 index 0000000..304709a --- /dev/null +++ b/deployment-apps/Splunk_TA_nix/default/inputs.conf 
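Review bot: Several searches in this hunk rely on SPL precedence (OR is evaluated before the implicit AND) without parentheses, e.g. `[nix_errors]` with `search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal`, and likewise `[nix_cron]`, `[nix_gconfd_exiting]`, `[ssh_open]` and `[ssh_close]`; under that rule they scope to the eventtype as intended, but they read as if the eventtype filter were only part of the first OR branch. Grouping the alternatives, `search = eventtype=nix_ta_data (error OR critical OR failure OR fail OR failed OR fatal)`, states the scope explicitly and survives a later edit that inserts a term before the OR chain. The many `#tags =` lines are documentation only, since tags are defined in tags.conf; a one-line comment at the top of the file saying so would save the next reader a search for why they are commented out.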
@@ -0,0 +1,270 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[script://./bin/vmstat_metric.sh]
+sourcetype = vmstat_metric
+source = vmstat
+interval = 60
+disabled = 1
+
+[script://./bin/iostat_metric.sh]
+sourcetype = iostat_metric
+source = iostat
+interval = 60
+disabled = 1
+
+[script://./bin/ps_metric.sh]
+sourcetype = ps_metric
+source = ps
+interval = 30
+disabled = 1
+
+[script://./bin/df_metric.sh]
+sourcetype = df_metric
+source = df
+interval = 300
+disabled = 1
+
+[script://./bin/interfaces_metric.sh]
+sourcetype = interfaces_metric
+source = interfaces
+interval = 60
+disabled = 1
+
+[script://./bin/cpu_metric.sh]
+sourcetype = cpu_metric
+source = cpu
+interval = 30
+disabled = 1
+
+################################################
+############### Event Inputs ###################
+################################################
+
+[script://./bin/vmstat.sh]
+interval = 60
+sourcetype = vmstat
+source = vmstat
+disabled = 1
+
+[script://./bin/iostat.sh]
+interval = 60
+sourcetype = iostat
+source = iostat
+disabled = 1
+
+[script://./bin/nfsiostat.sh]
+interval = 60
+sourcetype = nfsiostat
+source = nfsiostat
+disabled = 1
+
+[script://./bin/ps.sh]
+interval = 30
+sourcetype = ps
+source = ps
+disabled = 1
+
+[script://./bin/top.sh]
+interval = 60
+sourcetype = top
+source = top
+disabled = 1
+
+[script://./bin/netstat.sh]
+interval = 60
+sourcetype = netstat
+source = netstat
+disabled = 1
+
+[script://./bin/bandwidth.sh]
+interval = 60
+sourcetype = bandwidth
+source = bandwidth
+disabled = 1
+
+[script://./bin/protocol.sh]
+interval = 60
+sourcetype = protocol
+source = protocol
+disabled = 1
+
+[script://./bin/openPorts.sh]
+interval = 300
+sourcetype = openPorts
+source = openPorts
+disabled = 1
+
+[script://./bin/time.sh]
+interval = 21600
+sourcetype = time
+source = time
+disabled = 1
+
+[script://./bin/lsof.sh]
+interval = 600
+sourcetype = lsof
+source = lsof
+disabled = 1
+
+[script://./bin/df.sh]
+interval = 300
+sourcetype = df
+source = df
+disabled = 1
+
+# Shows current user sessions
+[script://./bin/who.sh]
+sourcetype = who
+source = who
+interval = 150
+disabled = 1
+
+# Lists users who could login (i.e., they are assigned a login shell)
+[script://./bin/usersWithLoginPrivs.sh]
+sourcetype = usersWithLoginPrivs
+source = usersWithLoginPrivs
+interval = 3600
+disabled = 1
+
+# Shows last login time for users who have ever logged in
+[script://./bin/lastlog.sh]
+sourcetype = lastlog
+source = lastlog
+interval = 300
+disabled = 1
+
+# Shows stats per link-level Etherner interface (simply, NIC)
+[script://./bin/interfaces.sh]
+sourcetype = interfaces
+source = interfaces
+interval = 60
+disabled = 1
+
+# Shows stats per CPU (useful for SMP machines)
+[script://./bin/cpu.sh]
+sourcetype = cpu
+source = cpu
+interval = 30
+disabled = 1
+
+# This script reads the auditd logs translated with ausearch
+[script://./bin/rlog.sh]
+sourcetype = auditd
+source = auditd
+interval = 60
+disabled = 1
+
+# Run package management tool collect installed packages
+[script://./bin/package.sh]
+sourcetype = package
+source = package
+interval = 3600
+disabled = 1
+
+[script://./bin/hardware.sh]
+sourcetype = hardware
+source = hardware
+interval = 36000
+disabled = 1
+
+[monitor:///Library/Logs]
+disabled = 1
+
+[monitor:///var/log]
+whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
+blacklist=(lastlog|anaconda\.syslog)
+disabled = 1
+
+[monitor:///var/adm]
+whitelist=(\.log|log$|messages)
+disabled = 1
+
+[monitor:///etc]
+whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
+disabled = 1
+
+### bash history
+[monitor:///root/.bash_history]
+disabled = true
+sourcetype = bash_history
+
+[monitor:///home/*/.bash_history]
+disabled = true
+sourcetype = bash_history
+
+
+
+##### Added for ES support
+# Note that because the UNIX app uses a single script to retrieve information
+# from multiple OS flavors, and is intended to run on Universal Forwarders,
+# it is not possible to differentiate between OS flavors by assigning
+# different sourcetypes for each OS flavor (e.g. Linux:SSHDConfig), as was
+# the practice in the older deployment-apps included with ES. Instead,
+# sourcetypes are prefixed with the generic "Unix".
+
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/openPortsEnhanced.sh]
+disabled = true
+interval = 3600
+source = Unix:ListeningPorts
+sourcetype = Unix:ListeningPorts
+
+[script://./bin/passwd.sh]
+disabled = true
+interval = 3600
+source = Unix:UserAccounts
+sourcetype = Unix:UserAccounts
+
+# Only applicable to Linux
+[script://./bin/selinuxChecker.sh]
+disabled = true
+interval = 3600
+source = Linux:SELinuxConfig
+sourcetype = Linux:SELinuxConfig
+
+# Currently only supports SunOS, Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/service.sh]
+disabled = true
+interval = 3600
+source = Unix:Service
+sourcetype = Unix:Service
+
+# Currently only supports SunOS, Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/sshdChecker.sh]
+disabled = true
+interval = 3600
+source = Unix:SSHDConfig
+sourcetype = Unix:SSHDConfig
+
+# Currently only supports Linux, OSX.
+# May require Splunk forwarder to run as root on some platforms.
+[script://./bin/update.sh]
+disabled = true
+interval = 86400
+source = Unix:Update
+sourcetype = Unix:Update
+
+[script://./bin/uptime.sh]
+disabled = true
+interval = 86400
+source = Unix:Uptime
+sourcetype = Unix:Uptime
+
+[script://./bin/version.sh]
+disabled = true
+interval = 86400
+source = Unix:Version
+sourcetype = Unix:Version
+
+# This script may need to be modified to point to the VSFTPD configuration file.
+[script://./bin/vsftpdChecker.sh]
+disabled = true
+interval = 86400
+source = Unix:VSFTPDConfig
+sourcetype = Unix:VSFTPDConfig
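Review bot: The `[monitor:///root/.bash_history]` and `[monitor:///home/*/.bash_history]` stanzas carry only `disabled = true` and `sourcetype = bash_history`, with no comment on what enabling them ingests: shell history routinely holds passwords, tokens and connection strings passed as command-line arguments, so an operator who flips them on gets credential material indexed next to ordinary logs under whatever the forwarder's default index is. Suggest a comment on those stanzas such as `# Shell history often contains secrets typed on the command line; set a restricted index before enabling` and an explicit `index =` so the destination is a deliberate choice. The file also mixes `disabled = 1` in the upper stanzas with `disabled = true` in the ES section; both parse, but one form would be easier to grep and audit. The comment on the interfaces.sh stanza misspells "Ethernet" as "Etherner".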
diff --git a/deployment-apps/Splunk_TA_nix/default/macros.conf b/deployment-apps/Splunk_TA_nix/default/macros.conf
new file mode 100644
index 0000000..a6dc76b
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/macros.conf
@@ -0,0 +1,7 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[nix-netmon-hosts-search]
+definition = eventtype=netstat | stats count by host | sort +host
diff --git a/deployment-apps/Splunk_TA_nix/default/props.conf b/deployment-apps/Splunk_TA_nix/default/props.conf
new file mode 100644
index 0000000..3ee6634
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/props.conf
@@ -0,0 +1,774 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+#####################
+## Configuration Logs
+#####################
+[source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
+sourcetype = config_file
+CHECK_METHOD = modtime
+
+[config_file]
+LINE_BREAKER = ^((?!))$
+TRUNCATE = 1000000
+SHOULD_LINEMERGE = false
+DATETIME_CONFIG = NONE
+CHECK_METHOD = modtime
+KV_MODE = none
+pulldown_type = true
+SEGMENTATION-all = whitespace-only
+SEGMENTATION-inner = whitespace-only
+SEGMENTATION-outer = whitespace-only
+SEGMENTATION-standard = whitespace-only
+LEARN_MODEL = false
+LEARN_SOURCETYPE = false
+
+
+#####################
+## DHCP
+#####################
+[source::....dhcpd]
+sourcetype = dhcpd
+
+[dhcpd]
+KV_MODE = none
+SHOULD_LINEMERGE = false
+# For Load Balancing on UF
+EVENT_BREAKER_ENABLE = true
+pulldown_type = true
+category = Network & Security
+description = DHCP Server system events
+
+REPORT-dhcp_discover_extract = dhcp_discover_extract
+
+REPORT-dhcp_offer_extract = dhcp_offer_extract
+
+REPORT-dhcp_request_extract = dhcp_request_extract
+
+REPORT-dhcp_ack_nak_extract_0 = dhcp_ack_nak_extract_0
+
+REPORT-dhcp_ack_nak_extract_1 = dhcp_ack_nak_extract_1
+
+REPORT-dhcp_decline_extract = dhcp_decline_extract
+
+REPORT-dhcp_release_extract = dhcp_release_extract
+
+REPORT-dhcp_inform_extract = dhcp_inform_extract
+
+REPORT-dhcp_unable_to_add_forward_map_extract = dhcp_unable_to_add_forward_map_extract
+
+REPORT-dhcp_add_new_forward_map_extract = dhcp_add_new_forward_map_extract
+
+REPORT-dhcp_added_reverse_map_extract = dhcp_added_reverse_map_extract
+
+REPORT-dhcp_abandon_ip_extract = dhcp_abandon_ip_extract
+
+REPORT-dhcp_lease_duplicate_extract = dhcp_lease_duplicate_extract
+
+REPORT-bind_update_fail_extract = bind_update_fail_extract
+
+REPORT-dhcp_block_action = dhcp_block_action
+
+REPORT-dhcp_icmp_echo_reply = dhcp_icmp_echo_reply
+
+REPORT-dhcp_reuse_lease = dhcp_reuse_lease
+
+EVAL-dest_ip = case(isnotnull(dest_ip),dest_ip,match(dest,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), dest, 1==1, server_ip)
+
+EVAL-action = if(isnotnull(block_action) or dhcp_type=="DHCPNAK" or dhcp_type=="DHCPDECLINE" or dhcp_type=="DHCPRELEASE", "blocked", "added")
+
+FIELDALIAS-signature = dhcp_type as signature
+
+FIELDALIAS-src_nt_host = src_host as src_nt_host
+
+FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
+
+
+#########################
+## Scripted Metric Inputs
+#########################
+
+[vmstat_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = CSV
+FIELD_DELIMITER=whitespace
+TRANSFORMS-vmstat-metric-dimensions=eval_dimensions
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_vmstat
+
+[cpu_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = CSV
+FIELD_DELIMITER=whitespace
+TRANSFORMS-cpu-metric-dimensions=eval_dimensions
+TRANSFORMS-cpu-metric-field=extract_cpu_metric_field
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_cpu
+
+[df_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = TSV
+TRANSFORMS-df-metrics=extract_df_metrics
+TRANSFORMS-df-metric-dimensions=eval_dimensions
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_df
+
+[interfaces_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = CSV
+FIELD_DELIMITER=whitespace
+EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
+TRANSFORMS-interfaces-metric-dimensions=eval_dimensions
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_interfaces
+
+[iostat_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = CSV
+FIELD_DELIMITER=whitespace
+TRANSFORMS-iostat-metrics-field=extract_iostat_metrics_field
+TRANSFORMS-iostat-metric-dimensions=eval_dimensions
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_iostat
+
+[ps_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = none
+INDEXED_EXTRACTIONS = CSV
+FIELD_DELIMITER=whitespace
+TRANSFORMS-ps-metric-dimensions=eval_dimensions
+TRANSFORMS-ps-metric-field=extract_ps_metric_field
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_ps
+
+#########################
+## Scripted Event Inputs
+#########################
+[cpu]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+FIELDALIAS-dest_for_cpu = host as dest
+FIELDALIAS-src_for_cpu = host as src
+
+EVAL-CPU = coalesce(cpu,CPU)
+EVAL-cpu = coalesce(cpu,CPU)
+EVAL-cpu_instance = coalesce(cpu,CPU)
+
+EVAL-pctIdle = coalesce(id,pctIdle)
+EVAL-PercentIdleTime = coalesce(id,pctIdle)
+EVAL-cpu_load_percent = if(isnull(pctIdle),100-id,100-pctIdle)
+
+EVAL-pctNice = coalesce(pctNice,"0")
+EVAL-PercentNiceTime = coalesce(pctNice,"0")
+
+EVAL-pctUser = coalesce(us,pctUser)
+EVAL-PercentUserTime = coalesce(us,pctUser)
+EVAL-cpu_user_percent = coalesce(us,pctUser)
+
+EVAL-pctSystem = coalesce(sy,pctSystem)
+EVAL-PercentSystemTime = coalesce(sy,pctSystem)
+
+EVAL-pctIowait = coalesce(wa,pctIowait)
+EVAL-PercentWaitTime = coalesce(wa,pctIowait)
+
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+[df]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+FIELDALIAS-dest_for_df = host as dest
+FIELDALIAS-filesystem_for_df = Filesystem AS filesystem
+FIELDALIAS-filesystem_type_for_df = Type as filesystem_type
+FIELDALIAS-mount_for_df = MountedOn AS mount
+EVAL-Type = coalesce('Type',"?")
+EVAL-filesystem_type = coalesce('Type',"?")
+EVAL-Size = coalesce('Size','1024_blocks')
+EVAL-INodes = coalesce('INodes','Inodes')
+EVAL-IUsePct = coalesce('IUsePct','IUse_')
+EVAL-UsePct = coalesce('UsePct', 'Use_', 'Capacity')
+EVAL-Avail = coalesce('Avail', 'Available')
+EVAL-IUsed = coalesce('IUsed', 'Iused', 'iused')
+EVAL-IFree = coalesce('IFree', 'ifree', 'Ifree')
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+
+EVAL-storage = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+EVAL-storage_free = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+# Redundancy required here because calculated fields are not evaluated in sequence.
+EVAL-storage_free_percent = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
+EVAL-storage_used = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+EVAL-storage_used_percent = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
+
+## Legacy fields
+
+# Note we don't elimininate one layer of indirection here by
+# eliminating the redundant FIELDALIAS from FreeMegabytes -> FreeMBytes, etc.
+# which was previously used.
+EVAL-FreeMBytes = case(match(coalesce('Avail', 'Available'), "P[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'), "Pi"),10)*pow(1024,3), match(coalesce('Avail', 'Available'), "T[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ti"),10)*pow(1024,2), match(coalesce('Avail', 'Available'), "G[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Gi"),10)*pow(1024,1), match(coalesce('Avail', 'Available'), "M[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Mi"), 10), match(coalesce('Avail', 'Available'), "K[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Ki"), 10)/1024, match(coalesce('Avail', 'Available'), "B[i]*$"), tonumber(rtrim(coalesce('Avail', 'Available'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+EVAL-TotalMBytes = case(match(coalesce('Size','1024_blocks'), "P[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Pi"),10)*pow(1024,3), match(coalesce('Size','1024_blocks'), "T[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'), "Ti"),10)*pow(1024,2), match(coalesce('Size','1024_blocks'), "G[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Gi"),10)*pow(1024,1), match(coalesce('Size','1024_blocks'), "M[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Mi"), 10), match(coalesce('Size','1024_blocks'), "K[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Ki"), 10)/1024, match(coalesce('Size','1024_blocks'), "B[i]*$"), tonumber(rtrim(coalesce('Size','1024_blocks'),"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+EVAL-UsedMBytes = case(match(Used, "P[i]*$"), tonumber(rtrim(Used, "Pi"),10)*pow(1024,3), match(Used, "T[i]*$"), tonumber(rtrim(Used,"Ti"),10)*pow(1024,2), match(Used, "G[i]*$"), tonumber(rtrim(Used,"Gi"),10)*pow(1024,1), match(Used, "M[i]*$"), tonumber(rtrim(Used,"Mi"), 10), match(Used, "K[i]*$"), tonumber(rtrim(Used,"Ki"), 10)/1024, match(Used, "B[i]*$"), tonumber(rtrim(Used,"Bi"), 10)/pow(1024,2), 1==1, "unknown")
+EVAL-PercentUsedSpace = tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
+# Redundancy required here because calculated fields are not evaluated in sequence.
+EVAL-PercentFreeSpace = 100.0-tonumber(rtrim(coalesce('UsePct', 'Use_', 'Capacity'),"%%"),10)
+
+[hardware]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+EXTRACT-RealMemory = (?i)MEMORY_REAL\s+(?P[^\s]*)[ ]?
+EXTRACT-SwapMemory = (?i)MEMORY_SWAP\s+(?P[^\s]*)[ ]?
+EXTRACT-Unit = (?i)MEMORY_REAL\s+\d+\.?\d*\s*(?P\w+)?
+EVAL-RealMemoryMB = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
+EVAL-SwapMemoryMB = case(match(Unit, "kB"), SwapMemory*pow(1024,-1), match(Unit, "KB"), SwapMemory*pow(1024,-1), match(Unit, "mB"), SwapMemory, match(Unit, "MB"), SwapMemory, match(Unit, "gB"), SwapMemory*pow(1024,1), match(Unit, "GB"), SwapMemory*pow(1024,1), match(Unit, "tB"), SwapMemory*pow(1024,2), match(Unit, "TB"), SwapMemory*pow(1024,2), match(Unit, "pB"), SwapMemory*pow(1024,3), match(Unit, "PB"), SwapMemory*pow(1024,3), 1==1, "unknown")
+EXTRACT-cpu_cores = (?i)CPU_COUNT\s+(?P[^ \n]*)?
+EXTRACT-cpu_type = (?i)CPU_TYPE\s+(?P[^\n]*)?
+EXTRACT-cpu_freq = (?[^\s]+)(?[G|M]Hz)
+EVAL-cpu_mhz = case(match(cpu_freq_unit,"GHz"),cpu_freq*1000,match(cpu_freq_unit,"MHz"),cpu_freq)
+EVAL-mem = case(match(Unit, "kB"), RealMemory*pow(1024,-1), match(Unit, "KB"), RealMemory*pow(1024,-1), match(Unit, "mB"), RealMemory, match(Unit, "MB"), RealMemory, match(Unit, "gB"), RealMemory*pow(1024,1), match(Unit, "GB"), RealMemory*pow(1024,1), match(Unit, "tB"), RealMemory*pow(1024,2), match(Unit, "TB"), RealMemory*pow(1024,2), match(Unit, "pB"), RealMemory*pow(1024,3), match(Unit, "PB"), RealMemory*pow(1024,3), 1==1, "unknown")
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+
+[interfaces]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE=multi
+EVAL-enabled = "true"
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+EVAL-ip = if(isnull(inetAddr), inet6Addr, inetAddr)
+EVAL-Duplex=case(Duplex==2,"Full", Duplex==1,"Half", Duplex==0, "Unknown", true(), Duplex)
+FIELDALIAS-interface = Name as interface
+FIELDALIAS-mac = MAC as mac
+
+[iostat]
+SHOULD_LINEMERGE = false
+LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+# coalesce command is used to normalizes field names with the same value and for backward compatibility
+EVAL-mount = coalesce(Device, Device_, device, "?")
+EVAL-read_ops = coalesce(rReq_PS, r_s, "?")
+EVAL-write_ops = coalesce(wReq_PS, w_s, "?")
+EVAL-latency = coalesce(avgWaitMillis, await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
+EVAL-total_ops = case(rReq_PS == "?", "?", wReq_PS == "?", "?", isnotnull(rReq_PS) AND isnotnull(wReq_PS), rReq_PS + wReq_PS, isnull(r_s), "?", isnull(w_s), "?", 1==1, r_s + w_s)
+
+EVAL-Device = coalesce(Device, Device_, device, "?")
+EVAL-rReq_PS = coalesce(rReq_PS, r_s, "?")
+EVAL-rKB_PS = coalesce(rKB_PS, rkB_s, Kb_read, kr_s, "?")
+EVAL-rrqmPct = coalesce(rrqmPct, rrqm, "?")
+EVAL-rAvgWaitMillis = coalesce(rAvgWaitMillis, r_await, "?")
+EVAL-rAvgReqSZkb = coalesce(rAvgReqSZkb, rareq_sz, "?")
+
+EVAL-wReq_PS = coalesce(wReq_PS, w_s, "?")
+EVAL-wKB_PS = coalesce(wKB_PS, wkB_s, Kb_wrtn, kw_s, "?")
+EVAL-wrqmPct = coalesce(wrqmPct, wrqm, "?")
+EVAL-wAvgWaitMillis = coalesce(wAvgWaitMillis, w_await, "?")
+EVAL-wAvgReqSZkb = coalesce(wAvgReqSZkb, wareq_sz, "?")
+
+EVAL-avgQueueSZ = coalesce(avgQueueSZ, aqu_sz, avgqu_sz, "?")
+EVAL-bandwUtilPct = coalesce(bandwUtilPct, util, tm_act, ms_o, b, "?")
+EVAL-avgSvcMillis = coalesce(avgSvcMillis, svctm, ms_w, asvc_t, "?")
+EVAL-avgWaitMillis = coalesce(avgWaitMillis, await, wsvc_t, if(isnotnull(ms_o), "?", null()), if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), "?")
+
+[source::...(nfsiostat)]
+sourcetype = nfsiostat
+HEADER_MODE = always
+SHOULD_LINEMERGE = false
+
+[nfsiostat]
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+LINE_BREAKER = (^$|[\r\n]+[\r\n]+)
+
+FIELDALIAS-mount = Mount as mount
+FIELDALIAS-read_latency = r_avg_exe as read_latency
+FIELDALIAS-write_latency = w_avg_exe as write_latency
+FIELDALIAS-read_ops = r_op_s as read_ops
+FIELDALIAS-write_ops = w_op_s as write_ops
+EVAL-total_ops = read_ops + write_ops
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+
+[lastlog]
+## Override system/default lastlog sourcetype invalidation
+invalid_cause =
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+
+[lsof]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+
+[netstat]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+EVAL-src_port = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvindex(split(ForeignAddress, "."), -1),mvindex(split(ForeignAddress, ":"), -1))
+EVAL-src = if(mvindex(split(ForeignAddress, ":"), -1) == ForeignAddress OR match(mvindex(split(ForeignAddress, ":"), -1),"/."),mvjoin(mvindex(split(ForeignAddress, "."), 0, -2), "."),mvjoin(mvindex(split(ForeignAddress, ":"), 0, -2), ":"))
+EVAL-dest_port = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvindex(split(LocalAddress, "."), -1),mvindex(split(LocalAddress, ":"), -1))
+EVAL-dest = if(mvindex(split(LocalAddress, ":"), -1) == LocalAddress OR match(mvindex(split(LocalAddress, ":"), -1),"/."),mvjoin(mvindex(split(LocalAddress, "."), 0, -2), "."),mvjoin(mvindex(split(LocalAddress, ":"), 0, -2), ":"))
+FIELDALIAS-transport=Proto as transport
+FIELDALIAS-state=State as state
+EVAL-state = case(state=="LISTEN","listening",state=="ESTAB","established",true(),lower(state))
+EVAL-vendor_product = "nix"
+
+[bandwidth]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+
+EVAL-bytes=(rxKB_PS+txKB_PS)*1024
+EVAL-bytes_in=rxKB_PS*1024
+EVAL-thruput=rxKB_PS*1024 + txKB_PS*1024
+EVAL-bytes_out=txKB_PS*1024
+EVAL-packets=rxPackets_PS+txPackets_PS
+FIELDALIAS-packets_in=rxPackets_PS as packets_in
+FIELDALIAS-packets_out=txPackets_PS as packets_out
+
+[openPorts]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+
+FIELDALIAS-dest_port_for_open_ports_sh = Port AS dest_port
+FIELDALIAS-dest_for_open_ports_sh = host AS dest
+FIELDALIAS-transport_for_open_ports_sh = Proto AS transport
+EVAL-transport_dest_port = Proto + "/" + Port
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+
+# extraction for sourcetype unix:listeningports
+[Unix:ListeningPorts]
+EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P[a-fA-F0-9]+)
+
+[package]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+
+[protocol]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE=multi
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+[ps]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE = multi
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+EVAL-pctCPU = coalesce(CPU, pctCPU)
+EVAL-PercentProcessorTime = coalesce(CPU, pctCPU)
+EVAL-cpu_load_percent = coalesce(CPU, pctCPU)
+EVAL-process_cpu_used_percent = coalesce(CPU, pctCPU)
+
+FIELDALIAS-dest_for_ps = host as dest
+FIELDALIAS-src_for_ps = host as src
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+
+FIELDALIAS-process_id_for_ps = PID AS pid,PID as process_id
+
+EVAL-pctMEM = coalesce(MEM, pctMEM)
+EVAL-PercentMemory = coalesce(MEM, pctMEM)
+
+EVAL-RSZ_KB = coalesce(RSS, RSZ_KB)
+EVAL-rss = coalesce(RSS, RSZ_KB)
+EVAL-process_mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
+# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
+# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
+# compared to this value. This is a rough measure of resident set size (i.e.,
+# physical memory in use).
+EVAL-mem_used = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
+EVAL-UsedBytes = if(isnull(RSS), RSZ_KB*1024, RSS*1024)
+
+EVAL-VSZ_KB = coalesce(VSZ, VSZ_KB)
+EVAL-vsz = coalesce(VSZ, VSZ_KB)
+
+EVAL-TTY = coalesce(TTY, TT)
+EVAL-tty = coalesce(TTY, TT)
+
+EVAL-S = coalesce(S, STAT)
+EVAL-stat = coalesce(S, STAT)
+
+FIELDALIAS-user_for_ps = USER AS user
+
+# The "app" field is the conjunction of COMMAND plus ARGS
+# Note that the UNIX app joins arguments with an underscore.
+EVAL-app = if(ARGS!="", COMMAND." ".ARGS,COMMAND)
+EVAL-process = if(ARGS!="", COMMAND." ".ARGS,COMMAND)
+EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
+
+EVAL-CPUTIME = coalesce(TIME, CPUTIME)
+# Truncate needless leading zeroes from the cumulative CPU time field.
+EVAL-cpu_time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
+EVAL-time = if(isnull(TIME), replace(CPUTIME, "^00:[0]{0,1}", ""), replace(TIME, "^00:[0]{0,1}", ""))
+
+# Incorporating CIM review changes
+EVAL-action = "allowed"
+EVAL-process_exec = replace(COMMAND, "[\[\]()]", "")
+
+
+[time]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+
+[top]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+EVENT_BREAKER_ENABLE=true
+EVENT_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE=multi
+FIELDALIAS-user = USER as user
+FIELDALIAS-process = COMMAND as process
+FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+[usersWithLoginPrivs]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE=multi
+
+[who]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=^((?!))$
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+KV_MODE=multi
+
+[vmstat]
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+DATETIME_CONFIG = CURRENT
+# the following setting is for eventgen stanzas to be able to use the ***SPLUNK*** directive
+HEADER_MODE = always
+
+REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
+FIELDALIAS-dest_for_vmstat = host as dest
+EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB)+(memUsedMB),null())
+EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB,null())
+EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB,null())
+EVAL-mem_page_ops = pgPageIn_PS + pgPageOut_PS
+FIELDALIAS-mem_free_percent = memFreePct as mem_free_percent
+FIELDALIAS-wait_threads_count = waitThreads as wait_threads_count
+FIELDALIAS-system_threads_count = threads as system_threads_count
+FIELDALIAS-src_for_vmstat = host as src
+FIELDALIAS-cpu_interrupts = interrupts_PS as cpu_interrupts
+FIELDALIAS-swap_percent = swapUsedPct as swap_percent
+
+## Legacy fields
+FIELDALIAS-FreeMBytes = memFreeMB AS FreeMBytes
+EVAL-UsedBytes = tonumber(memUsedMB, 10)*1048756
+FIELDALIAS-UsedMBytes = memUsedMB AS UsedMBytes
+FIELDALIAS-TotalMBytes = memTotalMB AS TotalMBytes
+
+##Memoey Paging per second fields
+FIELDALIAS-mem_page_in = pgPageIn_PS AS mem_page_in
+FIELDALIAS-mem_page_out = pgPageOut_PS AS mem_page_out
+
+[Unix:UserAccounts]
+EVAL-description = "/etc/passwd file"
+EVAL-enabled = "yes"
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+FIELDALIAS-dest = host as dest
+
+#####################
+## BEGIN SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
+#####################
+
+# Stanzas in this section are legacy configuration stanzas
+# intended to support parsing of data created by scripts in
+# TA-deploymentapps, which has since been retired. Systems that use
+# Splunk_TA_nix on the search head but which may be searching data
+# from forwarders on which the older scripts are still in use should
+# be able to search new and old data seamlessly.
+
+###### Global ######
+# [source::...(linux.*|sample.*.linux)]
+# TRANSFORMS-force_host_for_linux_eventgen = force_host_for_linux_eventgen
+
+# [source::...(osx.*|sample.*.osx)]
+# TRANSFORMS-force_host_for_osx_eventgen = force_host_for_osx_eventgen
+
+# [source::...(solaris.*|sample.*.solaris)]
+# TRANSFORMS-force_host_for_solaris_eventgen = force_host_for_solaris_eventgen
+
+# [source::...sample.*.unix]
+# TRANSFORMS-force_host_for_unix_eventgen = force_host_for_unix_eventgen
+
+## support for linux only
+[Linux:SELinuxConfig]
+EVAL-note = "SELinux is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls, through the use of Linux Security Modules"
+
+[linux_audit]
+REPORT-command = command_for_linux_audit
+EVAL-status = if('res'=="failed","failure",'res')
+FIELDALIAS-object = id as object
+FIELDALIAS-dvc = hostname as dvc
+FIELDALIAS-dest = hostname as dest
+FIELDALIAS-object_id = id as object_id
+EVAL-op = if(op=="PAM:authentication", res, op)
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+LOOKUP-action = nix_linux_audit_action_lookup op OUTPUT action,object_category
+EVAL-object_attrs= case(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER",grp)
+EVAL-app = "nix"
+EVAL-change_type = "AAA"
+EVAL-object = if((type="GRP_MGMT" OR type="DEL_GROUP" or type=="ADD_GROUP") AND isnotnull('grp'),'grp','object')
+EVAL-user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
+EVAL-user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_CMD") AND isnull('user'),'id',(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP") AND uid=="0" AND isnull('user'),"root", type=="USER_AUTH",'acct',isnull('user'),'uid',true(),'user')
+EVAL-user_id = if(type=="GRP_MGMT" OR type=="DEL_GROUP" or type=="ADD_GROUP" ,'uid','id')
+EVAL-src_user = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
+EVAL-src_user_name = case((type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ) AND uid=="0" ,"root",type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH",'uid',true(),'src_user')
+EVAL-src_user_id = if(type=="ADD_USER" OR type=="USER_MGMT" OR type=="DEL_USER" OR type=="USER_AUTH" ,'uid','src_user_id')
+EVAL-reason = if(type="USER_AUTH" AND (res=="failed" OR res=="failure"),"other",'reason')
+
+[source::...Unix:Service]
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+EVAL-service = coalesce(UNIT, app)
+EVAL-service_name = coalesce(UNIT, app)
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+LOOKUP-StartMode_for_linux_service = nix_linux_service_startmode_lookup runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6 OUTPUTNEW StartMode
+EVAL-note = if(match(_raw,"runlevel[06]\=on"),"Runlevels 0 and 6 are reserved for halt and reboot respectively",null())
+EVAL-start_mode=case(isnotnull(StartMode),StartMode,1=1,"Auto")
+FIELDALIAS-start_mode_for_solaris_service = StartMode as start_mode
+FIELDALIAS-status_for_solaris_service = State as status
+FIELDALIAS-dest = host as dest
+
+# extraction for sourcetype Unix:Service
+[Unix:Service]
+EXTRACT-file_hash = (?i)file_hash=(\s*\(?\w+\)?\s*=)?\s*(?P[a-fA-F0-9]+)
+
+# Incorporating CIM review changes
+EVAL-status = case(ACTIVE=="active","started",ACTIVE=="inactive","stopped",ACTIVE=="activating","stopped",ACTIVE=="reloading","stopped",ACTIVE=="failed","critical",ACTIVE=="deactivating","stopped")
+
+## no windows application at this time
+[source::*:SSHDConfig]
+EVAL-note = if(match(sshd_protocol,"1"),"SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks)",null())
+
+###### Update ######
+
+[source::...Unix:Update]
+EVENT_BREAKER_ENABLE = true
+FIELDALIAS-signature_for_update = package as signature
+LOOKUP-status_for_update = nix_da_update_status_lookup sourcetype OUTPUTNEW status
+
+###### Uptime ######
+
+[source::...Unix:Uptime]
+FIELDALIAS-uptime_for_unix_uptime = SystemUpTime as uptime
+FIELDALIAS-dest = host as dest
+
+###### Version ######
+
+[source::...Unix:Version]
+SHOULD_LINEMERGE = false
+FIELDALIAS-family_for_nix_version = os_name as family
+LOOKUP-range_for_nix_version = nix_da_version_range_lookup sourcetype OUTPUTNEW range
+FIELDALIAS-version_for_nix_version = os_release as version
+FIELDALIAS-cpu_architecture = machine_architecture_name as cpu_architecture
+EVAL-os = if(isnotnull(os_name) AND isnotnull(os_release),os_name." ".os_release,null())
+EVAL-vendor_product = if(isnotnull(os_name),os_name,null())
+FIELDALIAS-dest_for_nix_version = host as dest
+
+###### VSFTPD Config ######
+## no windows application at this time
+
+[source::*:VSFTPDConfig]
+EVAL-note = "FTP uses clear text to pass authentication credentials. Consider using SSH instead."
+
+#####################
+## END SCRIPTED INPUT CONTENT IMPORTED FROM TA-deployment-apps
+#####################
+
+
+#####################
+## System Logs
+#####################
+
+###### Global ######
+[source::....nix]
+sourcetype = linux_secure
+
+[source::/etc/passwd*]
+sourcetype = ignored_type
+
+[source::/etc/shadow*]
+sourcetype = ignored_type
+
+## Custom Sourcetype
+#[source::....]
+#sourcetype =
+
+#[]
+### Event extractions by type
+#REPORT-0authentication_for_your_sourcetype = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
+#EVAL-action = if(app="su" AND isnull(action),"success",action)
+#REPORT-account_management_for_your_sourcetype = useradd, userdel
+#REPORT-firewall_for_your_sourcetype = ipfw, ipfw-stealth, ipfw-icmp, pf
+#REPORT-routing_for_your_sourcetype = iptables
+#EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
+#REPORT-signature_for_your_sourcetype_timesync = signature_for_nix_timesync
+
+#REPORT-dest_for_your_sourcetype = host_as_dest
+#LOOKUP-action_for_your_sourcetype = nix_action_lookup vendor_action OUTPUTNEW action
+#REPORT-pid-process_for_your_sourcetype = syslog-extractions
+#REPORT-src_for_your_sourcetype = src_dns_as_src, src_ip_as_src, host_as_src
+
+###### AIX Sourcetype ######
+[source::....aix_secure]
+sourcetype = aix_secure
+
+[aix_secure]
+EVENT_BREAKER_ENABLE = true
+REPORT-0authentication_for_aix_secure = failed_login1, bad-su2, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
+EVAL-action = if(app="su" AND isnull(action),"success",action)
+
+REPORT-dest_for_aix_secure = loghost_as_dest
+FIELDALIAS-dvc = dest as dvc
+LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
+REPORT-src_for_aix_secure = src_dns_as_src, src_ip_as_src
+
+###### OSX Security ######
+[source::....osx_secure]
+sourcetype = osx_secure
+
+[osx_secure]
+EVENT_BREAKER_ENABLE = true
+
+## Event extractions by type
+REPORT-0authentication_for_osx_secure = ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
+EVAL-action = if(app="su" AND isnull(action),"success",action)
+
+REPORT-dest_for_osx_secure = host_as_dest
+LOOKUP-action_for_osx_secure = nix_action_lookup vendor_action OUTPUTNEW action
+REPORT-src_for_osx_secure = src_dns_as_src, src_ip_as_src
+
+###### Linux Security ######
+[source::....linux_secure]
+sourcetype = linux_secure
+
+[linux_secure]
+EVENT_BREAKER_ENABLE = true
+
+## Event extractions by type
+REPORT-0authentication_for_linux_secure = remote_login_allowed, remote_login_failure, passwd-auth-failure, bad-su, failed-su, ssh-invalid-user, ssh-login-failed, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
+EVAL-action = if(app="su" AND isnull(action),"success",action)
+REPORT-account_management_for_linux_secure = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
+REPORT-password_change_for_linux_secure = pam-passwd-ok, passwd-change-fail
+REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
+REPORT-routing = iptables
+EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
+
+REPORT-dest_for_linux_secure = loghost_as_dest
+LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
+REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+EVAL-object = case((command=="useradd" OR command=="userdel" OR command=="passwd") AND isnotnull(user), user, true(), object)
+FIELDALIAS-dvc = dest as dvc
+EVAL-src_user = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
+FIELDALIAS-user_name = user as user_name
+EVAL-src_user_name = case('src_user_id'=="0" AND isnull('src_user'),"root",isnull('src_user'),'src_user_id',true(),'src_user')
+
+###### Syslog ######
+[source::....syslog]
+sourcetype = syslog
+
+[syslog]
+EVENT_BREAKER_ENABLE = true
+
+## Event extractions by type
+REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication
+EVAL-action = if(app="su" AND isnull(action),"success",action)
+REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse
+REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail
+REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
+REPORT-routing = iptables
+EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
+REPORT-signature_for_syslog_timesync = signature_for_nix_timesync
+
+REPORT-dest_for_syslog = host_as_dest
+LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
+REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src
+FIELDALIAS-dvc = dest as dvc
+
+EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product)
+
+###### bash history ######
+[bash_history]
+SHOULD_LINEMERGE=FALSE
+EVENT_BREAKER_ENABLE = true
+DATETIME_CONFIG=CURRENT
+REPORT-bhist=bash_user,bash_user_root
+FIELDALIAS-bhist=_raw AS bash_command
+FIELDALIAS-dest_for_history = host as dest
diff --git a/deployment-apps/Splunk_TA_nix/default/restmap.conf b/deployment-apps/Splunk_TA_nix/default/restmap.conf
new file mode 100644
index 0000000..0a07313
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/restmap.conf
@@ -0,0 +1,9 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[script:setup]
+python.version = python3
+match=/SetupService
+handler=setupservice.SetupService
diff --git a/deployment-apps/Splunk_TA_nix/default/tags.conf b/deployment-apps/Splunk_TA_nix/default/tags.conf
new file mode 100644
index 0000000..eae3742
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/tags.conf
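Review bot: The `[script:setup]` stanza exposes a custom Python REST handler at `/SetupService` without saying what access control it expects; restmap.conf lets an endpoint stanza set `requireAuthentication` and `capability`, and leaving both to their defaults means a reader of this file cannot tell which role is allowed to drive the setup service. If the handler writes configuration, a comment such as `# Setup endpoint; relies on restmap defaults (authenticated session, no capability check) -- add capability = <required_capability> if the handler modifies conf files` would make the intent explicit. The `setupservice` module referenced by `handler=` is not in this part of the diff, so where it lives and what it does cannot be checked from here.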
@@ -0,0 +1,851 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+###### Globals ######
+[eventtype=nix_security]
+os = enabled
+unix = enabled
+
+[eventtype=nix_errors]
+error = enabled
+
+[eventtype=interfaces]
+inventory = enabled
+network = enabled
+
+###### DHCP ######
+[eventtype=dhcpd_server]
+dhcp = enabled
+network = enabled
+session = enabled
+unix = enabled
+
+[eventtype=dhcpd_start]
+start = enabled
+
+[eventtype=dhcpd_unable_unexpected]
+error = enabled
+
+[eventtype=dhcpd_server_dhcprelease]
+end = enabled
+
+
+###### Scripted Inputs ######
+[eventtype=cpu]
+os = enabled
+resource = enabled
+report = enabled
+unix = enabled
+cpu = enabled
+avail = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=cpu_anomalous]
+anomalous = enabled
+
+[eventtype=df]
+df = enabled
+host = enabled
+check = enabled
+success = enabled
+storage = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=iostat]
+report = enabled
+resource = enabled
+iostat = enabled
+performance = enabled
+cpu = enabled
+storage = enabled
+success = enabled
+oshost = enabled
+
+[eventtype=nfsiostat]
+storage = enabled
+performance = enabled
+
+[eventtype=lsof]
+report = enabled
+lsof = enabled
+resource = enabled
+file = enabled
+success = enabled
+
+[eventtype=netstat]
+report = enabled
+netstat = enabled
+os = enabled
+cpu = enabled
+success = enabled
+listening = enabled
+port = enabled
+
+[eventtype=ps]
+performance = enabled
+cpu = enabled
+success = enabled
+ps = enabled
+oshost = enabled
+process = enabled
+
+[eventtype=top]
+top = enabled
+os = enabled
+success = enabled
+process = enabled
+
+[eventtype=time]
+report = enabled
+os = enabled
+success = enabled
+time = enabled
+
+[eventtype=vmstat]
+report = enabled
+vmstat = enabled
+resource = enabled
+success = enabled
+cpu = enabled
+memory = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=bandwidth]
+network = enabled
+resource = enabled
+success = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=hardware]
+inventory = enabled
+oshost = enabled
+cpu = enabled
+memory = enabled
+
+# For ESS:
+os = enabled
+avail = enabled
+unix = enabled
+
+###### System Logs ######
+
+#### Account Management
+[eventtype=useradd]
+account = enabled
+management = enabled
+add = enabled
+change = enabled
+
+[eventtype=useradd-suse]
+account = enabled
+management = enabled
+add = enabled
+change = enabled
+
+[eventtype=userdel]
+account = enabled
+management = enabled
+delete = enabled
+change = enabled
+
+[eventtype=groupadd]
+management = enabled
+add = enabled
+change = enabled
+
+[eventtype=groupadd-suse]
+management = enabled
+add = enabled
+change = enabled
+account = enabled
+
+[eventtype=groupdel]
+management = enabled
+delete = enabled
+change = enabled
+
+[eventtype=linux-password-change]
+account = enabled
+management = enabled
+password = enabled
+modify = enabled
+change = enabled
+
+[eventtype=linux-password-change-failed]
+account = enabled
+management = enabled
+password = enabled
+modify = enabled
+change = enabled
+
+
+#### acpi
+[eventtype=nix_acpi]
+os = enabled
+unix = enabled
+power = enabled
+
+
+#### agpgart
+[eventtype=nix_agpgart]
+os = enabled
+unix = enabled
+graphics = enabled
+
+
+#### apm
+[eventtype=nix_apm]
+os = enabled
+unix = enabled
+power = enabled
+
+
+#### auditd
+[eventtype=auditd]
+os = enabled
+unix = enabled
+resource = enabled
+file = enabled
+
+[eventtype=auditd_modify]
+modify = enabled
+
+
+#### Authentication
+
+## ksu
+[eventtype=ksu_authentication]
+authentication = enabled
+
+[app=ksu]
+local = enabled
+privileged = enabled
+
+[app=ksudo]
+local = enabled
+privileged = enabled
+
+## login
+[eventtype=login_authentication]
+authentication = enabled
+
+## pam
+[eventtype=pam_unix_authentication]
+authentication = enabled
+
+## passwd
+[eventtype=passwd-auth-failure]
+application = enabled
+authentication = enabled
+
+## rlogin
+[eventtype=rlogin_too_many_failures]
+application = enabled
+attack = enabled
+watchlist = enabled
+
+[eventtype=remote_login_failure]
+application = enabled
+authentication = enabled
+remote = enabled
+
+[eventtype=remote_login_allowed]
+application = enabled
+authentication = enabled
+remote = enabled
+
+## sshd
+[eventtype=sshd_authentication]
+authentication = enabled
+remote = enabled
+
+[eventtype=ssh_open]
+communicate = enabled
+connect = enabled
+
+[eventtype=ssh_close]
+access = enabled
+stop = enabled
+logoff = enabled
+
+[eventtype=ssh_disconnect]
+access = enabled
+stop = enabled
+logoff = enabled
+
+[eventtype=failed_login]
+authentication = enabled
+
+[eventtype=Failed_SU]
+authentication = enabled
+
+## su
+[eventtype=su_authentication]
+authentication = enabled
+
+[app=su]
+local = enabled
+privileged = enabled
+
+[app=sudo]
+local = enabled
+privileged = enabled
+
+[eventtype=su_failed]
+authentication = enabled
+
+[eventtype=su_session]
+session = enabled
+
+[eventtype=su_root_session]
+session = enabled
+privileged = enabled
+
+## Telnet
+
+[app=wksh]
+cleartext = enabled
+
+
+#### automount
+[eventtype=nix_automount]
+os = enabled
+unix = enabled
+
+
+#### Config
+[eventtype=nix_config_change]
+os = enabled
+unix = enabled
+host = enabled
+configuration = enabled
+modify = enabled
+
+
+#### Console
+[eventtype=nix_console]
+os = enabled
+unix = enabled
+
+
+#### cron
+[eventtype=nix_cron]
+os = enabled
+unix = enabled
+
+
+#### CUPS
+[eventtype=nix_cups_access]
+os = enabled
+unix = enabled
+access = enabled
+printer = enabled
+
+[eventtype=nix_cups_error]
+os = enabled
+unix = enabled
+printer = enabled
+
+[eventtype=nix_cups_page]
+os = enabled
+unix = enabled
+printer = enabled
+
+
+#### dhclient
+[eventtype=nix_dhclient]
+os = enabled
+unix = enabled
+
+
+#### DMA
+[eventtype=nix_dma]
+os = enabled
+unix = enabled
+memory = enabled
+access = enabled
+
+
+#### Firewall
+[eventtype=iptables_firewall_accept]
+os = enabled
+unix = enabled
+host = enabled
+firewall = enabled
+communicate = enabled
+success = enabled
+
+[eventtype=iptables_firewall_deny]
+os = enabled
+unix = enabled
+host = enabled
+firewall = enabled
+communicate = enabled
+failure = enabled
+
+
+#### FTP
+[eventtype=nix_ftp_xferlog]
+os = enabled
+unix = enabled
+ftp = enabled
+transfer = enabled
+
+[eventtype=nix_ncftpd_logins]
+os = enabled
+unix = enabled
+ftp = enabled
+authentication = enabled
+
+
+#### Fingerprinting
+[eventtype=nix_fingerprinting]
+os = enabled
+unix = enabled
+
+
+#### gconfd
+[eventtype=nix_gconfd]
+os = enabled
+unix = enabled
+
+[eventtype=nix_gconfd_error]
+error = enabled
+
+[eventtype=nix_gconfd_exiting]
+stop = enabled
+
+[eventtype=nix_gconfd_starting]
+start = enabled
+
+
+## gdm
+[eventtype=nix_gdm]
+os = enabled
+unix = enabled
+
+
+#### gpm
+[eventtype=nix_gpm]
+os = enabled
+unix = enabled
+
+
+#### FreeBSD
+[eventtype=freebsd_refresh_na_answer]
+os = enabled
+unix = enabled
+
+[eventtype=freebsd_refresh_retry_exceeded]
+os = enabled
+unix = enabled
+
+
+#### hald
+[eventtype=nix_hald]
+os = enabled
+unix = enabled
+
+
+#### hpiod
+[eventtype=hpiod_Linux_syslog]
+os = enabled
+unix = enabled
+
+
+#### kernel
+[eventtype=nix_kernel_attached]
+os = enabled
+unix = enabled
+kernel = enabled
+
+
+#### kill
+[eventtype=nix_process_kill]
+os = enabled
+unix = enabled
+process = enabled
+stop = enabled
+
+
+#### mDNSResponder
+[eventtype=nix_mDNSResponder]
+os = enabled
+unix = enabled
+dns = enabled
+
+
+#### named
+[eventtype=nix_named1]
+os = enabled
+unix = enabled
+dns = enabled
+
+[eventtype=nix_named2]
+os = enabled
+unix = enabled
+dns = enabled
+
+
+#### OSX
+[eventtype=osx_crash_log]
+os = enabled
+unix = enabled
+error = enabled
+
+
+#### Netlabel
+[eventtype=nix_netlabel]
+os = enabled
+unix = enabled
+kernel = enabled
+
+
+#### PCI
+[eventtype=nix_pci]
+os = enabled
+unix = enabled
+
+
+#### Plug-n-play
+[eventtype=nix_pnp]
+os = enabled
+unix = enabled
+
+
+#### POP3
+[eventtype=nix_popper]
+os = enabled
+unix = enabled
+mail = enabled
+
+
+#### postfix
+[eventtype=nix_postfix]
+os = enabled
+unix = enabled
+
+
+#### Prelink
+[eventtype=nix_prelink]
+os = enabled
+unix = enabled
+
+
+#### RPC
+[eventtype=nix_rpc_statd]
+os = enabled
+unix = enabled
+
+
+#### RPM
+[eventtype=nix_rpm]
+os = enabled
+unix = enabled
+update = enabled
+
+
+#### Runlevel
+[eventtype=nix_runlevel_change]
+os = enabled
+unix = enabled
+configuration = enabled
+modify = enabled
+
+
+#### SNMPD
+[eventtype=snmpd]
+os = enabled
+unix = enabled
+snmp = enabled
+
+[eventtype=snmpd_failure]
+failure = enabled
+
+
+#### scrollkeeper
+[eventtype=nix_scrollkeeper]
+os = enabled
+unix = enabled
+
+
+## Shutdown
+[eventtype=nix_halt]
+os = enabled
+unix = enabled
+stop = enabled
+
+[eventtype=nix_restart]
+os = enabled
+unix = enabled
+stop = enabled
+
+
+#### smartd
+[eventtype=nix_smartd]
+os = enabled
+unix = enabled
+
+
+#### Time
+[eventtype=nix_timesync]
+report = enabled
+time = enabled
+synchronize = enabled
+success = enabled
+
+os = enabled
+performance = enabled
+
+[eventtype=nix_timesync_failure]
+report = enabled
+time = enabled
+synchronize = enabled
+failure = enabled
+
+os = enabled
+performance = enabled
+
+#### Update
+[eventtype=nix_yum_update]
+report = enabled
+update = enabled
+success = enabled
+
+
+#### udevd
+[eventtype=nix_udevd]
+os = enabled
+unix = enabled
+kernel = enabled
+
+
+#### USB
+[eventtype=nix_usb]
+os = enabled
+unix = enabled
+usb = enabled
+
+
+#### userhelper
+[eventtype=nix_userhelper]
+os = enabled
+unix = enabled
+
+
+#### Open ports
+[eventtype=openPorts]
+unix = enabled
+report = enabled
+os = enabled
+
+
+###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
+
+# Stanzas in this section are legacy configuration stanzas
+# intended to support parsing of data created by scripts in
+# TA-deploymentapps, which has since been retired. Systems that use
+# Splunk_TA_nix on the search head but which may be searching data
+# from forwarders on which the older scripts are still in use should
+# be able to search new and old data seamlessly.
+
+###### Scripted Inputs ######
+
+## Global
+[eventtype=aix_scripted_input]
+check = enabled
+report = enabled
+
+[eventtype=hpux_scripted_input]
+check = enabled
+report = enabled
+
+[eventtype=linux_scripted_input]
+check = enabled
+report = enabled
+
+[eventtype=osx_scripted_input]
+check = enabled
+report = enabled
+
+[eventtype=solaris_scripted_input]
+check = enabled
+report = enabled
+
+[eventtype=unix_scripted_input]
+check = enabled
+report = enabled
+
+## CPUTime
+[eventtype=cputime]
+os = enabled
+avail = enabled
+cpu = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=cputime_anomalous]
+anomalous = enabled
+
+
+## Disk
+[eventtype=freediskspace]
+os = enabled
+avail = enabled
+disk = enabled
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=freediskspace_anomalous]
+anomalous = enabled
+
+
+## Listening Ports
+[eventtype=listeningports]
+os = enabled
+config = enabled
+report = enabled
+
+
+## Local Processes
+
+[eventtype=localprocesses_anomalous]
+anomalous = enabled
+
+
+## Memory
+[eventtype=memory]
+os = enabled
+avail = enabled
+memory = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=memory_anomalous]
+anomalous = enabled
+
+
+## SELinux Config
+[eventtype=selinuxconfig]
+application = enabled
+config = enabled
+selinux = enabled
+
+[selinux=disabled]
+insecure = enabled
+
+
+## Service
+[eventtype=service]
+os = enabled
+config = enabled
+service = enabled
+report = enabled
+
+[eventtype=service_runlevel_anomalous]
+anomalous = enabled
+
+[app=ntpd]
+time = enabled
+synchronize = enabled
+
+[app=%2Fnetwork%2Fntp%3Adefault]
+time = enabled
+synchronize = enabled
+
+[app=yum-updatesd]
+automatic = enabled
+update = enabled
+
+
+## SSHD Config
+[eventtype=sshdconfig]
+application = enabled
+config = enabled
+ssh = enabled
+
+[eventtype=sshd_insecure]
+insecure = enabled
+
+
+## Update
+[eventtype=update]
+os = enabled
+info = enabled
+system = enabled
+update = enabled
+
+[eventtype=update_status]
+status = enabled
+
+
+## Uptime
+[eventtype=uptime]
+os = enabled
+info = enabled
+report = enabled
+uptime = enabled
+performance = enabled
+
+[eventtype=uptime_anomalous]
+anomalous = enabled
+
+
+## User Accounts
+[eventtype=useraccounts]
+os = disabled
+config = enabled
+user = enabled
+inventory = enabled
+
+[eventtype=useraccounts_anomalous]
+anomalous = enabled
+
+[shell=%2Fbin%2Fbash]
+interactive = enabled
+
+[shell=%2Fbin%2Fsh]
+interactive = enabled
+
+[shell=%2Fusr%2Fbin%2Fbash]
+interactive = enabled
+
+[shell=%2Fusr%2Fbin%2Fpfksh]
+interactive = enabled
+
+[shell=%2Fusr%2Fbin%2Fpfsh]
+interactive = enabled
+
+
+## Version
+[eventtype=nix_version]
+os = enabled
+info = enabled
+report = enabled
+system = enabled
+version = enabled
+inventory = enabled
+oshost = enabled
+cpu = enabled
+memory = enabled
+
+
+## VSFTDP Config
+[eventtype=vsftpd_config]
+application = enabled
+config = enabled
+ftp = enabled
+cleartext = enabled
+
+[eventtype=vsftpd_config_anonymous]
+anonymous = enabled
+
+###### END CONTENT IMPORTED FROM TA-deploymentapps ######
diff --git a/deployment-apps/Splunk_TA_nix/default/transforms.conf b/deployment-apps/Splunk_TA_nix/default/transforms.conf
new file mode 100644
index 0000000..6fe10ef
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/transforms.conf
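Review bot: `[eventtype=useraccounts]` sets `os = disabled` while every other stanza in this file only ever enables tags, so it reads like a typo for `os = enabled`; if disabling is deliberate for the legacy TA-deploymentapps data, a one-line comment above the stanza should say why. In the Account Management section, `[eventtype=groupadd]` and `[eventtype=groupdel]` carry `management`/`change` but not `account = enabled`, whereas `[eventtype=useradd]`, `[eventtype=userdel]` and `[eventtype=groupadd-suse]` do; if group changes are meant to be searchable alongside user changes, the missing tag is an inconsistency, and if not, a comment such as `# group add/delete intentionally not tagged account` would stop the next reader from "fixing" it. I cannot tell from the diff which data-model search relies on the `account` tag, so this is a consistency observation rather than a confirmed defect.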
@@ -0,0 +1,538 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+###### Globals ######
+
+## Lookups
+[nix_action_lookup]
+filename = nix_vendor_actions.csv
+case_sensitive_match = false
+
+## Aliases
+[host_as_dest]
+SOURCE_KEY = host
+REGEX = (.+)
+FORMAT = dest::"$1"
+
+[host_as_src]
+SOURCE_KEY = host
+REGEX = (.+)
+FORMAT = src::"$1"
+
+[src_dns_as_src]
+SOURCE_KEY = src_dns
+REGEX = (.+)
+FORMAT = src::"$1"
+
+[src_ip_as_src]
+SOURCE_KEY = src_ip
+REGEX = (.+)
+FORMAT = src::"$1"
+
+[dest_nt_host_as_dest]
+SOURCE_KEY = dest_nt_host
+REGEX = (.+)
+FORMAT = dest::"$1"
+
+[dest_mac_as_dest]
+SOURCE_KEY = dest_mac
+REGEX = (.+)
+FORMAT = dest::"$1"
+
+[dest_ip_as_dest]
+SOURCE_KEY = dest_ip
+REGEX = (.+)
+FORMAT = dest::"$1"
+
+## netstat
+
+[ip_and_ports_for_netstat]
+REGEX = \w+\s+\d+\s+\d+\s+((?:\d+.\d+.\d+.\d+)|(?:\[[^\]]+\])|\*):([\S]+)\s+((?:\d+.\d+.\d+.\d+)|(?:\[[^\]]+\])|\*):([\S]+)\s+[\S]+
+FORMAT = dest::$1 dest_port::$2 src::$3 src_port::$4
+MV_ADD = true
+
+###### DHCP ######
+[dhcp_prefix_dest]
+#when dhcp server is the dest, extract the dest and process fields
+#format as below (fields are within the angle brackets):
+# [process_id]|:
+REGEX=\s+(?\S+)\s+(?:(?[^\s\[\]]+)\[(?[^\]\s]+)\]|(?[^\s\[\]]+)):\s+
+
+[dhcp_prefix_src]
+#when dhcp server is the src, extract the src and process fields
+#format as below (fields are within the angle brackets):
+# [process_id]|:
+REGEX=\s+(?\S+)\s+(?:(?[^\s\[\]]+)\[(?[^\]\s]+)\]|(?[^\s\[\]]+)):\s+
+
+
+[dhcp_mac_hostname_for_dest]
+#extract mac address and hostname for dest
+#format as below (fields are within the angle brackets):
+# ()
+#Note: dest_host may not exist
+REGEX=\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)?
+
+[dhcp_mac_hostname_for_src]
+#extract mac address and hostname for src
+#format as below (fields are within the angle brackets):
+# ()
+#Note: src_host may not exist
+REGEX=\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)?
+
+[dhcp_relay]
+#extract relay field
+REGEX = (?[^\s:\\]+)
+
+[dhcp_block_action]
+#extract blocked actions
+REGEX = (?(REFUSED|Invalid|ignored|rejected|not authoritative|[uU]nable to add forward map))
+
+[dhcp_discover_extract]
+# for event of DHCPDISCOVER, format as below (fields are within the angle brackets):
+# : DHCPDISCOVER from () via
+# Note: src_host may not exist
+REGEX=[[dhcp_prefix_dest]](?DHCPDISCOVER)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
+
+
+[dhcp_offer_extract]
+# for event of DHCPOFFER, format as below (fields are within the angle brackets):
+# : DHCPOFFER on to () via
+# Note: dest_host may not exist
+REGEX=[[dhcp_prefix_src]](?DHCPOFFER)\s+on\s+(?\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
+
+
+[dhcp_request_extract]
+# for event of DHCPREQUEST, format as below (fields are within the angle brackets):
+# : DHCPREQUEST for () from () via uid
+# Note: server_ip, src_host, uuid may not exist
+REGEX=[[dhcp_prefix_dest]](?DHCPREQUEST)\s+for\s+(?\S+)\s+(?:\((?[^)]+)\)\s+)?from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]](?:\s+uid\s+(?[^\s]+))?
+
+
+[dhcp_ack_nak_extract_0]
+# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
+# : DHCPACK|DHCPNAK on to () via () relay lease-duration uid
+# Note: dest_host, relay_ip, lease_duration, uuid may not exist
+REGEX=[[dhcp_prefix_src]](?DHCPACK|DHCPNAK)\s+on\s+(?\S+)\s+to[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]](?:\s+relay\s+(?\S+)\s+lease-duration\s+(?\S+)\s+.*uid\s+(?\S+))?
+
+
+[dhcp_ack_nak_extract_1]
+# for event of DHCPACK or DHCPNAK, format as below (fields are within the angle brackets):
+# : DHCPACK|DHCPNAK to () via
+REGEX=[[dhcp_prefix_src]](?DHCPACK|DHCPNAK)\s+to\s+(?\S+)\s+\((?[^)]+)\)\s+via\s+[[dhcp_relay]]
+
+
+[dhcp_decline_extract]
+# for event of DHCPDECLINE, format as below (fields are within the angle brackets):
+# : DHCPDECLINE of from () via
+# Note: src_host may not exist
+REGEX=[[dhcp_prefix_dest]](?DHCPDECLINE)\s+of\s+(?\S+)\s+from[[dhcp_mac_hostname_for_src]]via\s+[[dhcp_relay]]
+
+
+[dhcp_release_extract]
+# for event of DHCPRELEASE, format as below (fields are within the angle brackets):
+# : DHCPRELEASE of from () via
+# Note: src_host may not exist
+REGEX=[[dhcp_prefix_src]](?DHCPRELEASE)\s+of\s+(?\S+)\s+from[[dhcp_mac_hostname_for_dest]]via\s+[[dhcp_relay]]
+
+
+[dhcp_inform_extract]
+# for event of DHCPINFORM, format as below (fields are within the angle brackets):
+# : DHCPINFORM from via
+REGEX=[[dhcp_prefix_dest]](?DHCPINFORM)\s+from\s+(?\S+)\s+via\s+[[dhcp_relay]]
+
+
+[dhcp_unable_to_add_forward_map_extract]
+# for event of unable to add forward map, format as below (fields are within the angle brackets):
+# : Unable to add forward map from to
+REGEX=[[dhcp_prefix_src]][uU]nable\s+to\s+add\s+forward\s+map\s+from\s+(?\S+)\s+to\s+(?[^\s:]+)
+
+
+[dhcp_add_new_forward_map_extract]
+# for event of add new forward map, format as below (fields are within the angle brackets):
+# : Added new forward map from to
+REGEX=[[dhcp_prefix_src]][aA]dded\s+new\s+forward\s+map\s+from\s+(?\S+)\s+to\s+(?[^\s:]+)
+
+
+[dhcp_added_reverse_map_extract]
+# for event of add reverse map, format as below (fields are within the angle brackets):
+# : [aA]dded reverse map from to
+REGEX=[[dhcp_prefix_dest]][aA]dded\s+reverse\s+map\s+from\s+(?\S+)\s+to\s+(?\S+)
+
+
+[dhcp_abandon_ip_extract]
+# for event of Abandon IP address, format as below (fields are within the angle brackets):
+# : Abandoning IP address
+REGEX=[[dhcp_prefix_src]]Abandoning\s+IP\s+address\s+(?[^\s:]+)
+
+
+[dhcp_lease_duplicate_extract]
+# for event of lease duplicate, format as below (fields are within the angle brackets):
+# : uid lease for client is duplicate on
+REGEX=\s+(?\S+)\s+(?[^\s:]+):\s+uid\s+lease\s+(?\S+)\s+for\s+client\s+(?\S+)\s+is\s+duplicate\s+on\s+(?\S+)/
+
+[bind_update_fail_extract]
+# for event of bind update reject, format as below (fields are within the angle brackets):
+# : bind update on from rejected
+REGEX=[[dhcp_prefix_dest]]bind\s+update\s+on\s+(?\S+)\s+from\s+(?\S+)\s+rejected.*
+
+[dhcp_icmp_echo_reply]
+REGEX=[[dhcp_prefix_src]]ICMP\s+Echo\s+reply\s+while\s+lease\s+(?\S+)
+
+[dhcp_reuse_lease]
+REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s+with\s+unaltered,\s+existing\s+lease\s+for\s+(?[^$]+)
+
+###### Scripted Metric Inputs ######
+
+[eval_dimensions]
+# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
+INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
+
+[extract_df_metrics]
+INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
+
+[metric-schema:extract_metrics_interfaces]
+METRIC-SCHEMA-MEASURES= Collisions,RXbytes,RXerrors,TXbytes,TXerrors,RXdropped,TXdropped
+METRIC-SCHEMA-BLACKLIST-DIMS= OSName, IPv6_Address
+
+# added extract_iostat_metrics_field for backward compatibility
+[extract_iostat_metrics_field]
+INGEST_EVAL = rReq_PS=r_s, rKB_PS=coalesce(rkB_s, Kb_read, kr_s), rrqmPct=rrqm, rAvgWaitMillis=r_await, rAvgReqSZkb=rareq_sz, wReq_PS=w_s, wKB_PS=coalesce(wkB_s, Kb_wrtn, kw_s), wrqmPct=wrqm, wAvgWaitMillis=w_await, wAvgReqSZkb=wareq_sz, avgQueueSZ=coalesce(aqu_sz, avgqu_sz), bandwUtilPct=coalesce(util, tm_act, ms_o, b), avgSvcMillis=coalesce(svctm, ms_w, asvc_t), avgWaitMillis=coalesce(await, wsvc_t, if(isnull(await),if(r_s==0.00 AND w_s==0.00,0,(((r_s * r_await) + (w_s * w_await))/(r_s+ w_s))), await), null())
+
+[extract_ps_metric_field]
+INGEST_EVAL = pctCPU=coalesce(CPU,pctCPU), pctMEM=coalesce(MEM,pctMEM), RSZ_KB=coalesce(RSS,RSZ_KB), VSZ_KB=coalesce(VSZ, VSZ_KB)
+
+[extract_cpu_metric_field]
+INGEST_EVAL = pctIdle=coalesce(id,pctIdle), pctIowait=coalesce(wa,pctIowait), pctSystem=coalesce(sy,pctSystem), pctUser=coalesce(us,pctUser), pctNice=coalesce(pctNice,"0"), CPU=coalesce(cpu,CPU)
+
+[metric-schema:extract_metrics_iostat]
+METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address
+METRIC-SCHEMA-BLACKLIST-DIMS= OSName
+
+[metric-schema:extract_metrics_vmstat]
+METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
+METRIC-SCHEMA-BLACKLIST-DIMS= OSName
+
+[metric-schema:extract_metrics_df]
+METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
+METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
+
+[metric-schema:extract_metrics_cpu]
+METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OSName, OS_name, OS_version, IP_address, cpu, CPU
+METRIC-SCHEMA-BLACKLIST-DIMS= OSName
+
+[metric-schema:extract_metrics_ps]
+METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ ARGS,COMMAND,CPUTIME,ELAPSED,PID,PSR,S,STAT,START,STARTED,TT,TTY,USER,OSName,OS_name,OS_version,IP_address,IPv6_Address,IPv6_address
+METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
+
+###### Scripted Event Inputs ######
+
+[vmstat_osx]
+REGEX = (?m)(?:Pages free:\s*(\d+)\.).*(?:Pages active:\s*(\d+)\.).*(?:Pages inactive:\s*(\d+)\.).*(?:Pages wired down:\s*(\d+)\.).*(?:Pageins:\s*(\d+)\.).*(?:Pageouts:\s*(\d+)\.)
+FORMAT = free::$1 active::$2 inactive::$3 wired::$4 pageins::$5 pageouts::$6
+
+#procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
+# r b swpd free inact active si so bi bo in cs us sy id wa
+# 0 0 24 4272 172660 67124 0 0 2 1 0 1 0 0 100 0
+[vmstat_linux]
+REGEX = (\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)
+FORMAT = proc_waiting::$1 proc_unitsleep::$2 swap::$3 free::$4 inactive::$5 active::$6 swap_in::$7 swap_out::$8 blocks_in::$9 blocks_out::$10 interrupts::$11 contextswitch::$12 usermode::$13 kernelmode::$14 idle::$15 waiting::$16
+
+
+#memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
+# 8192 4153 4039 50.7 49.3 1585619 5.0 ? ? ? ? 82 566 0.72 0.00 714.2 1.0 133.0
+[fields_for_vmstat_sh]
+REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
+FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14" waitThreads::"$15" interrupts_PS::"$16" pgPageIn_PS::"$17" pgPageOut_PS::"$18"
+
+
+###### System Logs ######
+
+# General
+
+[loghost_as_dest]
+REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s(\S+)\s\w+[\w\s\[]*
+FORMAT = dest::$1
+
+## Account Management
+[useradd]
+REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
+FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6
+
+[userdel]
+REGEX = (userdel).*?(?:(?:delete)(?:\s)*(?:user|account)) .(\S+).
+FORMAT = vendor_action::"delete" object_category::"user" action::"deleted" change_type::"AAA" command::$1 user::$2 status::"success"
+
+[userdel-grp]
+REGEX = (userdel).*?(?:(?:removed)(?:\s)*(?:\w+)?(?:\s)*(group))\s+\'(\S+)\'\s+owned\s+by\s+\'(\S+)\'
+FORMAT = action::"deleted" change_type::"AAA" command::$1 object_category::$2 object::$3 status::"success" "object_attrs"::$4
+
+[groupdel]
+REGEX = (groupdel).*(?:group)\s+'(\S+)'\s+removed(?:\s)*(?:(?:from\s+))?(\S+)?
+FORMAT = action::"deleted" change_type::"AAA" command::$1 object::$2 object_category::"group" status::"success" object_path::$3
+
+[groupadd]
+REGEX = (groupadd).*?(?:group added to |new group: )(?:((?:\/[^\/ ]*)+\/?):)?\s*(?:name=(\w+))?(?:,\s*GID=(\w+))?
+FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"group" object::$3 change_type::"AAA" object_id::$4 object_path::$2 status::"success"
+
+[groupadd-suse]
+REGEX = (useradd).*?(?:account added to group -)\s*(?:account=([^,]+))?(?:,\s*)?(?:group=([^,]+))(?:,\s*)?(?:gid=(?:[^,]+))?\,\s+(?:by\s+\(uid=(\d+)\))?
+FORMAT = vendor_action::"account added to group" action::"modified" command::$1 object_category::"user" user::$2 change_type::"AAA" object_attrs::$3 status::"success" src_user_id::$4
+
+## password change
+[pam-passwd-ok]
+REGEX = (passwd).*pam_unix\((?:passwd):chauthtok\): password changed for (\S+)
+FORMAT = action::"modified" change_type::"AAA" command::$1 object_attrs::"password" object_category::"user" status::"success" user::$2
+
+[passwd-change-fail]
+REGEX = (passwd).*(?:password change failed).*(?:account=)([^,\s]+),\s+uid=([^,\s]+)\,\s+by(?:\s+\(uid=(\d+)\))?
+FORMAT = action::"modified" change_type::"AAA" command::$1 user::$2 object_attrs::"password" object_category::"user" status::"failure" object_id::$3 src_user_id::$4
+
+[command_for_linux_audit]
+REGEX = exe=.*\/(\S+)\"
+FORMAT = command::$1
+
+
+## Authentication
+
+# Jan 14 12:14:04 host sshd[16247]: Accepted publickey for mark from ::ffff:XXX.XXX.XX.XXX port 50710 ssh2
+# Aug 21 11:25:06 host sshd[2544]: Accepted keyboard-interactive/pam for root from XXX.XXX.XX.XXX port 1274 ssh2
+[ssh-login-accepted]
+REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Accepted).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+FORMAT = app::"ssh" action::"success" vendor_action::$1 user::$2 src::$3 src_port::$4 sshd_protocol::$5
+
+# Aug 21 10:31:01 host sshd[1468]: error: PAM: Authentication failure for root from XXX.XXX.XX.XXX
+# Nov 5 11:37:47 host sshd[3003]: Failed password for root from XXX.XXX.XX.XXX port 58356 ssh2
+[ssh-login-failed]
+REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(failure|Failed).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+FORMAT = app::"ssh" action::"failure" vendor_action::$1 src::$3 user::$2 reason::"Failed password" src_port::$4 sshd_protocol::$5
+
+# Apr 14 12:14:04 host sshd[16247]: Failed password for invalid user player rom XXX.XXX.XX.XXX port 343 ssh2
+# Apr 24 04:02:57 magmum.google.com sshd[12128]: Invalid user player from XXX.XXX.XX.XXX
+[ssh-invalid-user]
+REGEX = (?:sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?.*?(Invalid user|invalid user).*?(\S+)\s+from.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\S+)\s+\w?\s*(ssh\d))?
+FORMAT = app::"ssh" action::"failure" src::$3 user::$2 reason::$1 src_port::$4 sshd_protocol::$5
+
+
+# Jan 11 03:16:49 crest-aix-dev auth|security:info syslog: ssh: failed login attempt for root from XXX.XXX.XX.XXX
+# Jan 8 06:00:56 crest-aix-dev auth|security:info syslog: pts/2: failed login attempt for root from qa-centos7x64-267.sv.splunk.com
+[failed_login1]
+REGEX = (?:syslog):.*(?:failed login attempt for)\s+(\S+)\s+from\s+(\S+)
+FORMAT = app::"nix" action::"failure" src::$2 user::$1 reason::"failed login"
+
+# Mar 18 16:54:02 splunk5 sshd(pam_unix)[17183]: session opened for user mark by (uid=0)
+# Mar 18 16:58:23 splunk5 sshd(pam_unix)[31639]: session closed for user mark
+# Apr 30 17:45:35 magnum.google.com sshd[5019]: Connection closed by XXX.XXX.XX.XXX
+[ssh-session-close]
+REGEX = .* ((?:session|Connection) (?:opened|closed))(?: for user ([^ ]+))?(?: by \(uid=(\d+)\))?(?: by (\d+\.\d+\.\d+\.\d+))?
+FORMAT = name::$1 user::$2 user_id::$3 src_ip::$4
+
+# Apr 24 04:02:57 magmum.google.com sshd[12128]: Received disconnect from XXX.XXX.XX.XXX: 11: Bye Bye
+[ssh-disconnect]
+REGEX = .* (Received disconnect) from (.*):
+FORMAT = name::$1 src_ip::$2
+
+[sshd_authentication_kerberos_success]
+REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authorized\s+to)\s+([^,]+)\,\s+krb5\s+principal\s+([^@]+)
+FORMAT = app::$1 vendor_action::"$2" user::"$3" src_user::"$4"
+
+[sshd_authentication_refused]
+REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+refused)\:.*?directory\s+\/home\/([^\/]+)
+FORMAT = app::$1 vendor_action::"$2" user::"$3"
+
+[sshd_authentication_tried]
+REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Authentication\s+tried)\s+for\s+([^\s]+)(?:.*?host\=([^,]+),\s+ip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))?
+FORMAT = app::$1 vendor_action::$2 user::"$3" src_dns::"$4" src_ip::"$5"
+
+[sshd_login_restricted]
+REGEX = (sshd)\[\d+\]\:\s+(?:\[[^]]+]\s+)?(Login\s+restricted)\s+for\s+([^:]+)
+FORMAT = app::$1 vendor_action::"$2" user::"$3"
+
+[pam_unix_authentication_failure]
+REGEX = pam_unix\((?:[^:]+):\w+\)\:\s+authentication\s+(failure)\;\s+logname\=(?:[^\s]+)?\s+uid\=(?:[^\s]+)?\s+euid=(?:[^\s]+)?\s+tty=(?:[^\s]+)?\s+ruser=([^\s]+)?\s+rhost=([^\s]+)?\s*(?:user=([^\s]+)?)?
+FORMAT = app::"ssh" action::$1 src::$3 user::$4 reason::"other" src_user::$2
+
+[pam_unix_authentication_success]
+REGEX = pam_unix\(([^:]+):\w+\)\:\s+(session\s+opened)\s+for\s+user\s+([^\s]+)\s+by\s+(.*?)\(uid=(\d+)\)
+FORMAT = app::"$1" vendor_action::"$2" user::$3 src_user::$4 action::"success" user_id::$5
+
+[passwd-auth-failure]
+REGEX = (passwd)\[(?:\d+)\]:\s+User\s+(\w+):\s+(?:Authentication failure)
+FORMAT = app::$1 action::"failure" user::$2 reason::"Authentication failure"
+
+[sudo_cannot_identify]
+REGEX = pam_unix\(([^:]+):\w+\)\:\s+auth\s+(could\s+not\s+identify\s+password)\s+for\s+\[([^]]+)
+FORMAT = app::"$1" vendor_action::"$2" user::"$3" reason::"could not identify password"
+
+[remote_login_allowed]
+REGEX = (pam_rhosts_auth)\[\d+\]:\s+allowed\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
+FORMAT = action::"success" app::$1 user::$2 vendor_action::"allowed"
+
+[remote_login_failure]
+REGEX = (pam_rhosts_auth)\[\d+\]:\s+denied\s+to\s+(\w+)@(?:\S+)\s+as\s+(?:\w+)
+FORMAT = action::"failure" app::$1 user::$2 vendor_action::"denied" reason::"access not allowed"
+
+[failed-su]
+REGEX = \'(?:su)\s+(?:[^']+)\'\s+(failed)\s+for\s+([^\s]+)
+FORMAT = vendor_action::$1 action::"failure" app::"nix" user::$2 reason::"other"
+
+[bad-su]
+REGEX = (?:su):\s+BAD\s+SU\s+dcid\s+to\s+(\w+)\s+on\s+(?:(?:\/[^\/ \n]*)+)
+FORMAT = action::"failure" app::"nix" user::$1 reason::"BAD SU dcid"
+
+[bad-su2]
+REGEX = (?:su):\s+BAD\s+SU\s+from\s+(\S+)\s+to\s+(\S+)\s+at\s+(?:(?:\/[^\/ \n]*)+)
+FORMAT = action::"failure" app::"nix" user::$2 src_user::$1 reason::"BAD SU"
+
+[ksu_authentication]
+REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?\'ksu\s+([^']+)\'\s+(authentication\s+failed|authenticated).*?for\s+(\w+)
+FORMAT = app::$1 user::"$2" vendor_action::"$3" src_user::$4
+
+[ksu_authorization]
+REGEX = (ksu)\[\d+\]\:\s+(?:\[[^]]+]\s+)?Account\s+([^:]+)\:\s+authorization\s+for\s+([^@]+).*?(failed|successful)
+FORMAT = app::$1 user::"$2" src_user::"$3" vendor_action::$4
+
+[login_authentication]
+REGEX = (login)\:.*(failure).*from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\,\s+(\S+))?
+FORMAT = app::$1 action::$2 user::$4 src::$3 reason::"login failure"
+
+[su_simple]
+REGEX = (?:su)\:\s+(?:\[[^]]+]\s+)?from\s+([^\s]+)\s+to\s+([^\s]+)
+FORMAT = app::"nix" src_user::$1 user::$2 action::"success"
+
+[su_authentication]
+REGEX = \'(?:su)\s+([^']+)\'\s+(succeeded|failed)\s+for\s+([^\s]+)
+FORMAT = app::"nix" user::"$1" vendor_action::$2 src_user::$3
+
+[su_successful]
+REGEX = (Successful)\s+(?:su)\s+for\s+([^\s]+)\s+by\s+([^\s]+)
+FORMAT = app::"nix" vendor_action::$1 user::$2 src_user::$3
+
+[wksh_authentication]
+REGEX = (wksh):\s+(HANDLING\s+TELNET\s+CALL)\s+\(User:\s+([^,]+),\s+Branch:\s+(?:[^,]+),\s+Client:\s+([^)]+)
+FORMAT = app::$1 vendor_action::"$2" user::$3 src_dns::$4
+
+[ftpd_authentication]
+REGEX = (ftpd)\[\d+\]\:.*(FTP\s+LOGIN)\s+FROM\s+([^\s]+)\s+\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\,\s+(.*)
+FORMAT = app::$1 vendor_action::"$2" src::$3 src_ip::$4 user::"$5"
+
+
+## Firewall
+[ipfw]
+REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*(\d+) (Deny|Accept) (UDP|TCP) ([^:]*):(\d+) ([^:]*):(\d+) (in|out) via ([^\s]+)
+FORMAT = rule_number::$1 action::$2 proto::$3 dest_ip::$4 dest_port::$5 src_ip::$6 src_port::$7 direction::$8 interface::$9
+
+[ipfw-stealth]
+REGEX = ^.* \d{2}:\d{2}:\d{2}.*? ipfw:\s*Stealth Mode connection (attempt) to (UDP|TCP) ([^:]*):(\d+) from ([^:]*):(\d+)
+FORMAT = action::$1 proto::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6
+
+[ipfw-icmp]
+#REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via ([^\s])*\s*
+REGEX = ^.*? ipfw:\s*(\d+) (Deny|Accept) (ICMP):([^ ]*) ([^ ]*) ([^ ]*) (out|in) via (.*)
+FORMAT = rule_number::$1 action::$2 proto::$3 application::$4 src_ip::$5 dest_ip::$6 direction::$7 interface::$8
+
+[pf]
+REGEX = rule ([-\d]+\/\d+)\(.*?\): (pass|block) (in|out) on (\w+): (\d+\.\d+\.\d+\.\d+)\.?(\d*) [<>] (\d+\.\d+\.\d+\.\d+)\.?(\d*): (?:.*)
+FORMAT = rule_number::$1 action::$2 direction::$3 interface::$4 src_ip::$5 src_port::$6 dest_ip::$7 dest_port::$8
+
+
+## Routing
+# Mar 26 11:03:20 splunk4 kernel: BLOCK IN=eth0 OUT= MAC=00:15:c5:e0:ba:45:00:10:db:ff:20:70:08:00 SRC=10.1.5.78 DST=10.2.1.44 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=64317 DF PROTO=TCP SPT=57293 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
+[iptables]
+REGEX = kernel:\s+(\w+ ?\w*) IN=(\w+) OUT=(\w*) .*SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+).*PROTO=(\w+) SPT=(\w+) DPT=(\w+)
+FORMAT = action::"$1" inbound_interface::$2 outbound_interface::$3 src_ip::$4 dest_ip::$5 proto::$6 src_port::$7 dest_port::$8
+
+## bash
+[bash_user]
+SOURCE_KEY=source
+REGEX=^\/home\/([^\/]+)\/
+FORMAT=user_name::$1
+
+[bash_user_root]
+SOURCE_KEY=source
+REGEX=^\/(root)\/
+FORMAT=user_name::$1
+
+## Time synchronization
+[signature_for_nix_timesync]
+REGEX = ((?:Adjusting\s+system\s+clock)|(?:synchronized\s+to)|(?:step\s+time\s+server)|(?:adjust\s+time\s+server)|(?:NTP\s+Server\s+Unreachable))
+FORMAT = signature::$1
+
+
+###### BEGIN CONTENT IMPORTED FROM TA-deploymentapps ######
+
+# Stanzas in this section are legacy configuration stanzas
+# intended to support parsing of data created by scripts in
+# TA-deploymentapps, which has since been retired. Systems that use
+# Splunk_TA_nix on the search head but which may be searching data
+# from forwarders on which the older scripts are still in use should
+# be able to search new and old data seamlessly.
+
+###### Scripted Inputs ######
+
+## Global
+
+##
+
+[force_host_for_linux_eventgen]
+DEST_KEY = MetaData:Host
+REGEX = .
+FORMAT = host::ACME-001
+
+[force_host_for_osx_eventgen]
+DEST_KEY = MetaData:Host
+REGEX = .
+FORMAT = host::ACME-002
+
+[force_host_for_solaris_eventgen]
+DEST_KEY = MetaData:Host
+REGEX = .
+FORMAT = host::ACME-003
+
+[force_host_for_unix_eventgen]
+DEST_KEY = MetaData:Host
+REGEX = .
+FORMAT = host::ACME-004
+
+## Service
+[nix_linux_service_startmode_lookup]
+filename = nix_linux_service_startmodes.csv
+
+## Update
+[nix_da_update_status_lookup]
+filename = nix_da_update_status.csv
+
+[Description_for_installedupdates]
+REGEX = ^Description=([^\r\n]+)
+FORMAT = Description::$1
+
+## Version
+[nix_da_version_range_lookup]
+filename = nix_da_version_ranges.csv
+
+[nix_linux_audit_action_lookup]
+filename = nix_linux_audit_action_object_category.csv
+
+[force_host_for_linux_cpu]
+DEST_KEY=MetaData:Host
+REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
+FORMAT=host::$1
+
+[force_host_for_linux_memory]
+DEST_KEY=MetaData:Host
+REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
+FORMAT=host::$1
+
+[force_host_for_linux_io]
+DEST_KEY=MetaData:Host
+REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
+FORMAT=host::$1
+
+[force_host_for_linux_disk]
+DEST_KEY=MetaData:Host
+REGEX=^\S+\s+\S+\s+\S+\s+(\S+)
+FORMAT=host::$1
+
+###### END CONTENT IMPORTED FROM TA-deploymentapps ######
diff --git a/deployment-apps/Splunk_TA_nix/default/web.conf b/deployment-apps/Splunk_TA_nix/default/web.conf
new file mode 100644
index 0000000..5ac46b4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/default/web.conf
@@ -0,0 +1,8 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[expose:setup]
+pattern=SetupService
+methods=GET,POST
diff --git a/deployment-apps/Splunk_TA_nix/lookups/nix_da_update_status.csv b/deployment-apps/Splunk_TA_nix/lookups/nix_da_update_status.csv
new file mode 100644
index 0000000..945da42
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/lookups/nix_da_update_status.csv
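Review bot: `[expose:setup]` opens the `SetupService` endpoint to the web tier for both GET and POST without a comment saying what it serves, so a reader of this file cannot tell whether the POST path writes configuration. Authorization for an exposed endpoint is not decided here but by the matching restmap.conf stanza, which this diff does not show, so the reviewer should confirm that stanza restricts POST to an administrative capability rather than relying on the web layer. A one-line comment above the stanza would make the intent explicit: `## Proxies the SetupService REST handler (see restmap.conf) through splunkweb; POST is needed to save setup`.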
@@ -0,0 +1,8 @@
+sourcetype,status
+AIX:Update,available
+FreeBSD:Update,available
+HPUX:Update,available
+Linux:Update,available
+OSX:Update,available
+Solaris:Update,available
+Unix:Update,available
diff --git a/deployment-apps/Splunk_TA_nix/lookups/nix_da_version_ranges.csv b/deployment-apps/Splunk_TA_nix/lookups/nix_da_version_ranges.csv
new file mode 100644
index 0000000..e97a2e5
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/lookups/nix_da_version_ranges.csv
@@ -0,0 +1,8 @@
+sourcetype,range
+AIX:Version,aix
+FreeBSD:Version,freebsd
+HPUX:Version,hpux
+Linux:Version,linux
+OSX:Version,osx
+Solaris:Version,solaris
+Unix:Version,unix
diff --git a/deployment-apps/Splunk_TA_nix/lookups/nix_linux_audit_action_object_category.csv b/deployment-apps/Splunk_TA_nix/lookups/nix_linux_audit_action_object_category.csv
new file mode 100644
index 0000000..a5c101d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/lookups/nix_linux_audit_action_object_category.csv
@@ -0,0 +1,12 @@
+op,action,object_category
+add-user,created,user
+add-home-dir,created,user
+add-group,created,group
+add-shadow-group,created,group
+delete-user,deleted,user
+deleting-user-from-group,modified,user
+deleting-user-from-shadow-group,modified,user
+delete-shadow-group,deleted,group
+delete-group,deleted,group
+success,success,user
+failed,failure,user
diff --git a/deployment-apps/Splunk_TA_nix/lookups/nix_linux_service_startmodes.csv b/deployment-apps/Splunk_TA_nix/lookups/nix_linux_service_startmodes.csv
new file mode 100644
index 0000000..24c8303
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/lookups/nix_linux_service_startmodes.csv
@@ -0,0 +1,129 @@ +runlevel0,runlevel1,runlevel2,runlevel3,runlevel4,runlevel5,runlevel6,StartMode +off,off,off,off,off,off,off,Disabled +off,off,off,off,off,off,on,Auto +off,off,off,off,off,on,off,Auto +off,off,off,off,off,on,on,Auto +off,off,off,off,on,off,off,Auto +off,off,off,off,on,off,on,Auto +off,off,off,off,on,on,off,Auto +off,off,off,off,on,on,on,Auto +off,off,off,on,off,off,off,Auto +off,off,off,on,off,off,on,Auto +off,off,off,on,off,on,off,Auto +off,off,off,on,off,on,on,Auto +off,off,off,on,on,off,off,Auto +off,off,off,on,on,off,on,Auto +off,off,off,on,on,on,off,Auto +off,off,off,on,on,on,on,Auto +off,off,on,off,off,off,off,Auto +off,off,on,off,off,off,on,Auto +off,off,on,off,off,on,off,Auto +off,off,on,off,off,on,on,Auto +off,off,on,off,on,off,off,Auto +off,off,on,off,on,off,on,Auto +off,off,on,off,on,on,off,Auto +off,off,on,off,on,on,on,Auto +off,off,on,on,off,off,off,Auto +off,off,on,on,off,off,on,Auto +off,off,on,on,off,on,off,Auto +off,off,on,on,off,on,on,Auto +off,off,on,on,on,off,off,Auto +off,off,on,on,on,off,on,Auto +off,off,on,on,on,on,off,Auto +off,off,on,on,on,on,on,Auto +off,on,off,off,off,off,off,Auto +off,on,off,off,off,off,on,Auto +off,on,off,off,off,on,off,Auto +off,on,off,off,off,on,on,Auto +off,on,off,off,on,off,off,Auto +off,on,off,off,on,off,on,Auto +off,on,off,off,on,on,off,Auto +off,on,off,off,on,on,on,Auto +off,on,off,on,off,off,off,Auto +off,on,off,on,off,off,on,Auto +off,on,off,on,off,on,off,Auto +off,on,off,on,off,on,on,Auto +off,on,off,on,on,off,off,Auto +off,on,off,on,on,off,on,Auto +off,on,off,on,on,on,off,Auto +off,on,off,on,on,on,on,Auto +off,on,on,off,off,off,off,Auto +off,on,on,off,off,off,on,Auto +off,on,on,off,off,on,off,Auto +off,on,on,off,off,on,on,Auto +off,on,on,off,on,off,off,Auto +off,on,on,off,on,off,on,Auto +off,on,on,off,on,on,off,Auto +off,on,on,off,on,on,on,Auto +off,on,on,on,off,off,off,Auto +off,on,on,on,off,off,on,Auto +off,on,on,on,off,on,off,Auto +off,on,on,on,off,on,on,Auto 
+off,on,on,on,on,off,off,Auto +off,on,on,on,on,off,on,Auto +off,on,on,on,on,on,off,Auto +off,on,on,on,on,on,on,Auto +on,off,off,off,off,off,off,Auto +on,off,off,off,off,off,on,Auto +on,off,off,off,off,on,off,Auto +on,off,off,off,off,on,on,Auto +on,off,off,off,on,off,off,Auto +on,off,off,off,on,off,on,Auto +on,off,off,off,on,on,off,Auto +on,off,off,off,on,on,on,Auto +on,off,off,on,off,off,off,Auto +on,off,off,on,off,off,on,Auto +on,off,off,on,off,on,off,Auto +on,off,off,on,off,on,on,Auto +on,off,off,on,on,off,off,Auto +on,off,off,on,on,off,on,Auto +on,off,off,on,on,on,off,Auto +on,off,off,on,on,on,on,Auto +on,off,on,off,off,off,off,Auto +on,off,on,off,off,off,on,Auto +on,off,on,off,off,on,off,Auto +on,off,on,off,off,on,on,Auto +on,off,on,off,on,off,off,Auto +on,off,on,off,on,off,on,Auto +on,off,on,off,on,on,off,Auto +on,off,on,off,on,on,on,Auto +on,off,on,on,off,off,off,Auto +on,off,on,on,off,off,on,Auto +on,off,on,on,off,on,off,Auto +on,off,on,on,off,on,on,Auto +on,off,on,on,on,off,off,Auto +on,off,on,on,on,off,on,Auto +on,off,on,on,on,on,off,Auto +on,off,on,on,on,on,on,Auto +on,on,off,off,off,off,off,Auto +on,on,off,off,off,off,on,Auto +on,on,off,off,off,on,off,Auto +on,on,off,off,off,on,on,Auto +on,on,off,off,on,off,off,Auto +on,on,off,off,on,off,on,Auto +on,on,off,off,on,on,off,Auto +on,on,off,off,on,on,on,Auto +on,on,off,on,off,off,off,Auto +on,on,off,on,off,off,on,Auto +on,on,off,on,off,on,off,Auto +on,on,off,on,off,on,on,Auto +on,on,off,on,on,off,off,Auto +on,on,off,on,on,off,on,Auto +on,on,off,on,on,on,off,Auto +on,on,off,on,on,on,on,Auto +on,on,on,off,off,off,off,Auto +on,on,on,off,off,off,on,Auto +on,on,on,off,off,on,off,Auto +on,on,on,off,off,on,on,Auto +on,on,on,off,on,off,off,Auto +on,on,on,off,on,off,on,Auto +on,on,on,off,on,on,off,Auto +on,on,on,off,on,on,on,Auto +on,on,on,on,off,off,off,Auto +on,on,on,on,off,off,on,Auto +on,on,on,on,off,on,off,Auto +on,on,on,on,off,on,on,Auto +on,on,on,on,on,off,off,Auto +on,on,on,on,on,off,on,Auto 
+on,on,on,on,on,on,off,Auto
+on,on,on,on,on,on,on,Auto
diff --git a/deployment-apps/Splunk_TA_nix/lookups/nix_vendor_actions.csv b/deployment-apps/Splunk_TA_nix/lookups/nix_vendor_actions.csv
new file mode 100644
index 0000000..2293e08
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/lookups/nix_vendor_actions.csv
@@ -0,0 +1,22 @@
+vendor_action,action
+accepted,success
+add,created
+added,created
+create,created
+authenticated,success
+"authentication failed",failure
+"authentication refused",failure
+"authentication tried",failure
+"authorized to",success
+"could not identify password",failure
+delete,deleted
+failed,failure
+"ftp login",success
+"handling telnet call",success
+"invalid user",failure
+"login restricted",failure
+remove,deleted
+"session opened",success
+succeeded,success
+successful,success
+"account added to group",modified
diff --git a/deployment-apps/Splunk_TA_nix/metadata/default.meta b/deployment-apps/Splunk_TA_nix/metadata/default.meta
new file mode 100644
index 0000000..bbfc245
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/metadata/default.meta
@@ -0,0 +1,11 @@
+# Application-level permissions
+[]
+access = read : [ * ], write : [ admin , sc_admin ]
+export = system
+
+[savedsearches]
+owner = admin
+
+## Exclude export of custom alert actions
+[alert_actions/email]
+export = none
diff --git a/deployment-apps/Splunk_TA_nix/splunkbase.manifest b/deployment-apps/Splunk_TA_nix/splunkbase.manifest
new file mode 100644
index 0000000..9b2dff6
--- /dev/null
+++ b/deployment-apps/Splunk_TA_nix/splunkbase.manifest
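Review bot: Every `vendor_action` key in this lookup is lowercase, but the transforms.conf stanzas in this commit emit the captured text verbatim, e.g. `Authorized to`, `Authentication refused`, `HANDLING TELNET CALL` and `FTP LOGIN`. Unless the lookup definition that references this file (not in this diff) sets `case_sensitive_match = false`, those rows never match and `action` stays unset for precisely the authentication events a detection would key on. Please confirm that setting exists, and since CSV has no comment syntax, record the requirement on the lookup stanza itself, e.g. `# keys are lowercase; lookup must be declared with case_sensitive_match = false`.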
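Review bot: The comment `## Exclude export of custom alert actions` does not describe the stanza beneath it: `[alert_actions/email]` is the built-in email action, not a custom one, so a maintainer will go looking for a custom action that does not exist in this app. Suggest `## Keep this app's email alert-action settings local; do not export them system-wide`. The app-level `write : [ admin , sc_admin ]` is appropriately narrow, but `sc_admin` only exists on Splunk Cloud, so a short comment such as `# sc_admin is the Splunk Cloud admin role; ignored on-prem` would help readers of the on-prem deployment.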
@@ -0,0 +1,353 @@ +{ + "version": "1.0", + "date": "2023-06-16T18:27:09.187109199Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 833, + "version": "8.10.0", + "files": [ + { + "path": "LICENSES/Apache-2.0.txt", + "hash": "d3910dee6fe9fe134856d76268fe82adb1ade1ecf51b3568b7da6b94894b88f3" + }, + { + "path": "LICENSES/LicenseRef-Splunk-8-2021.txt", + "hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47" + }, + { + "path": "README/restmap.conf.spec", + "hash": "db1641a66cc6703fb2aa4f8d26f4041091e7685843befee21ae01cc9735b75c3" + }, + { + "path": "README.txt", + "hash": "229729a9533d76ddf7352d064d780cf7242104ad50785939dd42cdb53c979e3f" + }, + { + "path": "THIRDPARTY", + "hash": "73e046ee6823db5317f756098d1b9376701cde8b55d90fe3edeed366c5cc9e7c" + }, + { + "path": "VERSION", + "hash": "a8e8864e5c57f868056321c8f6d21e8e23ea1754db0d538b653851355737a105" + }, + { + "path": "app.manifest", + "hash": "2d823a0227d741f9353770fbf7307e0b2053c6104a58c685c05abe9b74e67b6c" + }, + { + "path": "appserver/static/appIcon.png", + "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" + }, + { + "path": "appserver/static/components/js_sdk_extensions/common.js", + "hash": "295fe307ec286b9b4eb89c4b59dbd6204376e63b7346c26fd1b087446db372c2" + }, + { + "path": "appserver/static/components/js_sdk_extensions/monitor_inputs.js", + "hash": "27af704acaeb3b98c78ad5322a6171e1b748b5650be809f5d92a4e5618529123" + }, + { + "path": "appserver/static/components/js_sdk_extensions/scripted_inputs.js", + "hash": "6fe5d6f31a60a86d9988170e1641f13eb315351f890c2247c6de83b3aa372e26" + }, + { + "path": "appserver/static/setup.css", + "hash": "f27882e6a07bbd87f99f95d77211439e71959efae6d52ce4771ce26d06e0bcc9" + }, + { + "path": "appserver/static/setup.js", + "hash": "a3d4e2567779b605a97daa3ced2fc49a8e487a5ec4ee95080392824eb74e7e11" + }, + { + "path": "bin/bandwidth.sh", + "hash": "4da182e234d9f1ac7375f1f73dc381a175de6f6727442760a7a94c202a0d27ee" + }, + { + "path": 
"bin/common.sh", + "hash": "8e62abdfdcc59dd1da11c343fc27d82245c5f656b7a83697d1f59b5c0f1cc847" + }, + { + "path": "bin/cpu.sh", + "hash": "5a08b99fc719ddb2a52c0e14851c41a3ec00fcab1d22266776a9663bd0ad513a" + }, + { + "path": "bin/cpu_metric.sh", + "hash": "d586ebd5828bb859784bbd38508615dece134c309c4d4648743de8de2e23145b" + }, + { + "path": "bin/df.sh", + "hash": "cf44d7fc37f3e8bd0ad45ad52c6ead1e4eba0c24b7df6591ea81ed9ccefd86a5" + }, + { + "path": "bin/df_metric.sh", + "hash": "fd80b682cc891492b2ac0814ee100ac602a44784d26090e68c3bf43a65033d2d" + }, + { + "path": "bin/hardware.sh", + "hash": "91a7b459aa0902c0279301d1fcb48045a765e949f313f01b537115100849c438" + }, + { + "path": "bin/interfaces.sh", + "hash": "1201660100788ee93cf04fd204e9cac5fbef57a2e8bfbfe73cf2d8d23e186f15" + }, + { + "path": "bin/interfaces_metric.sh", + "hash": "2a9d04640b257a3db77d8c156390bf28b6899d43b223c06160a1bd6005a52354" + }, + { + "path": "bin/iostat.sh", + "hash": "e061b38ecc91dac97e3866303ec9cebdd66bda4c8840f9892ac3a11d6e1119e9" + }, + { + "path": "bin/iostat_metric.sh", + "hash": "00cd13732819423428e4e0e3e7755ab6166d497eef1532c00a21d4247467a2d3" + }, + { + "path": "bin/lastlog.sh", + "hash": "49780f6191857ff198d686a5816df33e647953f6b4e2c0b8b74da7544f81d1a1" + }, + { + "path": "bin/lsof.sh", + "hash": "16271b65b56ed86bd12e4c1f4ab6764ae3a6569303172f816839828cabc7d378" + }, + { + "path": "bin/netstat.sh", + "hash": "cf59f2d06335063e39c34fc7f943b5036ab950a56e7c854a58c23961f85728cf" + }, + { + "path": "bin/nfsiostat.sh", + "hash": "b59c6a5209c3d8713fc13b9c6ba5d208c7e5926c7276067bf8059c4ff0515755" + }, + { + "path": "bin/openPorts.sh", + "hash": "78c65c42a30407cf83e6e5cc02f38a1582892a8b174f2908c9ff6c5008a5185f" + }, + { + "path": "bin/openPortsEnhanced.sh", + "hash": "84bbce81c94dcad1b4d355c5376e2fce87254345e3ab4691b1ca6f594c78729a" + }, + { + "path": "bin/package.sh", + "hash": "969e87b45c30d33f97d71f6dee5207ab316fc002974dcc7173fe4282cac49deb" + }, + { + "path": "bin/passwd.sh", + "hash": 
"43bbaf6f474b19eaa33bbd3a211c5f05baaca1c8054bb27111300066e8a2a4bc" + }, + { + "path": "bin/protocol.sh", + "hash": "aa6b5ee56486ff766d7d7fe392a9c19be778dee6f3e4d0c98d10973d150d15ba" + }, + { + "path": "bin/ps.sh", + "hash": "a6410a2fd13baf04293dabc1bdf87dfb27f9053093c314e7247ef7d7949134fa" + }, + { + "path": "bin/ps_metric.sh", + "hash": "f64f1823d7d5e5666bb6e9762411695de17721e61bb8cd133c0feeba2d00452a" + }, + { + "path": "bin/rlog.sh", + "hash": "003f20fcbbc9025938346224a7d8e4482451a70ae4b58d6331519e55d5711c4c" + }, + { + "path": "bin/selinuxChecker.sh", + "hash": "d53a56969fd63fb03b83dfa4f15b176340616c2d90e7786e9c2915de10007c0f" + }, + { + "path": "bin/service.sh", + "hash": "0fb7c94bb476c4509cf0694ea365efbe2b820b547068d310cff11b35a201d252" + }, + { + "path": "bin/setup.sh", + "hash": "102460dd7db695c753a2710cb7b8202e9a1543eb670d48384eb2b5c014231f8f" + }, + { + "path": "bin/setupservice.py", + "hash": "67c36b304a1693772b6efea6e06ea23657461d394062e2520f62672ec3fc6766" + }, + { + "path": "bin/sshdChecker.sh", + "hash": "d01610d6ce7204e7de063bc72b7452c7839de390a764a4bb596f8334b05b6ca5" + }, + { + "path": "bin/time.sh", + "hash": "86e46cbd14715419905341ebf6894f6df67c38200277b8230c1607ddae70f574" + }, + { + "path": "bin/top.sh", + "hash": "78281eb09ba3aee954f4fe1e23f03c3f0626cd6d4e7a0b8897a872a88de3caa5" + }, + { + "path": "bin/update.sh", + "hash": "949192d59612d2703cb09df17f653211c1a8e17094c9bc593d387fe07d5f2b1a" + }, + { + "path": "bin/uptime.sh", + "hash": "9d47de23f02e8df2d115916aa2d39c670d3906ef535e2ce5d61a9b6040dd2941" + }, + { + "path": "bin/usersWithLoginPrivs.sh", + "hash": "c9d69fcf12821ba5fdf113d488761811f3e10070587f25ab40a260285678bb4c" + }, + { + "path": "bin/version.sh", + "hash": "93df3b8c69c7764966d9e86c40ebe0fe68adfa1e41b1ebcb43a2988c1bed15d2" + }, + { + "path": "bin/vmstat.sh", + "hash": "8d6c38f4ecca1129656aa922d7f3c571b1732c0d097163df62915e1abc27f6ba" + }, + { + "path": "bin/vmstat_metric.sh", + "hash": 
"a1329bdb5c7e1768b9cc3b7e2dda9f786b5577635fafe61c6814d3954702bfc9" + }, + { + "path": "bin/vsftpdChecker.sh", + "hash": "53723f1c6b60bf066aee58d1c9e326ccf393b379d82ff4e01f44a461530c42ed" + }, + { + "path": "bin/who.sh", + "hash": "ba5c25645e57938297bf85f5869924b9a006f27511b4e7f067e196a9049898cf" + }, + { + "path": "default/app.conf", + "hash": "fe7aa54896c9407bd862171e53d2d7dd56e710cc9e74ff5ef14e446fb791dab2" + }, + { + "path": "default/data/ui/nav/default.xml", + "hash": "36078398f91fa377c21f2369271797cc0016b8ba1a6f271e327cce2809f2711d" + }, + { + "path": "default/data/ui/views/ta_nix_configuration.env_cloud.xml", + "hash": "d353c157375a04dc5f1dabc3229ef927a2277d6b42d3974b862df50c40b830ae" + }, + { + "path": "default/data/ui/views/ta_nix_configuration.xml", + "hash": "2d30308510e08aea0a190984fda45b708ab373768796494202a4813c37ef74d2" + }, + { + "path": "default/eventtypes.conf", + "hash": "5b517737ba9e2543fc3e46d2fc7619451f97c89623225687fb1fbbbafb740ec0" + }, + { + "path": "default/inputs.conf", + "hash": "2fd8e1d795313cffad4a000d4df4c21813fb73df59d081e7655c956524c2d14a" + }, + { + "path": "default/macros.conf", + "hash": "1654b2a87cb8c728837d048ecf1f2e9edec701618eae8a9d1d8c3f85958518ae" + }, + { + "path": "default/props.conf", + "hash": "f9b55acbbeacf6613c84b21431b60fedd1c204fdcdb1e7bb0038ba1350770fc7" + }, + { + "path": "default/restmap.conf", + "hash": "0c8a09ad79c266a28d987730706ecd7cd06802aecd1dbf4a3b01fe689fd0d0e7" + }, + { + "path": "default/tags.conf", + "hash": "c3e8aa2f96f145fb51a5ed3e24f21d1e6c5f4832c888c2581b3f96347c0df192" + }, + { + "path": "default/transforms.conf", + "hash": "2ce1dc83c2ea48959707fe64443eed6612209a505a4d8701086cba1f0a524d8b" + }, + { + "path": "default/web.conf", + "hash": "e469e328c8e94caae6059bb3675ac1578a5d7c14a7757b784c1cb988adca9572" + }, + { + "path": "lookups/nix_da_update_status.csv", + "hash": "a9a794b39377946e0dcb5f70c9c8ba6114fec1728512c9f39cfb0f3eca46159c" + }, + { + "path": "lookups/nix_da_version_ranges.csv", + "hash": 
"992529c548d8273e073a988d089fbd5c7fa5c1ef47d51243e9da9dfb77eba6d2" + }, + { + "path": "lookups/nix_linux_audit_action_object_category.csv", + "hash": "5838950fd3cade537dea91d1dcdcbd10532457fa7de07d397bfc699e56a19867" + }, + { + "path": "lookups/nix_linux_service_startmodes.csv", + "hash": "dd669b358909f4d9be9d0aef9f4720e78a290e422a90ec3e3cdabe39ed9b8be2" + }, + { + "path": "lookups/nix_vendor_actions.csv", + "hash": "f287b03905a705fed92dd4a1d1cf060c16b9521aba80b06494af8d5e8530fa97" + }, + { + "path": "metadata/default.meta", + "hash": "6fa3057938996152cdfeddb46b20a1c079966ba87a56cf7c13c9d35f3caaf2e7" + }, + { + "path": "static/appIcon.png", + "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" + }, + { + "path": "static/appIconAlt.png", + "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a" + }, + { + "path": "static/appIconAlt_2x.png", + "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" + }, + { + "path": "static/appIconLg.png", + "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" + }, + { + "path": "static/appIconLg_2x.png", + "hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34" + }, + { + "path": "static/appIcon_2x.png", + "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [ + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + }, + { + "platform": "splunk", + "product": "cloud", + "versions": [ + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file 
diff --git a/deployment-apps/Splunk_TA_nix/static/appIcon.png b/deployment-apps/Splunk_TA_nix/static/appIcon.png
new file mode 100644
index 0000000..88f67e7
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIcon.png differ
diff --git a/deployment-apps/Splunk_TA_nix/static/appIconAlt.png b/deployment-apps/Splunk_TA_nix/static/appIconAlt.png
new file mode 100644
index 0000000..88f67e7
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIconAlt.png differ
diff --git a/deployment-apps/Splunk_TA_nix/static/appIconAlt_2x.png b/deployment-apps/Splunk_TA_nix/static/appIconAlt_2x.png
new file mode 100644
index 0000000..c638b3f
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIconAlt_2x.png differ
diff --git a/deployment-apps/Splunk_TA_nix/static/appIconLg.png b/deployment-apps/Splunk_TA_nix/static/appIconLg.png
new file mode 100644
index 0000000..c638b3f
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIconLg.png differ
diff --git a/deployment-apps/Splunk_TA_nix/static/appIconLg_2x.png b/deployment-apps/Splunk_TA_nix/static/appIconLg_2x.png
new file mode 100644
index 0000000..b67ed66
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIconLg_2x.png differ
diff --git a/deployment-apps/Splunk_TA_nix/static/appIcon_2x.png b/deployment-apps/Splunk_TA_nix/static/appIcon_2x.png
new file mode 100644
index 0000000..c638b3f
Binary files /dev/null and b/deployment-apps/Splunk_TA_nix/static/appIcon_2x.png differ
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/.DS_Store b/deployment-apps/Splunk_TA_sysmon-for-linux/.DS_Store
new file mode 100644
index 0000000..0f32880
Binary files /dev/null and b/deployment-apps/Splunk_TA_sysmon-for-linux/.DS_Store differ
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/THIRDPARTY b/deployment-apps/Splunk_TA_sysmon-for-linux/THIRDPARTY
new file mode 100644
index 0000000..a0ba3ff
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/THIRDPARTY @@ -0,0 +1,61 @@ +================================================================================ +================================================================================ + + Third-Party Software for splunk-add-on-for-sysmon-for-linux + +-------------------------------------------------------------------------------- + +The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-sysmon-for-linux. Any information relevant to third-party vendors listed below are collected using common, reasonable means. + +Date generated: 2022-10-24 + +Revision ID: 532ef5d523c4c212a653d2169fba73ebade75ff5 + +================================================================================ +================================================================================ + + + + +================================================================================ + + Declared License + +================================================================================ + +No declared license found for splunk-add-on-for-sysmon-for-linux + + + + +================================================================================ + + First Party Licenses + +================================================================================ + +No licenses found + + + + + +================================================================================ + + Dependencies + +================================================================================ + + + + +================================================================================ + License + +================================================================================ + + +-------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- + +Report Generated by FOSSA on 2022-10-24 
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/VERSION b/deployment-apps/Splunk_TA_sysmon-for-linux/VERSION
new file mode 100644
index 0000000..08a4a7a
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/VERSION
@@ -0,0 +1,2 @@
+1.0.0
+1.0.0
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/app.manifest b/deployment-apps/Splunk_TA_sysmon-for-linux/app.manifest
new file mode 100644
index 0000000..199d872
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/app.manifest
@@ -0,0 +1,58 @@
+{
+ "dependencies": null,
+ "incompatibleApps": null,
+ "info": {
+ "author": [
+ {
+ "name": "Splunk, Inc.",
+ "email": null,
+ "company": null
+ }
+ ],
+ "classification": {
+ "categories": [
+ "Security, Fraud & Compliance"
+ ],
+ "developmentStatus": "Production/Stable",
+ "intendedAudience": "IT Professionals"
+ },
+ "commonInformationModels": null,
+ "description": "Splunk Add-on for Sysmon For Linux",
+ "id": {
+ "group": null,
+ "name": "Splunk_TA_sysmon-for-linux",
+ "version": "1.0.0"
+ },
+ "license": {
+ "name": null,
+ "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "uri": null
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseDate": null,
+ "releaseNotes": {
+ "name": "README",
+ "text": "README.txt",
+ "uri": "https://docs.splunk.com/Documentation/AddOns/McAfeeEPOSyslog/About"
+ },
+ "title": "Splunk Add-on for Sysmon For Linux"
+ },
+ "inputGroups": null,
+ "platformRequirements": null,
+ "schemaVersion": "2.0.0",
+ "supportedDeployments": [
+ "_standalone",
+ "_distributed",
+ "_search_head_clustering"
+ ],
+ "targetWorkloads": [
+ "_search_heads",
+ "_forwarders",
+ "_indexers"
+ ],
+ "tasks": null
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/app.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/app.conf
new file mode 100644
index 0000000..274aac5
--- /dev/null
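Review bot: `releaseNotes.uri` points at `https://docs.splunk.com/Documentation/AddOns/McAfeeEPOSyslog/About`, the documentation of a different add-on (McAfee ePO syslog), which looks like a copy-paste leftover in a manifest whose `id.name` is `Splunk_TA_sysmon-for-linux`; anyone following the link from the app listing lands on unrelated release notes. Replace it with the Sysmon for Linux add-on documentation URL, or set it to `null` as the other unknown fields in this manifest are. The `license` object likewise references `LICENSES/LicenseRef-Splunk-8-2021.txt` but leaves `"name": null` and `"uri": null`, so the listing shows an unnamed license next to a license file; filling in `name` would make it consistent with the file it points to.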
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/app.conf
@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1666608684
+
+[launcher]
+author = Splunk, Inc.
+description = Splunk Add-on for Sysmon For Linux
+version = 1.0.0
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Sysmon For Linux
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_sysmon-for-linux
+
+[id]
+name = Splunk_TA_sysmon-for-linux
+version = 1.0.0
+
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/eventtypes.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/eventtypes.conf
new file mode 100644
index 0000000..46765b4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/eventtypes.conf
@@ -0,0 +1,17 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[sysmon-linux-network]
+search = sourcetype="sysmon:linux" EventID="3"
+
+[sysmon-linux-process]
+search = sourcetype="sysmon:linux" (EventID IN ("1","5","9") )
+
+[sysmon-linux-filemod]
+search = sourcetype="sysmon:linux" (EventID IN ("11","23") )
+
+[sysmon-linux-service]
+search = sourcetype="sysmon:linux" (EventID IN ("4","16") )
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/inputs.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/inputs.conf
new file mode 100644
index 0000000..cfc3a04
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/inputs.conf
@@ -0,0 +1,13 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[journald://sysmon]
+interval = 30
+journalctl-quiet = true
+journalctl-include-fields = PRIORITY,_SYSTEMD_UNIT,_SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
+journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
+journalctl-filter = _SYSTEMD_UNIT=sysmon.service
+sourcetype = sysmon:linux
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/props.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/props.conf
new file mode 100644
index 0000000..fe05125
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/props.conf
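Review bot: The `[journald://sysmon]` stanza carries no `index` and no `disabled` key, so every forwarder that receives this deployment app starts shipping `sysmon.service` journal entries into the default index as soon as it checks in. For a deployment-apps checkout that is rarely the intended landing index, and retention and access controls on the default index are usually not what you want for endpoint telemetry. Rather than editing `default/inputs.conf` (whose SHA-256 is pinned in splunkbase.manifest), add a `local/inputs.conf` in this app with `[journald://sysmon]` and `index = <endpoint-index-placeholder>`, and set `disabled = 1` there for server classes that should not collect.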
@@ -0,0 +1,95 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[sysmon:linux]
+TIME_PREFIX = 
+TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%
+TZ = UTC
+
+REPORT-sysmon = sysmon-eventid,sysmon-keywords,sysmon-computer,sysmon-data,sysmon-filename
+
+FIELDALIAS-dvc = Computer AS dvc
+
+EVAL-file_hash = case( EventID IN ("23") AND NOT Hashes IN ("-"), Hashes )
+EVAL-process_hash = case( EventID IN ("1") AND NOT Hashes IN ("-"), Hashes )
+EVAL-action = case( EventID IN ("1", "3", "9"), "allowed", \
+EventID="5", "blocked", \
+(EventID = "11" AND UtcTime==CreationUtcTime), "created", \
+EventID IN ("23"), "deleted", \
+(EventID = "11" AND UtcTime!=CreationUtcTime), "modified" )
+EVAL-dest = case( EventID IN ("1","4","5","9","11","16","23"), Computer, \
+EventID="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
+EventID="3", DestinationIp )
+
+# ID 1 only
+EVAL-parent_process = case( EventID="1", ParentCommandLine)
+FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
+EVAL-original_file_name = case( EventID="1", replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
+
+# ID 3 only (DNS query)
+FIELDALIAS-dest_port = DestinationPort AS dest_port
+FIELDALIAS-SourcePort = SourcePort AS src_port
+FIELDALIAS-Protocol = Protocol AS transport
+EVAL-dest_host = case( EventID="3" AND DestinationHostname != '-', DestinationHostname)
+FIELDALIAS-dest_ip = DestinationIp AS dest_ip
+FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
+FIELDALIAS-src_ip = SourceIp AS src_ip
+EVAL-src_host = case( EventID="3" AND NOT SourceHostname IN ("-"), SourceHostname )
+EVAL-app = case( EventID="3", Image )
+EVAL-creation_time = case( EventID=="3",UtcTime )
+EVAL-direction = case( EventID="3" AND Initiated=="true","outbound", EventID="3", "inbound" )
+EVAL-protocol = case( EventID="3", "IP" )
+EVAL-protocol_version = case( EventID="3" AND DestinationIsIpv6="true", "ipv6", 
EventID="3", "ipv4" )
+EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != '-', RuleName)
+EVAL-state = case(EventID=="3", "established")
+EVAL-transport_dest_port = mvzip(transport,dest_port,"/")
+
+
+EVAL-vendor_product = "Sysmon For Linux"
+
+EVAL-src = case( EventID IN ("3"), SourceIp, \
+isnotnull(SourceHostname), SourceHostname, \
+isnotnull(SourceIp), SourceIp )
+
+# ID 4, 16 only
+# Endpoint:Services
+EVAL-description = case( EventID="4", "Sysmon state changed", \
+EventID="16", "Sysmon configuration changed")
+EVAL-service = case( EventID IN ("4","16"), "Linux-Sysmon" )
+EVAL-service_name = case( EventID IN ("4","16"), "Linux-Sysmon" )
+
+
+EVAL-user = case( EventID IN ("3"), User, UserId="0","root")
+FIELDALIAS-UserId = UserId AS user_id
+EVAL-os = case( EventID IN ("1","5","9"),"Linux" )
+EVAL-parent_process_path = case( EventID="1", ParentImage )
+EVAL-parent_process_exec = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
+EVAL-parent_process_name = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
+EVAL-parent_process_id = case( EventID="1", ParentProcessId )
+EVAL-parent_process_guid = case( EventID="1", ParentProcessGuid )
+EVAL-process = case( EventID IN ("1"), CommandLine, EventID IN ("5"), Image )
+EVAL-process_path = case( EventID IN ("1","5","9","11","23"), Image )
+EVAL-process_exec = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
+EVAL-process_name = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
+EVAL-process_guid = case( EventID IN ("1","3","5","9","11","23"), ProcessGuid )
+EVAL-process_id = case( EventID IN ("4","16"), ProcessID, \
+EventID IN ("1","3","5","9","11","23"), ProcessId )
+FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
+
+EVAL-status = case( (EventID=14 AND Keywords="0x8000000000000000"),"success", \
+EventID="16","started", \
+EventID="4",lower(State) )
+
+FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
+EVAL-file_modify_time = case( EventID IN ("23"),UtcTime )
+EVAL-file_path = case ( EventID IN ("11", "23"), replace(TargetFilename,"(:[\w\. ]+)",""), EventID IN ("16"), Configuration )
+EVAL-file_name = case ( EventID IN ("11","23"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
+
+EVAL-object_category = case( EventID IN ("11","23"), "file" )
+
+#Fields for ChangeAnalysis DM
+LOOKUP-sysmon-eventid-lookup = sysmon-eventid-lookup EventID OUTPUTNEW EventDescription EventDescription AS signature
+FIELDALIAS-signature_id = EventID AS signature_id
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/tags.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/tags.conf
new file mode 100644
index 0000000..ff27bd4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/tags.conf
@@ -0,0 +1,21 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[eventtype=sysmon-linux-network]
+network = enabled
+communicate = enabled
+
+[eventtype=sysmon-linux-process]
+process = enabled
+report = enabled
+
+[eventtype=sysmon-linux-filemod]
+endpoint = enabled
+filesystem = enabled
+
+[eventtype=sysmon-linux-service]
+service = enabled
+report = enabled
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/default/transforms.conf b/deployment-apps/Splunk_TA_sysmon-for-linux/default/transforms.conf
new file mode 100644
index 0000000..0bf3b03
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/default/transforms.conf
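Review bot: `EVAL-user = case( EventID IN ("3"), User, UserId="0","root")` in the props.conf hunk resolves `user` only for network events and for uid 0, so process, file and service events from any non-root account carry no `user` field at all and drop out of CIM searches or correlation rules keyed on it; a last-resort branch such as `isnotnull(UserId), UserId` would at least keep the numeric id searchable, though it should be confirmed against the Splunkbase package since this file's hash is pinned in splunkbase.manifest. Separately, `EVAL-status` tests `EventID=14` unquoted while every other branch quotes the id, and event 14 is not referenced by any eventtype in this add-on, so the `"success"` branch looks like a leftover from a Windows mapping. The trailing `%` in `TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%` also looks like a typo; presumably timestamps still parse, but that is worth checking with a sample event.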
@@ -0,0 +1,30 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[sysmon-eventid]
+REGEX = (\d+)
+FORMAT = EventID::$1
+
+[sysmon-keywords]
+REGEX = (0x[0-9a-fA-F]+)
+FORMAT = Keywords::$1
+
+[sysmon-computer]
+REGEX = (.*?)
+FORMAT = Computer::$1
+
+[sysmon-data]
+REGEX = (.*?)
+FORMAT = $1::$2
+
+[sysmon-filename]
+SOURCE_KEY = TargetFilename
+REGEX = (?[^\\\\]+$)
+
+[sysmon-eventid-lookup]
+default_match = Unknown
+filename = sysmon_for_linux_eventid.csv
+min_matches = 1
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/lookups/sysmon_for_linux_eventid.csv b/deployment-apps/Splunk_TA_sysmon-for-linux/lookups/sysmon_for_linux_eventid.csv
new file mode 100644
index 0000000..13dcbf8
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/lookups/sysmon_for_linux_eventid.csv
@@ -0,0 +1,28 @@
+EventID,EventDescription
+1,"Process creation"
+2,"A process changed a file creation time"
+3,"Network connection"
+4,"Sysmon service state changed"
+5,"Process terminated"
+6,"Driver loaded"
+7,"Image loaded"
+8,"CreateRemoteThread"
+9,"RawAccessRead"
+10,"ProcessAccess"
+11,"FileCreate"
+12,"RegistryEvent (Object create and delete)"
+13,"RegistryEvent (Value Set)"
+14,"RegistryEvent (Key and Value Rename)"
+15,"FileCreateStreamHash"
+16,"ServiceConfigurationChange"
+17,"PipeEvent (Pipe Created)"
+18,"PipeEvent (Pipe Connected)"
+19,"WmiEvent (WmiEventFilter activity detected)"
+20,"WmiEvent (WmiEventConsumer activity detected)"
+21,"WmiEvent (WmiEventConsumerToFilter activity detected)"
+22,"DNSEvent (DNS query)"
+23,"FileDelete (File Delete archived)"
+24,"ClipboardChange (New content in the clipboard)"
+25,"ProcessTampering (Process image change)"
+26,"FileDeleteDetected (File Delete logged)"
+255,"Error"
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/metadata/default.meta b/deployment-apps/Splunk_TA_sysmon-for-linux/metadata/default.meta
new file mode 100644
index 0000000..4ca100a
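Review bot: As shown in this transforms.conf hunk, `[sysmon-data]` has a single capture group `REGEX = (.*?)` but `FORMAT = $1::$2`, `[sysmon-eventid]` and `[sysmon-computer]` have nothing anchoring their groups, and `[sysmon-filename]` has `REGEX = (?[^\\\\]+$)`, which is not valid group syntax. That pattern strongly suggests the XML element text and a `(?<name>…)` group name were dropped by the page rendering rather than missing from the file, so verify the committed bytes against the `default/transforms.conf` SHA-256 in splunkbase.manifest before treating this as a defect. Independent of rendering, `[sysmon-filename]` splits on backslashes, which do not occur in Linux paths, so its capture will be the whole `TargetFilename`; `EVAL-file_name` in props.conf, which strips on `/`, is the extraction to rely on for CIM `file_name`.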
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/metadata/default.meta
@@ -0,0 +1,9 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[]
+access = read : [ * ], write : [ admin ]
+export = system
diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/splunkbase.manifest b/deployment-apps/Splunk_TA_sysmon-for-linux/splunkbase.manifest
new file mode 100644
index 0000000..6c2e7a7
--- /dev/null
+++ b/deployment-apps/Splunk_TA_sysmon-for-linux/splunkbase.manifest
@@ -0,0 +1,80 @@
+{
+ "version": "1.0",
+ "date": "2022-11-16T12:02:02.501806783Z",
+ "hashAlgorithm": "SHA-256",
+ "app": {
+ "id": 6652,
+ "version": "1.0.0",
+ "files": [
+ {
+ "path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
+ },
+ {
+ "path": "README.txt",
+ "hash": "1817cfdf33f7ae5f748991eaeb79df6d93a28af602a6653db5d5de76ed3b6bb9"
+ },
+ {
+ "path": "THIRDPARTY",
+ "hash": "25a1509f53be75657d938fc6631fffe87bff760c6ed9893ae6088c4dff168574"
+ },
+ {
+ "path": "VERSION",
+ "hash": "38024632b0080371099bd731d332249560cbb11c67912f033f2e3f263df78135"
+ },
+ {
+ "path": "app.manifest",
+ "hash": "286bc29e1f9ef4a37f548dfa27ee8be982d9582f36f8b578957349ccd3bcfda1"
+ },
+ {
+ "path": "default/app.conf",
+ "hash": "851649f26105146c7bb7a4c468f528ae38dcb8c9d2762d4a1091837865dac618"
+ },
+ {
+ "path": "default/eventtypes.conf",
+ "hash": "2c6c0a711c5611e95b81fee30f5e832d7e32e63e92e4c6ef6c5b918a8cfba4c2"
+ },
+ {
+ "path": "default/inputs.conf",
+ "hash": "7dae697d7a665d0d8c843a19014818b56f7d00fb4d18c1845d99b4083f07e761"
+ },
+ {
+ "path": "default/props.conf",
+ "hash": "83e42ed7ecd5e3f0ade383cbef013fd372be91197a796471d74615787f8be26f"
+ },
+ {
+ "path": "default/tags.conf",
+ "hash": "f6b20fbf2c48c53a2623d0d086720be06abe2f5529808f2a84c50806e4f40dbd"
+ },
+ {
+ "path": "default/transforms.conf",
+ "hash": "cf112c952c441e3050edc0b26d98fa0f4529650965fca740705c542bf20b9f1e"
+ },
+ {
+ "path": "lookups/sysmon_for_linux_eventid.csv",
+ "hash": "3360acec00f01368acc2317b40a1e8eeacc1f6ec5a13977308a50088c27d576e"
+ },
+ {
+ "path": "metadata/default.meta",
+ "hash": "60f7e16db18974bfad68f6ea039f15b5ec75658e729c8d9a2f6c27d731a2193b"
+ },
+ {
+ "path": "static/appIcon.png",
+ "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+ },
+ {
+ "path": "static/appIconAlt.png",
+ "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+ },
+ {
+ "path": 
"static/appIconAlt_2x.png", + "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" + }, + { + "path": "static/appIcon_2x.png", + "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c" + } + ] + }, + "products": null +} \ No newline at end of file diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon.png b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon.png new file mode 100644 index 0000000..88f67e7 Binary files /dev/null and b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon.png differ diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt.png b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt.png new file mode 100644 index 0000000..88f67e7 Binary files /dev/null and b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt.png differ diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt_2x.png b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt_2x.png new file mode 100644 index 0000000..c638b3f Binary files /dev/null and b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIconAlt_2x.png differ diff --git a/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon_2x.png b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon_2x.png new file mode 100644 index 0000000..c638b3f Binary files /dev/null and b/deployment-apps/Splunk_TA_sysmon-for-linux/static/appIcon_2x.png differ