tests

Pushed by: admin
License: 61BF9B31-726 (Enterprise)
Timestamp: 2026-02-12T22:19:24.545034

apps/Splunk_TA_linux/VERSION

@@ -0,0 +1,2 @@
+2.1.0
+2.1.0

apps/Splunk_TA_linux/app.manifest

@@ -0,0 +1,63 @@
+{
+  "dependencies": null,
+  "incompatibleApps": null,
+  "info": {
+    "author": [
+      {
+        "name": "Splunk",
+        "email": null,
+        "company": null
+      }
+    ],
+    "classification": {
+      "categories": [
+        "IT Operations"
+      ],
+      "developmentStatus": "Production/Stable",
+      "intendedAudience": "IT"
+    },
+    "commonInformationModels": {
+      "Alerts": "==5.0.1",
+      "Authentication": "==5.0.1",
+      "Change": "==5.0.1",
+      "Intrusion Detection": "==5.0.1"
+    },
+    "description": "Splunk Add-on for Linux",
+    "id": {
+      "group": null,
+      "name": "Splunk_TA_linux",
+      "version": "2.1.0"
+    },
+    "license": {
+      "name": "Splunk Software License Agreement",
+      "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+      "uri": "http://www.splunk.com/view/SP-CAAAAFA"
+    },
+    "privacyPolicy": {
+      "name": null,
+      "text": null,
+      "uri": null
+    },
+    "releaseDate": null,
+    "releaseNotes": {
+      "name": "README",
+      "text": "./README.txt",
+      "uri": "https://docs.splunk.com/Documentation/AddOns/released/Linux/Releasenotes"
+    },
+    "title": "Splunk Add-on for Linux"
+  },
+  "inputGroups": null,
+  "platformRequirements": null,
+  "schemaVersion": "2.0.0",
+  "supportedDeployments": [
+    "_standalone",
+    "_distributed",
+    "_search_head_clustering"
+  ],
+  "targetWorkloads": [
+    "_search_heads",
+    "_indexers",
+    "_forwarders"
+  ],
+  "tasks": null
+}

apps/Splunk_TA_linux/default/app.conf

@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1658326316
+
+[launcher]
+author = Splunk
+version = 2.1.0
+description = Splunk Add-on for Linux
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Linux
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_linux
+
+[id]
+name = Splunk_TA_linux
+version = 2.1.0
+

apps/Splunk_TA_linux/default/eventtypes.conf

@@ -0,0 +1,76 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[linux_collectd_cpu]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=cpu
+#tags = performance oshost cpu inventory
+
+[linux_collectd_memory]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=memory
+#tags = performance oshost memory inventory
+
+[linux_collectd_swap]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=swap
+#tags = performance oshost memory
+
+[linux_collectd_df]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=df
+#tags = performance oshost storage inventory
+
+[linux_collectd_interface]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=interface
+#tags = performance oshost network inventory
+
+[linux_collectd_disk]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=disk
+#tags = performance oshost storage
+
+[linux_collectd_load]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=load
+#tags = performance oshost
+
+[linux_collectd_processes]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=processes
+#tags = performance oshost process cpu
+
+[linux_collectd_protocols]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=protocols
+#tags = performance oshost
+
+[linux_collectd_irq]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=irq
+#tags = performance oshost
+
+[linux_collectd_tcpconns]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=tcpconns
+#tags = performance oshost network
+
+[linux_collectd_thermal]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=thermal
+#tags = performance oshost
+
+[linux_collectd_uptime]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=uptime
+#tags = performance oshost os
+
+[linux_audit_anomalies]
+search = sourcetype=linux:audit type=ANOM_*
+#tags = ids attack alert
+
+[linux_audit_account_change]
+search = sourcetype=linux:audit type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK")
+#tags = change account
+
+[linux_audit_authentication]
+search = sourcetype=linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ")
+#tags = authentication
+
+[linux_audit_endpoint]
+search = sourcetype=linux:audit (type=USER_CMD)
+#tags = process report
+
+[linux_audit_endpoint_services]
+search = sourcetype=linux:audit type IN ("SERVICE_START", "SERVICE_STOP")
+#tags = service report

apps/Splunk_TA_linux/default/props.conf

@@ -0,0 +1,284 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[linux:collectd:graphite]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_graphite plugin
+pulldown_type = true
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+KV_MODE = none
+TIME_PREFIX = \S+\s+\S+\s+
+TIME_FORMAT = %s.%3N
+MAX_TIMESTAMP_LOOKAHEAD = 12
+
+EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
+
+
+EXTRACT-collectd_data = ^(?<collectd_host>[^.\s]+)\.(?<object>[^.\s]+)\.(?P<metric>\S+)\s+(?P<value>\S+)\s+(?<timestamp>\S+)
+EXTRACT-plugin_info = (?<linux_collectd_plugin>[^\-]\w+)-*(?<plugin_instance>.*) in object
+EXTRACT-metric_type = (?<type>[^\-\.]\w+)-*(?<type_instance>[^\.]\w+)?\.* in metric
+
+FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin 
+EVAL-dsname = mvindex(split(metric, "."),1)
+FIELDALIAS-linux_host = collectd_host as host
+FIELDALIAS-linux_dest = collectd_host as dest
+
+## HOST_OS Model.Performance.Memory
+EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
+EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
+EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
+EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
+EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
+
+## HOST_OS Model.Performance.Storage
+EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
+EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
+
+## HOST_OS Model.Performance.Network
+EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
+EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
+EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
+
+## HOST_OS Model.Inventory.Machine Information
+
+## HOST_OS Model.Inventory.Storage Information
+EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
+
+## HOST_OS Model.Performance.CPU
+FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts
+FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent
+FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time
+FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent
+
+## HOST_OS Model.Performance.Memory
+FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent
+FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent
+
+## HOST_OS Model.Performance.Storage
+FIELDALIAS-read_ops = disk_ops_read AS read_ops
+FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent
+FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent
+FIELDALIAS-write_ops = disk_ops_write AS write_ops
+
+## HOST_OS Model.Performance.Network
+FIELDALIAS-packets_in = if_packets_rx AS packets_in
+FIELDALIAS-packets_out = if_packets_tx AS packets_out
+
+## HOST_OS Model.Performance.OS
+FIELDALIAS-uptime = uptime_value AS uptime
+
+## HOST_OS Model.Inventory.Storage Information
+
+## HOST_OS Model.Inventory.Network Information
+
+[linux:collectd:http:json]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_http plugin in json
+pulldown_type = true
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+EVENT_BREAKER = ([\[|\,]){\"values\":
+SHOULD_LINEMERGE = false
+LINE_BREAKER = ([\[|\,]){\"values\":
+SEDCMD-remove_tail = s/\}]$/}/
+KV_MODE = json
+TIME_PREFIX = "time":\s*
+TIME_FORMAT =  %s.%3N
+
+TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance
+TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance
+TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance
+
+EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?<collectd_host>[^"]*)(?:"|) 
+EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?<linux_collectd_plugin>[^"]+)(?:"|),\s*"plugin_instance":
+
+FIELDALIAS-dsnames = dsnames{} as dsname
+FIELDALIAS-linux_value = values{} as value
+FIELDALIAS-linux_host = collectd_host as host
+FIELDALIAS-linux_dest = collectd_host as dest
+
+## HOST_OS Model.Performance.CPU
+FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts 
+FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent
+FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time 
+FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent
+FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count
+
+## HOST_OS Model.Performance.Memory
+FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent 
+FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent 
+
+EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
+EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
+EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
+EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
+EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
+
+## HOST_OS Model.Performance.Storage
+FIELDALIAS-linux_read_ops = disk_ops_read as read_ops
+FIELDALIAS-linux_write_ops = disk_ops_write as write_ops
+EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
+
+EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
+EVAL-storage_free_percent = percent_bytes_free_value
+EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
+EVAL-storage_used_percent = percent_bytes_used_value
+EVAL-total_ops = disk_ops_read + disk_ops_write
+
+## HOST_OS Model.Performance.Network
+FIELDALIAS-linux_packets_in = if_packets_rx as packets_in
+FIELDALIAS-linux_packets_out = if_packets_tx as packets_out
+
+EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
+EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
+EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
+EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null())
+EVAL-packets = packets_in + packets_out
+
+## HOST_OS Model.Performance.OS
+FIELDALIAS-linux_uptime = uptime_value as uptime
+
+[linux:collectd:http:metrics]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_http plugin for metrics index
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+
+## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index
+#METRICS_PROTOCOL = COLLECTD_HTTP
+KV_MODE = json
+TIME_PREFIX = "time":\s*
+TIME_FORMAT =  %s.%3N
+
+# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
+#[syslog]
+#TRANSFORMS-linux_syslog = linux_syslog_audit
+
+[source::.../var/log/audit/audit.log(.\d+)?]
+sourcetype = linux:audit
+
+[linux:audit]
+category = Operating System
+description = Audit events from linux host using monitoring audit logs 
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+TIME_PREFIX = msg=audit\(
+TIME_FORMAT = %s.%3N
+MAX_TIMESTAMP_LOOKAHEAD = 12
+FIELDALIAS-subj = subj AS subject
+FIELDALIAS-obj = obj AS object
+REPORT-event_id = event_id
+REPORT-op = op
+REPORT-subject = subject
+REPORT-object = object
+REPORT-res = res
+
+EVAL-vendor_product = "Linux Audit"
+FIELDALIAS-host = host AS dest
+
+# DM Endpoint.Processes
+EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null())
+EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null())
+EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
+EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
+EVAL-process_name =  mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1)
+
+# DM Endpoint.Services
+EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
+EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
+
+
+# # DM Authentication:Authentication
+EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null())
+EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null())
+EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null())
+EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null())
+EVAL-app = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null())
+EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null())
+EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null())
+
+# DM Change:Account_Management
+EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null())
+EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null())
+EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null())
+EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null())
+EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null())
+EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(aiud), aiud, null()))
+EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\
+                    type IN ("ADD_GROUP") AND isnotnull(auid), auid,\
+                    type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\
+                    type IN ("DEL_GROUP") AND isnotnull(auid), auid,\
+                    type IN ("ADD_USER") AND isnotnull(acct), acct,\
+                    type IN ("DEL_USER") AND isnotnull(ID), ID,\
+                    type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\
+                    type IN ("GRP_MGMT") AND isnotnull(auid), auid,\
+                    type IN ("USER_ACCT") AND isnotnull(AUID), AUID,\
+                    type IN ("USER_ACCT") AND isnotnull(auid), auid,\
+                    ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
+                    ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
+                    ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\
+                    ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
+                    true(), null())
+EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\
+                ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\
+                ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\
+                type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\
+                true(), null())
+EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\
+                            type=="USER_ACCT" AND op=="PAM:accounting", "user",\
+                            type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\
+                            true(), null())
+EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null())
+
+# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management
+EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\
+                type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\
+                type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\
+                (type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \
+                ((type=="DEL_USER" AND op=="deleting user from group") OR \
+                (type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), "modified",\
+                type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\
+                type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\
+                true(), null())
+
+# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management
+EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\
+                    type IN ("USER_START") AND isnotnull(uid), uid,\
+                    type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\
+                    true(), null())
+EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\
+                type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\
+                type IN ("USER_START") AND isnotnull(acct), acct,\
+                type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\
+                type IN ("ADD_USER") AND isnotnull(acct), acct,\
+                type IN ("DEL_USER") AND isnotnull(ID), ID,\
+                ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \
+                (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
+                ((type=="USER_MGMT" AND op=="add-user-to-group") OR \
+                (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
+                ((type=="USER_MGMT" AND op=="changing-uid") OR \
+                (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\
+                ((type=="USER_MGMT" AND op=="changing-uid") OR \
+                (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
+                true(), null())
+
+# DM Endpoint.Services, DM Endpoint.Processes
+EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null())
+
+# DM Endpoint.Services, DM Change:Account_Management
+EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
+                isnotnull(res) AND (res=="success" OR res=="1"), "success",\
+                type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
+                isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\
+                type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\
+                type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\
+                true(), null())
+
+# DM Authentication:Authentication, DM Change:Account_Management
+EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null())

apps/Splunk_TA_linux/default/tags.conf

@@ -0,0 +1,90 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[eventtype=linux_collectd_cpu]
+performance = enabled
+oshost = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_memory]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_swap]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_df]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_interface]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_disk]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_load]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_processes]
+performance = enabled
+oshost = enabled
+process = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_protocols]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_irq]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_tcpconns]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_thermal]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_uptime]
+performance = enabled
+oshost = enabled
+os = enabled
+uptime = enabled
+
+# [eventtype=linux_audit_anomalies]
+# ids = enabled
+# attack = enabled
+# alert = enabled
+
+[eventtype=linux_audit_account_change]
+change = enabled
+account = enabled
+
+[eventtype=linux_audit_authentication]
+authentication = enabled
+
+[eventtype=linux_audit_endpoint]
+process = enabled
+report = enabled
+
+# [eventtype=linux_audit_privileged]
+# privileged = enabled
+
+[eventtype=linux_audit_endpoint_services]
+service = enabled
+report = enabled

apps/Splunk_TA_linux/default/transforms.conf

@@ -0,0 +1,70 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[http_one_item_field]
+# $1 = value[0], $2 = dsnames[0], $3 = type, $4 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $3_$4_$2::$1
+WRITE_META = true
+
+[http_one_item_field_no_type_instance]
+# $1 = value[0], $2 = dsnames[0], $3 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $3_$2::$1
+WRITE_META = true
+
+[http_two_item_fields]
+# $1 = value[0], $2 = value[1],  $3 = dsnames[0], $4 = dsnames[1],  $5 = type,
+# $6 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
+WRITE_META = true
+
+[http_two_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1],  $3 = dsnames[0], $4 = dsnames[1],  $5 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $5_$3::$1 $5_$4::$2
+WRITE_META = true
+
+[http_three_item_fields]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type, $8 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
+WRITE_META = true
+
+[http_three_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
+WRITE_META = true
+
+# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
+
+#[linux_syslog_audit]
+#DEST_KEY = MetaData:Sourcetype
+#REGEX = type=\S+\s+msg=audit
+#FORMAT = sourcetype::linux:audit
+
+[event_id]
+REGEX = msg=audit\(([^:]+):(.+)\):
+FORMAT = time_stamp::$1 event_id::$2
+
+[op]
+REGEX = op=([^=]+)\s+\S+=
+FORMAT = op::$1
+
+[subject]
+REGEX = subj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4
+
+[object]
+REGEX = obj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4
+
+[res]
+REGEX = res=(1|0|success|failed)
+FORMAT = res::$1

apps/Splunk_TA_linux/metadata/default.meta

@@ -0,0 +1,7 @@
+
+# Application-level permissions
+
+[]
+owner = admin
+access = read : [ * ], write : [ admin, sc_admin ]
+export = system