diff --git a/apps/alert_webhook/README/alert_actions.conf.spec b/apps/alert_webhook/README/alert_actions.conf.spec
new file mode 100755
index 00000000..db935a4b
--- /dev/null
+++ b/apps/alert_webhook/README/alert_actions.conf.spec
@@ -0,0 +1,47 @@
+[webhook]
+
+param.user_agent = 
+* The value of the User-Agent HTTP header that the Splunk platform sends
+ to the webhook receiver.
+* No default.
+
+enable_allowlist = 
+* Whether or not the Splunk platform alert webhook uses the webhook allowlist
+ when it performs a webhook query.
+* The webhook allowlist defines the URLs for which webhook
+ alert actions can send HTTP POST requests.
+* A value of "true" means that the webhook allowlist is turned on, and
+ that the Splunk platform lets the webhook action query against any endpoint.
+ See the CAUTION later in this description for details.
+* A value of "false" means that the webhook allowlist is turned off.
+* While this setting is valid within the alert-actions.conf file
+ within the alert_webhook app, it is also available in the
+ alert-actions.conf file in Splunk Enterprise.
+* CAUTION: Be mindful when using this setting. If you give the setting
+ a value of "true", you must also configure the 'allowlist.' setting.
+ Failure to do so is a security risk, as the webhook alert action can then
+ query against any REST endpoint, including external endpoints that are not
+ in your control and could be malicious.
+* Default (for Splunk Cloud Platform): true
+* Default (for all other Splunk products including Splunk Enterprise): false
+
+allowlist. = 
+* A list of endpoints upon which the Splunk platform webhook action can query.
+* Each allowlist entry must begin with the string "allowlist." and must be
+ on its own line.
+* The component of an allowlist entry can be any string, but must be
+ unique for each entry.
+* Values are regular expression strings which must match URLs which you allow
+ the webhook action to access.
+* Following is an example allowlist:
+ * allowlist.endpoint1 = ^https:\/\/10\.201\..*\/
+ * This allowlist entry lets the webhook action access URLs of endpoints that
+ begin with the string "https://10.201" and end with a forward slash (/).
+ * allowlist.endpoint2 = ^https:\/\/(.*\.|)company.com\/?.*\/
+ * This allowlist entry lets the webhook action access URLs of endpoints that
+ begin with the string "https://", contain any machine within the domain
+ "company.com", and end with a forward slash (/).
+* CAUTION: If you don't specify an allowlist after configuring the 'enable_allowlist'
+ setting with a value of "true", the Splunk platform lets the webhook
+ action query against any endpoint, which is a security risk.
+* No default.
diff --git a/apps/alert_webhook/README/savedsearches.conf.spec b/apps/alert_webhook/README/savedsearches.conf.spec
new file mode 100755
index 00000000..a20b8e5a
--- /dev/null
+++ b/apps/alert_webhook/README/savedsearches.conf.spec
@@ -0,0 +1,7 @@
+# Webook alert action settings
+
+action.webhook = [0|1]
+* Enable webhook action
+
+action.webhook.param.url = 
+* URL to send the HTTP POST request to. Must be accessible from the Splunk server.
\ No newline at end of file
diff --git a/apps/alert_webhook/appserver/static/webhook.png b/apps/alert_webhook/appserver/static/webhook.png
new file mode 100755
index 00000000..6f2dba2c
Binary files /dev/null and b/apps/alert_webhook/appserver/static/webhook.png differ
diff --git a/apps/alert_webhook/bin/webhook.py b/apps/alert_webhook/bin/webhook.py
new file mode 100755
index 00000000..aaf5d820
--- /dev/null
+++ b/apps/alert_webhook/bin/webhook.py
@@ -0,0 +1,59 @@
+from __future__ import annotations
+import sys
+import json
+import csv
+import gzip
+from collections import OrderedDict
+from future.moves.urllib.request import urlopen, Request
+from future.moves.urllib.error import HTTPError, URLError
+
+def send_webhook_request(url, body, user_agent=None) -> bool:
+ if url is None:
+ sys.stderr.write("ERROR No URL provided\n")
+ return False
+ sys.stderr.write("INFO Sending POST request to url=%s with size=%d bytes payload\n" % (url, len(body)))
+ sys.stderr.write("DEBUG Body: %s\n" % body)
+ try:
+ if sys.version_info >= (3, 0) and type(body) == str:
+ body = body.encode()
+ settings = {"Content-Type": "application/json"}
+ if user_agent is not None:
+ settings['User-Agent'] = user_agent
+ req = Request(url, body, settings)
+ res = urlopen(req)
+ if 200 <= res.code < 300:
+ sys.stderr.write("INFO Webhook receiver responded with HTTP status=%d\n" % res.code)
+ return True
+ else:
+ sys.stderr.write("ERROR Webhook receiver responded with HTTP status=%d\n" % res.code)
+ return False
+ except HTTPError as e:
+ sys.stderr.write("ERROR Error sending webhook request: %s\n" % e)
+ except URLError as e:
+ sys.stderr.write("ERROR Error sending webhook request: %s\n" % e)
+ except ValueError as e:
+ sys.stderr.write("ERROR Invalid URL: %s\n" % e)
+ return False
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2 or sys.argv[1] != "--execute":
+ sys.stderr.write("FATAL Unsupported execution mode (expected --execute flag)\n")
+ sys.exit(1)
+ try:
+ settings = json.loads(sys.stdin.read())
+ url = settings['configuration'].get('url')
+ body = OrderedDict(
+ sid=settings.get('sid'),
+ search_name=settings.get('search_name'),
+ app=settings.get('app'),
+ owner=settings.get('owner'),
+ results_link=settings.get('results_link'),
+ result=settings.get('result')
+ )
+ user_agent = settings['configuration'].get('user_agent', 'Splunk')
+ if not send_webhook_request(url, json.dumps(body), user_agent=user_agent):
+ sys.exit(2)
+ except Exception as e:
+ sys.stderr.write("ERROR Unexpected error: %s\n" % e)
+ sys.exit(3)
diff --git a/apps/alert_webhook/default/alert_actions.conf b/apps/alert_webhook/default/alert_actions.conf
new file mode 100755
index 00000000..a0722bfc
--- /dev/null
+++ b/apps/alert_webhook/default/alert_actions.conf
@@ -0,0 +1,11 @@
+[webhook]
+python.version = latest
+is_custom = 1
+label = Webhook
+description = Generic HTTP POST to a specified URL
+icon_path = webhook.png
+payload_format = json
+
+param.user_agent = Splunk/$server.guid$
+
+enable_allowlist = false
diff --git a/apps/alert_webhook/default/app.conf b/apps/alert_webhook/default/app.conf
new file mode 100755
index 00000000..e1174fe5
--- /dev/null
+++ b/apps/alert_webhook/default/app.conf
@@ -0,0 +1,18 @@
+# Version 10.0.2
+#
+# Splunk app configuration file
+#
+
+[ui]
+is_visible = 0
+label = Webhook Alert Action
+
+[launcher]
+author = Splunk
+description = Webhook Alert Action
+version=10.0.2
+
+[install]
+state = enabled
+is_configured = 1
+allows_disable = false
diff --git a/apps/alert_webhook/default/data/ui/alerts/webhook.html b/apps/alert_webhook/default/data/ui/alerts/webhook.html
new file mode 100755
index 00000000..4d6ef3d2
--- /dev/null
+++ b/apps/alert_webhook/default/data/ui/alerts/webhook.html
@@ -0,0 +1,21 @@
+
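Review bot: `sys.stderr.write("DEBUG Body: %s\n" % body)` in send_webhook_request writes the complete JSON payload, including the alert's `result` row and `results_link`, on every run with no log-level gate, so event data is copied into the action's log file; drop the line or reduce it to `sys.stderr.write("DEBUG Body size=%d bytes\n" % len(body))`. The `res = urlopen(req)` call has no timeout, so a receiver that accepts the connection and never answers holds the alert action open indefinitely; `res = urlopen(req, timeout=30)` bounds it, and the resulting error is already covered by the `URLError` handler or the outer `except Exception` in `__main__`. Minor: `import csv` and `import gzip` are unused, and `type(body) == str` should be `isinstance(body, str)`.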
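Review bot: `enable_allowlist = false` in default/alert_actions.conf carries no comment on what is being switched off, while the spec file added in this same commit warns that with the allowlist off the action can POST to any endpoint reachable from the Splunk server, and alert_webhook/metadata/default.meta grants write to `power` as well as `admin`. A one-line comment above it would keep that trade-off visible to whoever copies the stanza into local/, e.g. `# false = no URL allowlist; set true and add allowlist.<name> = <regex> entries to restrict POST targets (see README/alert_actions.conf.spec)`.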
+
+ + +
+ +
+
+
+
+ + Specified URL to send JSON payload via HTTP POST + (ex., https://your.server.com/api/v1/webhook). +
+ Learn More + +
+
+
+
\ No newline at end of file
diff --git a/apps/alert_webhook/default/restmap.conf b/apps/alert_webhook/default/restmap.conf
new file mode 100755
index 00000000..caf77848
--- /dev/null
+++ b/apps/alert_webhook/default/restmap.conf
@@ -0,0 +1,4 @@
+[validation:savedsearch]
+# Require url to be set if webhook action is enabled
+action.webhook = case('action.webhook' != "1", null(), 'action.webhook.param.url' == "action.webhook.param.url" OR 'action.webhook.param.url' == "", "No Webhook URL specified", 1==1, null())
+action.webhook.param.url = validate( match('action.webhook.param.url', "^https?://[^\s]+$"), "Webhook URL is invalid")
\ No newline at end of file
diff --git a/apps/alert_webhook/local/alert_actions.conf b/apps/alert_webhook/local/alert_actions.conf
new file mode 100755
index 00000000..285c8917
--- /dev/null
+++ b/apps/alert_webhook/local/alert_actions.conf
@@ -0,0 +1,2 @@
+[webhook]
+
diff --git a/apps/alert_webhook/metadata/default.meta b/apps/alert_webhook/metadata/default.meta
new file mode 100755
index 00000000..ddb8b569
--- /dev/null
+++ b/apps/alert_webhook/metadata/default.meta
@@ -0,0 +1,13 @@
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+[alert_actions]
+export = system
+
+[alerts]
+export = system
+
+[restmap]
+export = system
\ No newline at end of file
diff --git a/apps/introspection_generator_addon/bin/collector.path b/apps/introspection_generator_addon/bin/collector.path
new file mode 100755
index 00000000..4b0f78b6
--- /dev/null
+++ b/apps/introspection_generator_addon/bin/collector.path
@@ -0,0 +1 @@
+"$SPLUNK_HOME/bin/splunkd" instrument-resource-usage
diff --git a/apps/introspection_generator_addon/default/README b/apps/introspection_generator_addon/default/README
new file mode 100755
index 00000000..12d5b97d
--- /dev/null
+++ b/apps/introspection_generator_addon/default/README
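Review bot: The `match('action.webhook.param.url', "^https?://[^\s]+$")` check in restmap.conf accepts cleartext `http://` targets, so the alert's `result` row serialised by webhook.py can be delivered unencrypted; if that is intended, a comment saying so would help, otherwise tighten the pattern to `^https://[^\s]+$`. This validation appears to apply only to saved searches written through the REST endpoint; webhook.py in this commit does not re-check the scheme of `configuration.url`, so the two should be kept consistent.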
@@ -0,0 +1,17 @@
+This add-on is packaged with Splunk; it provides platform instrumentation data.
+
+This data is consumed by splunk_monitoring_console.
+
+ONLY the following configuration parameters may be modified:
+
+* server.conf / [introspection:generator:disk_objects] / disabled
+* server.conf / [introspection:generator:disk_objects] / acquireExtra_i_data
+* server.conf / [introspection:generator:disk_objects] / collectionPeriodInSecs
+* server.conf / [introspection:generator:resource_usage] / disabled
+* server.conf / [introspection:generator:resource_usage] / acquireExtra_i_data
+* server.conf / [introspection:generator:resource_usage] / collectionPeriodInSecs
+* server.conf / [introspection:generator:resource_usage__iostats] / disabled
+* server.conf / [introspection:generator:resource_usage__iostats] / collectionPeriodInSecs
+* server.conf / [introspection:generator:resource_usage__iowait] / disabled
+
+Do NOT modify any other parameters.
diff --git a/apps/introspection_generator_addon/default/app.conf b/apps/introspection_generator_addon/default/app.conf
new file mode 100755
index 00000000..1f70b54a
--- /dev/null
+++ b/apps/introspection_generator_addon/default/app.conf
@@ -0,0 +1,13 @@
+[install]
+is_configured = true
+state = enabled
+allows_disable = true
+
+[ui]
+is_visible = false
+
+[launcher]
+author = Splunk
+description = Affords and supports the Platform Instrumentation initiative.
+version = 10.0.2
+
diff --git a/apps/introspection_generator_addon/default/inputs.conf b/apps/introspection_generator_addon/default/inputs.conf
new file mode 100755
index 00000000..4db31e92
--- /dev/null
+++ b/apps/introspection_generator_addon/default/inputs.conf
@@ -0,0 +1,8 @@
+# Version 10.0.2
+
+[monitor://$SPLUNK_HOME/var/log/introspection]
+index = _introspection
+
+[script://./bin/collector.path]
+sourcetype = splunk_resource_usage__internal
+interval = 0
diff --git a/apps/introspection_generator_addon/default/server.conf b/apps/introspection_generator_addon/default/server.conf
new file mode 100755
index 00000000..7000c734
--- /dev/null
+++ b/apps/introspection_generator_addon/default/server.conf
@@ -0,0 +1,29 @@
+# Version 10.0.2
+
+[introspection:generator:disk_objects]
+disabled = false
+acquireExtra_i_data = false
+collectionPeriodInSecs = 600
+
+
+[introspection:generator:resource_usage]
+disabled = false
+acquireExtra_i_data = false
+# collectionPeriodInSecs defaults to 600 (10 minutes) on UFs, 10 (1/6th of a minute) on non-UFs; this is done during packaging.
+
+
+[introspection:generator:resource_usage__iostats]
+disabled = false
+collectionPeriodInSecs = 60
+
+
+[introspection:generator:resource_usage__iowait]
+disabled = false
+
+
+[introspection:generator:kvstore]
+disabled = false
+serverStatsCollectionPeriodInSecs = 27
+collectionStatsCollectionPeriodInSecs = 600
+profilingStatsCollectionPeriodInSecs = 5
+rsStatsCollectionPeriodInSecs = 60
diff --git a/apps/introspection_generator_addon/metadata/default.meta b/apps/introspection_generator_addon/metadata/default.meta
new file mode 100755
index 00000000..98516741
--- /dev/null
+++ b/apps/introspection_generator_addon/metadata/default.meta
@@ -0,0 +1,2 @@
+[]
+access = read : [ admin ], write : [ admin ]
diff --git a/apps/journald_input/default/authorize.conf b/apps/journald_input/default/authorize.conf
new file mode 100755
index 00000000..9db8455d
--- /dev/null
+++ b/apps/journald_input/default/authorize.conf
@@ -0,0 +1,4 @@
+[capability::edit_modinput_journald]
+
+[role_admin]
+edit_modinput_journald = enabled
diff --git a/apps/journald_input/default/inputs.conf b/apps/journald_input/default/inputs.conf
new file mode 100755
index 00000000..6a94fad9
--- /dev/null
+++ b/apps/journald_input/default/inputs.conf
@@ -0,0 +1,5 @@
+[journald]
+interval = 30
+journalctl-quiet = true
+journalctl-include-fields = PRIORITY,_SYSTEMD_UNIT,_SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
+journalctl-exclude-fields = __MONOTONIC_TIMESTAMP,__SOURCE_REALTIME_TIMESTAMP
diff --git a/apps/journald_input/metadata/default.meta b/apps/journald_input/metadata/default.meta
new file mode 100755
index 00000000..05c779da
--- /dev/null
+++ b/apps/journald_input/metadata/default.meta
@@ -0,0 +1,2 @@
+[]
+access = read : [ * ], write : [ admin, power ]
diff --git a/apps/pusher_app_prem_prem/local/app.conf b/apps/pusher_app_prem_prem/local/app.conf
index fb84a268..de729018 100644
--- a/apps/pusher_app_prem_prem/local/app.conf
+++ b/apps/pusher_app_prem_prem/local/app.conf
@@ -1,2 +1,2 @@
 [launcher]
-author = JP
\ No newline at end of file
+author = JP-
\ No newline at end of file