diff --git a/apps/Splunk_TA_linux/VERSION b/apps/Splunk_TA_linux/VERSION
new file mode 100755
index 00000000..dd36387e
--- /dev/null
+++ b/apps/Splunk_TA_linux/VERSION
@@ -0,0 +1,2 @@
+2.1.0
+2.1.0
\ No newline at end of file
diff --git a/apps/Splunk_TA_linux/app.manifest b/apps/Splunk_TA_linux/app.manifest
new file mode 100755
index 00000000..6d531f13
--- /dev/null
+++ b/apps/Splunk_TA_linux/app.manifest
@@ -0,0 +1,63 @@
+{
+ "dependencies": null,
+ "incompatibleApps": null,
+ "info": {
+ "author": [
+ {
+ "name": "Splunk",
+ "email": null,
+ "company": null
+ }
+ ],
+ "classification": {
+ "categories": [
+ "IT Operations"
+ ],
+ "developmentStatus": "Production/Stable",
+ "intendedAudience": "IT"
+ },
+ "commonInformationModels": {
+ "Alerts": "==5.0.1",
+ "Authentication": "==5.0.1",
+ "Change": "==5.0.1",
+ "Intrusion Detection": "==5.0.1"
+ },
+ "description": "Splunk Add-on for Linux",
+ "id": {
+ "group": null,
+ "name": "Splunk_TA_linux",
+ "version": "2.1.0"
+ },
+ "license": {
+ "name": "Splunk Software License Agreement",
+ "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+ "uri": "http://www.splunk.com/view/SP-CAAAAFA"
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseDate": null,
+ "releaseNotes": {
+ "name": "README",
+ "text": "./README.txt",
+ "uri": "https://docs.splunk.com/Documentation/AddOns/released/Linux/Releasenotes"
+ },
+ "title": "Splunk Add-on for Linux"
+ },
+ "inputGroups": null,
+ "platformRequirements": null,
+ "schemaVersion": "2.0.0",
+ "supportedDeployments": [
+ "_standalone",
+ "_distributed",
+ "_search_head_clustering"
+ ],
+ "targetWorkloads": [
+ "_search_heads",
+ "_indexers",
+ "_forwarders"
+ ],
+ "tasks": null
+}
\ No newline at end of file
diff --git a/apps/Splunk_TA_linux/default/app.conf b/apps/Splunk_TA_linux/default/app.conf
new file mode 100755
index 00000000..42a94915
--- /dev/null
+++ b/apps/Splunk_TA_linux/default/app.conf
@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1658326316
+
+[launcher]
+author = Splunk
+version = 2.1.0
+description = Splunk Add-on for Linux
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Linux
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_linux
+
+[id]
+name = Splunk_TA_linux
+version = 2.1.0
+
diff --git a/apps/Splunk_TA_linux/default/eventtypes.conf b/apps/Splunk_TA_linux/default/eventtypes.conf
new file mode 100755
index 00000000..74bc89a9
--- /dev/null
+++ b/apps/Splunk_TA_linux/default/eventtypes.conf
@@ -0,0 +1,76 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[linux_collectd_cpu]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=cpu
+#tags = performance oshost cpu inventory
+
+[linux_collectd_memory]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=memory
+#tags = performance oshost memory inventory
+
+[linux_collectd_swap]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=swap
+#tags = performance oshost memory
+
+[linux_collectd_df]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=df
+#tags = performance oshost storage inventory
+
+[linux_collectd_interface]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=interface
+#tags = performance oshost network inventory
+
+[linux_collectd_disk]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=disk
+#tags = performance oshost storage
+
+[linux_collectd_load]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=load
+#tags = performance oshost
+
+[linux_collectd_processes]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=processes
+#tags = performance oshost process cpu
+
+[linux_collectd_protocols]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=protocols
+#tags = performance oshost
+
+[linux_collectd_irq]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=irq
+#tags = performance oshost
+
+[linux_collectd_tcpconns]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=tcpconns
+#tags = performance oshost network
+
+[linux_collectd_thermal]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=thermal
+#tags = performance oshost
+
+[linux_collectd_uptime]
+search = (sourcetype=linux:collectd:graphite OR sourcetype=linux:collectd:http:json) linux_collectd_plugin=uptime
+#tags = performance oshost os
+
+[linux_audit_anomalies]
+search = sourcetype=linux:audit type=ANOM_*
+#tags = ids attack alert
+
+[linux_audit_account_change]
+search = sourcetype=linux:audit type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK")
+#tags = change account
+
+[linux_audit_authentication]
+search = sourcetype=linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ")
+#tags = authentication
+
+[linux_audit_endpoint]
+search = sourcetype=linux:audit (type=USER_CMD)
+#tags = process report
+
+[linux_audit_endpoint_services]
+search = sourcetype=linux:audit type IN ("SERVICE_START", "SERVICE_STOP")
+#tags = service report
diff --git a/apps/Splunk_TA_linux/default/props.conf b/apps/Splunk_TA_linux/default/props.conf
new file mode 100755
index 00000000..a43affd5
--- /dev/null
+++ b/apps/Splunk_TA_linux/default/props.conf
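Review bot: `[linux_audit_authentication]` selects only `LOGIN`, `USER_LOGIN`, `USER_START` and `CRED_ACQ`, so the per-attempt `USER_AUTH` records that auditd writes for PAM password checks (the ones carrying `res=failed` on a bad password) are not in the eventtype and, if I read it right, never reach the Authentication data model this add-on advertises in app.manifest; brute-force and password-spray content built on that model would miss them. If the omission is deliberate, say so in a comment above the stanza (`# USER_AUTH intentionally excluded: see <reason>`); otherwise add it, `search = sourcetype=linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_AUTH", "USER_START", "CRED_ACQ")`, and mirror the same list in every `type IN (...)` test in props.conf's `[linux:audit]` stanza so `action`, `src`, `user` and `signature` are populated for it too. The `#tags =` comment lines duplicate what tags.conf defines and are already out of date for `linux_collectd_uptime` (tags.conf also sets `uptime`), so either drop them or note that tags.conf is authoritative.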
@@ -0,0 +1,284 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[linux:collectd:graphite]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_graphite plugin
+pulldown_type = true
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+KV_MODE = none
+TIME_PREFIX = \S+\s+\S+\s+
+TIME_FORMAT = %s.%3N
+MAX_TIMESTAMP_LOOKAHEAD = 12
+
+EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
+
+
+EXTRACT-collectd_data = ^(?[^.\s]+)\.(?[^.\s]+)\.(?P\S+)\s+(?P\S+)\s+(?\S+)
+EXTRACT-plugin_info = (?[^\-]\w+)-*(?.*) in object
+EXTRACT-metric_type = (?[^\-\.]\w+)-*(?[^\.]\w+)?\.* in metric
+
+FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin
+EVAL-dsname = mvindex(split(metric, "."),1)
+FIELDALIAS-linux_host = collectd_host as host
+FIELDALIAS-linux_dest = collectd_host as dest
+
+## HOST_OS Model.Performance.Memory
+EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
+EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
+EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
+EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
+EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
+
+## HOST_OS Model.Performance.Storage
+EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
+EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
+
+## HOST_OS Model.Performance.Network
+EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
+EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
+EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
+
+## HOST_OS Model.Inventory.Machine Information
+
+## HOST_OS Model.Inventory.Storage Information
+EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
+
+## HOST_OS Model.Performance.CPU
+FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts
+FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent
+FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time
+FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent
+
+## HOST_OS Model.Performance.Memory
+FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent
+FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent
+
+## HOST_OS Model.Performance.Storage
+FIELDALIAS-read_ops = disk_ops_read AS read_ops
+FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent
+FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent
+FIELDALIAS-write_ops = disk_ops_write AS write_ops
+
+## HOST_OS Model.Performance.Network
+FIELDALIAS-packets_in = if_packets_rx AS packets_in
+FIELDALIAS-packets_out = if_packets_tx AS packets_out
+
+## HOST_OS Model.Performance.OS
+FIELDALIAS-uptime = uptime_value AS uptime
+
+## HOST_OS Model.Inventory.Storage Information
+
+## HOST_OS Model.Inventory.Network Information
+
+[linux:collectd:http:json]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_http plugin in json
+pulldown_type = true
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+EVENT_BREAKER = ([\[|\,]){\"values\":
+SHOULD_LINEMERGE = false
+LINE_BREAKER = ([\[|\,]){\"values\":
+SEDCMD-remove_tail = s/\}]$/}/
+KV_MODE = json
+TIME_PREFIX = "time":\s*
+TIME_FORMAT = %s.%3N
+
+TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance
+TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance
+TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance
+
+EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?[^"]*)(?:"|)
+EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?[^"]+)(?:"|),\s*"plugin_instance":
+
+FIELDALIAS-dsnames = dsnames{} as dsname
+FIELDALIAS-linux_value = values{} as value
+FIELDALIAS-linux_host = collectd_host as host
+FIELDALIAS-linux_dest = collectd_host as dest
+
+## HOST_OS Model.Performance.CPU
+FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts
+FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent
+FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time
+FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent
+FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count
+
+## HOST_OS Model.Performance.Memory
+FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent
+FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent
+
+EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
+EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
+EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
+EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
+EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
+
+## HOST_OS Model.Performance.Storage
+FIELDALIAS-linux_read_ops = disk_ops_read as read_ops
+FIELDALIAS-linux_write_ops = disk_ops_write as write_ops
+EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
+
+EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
+EVAL-storage_free_percent = percent_bytes_free_value
+EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
+EVAL-storage_used_percent = percent_bytes_used_value
+EVAL-total_ops = disk_ops_read + disk_ops_write
+
+## HOST_OS Model.Performance.Network
+FIELDALIAS-linux_packets_in = if_packets_rx as packets_in
+FIELDALIAS-linux_packets_out = if_packets_tx as packets_out
+
+EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
+EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
+EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
+EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null())
+EVAL-packets = packets_in + packets_out
+
+## HOST_OS Model.Performance.OS
+FIELDALIAS-linux_uptime = uptime_value as uptime
+
+[linux:collectd:http:metrics]
+category = Operating System
+description = Metrics collected from linux host using collectd-write_http plugin for metrics index
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+
+## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index
+#METRICS_PROTOCOL = COLLECTD_HTTP
+KV_MODE = json
+TIME_PREFIX = "time":\s*
+TIME_FORMAT = %s.%3N
+
+# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
+#[syslog]
+#TRANSFORMS-linux_syslog = linux_syslog_audit
+
+[source::.../var/log/audit/audit.log(.\d+)?]
+sourcetype = linux:audit
+
+[linux:audit]
+category = Operating System
+description = Audit events from linux host using monitoring audit logs
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+SHOULD_LINEMERGE = false
+TIME_PREFIX = msg=audit\(
+TIME_FORMAT = %s.%3N
+MAX_TIMESTAMP_LOOKAHEAD = 12
+FIELDALIAS-subj = subj AS subject
+FIELDALIAS-obj = obj AS object
+REPORT-event_id = event_id
+REPORT-op = op
+REPORT-subject = subject
+REPORT-object = object
+REPORT-res = res
+
+EVAL-vendor_product = "Linux Audit"
+FIELDALIAS-host = host AS dest
+
+# DM Endpoint.Processes
+EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null())
+EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null())
+EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
+EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
+EVAL-process_name = mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1)
+
+# DM Endpoint.Services
+EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
+EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
+
+
+# # DM Authentication:Authentication
+EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null())
+EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null())
+EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null())
+EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null())
+EVAL-app = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null())
+EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null())
+EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null())
+
+# DM Change:Account_Management
+EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null())
+EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null())
+EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null())
+EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null())
+EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null())
+EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(aiud), aiud, null()))
+EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\
+ type IN ("ADD_GROUP") AND isnotnull(auid), auid,\
+ type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\
+ type IN ("DEL_GROUP") AND isnotnull(auid), auid,\
+ type IN ("ADD_USER") AND isnotnull(acct), acct,\
+ type IN ("DEL_USER") AND isnotnull(ID), ID,\
+ type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\
+ type IN ("GRP_MGMT") AND isnotnull(auid), auid,\
+ type IN ("USER_ACCT") AND isnotnull(AUID), AUID,\
+ type IN ("USER_ACCT") AND isnotnull(auid), auid,\
+ ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
+ ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
+ ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\
+ ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
+ true(), null())
+EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\
+ ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\
+ ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\
+ type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\
+ true(), null())
+EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\
+ type=="USER_ACCT" AND op=="PAM:accounting", "user",\
+ type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\
+ true(), null())
+EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null())
+
+# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management
+EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\
+ type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\
+ type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\
+ (type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \
+ ((type=="DEL_USER" AND op=="deleting user from group") OR \
+ (type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), "modified",\
+ type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\
+ type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\
+ true(), null())
+
+# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management
+EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\
+ type IN ("USER_START") AND isnotnull(uid), uid,\
+ type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\
+ true(), null())
+EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\
+ type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\
+ type IN ("USER_START") AND isnotnull(acct), acct,\
+ type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\
+ type IN ("ADD_USER") AND isnotnull(acct), acct,\
+ type IN ("DEL_USER") AND isnotnull(ID), ID,\
+ ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \
+ (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
+ ((type=="USER_MGMT" AND op=="add-user-to-group") OR \
+ (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
+ ((type=="USER_MGMT" AND op=="changing-uid") OR \
+ (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\
+ ((type=="USER_MGMT" AND op=="changing-uid") OR \
+ (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
+ true(), null())
+
+# DM Endpoint.Services, DM Endpoint.Processes
+EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null())
+
+# DM Endpoint.Services, DM Change:Account_Management
+EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
+ isnotnull(res) AND (res=="success" OR res=="1"), "success",\
+ type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
+ isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\
+ type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\
+ type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\
+ true(), null())
+
+# DM Authentication:Authentication, DM Change:Account_Management
+EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null())
diff --git a/apps/Splunk_TA_linux/default/tags.conf b/apps/Splunk_TA_linux/default/tags.conf
new file mode 100755
index 00000000..1f5d0ecb
--- /dev/null
+++ b/apps/Splunk_TA_linux/default/tags.conf
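Review bot: `EVAL-linux_ev_ch_mgmt_user` in the `[linux:audit]` Change:Account_Management block falls back to a field spelled `aiud`, which looks like a transposition of `auid` (the lowercase name every other fallback in the stanza uses), so that branch can never match and records that lack the interpreted `AUID` field lose the actor entirely; change the inner test to `AND isnotnull(auid), auid, null()))`. `EVAL-action` only maps `USER_CMD` when `res` is success/1, so a sudo command that was refused (`res=failed`) gets no `action` at all and is invisible to Endpoint.Processes content that pivots on `action=blocked`, which is the case a detection engineer cares about most; add `type=="USER_CMD" AND (res=="failed" OR res=="0"), "blocked",\` immediately after the existing "allowed" branch. The `[res]` regex defined in transforms.conf in this same commit only captures `1|0|success|failed`, so those are the only values these comparisons will ever see, which is worth stating in a comment above `EVAL-action` so nobody later adds a `res=="no"` branch that can never fire.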
@@ -0,0 +1,90 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[eventtype=linux_collectd_cpu]
+performance = enabled
+oshost = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_memory]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_swap]
+performance = enabled
+oshost = enabled
+memory = enabled
+
+[eventtype=linux_collectd_df]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_interface]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_disk]
+performance = enabled
+oshost = enabled
+storage = enabled
+
+[eventtype=linux_collectd_load]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_processes]
+performance = enabled
+oshost = enabled
+process = enabled
+cpu = enabled
+
+[eventtype=linux_collectd_protocols]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_irq]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_tcpconns]
+performance = enabled
+oshost = enabled
+network = enabled
+
+[eventtype=linux_collectd_thermal]
+performance = enabled
+oshost = enabled
+
+[eventtype=linux_collectd_uptime]
+performance = enabled
+oshost = enabled
+os = enabled
+uptime = enabled
+
+# [eventtype=linux_audit_anomalies]
+# ids = enabled
+# attack = enabled
+# alert = enabled
+
+[eventtype=linux_audit_account_change]
+change = enabled
+account = enabled
+
+[eventtype=linux_audit_authentication]
+authentication = enabled
+
+[eventtype=linux_audit_endpoint]
+process = enabled
+report = enabled
+
+# [eventtype=linux_audit_privileged]
+# privileged = enabled
+
+[eventtype=linux_audit_endpoint_services]
+service = enabled
+report = enabled
diff --git a/apps/Splunk_TA_linux/default/transforms.conf b/apps/Splunk_TA_linux/default/transforms.conf
new file mode 100755
index 00000000..bda86090
--- /dev/null
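Review bot: The `[eventtype=linux_audit_anomalies]` stanza is commented out, so the `ANOM_*` audit records selected by the `linux_audit_anomalies` eventtype (defined in eventtypes.conf in this same commit) never receive the `ids`/`attack`/`alert` tags and therefore never populate the Intrusion Detection data model that app.manifest lists under commonInformationModels; anyone relying on the manifest will believe those events are covered when they are not. If this is intentional because the `ANOM_*` fields are not yet normalised, say so in place (`# disabled: ANOM_* events lack the CIM fields Intrusion_Detection requires; see props.conf`), otherwise uncomment the three tags. The commented `[eventtype=linux_audit_privileged]` stanza refers to an eventtype that eventtypes.conf does not define, so it is dead either way; remove it or add the eventtype it expects.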
+++ b/apps/Splunk_TA_linux/default/transforms.conf 
@@ -0,0 +1,70 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc.
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[http_one_item_field]
+# $1 = value[0], $2 = dsnames[0], $3 = type, $4 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $3_$4_$2::$1
+WRITE_META = true
+
+[http_one_item_field_no_type_instance]
+# $1 = value[0], $2 = dsnames[0], $3 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $3_$2::$1
+WRITE_META = true
+
+[http_two_item_fields]
+# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type,
+# $6 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
+WRITE_META = true
+
+[http_two_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $5_$3::$1 $5_$4::$2
+WRITE_META = true
+
+[http_three_item_fields]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type, $8 = type_instance
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
+FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
+WRITE_META = true
+
+[http_three_item_fields_no_type_instance]
+# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
+# $6 = dsnames[2], $7 = type
+REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
+FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
+WRITE_META = true
+
+# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
+
+#[linux_syslog_audit]
+#DEST_KEY = MetaData:Sourcetype
+#REGEX = type=\S+\s+msg=audit
+#FORMAT = sourcetype::linux:audit
+
+[event_id]
+REGEX = msg=audit\(([^:]+):(.+)\):
+FORMAT = time_stamp::$1 event_id::$2
+
+[op]
+REGEX = op=([^=]+)\s+\S+=
+FORMAT = op::$1
+
+[subject]
+REGEX = subj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4
+
+[object]
+REGEX = obj=([^:]+):([^:]+):([^:]+):(\S+)
+FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4
+
+[res]
+REGEX = res=(1|0|success|failed)
+FORMAT = res::$1
diff --git a/apps/Splunk_TA_linux/metadata/default.meta b/apps/Splunk_TA_linux/metadata/default.meta
new file mode 100755
index 00000000..1231cfad
--- /dev/null
+++ b/apps/Splunk_TA_linux/metadata/default.meta
@@ -0,0 +1,7 @@
+
+# Application-level permissions
+
+[]
+owner = admin
+access = read : [ * ], write : [ admin, sc_admin ]
+export = system
diff --git a/apps/Splunk_TA_linux/static/appIcon.png b/apps/Splunk_TA_linux/static/appIcon.png
new file mode 100755
index 00000000..88f67e72
Binary files /dev/null and b/apps/Splunk_TA_linux/static/appIcon.png differ
diff --git a/apps/Splunk_TA_linux/static/appIconAlt.png b/apps/Splunk_TA_linux/static/appIconAlt.png
new file mode 100755
index 00000000..88f67e72
Binary files /dev/null and b/apps/Splunk_TA_linux/static/appIconAlt.png differ
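Review bot: The `[event_id]` regex `msg=audit\(([^:]+):(.+)\):` captures the audit serial with a greedy `(.+)`, so if anything later in the record contains the sequence `):` (an un-encoded `cmd=` or `msg='...'` payload can carry arbitrary printable text, and this stanza runs on every `linux:audit` event) the match runs on to the last such occurrence and `event_id` — which props.conf then exposes as `signature_id` — absorbs a chunk of the message body. The serial is numeric, so pin it: `REGEX = msg=audit\(([^:]+):(\d+)\):`. The `[op]` regex `op=([^=]+)\s+\S+=` requires another `key=` to follow, so it presumably yields nothing when `op=` is the final field of a record; worth a comment above it stating that assumption (`# expects at least one key=value after op=; op values may contain spaces`) or a test against a trailing-`op` sample if you have one.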
diff --git a/apps/Splunk_TA_linux/static/appIconAlt_2x.png b/apps/Splunk_TA_linux/static/appIconAlt_2x.png
new file mode 100755
index 00000000..c638b3f1
Binary files /dev/null and b/apps/Splunk_TA_linux/static/appIconAlt_2x.png differ
diff --git a/apps/Splunk_TA_linux/static/appIcon_2x.png b/apps/Splunk_TA_linux/static/appIcon_2x.png
new file mode 100755
index 00000000..c638b3f1
Binary files /dev/null and b/apps/Splunk_TA_linux/static/appIcon_2x.png differ
diff --git a/apps/pusher_app_prem_prem/local/app.conf b/apps/pusher_app_prem_prem/local/app.conf
index 68b6d939..a8b44cd0 100644
--- a/apps/pusher_app_prem_prem/local/app.conf
+++ b/apps/pusher_app_prem_prem/local/app.conf
@@ -1,3 +1,3 @@
 [launcher]
 author = JP-
-version = 1.2.0
\ No newline at end of file
+version = 1.2.1
\ No newline at end of file