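##
## SPDX-FileCopyrightText: 2021 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##

# props.conf for collectd metrics (graphite / write_http JSON / metrics index) and
# Linux auditd events. Search-time knowledge (EXTRACT-, FIELDALIAS-, EVAL-, REPORT-)
# maps raw fields onto the CIM field names called out in the "## HOST_OS" / "# DM"
# section comments.
#
# NOTE(review): several named capture groups below read as `(?[^.\s]+)`, i.e. the
# `<name>` part is missing. This looks like extraction damage on this copy (the
# `<...>` tags were stripped; `(?<_KEY_1>...)` survived because `<_` is not a tag
# start) rather than the shipped regex. As written these EXTRACT- rules will not
# compile; restore the group names from the upstream add-on before deploying. The
# FIELDALIAS- lines that follow each one show which field it presumably populates.

[linux:collectd:graphite]
category = Operating System
description = Metrics collected from linux host using collectd-write_graphite plugin
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
KV_MODE = none
# Graphite line format: "<metric path> <value> <epoch.ms>"; skip two tokens to reach the time.
TIME_PREFIX = \S+\s+\S+\s+
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
# Dotted-path tail becomes KEY, following token becomes VAL (indexed _KEY_n/_VAL_n pair).
EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
# NOTE(review): group names missing (see header note); presumably host / plugin / object / metric / value.
EXTRACT-collectd_data = ^(?[^.\s]+)\.(?[^.\s]+)\.(?P\S+)\s+(?P\S+)\s+(?\S+)
# NOTE(review): group names missing (see header note); splits "plugin-instance" out of object.
EXTRACT-plugin_info = (?[^\-]\w+)-*(?.*) in object
# NOTE(review): group names missing (see header note); splits "type-type_instance" out of metric.
EXTRACT-metric_type = (?[^\-\.]\w+)-*(?[^\.]\w+)?\.* in metric
FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin
# Second dotted component of the metric path (collectd data-source name).
EVAL-dsname = mvindex(split(metric, "."),1)
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.Memory
# Raw values are divided by 1024 twice (bytes -> MiB if the collectd value is in bytes; confirm per plugin).
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
# percent_used_value is shared by several plugins; restrict to swap here.
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
## HOST_OS Model.Performance.Network
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
# Non-numeric octet counters are coerced to 0 rather than dropped.
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
## HOST_OS Model.Inventory.Machine Information
## HOST_OS Model.Inventory.Storage Information
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
## HOST_OS Model.Performance.CPU
FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts
FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent
FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time
FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent
## HOST_OS Model.Performance.Memory
FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent
FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent
## HOST_OS Model.Performance.Storage
FIELDALIAS-read_ops = disk_ops_read AS read_ops
FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent
FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent
FIELDALIAS-write_ops = disk_ops_write AS write_ops
## HOST_OS Model.Performance.Network
FIELDALIAS-packets_in = if_packets_rx AS packets_in
FIELDALIAS-packets_out = if_packets_tx AS packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-uptime = uptime_value AS uptime
## HOST_OS Model.Inventory.Storage Information
## HOST_OS Model.Inventory.Network Information

[linux:collectd:http:json]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin in json
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
# write_http posts a JSON array; break one event per {"values": ...} object.
EVENT_BREAKER = ([\[|\,]){\"values\":
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\[|\,]){\"values\":
# Strip the array's closing "]" from the last object so it stays valid JSON.
SEDCMD-remove_tail = s/\}]$/}/
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N
# Transforms are defined in transforms.conf (not in this file).
TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance
TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance
TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance
# NOTE(review): group name missing (see header note); the aliases below read collectd_host.
EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?[^"]*)(?:"|)
# NOTE(review): group name missing (see header note); presumably plugin.
EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?[^"]+)(?:"|),\s*"plugin_instance":
FIELDALIAS-dsnames = dsnames{} as dsname
FIELDALIAS-linux_value = values{} as value
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.CPU
FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts
FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent
FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time
FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent
FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count
## HOST_OS Model.Performance.Memory
FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent
FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent
# Same /1024/1024 scaling as the graphite stanza.
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
FIELDALIAS-linux_read_ops = disk_ops_read as read_ops
FIELDALIAS-linux_write_ops = disk_ops_write as write_ops
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_free_percent = percent_bytes_free_value
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
EVAL-storage_used_percent = percent_bytes_used_value
# Null if either operand is missing (no isnum guard here, unlike the byte counters).
EVAL-total_ops = disk_ops_read + disk_ops_write
## HOST_OS Model.Performance.Network
FIELDALIAS-linux_packets_in = if_packets_rx as packets_in
FIELDALIAS-linux_packets_out = if_packets_tx as packets_out
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-packets = packets_in + packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-linux_uptime = uptime_value as uptime

[linux:collectd:http:metrics]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin for metrics index
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index
#METRICS_PROTOCOL = COLLECTD_HTTP
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N

# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
#[syslog]
#TRANSFORMS-linux_syslog = linux_syslog_audit

# Route audit.log (and rotated audit.log.N) to the linux:audit sourcetype.
[source::.../var/log/audit/audit.log(.\d+)?]
sourcetype = linux:audit

[linux:audit]
category = Operating System
description = Audit events from linux host using monitoring audit logs
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
# Timestamp is the epoch.ms inside "msg=audit(<epoch.ms>:<serial>)".
TIME_PREFIX = msg=audit\(
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
FIELDALIAS-subj = subj AS subject
FIELDALIAS-obj = obj AS object
# REPORT- stanzas are defined in transforms.conf (not in this file).
REPORT-event_id = event_id
REPORT-op = op
REPORT-subject = subject
REPORT-object = object
REPORT-res = res
EVAL-vendor_product = "Linux Audit"
FIELDALIAS-host = host AS dest
# DM Endpoint.Processes
# auditd hex-encodes field values it cannot print verbatim. The pattern
# if(match(x,"^[0-9A-F]+$"), urldecode(replace(x,"([0-9A-F]{2})","%\1")), x) turns such a
# value back into text by rewriting each byte as %XX and URL-decoding. It is a heuristic:
# a literal value that happens to be all uppercase hex digits would also be decoded.
EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null())
EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null())
# NOTE(review): unlike EVAL-process, the three fields below are not gated on type=="USER_CMD",
# so any record carrying a cmd field populates them (null when cmd is absent).
# process_path / process_exec: first whitespace-separated token of the decoded command.
EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
# process_name: basename (last "/"-separated part) of that first token.
EVAL-process_name = mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1)
# DM Endpoint.Services
EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
#
# DM Authentication:Authentication
# auditd writes "?" for unknown hostname/addr; prefer hostname, fall back to addr, else null.
EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null())
EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null())
EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null())
EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null())
EVAL-app = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null())
# Only for hex-encoded acct values: decode, then take the text between the first "(" and the next ")".
EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null())
EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null())
# DM Change:Account_Management
EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null())
EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null())
EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null())
EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null())
EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null())
# Upper-case AUID (interpreted name) preferred, numeric auid as fallback.
# Fixed: the fallback branch previously referenced the misspelled field `aiud` and could never match.
EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(auid), auid, null()))
# case() is first-match: the generic per-type branches come before the op-specific ones.
EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\
    type IN ("ADD_GROUP") AND isnotnull(auid), auid,\
    type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\
    type IN ("DEL_GROUP") AND isnotnull(auid), auid,\
    type IN ("ADD_USER") AND isnotnull(acct), acct,\
    type IN ("DEL_USER") AND isnotnull(ID), ID,\
    type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\
    type IN ("GRP_MGMT") AND isnotnull(auid), auid,\
    type IN ("USER_ACCT") AND isnotnull(AUID), AUID,\
    type IN ("USER_ACCT") AND isnotnull(auid), auid,\
    ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
    ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
    ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\
    ((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
    true(), null())
EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\
    ((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\
    ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\
    type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\
    true(), null())
# USER_ACCT is "user" only for op=="PAM:accounting"; any other USER_ACCT falls through to "group".
EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\
    type=="USER_ACCT" AND op=="PAM:accounting", "user",\
    type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\
    true(), null())
EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management
# NOTE(review): USER_CMD maps only the success case ("allowed"); a USER_CMD with res=failed/0 gets
# action=null, so denied command attempts are not labelled — confirm against the Processes model.
# The group-membership DEL_USER/ADD_USER ops are ordered before the generic "deleted"/"created" branches
# on purpose (first match wins).
EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\
    type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\
    type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\
    (type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \
    ((type=="DEL_USER" AND op=="deleting user from group") OR \
    (type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), "modified",\
    type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\
    type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\
    true(), null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management
EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\
    type IN ("USER_START") AND isnotnull(uid), uid,\
    type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\
    true(), null())
# NOTE(review): this is the only user-type field that skips AUID=="unset" (auditd's value for a
# process with no login session); user_name, src_user and src_user_name do not filter it.
EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\
    type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\
    type IN ("USER_START") AND isnotnull(acct), acct,\
    type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\
    type IN ("ADD_USER") AND isnotnull(acct), acct,\
    type IN ("DEL_USER") AND isnotnull(ID), ID,\
    ((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \
    (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
    ((type=="USER_MGMT" AND op=="add-user-to-group") OR \
    (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
    ((type=="USER_MGMT" AND op=="changing-uid") OR \
    (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\
    ((type=="USER_MGMT" AND op=="changing-uid") OR \
    (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
    true(), null())
# DM Endpoint.Services, DM Endpoint.Processes
EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null())
# DM Endpoint.Services, DM Change:Account_Management
# res is either the word (success/failed) or the numeric flag (1/0) depending on audit version; both accepted.
EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
    isnotnull(res) AND (res=="success" OR res=="1"), "success",\
    type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
    isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\
    type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\
    type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\
    true(), null())
# DM Authentication:Authentication, DM Change:Account_Management
EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null())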