admingit
/
Splunk_Deploiement
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a0e9d3e2a0'
${ noResults }
Splunk_Deploiement/apps/Splunk_TA_linux/default/props.conf

285 lines
16 KiB
Raw Blame History

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[linux:collectd:graphite]
category = Operating System
description = Metrics collected from linux host using collectd-write_graphite plugin
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
KV_MODE = none
TIME_PREFIX = \S+\s+\S+\s+
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
EXTRACT-KVFORLINUX = ^[^\.]+[^\.\n]*\.[^\.]+\.(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
EXTRACT-collectd_data = ^(?<collectd_host>[^.\s]+)\.(?<object>[^.\s]+)\.(?P<metric>\S+)\s+(?P<value>\S+)\s+(?<timestamp>\S+)
EXTRACT-plugin_info = (?<linux_collectd_plugin>[^\-]\w+)-*(?<plugin_instance>.*) in object
EXTRACT-metric_type = (?<type>[^\-\.]\w+)-*(?<type_instance>[^\.]\w+)?\.* in metric
FIELDALIAS-linux_collectd_plugin = linux_collectd_plugin AS plugin
EVAL-dsname = mvindex(split(metric, "."),1)
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.Memory
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
## HOST_OS Model.Performance.Network
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
## HOST_OS Model.Inventory.Machine Information
## HOST_OS Model.Inventory.Storage Information
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
## HOST_OS Model.Performance.CPU
FIELDALIAS-cpu_interrupts = cpu_interrupt_value AS cpu_interrupts
FIELDALIAS-cpu_load_percent = cpu_system_value AS cpu_load_percent
FIELDALIAS-cpu_time = ps_cputime_syst AS cpu_time
FIELDALIAS-cpu_user_percent = cpu_user_value AS cpu_user_percent
## HOST_OS Model.Performance.Memory
FIELDALIAS-mem_free_percent = percent_free_value AS mem_free_percent
FIELDALIAS-mem_used_percent = percent_used_value AS mem_used_percent
## HOST_OS Model.Performance.Storage
FIELDALIAS-read_ops = disk_ops_read AS read_ops
FIELDALIAS-storage_free_percent = percent_bytes_free_value AS storage_free_percent
FIELDALIAS-storage_used_percent = percent_bytes_used_value AS storage_used_percent
FIELDALIAS-write_ops = disk_ops_write AS write_ops
## HOST_OS Model.Performance.Network
FIELDALIAS-packets_in = if_packets_rx AS packets_in
FIELDALIAS-packets_out = if_packets_tx AS packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-uptime = uptime_value AS uptime
## HOST_OS Model.Inventory.Storage Information
## HOST_OS Model.Inventory.Network Information
[linux:collectd:http:json]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin in json
pulldown_type = true
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\[|\,]){\"values\":
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\[|\,]){\"values\":
SEDCMD-remove_tail = s/\}]$/}/
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N
TRANSFORMS-linux_one_fields = http_one_item_field, http_one_item_field_no_type_instance
TRANSFORMS-linux_two_fields = http_two_item_fields, http_two_item_fields_no_type_instance
TRANSFORMS-linux_three_fields = http_three_item_fields, http_three_item_fields_no_type_instance
EXTRACT-linux_collectd_host = \s*"host":\s*(?:"|)(?<collectd_host>[^"]*)(?:"|)
EXTRACT-linux_collectd_http_plugin = "plugin":\s*(?:"|)(?<linux_collectd_plugin>[^"]+)(?:"|),\s*"plugin_instance":
FIELDALIAS-dsnames = dsnames{} as dsname
FIELDALIAS-linux_value = values{} as value
FIELDALIAS-linux_host = collectd_host as host
FIELDALIAS-linux_dest = collectd_host as dest
## HOST_OS Model.Performance.CPU
FIELDALIAS-linux_cpu_interrupts = cpu_interrupt_value as cpu_interrupts
FIELDALIAS-linux_load_percent = cpu_system_value as cpu_load_percent
FIELDALIAS-linux_cpu_time = ps_cputime_syst as cpu_time
FIELDALIAS-linux_cpu_user_percent = cpu_user_value as cpu_user_percent
FIELDALIAS-system_threads_count = ps_count_threads as system_threads_count
## HOST_OS Model.Performance.Memory
FIELDALIAS-linux_mem_free_percent = percent_free_value as mem_free_percent
FIELDALIAS-linux_mem_used_percent = percent_used_value as mem_used_percent
EVAL-mem_free = if(isnotnull(memory_free_value), memory_free_value/1024/1024, null())
EVAL-mem_used = if(isnotnull(memory_used_value), memory_used_value/1024/1024, null())
EVAL-swap_used = if(isnotnull(swap_used_value), swap_used_value/1024/1024, null())
EVAL-swap_free = if(isnotnull(swap_free_value), swap_free_value/1024/1024, null())
EVAL-swap_percent = if(plugin=="swap" and isnotnull(percent_used_value), percent_used_value, null())
## HOST_OS Model.Performance.Storage
FIELDALIAS-linux_read_ops = disk_ops_read as read_ops
FIELDALIAS-linux_write_ops = disk_ops_write as write_ops
EVAL-mount = if((plugin=="df" OR plugin=="disk") and isnotnull(plugin_instance), plugin_instance, null())
EVAL-storage_free = if(isnotnull(df_complex_free_value), df_complex_free_value/1024/1024, null())
EVAL-storage_free_percent = percent_bytes_free_value
EVAL-storage_used = if(isnotnull(df_complex_used_value), df_complex_used_value/1024/1024, null())
EVAL-storage_used_percent = percent_bytes_used_value
EVAL-total_ops = disk_ops_read + disk_ops_write
## HOST_OS Model.Performance.Network
FIELDALIAS-linux_packets_in = if_packets_rx as packets_in
FIELDALIAS-linux_packets_out = if_packets_tx as packets_out
EVAL-interface = if(plugin=="interface" and isnotnull(plugin_instance), plugin_instance, null())
EVAL-bytes_in = if(plugin=="interface" and isnotnull(if_octets_rx), if(isnum(if_octets_rx), if_octets_rx, 0), null())
EVAL-bytes_out = if(plugin=="interface" and isnotnull(if_octets_tx), if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-bytes = if(plugin=="interface" and isnotnull(if_octets_rx) and isnotnull(if_octets_tx), if(isnum(if_octets_rx), if_octets_rx, 0) + if(isnum(if_octets_tx), if_octets_tx, 0), null())
EVAL-packets = packets_in + packets_out
## HOST_OS Model.Performance.OS
FIELDALIAS-linux_uptime = uptime_value as uptime
[linux:collectd:http:metrics]
category = Operating System
description = Metrics collected from linux host using collectd-write_http plugin for metrics index
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
## uncomment METRICS_PROTOCOL property if you want to collect metrics data in metrics index
#METRICS_PROTOCOL = COLLECTD_HTTP
KV_MODE = json
TIME_PREFIX = "time":\s*
TIME_FORMAT = %s.%3N
# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
#[syslog]
#TRANSFORMS-linux_syslog = linux_syslog_audit
[source::.../var/log/audit/audit.log(.\d+)?]
sourcetype = linux:audit
[linux:audit]
category = Operating System
description = Audit events from linux host using monitoring audit logs
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
TIME_PREFIX = msg=audit\(
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
FIELDALIAS-subj = subj AS subject
FIELDALIAS-obj = obj AS object
REPORT-event_id = event_id
REPORT-op = op
REPORT-subject = subject
REPORT-object = object
REPORT-res = res
EVAL-vendor_product = "Linux Audit"
FIELDALIAS-host = host AS dest
# DM Endpoint.Processes
EVAL-process = if(type=="USER_CMD" AND isnotnull(cmd), if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd), null())
EVAL-process_current_directory = if(type=="USER_CMD" AND isnotnull(cwd), cwd, null())
EVAL-process_path = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
EVAL-process_exec = mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0)
EVAL-process_name = mvindex(split(mvindex(split(if(match(cmd,"^[0-9A-F]+$"),urldecode(replace(cmd,"([0-9A-F]{2})","%\1")),cmd)," "),0),"/"),-1)
# DM Endpoint.Services
EVAL-service = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
EVAL-service_name = if(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(unit), unit, null())
# # DM Authentication:Authentication
EVAL-src = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"),case(isnotnull(hostname) AND hostname!="?", hostname,isnotnull(addr) AND addr!="?", addr), null())
EVAL-src_ip = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(addr) AND addr!="?", addr, null())
EVAL-signature = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ"), type, null())
EVAL-signature_id = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(event_id), event_id, null())
EVAL-app = if(type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND isnotnull(exe), exe, null())
EVAL-reason = if(type IN ("USER_LOGIN") AND isnotnull(acct) AND match(acct,"^[0-9A-F]+$"), mvindex(split(mvindex(split(urldecode(replace(acct,"([0-9A-F]{2})","%\1")),"("),1),")"),0), null())
EVAL-src_user_id = if(type IN ("USER_START") AND isnotnull(auid), auid, null())
# DM Change:Account_Management
EVAL-change_type = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "AAA", null())
EVAL-command = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(exe), exe, null())
EVAL-dvc = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(dest), dest, null())
EVAL-result = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(res), res, null())
EVAL-object_id = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(id), id, null())
EVAL-linux_ev_ch_mgmt_user = if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(AUID), AUID, if(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND isnotnull(aiud), aiud, null()))
EVAL-user_name = case(type IN ("ADD_GROUP") AND isnotnull(AUID), AUID,\
type IN ("ADD_GROUP") AND isnotnull(auid), auid,\
type IN ("DEL_GROUP") AND isnotnull(AUID), AUID,\
type IN ("DEL_GROUP") AND isnotnull(auid), auid,\
type IN ("ADD_USER") AND isnotnull(acct), acct,\
type IN ("DEL_USER") AND isnotnull(ID), ID,\
type IN ("GRP_MGMT") AND isnotnull(AUID), AUID,\
type IN ("GRP_MGMT") AND isnotnull(auid), auid,\
type IN ("USER_ACCT") AND isnotnull(AUID), AUID,\
type IN ("USER_ACCT") AND isnotnull(auid), auid,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID), AUID,\
((type=="USER_MGMT" AND op=="changing-uid") OR (type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
true(), null())
EVAL-object = case(type IN ("USER_ACCT") AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR (type=="ADD_USER")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR (type=="DEL_USER")) AND isnotnull(ID), ID,\
type IN ("DEL_GROUP", "ADD_GROUP", "GRP_MGMT", "USER_CHAUTHTOK") AND isnotnull(ID), ID,\
true(), null())
EVAL-object_category = case(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK"), "user",\
type=="USER_ACCT" AND op=="PAM:accounting", "user",\
type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT"), "group",\
true(), null())
EVAL-src_user_name = if(type IN ("ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "USER_ACCT") AND isnotnull(AUID), AUID, null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Change:Account_Management
EVAL-action = case(type=="USER_CMD" AND (res=="success" OR res=="1"), "allowed",\
type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="success" OR res=="1"), "success",\
type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ") AND (res=="failed" OR res=="0"), "failure",\
(type IN ("GRP_MGMT", "USER_ACCT", "USER_CHAUTHTOK", "USER_MGMT") OR \
((type=="DEL_USER" AND op=="deleting user from group") OR \
(type=="ADD_USER" AND op=="adding user to group"))) AND (res=="success" OR res=="1"), "modified",\
type IN ("DEL_USER", "DEL_GROUP") AND (res=="success" OR res=="1"), "deleted",\
type IN ("ADD_GROUP", "ADD_USER") AND (res=="success" OR res=="1"), "created",\
true(), null())
# DM Authentication:Authentication, DM Endpoint.Processes, DM Endpoint.Services, DM Change:Account_Management
EVAL-user_id = case(type IN ("USER_CMD") AND isnotnull(auid), auid,\
type IN ("USER_START") AND isnotnull(uid), uid,\
type IN ("LOGIN", "USER_LOGIN", "CRED_ACQ") AND isnotnull(auid), auid,\
true(), null())
EVAL-user = case(type IN ("SERVICE_START", "SERVICE_STOP") AND isnotnull(UID), UID,\
type IN ("USER_LOGIN", "LOGIN", "USER_CMD", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_GROUP") AND isnotnull(AUID) AND AUID!="unset", AUID,\
type IN ("USER_START") AND isnotnull(acct), acct,\
type IN ("DEL_GROUP", "USER_ACCT", "GRP_MGMT", "ADD_GROUP") AND isnotnull(auid), auid,\
type IN ("ADD_USER") AND isnotnull(acct), acct,\
type IN ("DEL_USER") AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="deleting-user-from-group") OR \
(type=="DEL_USER" AND op=="deleting user from group")) AND isnotnull(ID), ID,\
((type=="USER_MGMT" AND op=="add-user-to-group") OR \
(type=="ADD_USER" AND op=="adding user to group")) AND isnotnull(acct), acct,\
((type=="USER_MGMT" AND op=="changing-uid") OR \
(type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(AUID) AND AUID!="unset", AUID,\
((type=="USER_MGMT" AND op=="changing-uid") OR \
(type=="USER_CHAUTHTOK" AND op=="changing uid")) AND isnotnull(auid), auid,\
true(), null())
# DM Endpoint.Services, DM Endpoint.Processes
EVAL-process_id = if(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null())
# DM Endpoint.Services, DM Change:Account_Management
EVAL-status = case(type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
isnotnull(res) AND (res=="success" OR res=="1"), "success",\
type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK") AND \
isnotnull(res) AND (res=="failed" OR res=="0"), "failure",\
type IN ("SERVICE_START") AND (res=="success" OR res=="1"), "started",\
type IN ("SERVICE_STOP") AND (res=="success" OR res=="1"), "stopped",\
true(), null())
# DM Authentication:Authentication, DM Change:Account_Management
EVAL-src_user = case(type IN ("ADD_USER", "DEL_USER", "USER_ACCT", "USER_CHAUTHTOK", "USER_START") AND isnotnull(AUID), AUID, true(), null())
Reference in new issue View Git Blame Copy Permalink