Security

OS Impact of ADDON-21209 - Splunk Add-on for Unix and Linux - 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations'

sh1pit76
Explorer

Our organization would like to deploy the Splunk Add-on for Unix and Linux to gain support for Python 3 on our 7.2.3 Splunk deployment. However, due to our having a large number of CentOS systems in our infrastrucutre, there is some concern over the potential OS impact of ADDON-21209. If anyone can elaborate a bit more on this issue, and help me understand the potential implications of running this Add-On on our network, I would greatly appreciate it.

0 Karma
1 Solution

hkubavat_splunk
Splunk Employee
Splunk Employee

First of can you please help me to understand first why python 3 support in 7.2.3 Splunk. AFAIK python 3 support is in Quake(8.0.0).
Also, This addon is using shell script of data collection so there is not python code except the setup page. In this particular JIRA when field value contains the space than it gets trimmed.

[NIX] 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations

Event indexed into Splunk

Tue Feb 5 14:52:21 IST 2019 type=systemctl UNIT=vmtoolsd.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION=Service for virtual machines hosted on VMware

Extracted field from event:

DESCRIPTION= Service

Here DESCRIPTION field got trimmed out and not properly extracted.

View solution in original post

0 Karma

hkubavat_splunk
Splunk Employee
Splunk Employee

First of can you please help me to understand first why python 3 support in 7.2.3 Splunk. AFAIK python 3 support is in Quake(8.0.0).
Also, This addon is using shell script of data collection so there is not python code except the setup page. In this particular JIRA when field value contains the space than it gets trimmed.

[NIX] 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations

Event indexed into Splunk

Tue Feb 5 14:52:21 IST 2019 type=systemctl UNIT=vmtoolsd.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION=Service for virtual machines hosted on VMware

Extracted field from event:

DESCRIPTION= Service

Here DESCRIPTION field got trimmed out and not properly extracted.

0 Karma

sh1pit76
Explorer

My mistake. The Python 3 support mention was related to another add-on that we were looking at. I am mainly looking for validation of my assessment, that this add-on would not present any performance or security risks to targeted CentOS systems. If all we have to worry about are missing, malformed, or trimmed fields, then I would think that the risks to remote CentOS systems are moot.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...