Security

OS Impact of ADDON-21209 - Splunk Add-on for Unix and Linux - 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations'

sh1pit76
Explorer

Our organization would like to deploy the Splunk Add-on for Unix and Linux to gain support for Python 3 on our 7.2.3 Splunk deployment. However, due to our having a large number of CentOS systems in our infrastrucutre, there is some concern over the potential OS impact of ADDON-21209. If anyone can elaborate a bit more on this issue, and help me understand the potential implications of running this Add-On on our network, I would greatly appreciate it.

0 Karma
1 Solution

hkubavat_splunk
Splunk Employee
Splunk Employee

First of can you please help me to understand first why python 3 support in 7.2.3 Splunk. AFAIK python 3 support is in Quake(8.0.0).
Also, This addon is using shell script of data collection so there is not python code except the setup page. In this particular JIRA when field value contains the space than it gets trimmed.

[NIX] 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations

Event indexed into Splunk

Tue Feb 5 14:52:21 IST 2019 type=systemctl UNIT=vmtoolsd.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION=Service for virtual machines hosted on VMware

Extracted field from event:

DESCRIPTION= Service

Here DESCRIPTION field got trimmed out and not properly extracted.

View solution in original post

0 Karma

hkubavat_splunk
Splunk Employee
Splunk Employee

First of can you please help me to understand first why python 3 support in 7.2.3 Splunk. AFAIK python 3 support is in Quake(8.0.0).
Also, This addon is using shell script of data collection so there is not python code except the setup page. In this particular JIRA when field value contains the space than it gets trimmed.

[NIX] 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations

Event indexed into Splunk

Tue Feb 5 14:52:21 IST 2019 type=systemctl UNIT=vmtoolsd.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION=Service for virtual machines hosted on VMware

Extracted field from event:

DESCRIPTION= Service

Here DESCRIPTION field got trimmed out and not properly extracted.

0 Karma

sh1pit76
Explorer

My mistake. The Python 3 support mention was related to another add-on that we were looking at. I am mainly looking for validation of my assessment, that this add-on would not present any performance or security risks to targeted CentOS systems. If all we have to worry about are missing, malformed, or trimmed fields, then I would think that the risks to remote CentOS systems are moot.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...