Splunk Enterprise Security

Is there documentation on best practice for which inputs to enable for Splunk add-on for Unix/Linux?

kbrown_splunk
Splunk Employee
Splunk Employee
0 Karma
1 Solution

mcronkrite
Splunk Employee
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]

must be super user to run

disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]

needs /etc/ssh/sshd_config

disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false

View solution in original post

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]

must be super user to run

disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]

needs /etc/ssh/sshd_config

disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false

View solution in original post

0 Karma

ekost
Splunk Employee
Splunk Employee

Take a look at the add-on's default/tags.conf. The tags relate the various sources to the data models. There's a list of the data models populated by the add-on in its docs. Depending upon the use-case, you could prioritize specific data models by enabling only the inputs that feed them.

martin_mueller
SplunkTrust
SplunkTrust

Obvious answer: Enable the data required for your ES use case.
Less obvious answer: All data is security relevant, so enable all the things.

To summarize, it depends 🙂

Here's an overview of available inputs: http://docs.splunk.com/Documentation/UnixAddOn/5.2.2/User/Whatdataarecollected

ChrisG
Splunk Employee
Splunk Employee

I have to agree with Martin here. What are you really asking about? A specific security use case? Performance impact? Data volume? There are a lot of relevant sources. Unless there is a specific reason not to enable them all, then you should start by enabling them all and then see what it brings you.

Have you looked at the documentation for the add-on?

There are lots of add-ons available with Splunk Enterprise Security. Is there something specific about the Unix and Linux add-on that you are interested in?

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!