Splunk Enterprise Security

Is there documentation on best practice for which inputs to enable for Splunk add-on for Unix/Linux?

kbrown_splunk
Splunk Employee
0 Karma
1 Solution

mcronkrite
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]
# must be super user to run
disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]
# needs /etc/ssh/sshd_config
disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false


0 Karma


ekost
Splunk Employee

Take a look at the add-on's default/tags.conf. The tags relate the various sources to the data models. There's a list of the data models populated by the add-on in its docs. Depending upon the use-case, you could prioritize specific data models by enabling only the inputs that feed them.
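The two answers above amount to the same operational step: decide the set of inputs and intervals you want (everything, as mcronkrite suggests, or only the inputs that feed the data models you care about, as ekost suggests) and express that as a local/inputs.conf override rather than by editing the add-on's default/inputs.conf. The script below is an added example, not the add-on's or Splunk's own code; it parses two constructed .conf fragments, layers local over default per stanza and per key the way Splunk resolves configuration, and reports the effective enabled state and interval of each input. The stanza names are the add-on's inputs as listed in the thread, but the interval values and the local selection are made up for the example and are not the shipped defaults. It also flags a bare note line like "needs /etc/ssh/sshd_config" (copied from the listing in this thread) that is not a comment without a leading `#` and would otherwise be ignored silently.

```python
"""Effective-input check for the Splunk Add-on for Unix and Linux.

Added example, not the add-on's code. Splunk resolves inputs.conf by layering:
a key in local/inputs.conf overrides the same key in the same stanza of
default/inputs.conf; anything not mentioned in local/ keeps its default.
Stanza names match the thread's listing; interval values are constructed.
"""
import re

# Constructed stand-in for default/inputs.conf (subset of the thread's list;
# the interval values are invented, not the add-on's real defaults).
DEFAULT_INPUTS = """\
[monitor:///var/log]
disabled = false

[monitor:///home/.../.bash_history]
disabled = false

[script://./bin/ps.sh]
interval = 30
disabled = false

[script://./bin/top.sh]
interval = 60
disabled = false

[script://./bin/rlog.sh]
# must be super user to run
interval = 60
disabled = true
"""

# Constructed local/inputs.conf: keep process data, sample top.sh less often to
# calm the data rate, drop shell history. The bare note under sshdChecker.sh
# mirrors the thread's listing: without a leading '#' it is not a comment.
LOCAL_INPUTS = """\
[script://./bin/top.sh]
interval = 600

[monitor:///home/.../.bash_history]
disabled = true

[script://./bin/sshdChecker.sh]
needs /etc/ssh/sshd_config
disabled = false
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
KEY_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} plus a list of bad lines.

    Blank lines and '#' comments are skipped. Any other line that is neither a
    stanza header nor 'key = value' is returned as (line number, text), since
    Splunk would ignore it silently and the intended setting never takes effect.
    """
    stanzas, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2).strip()
            continue
        problems.append((lineno, line))
    return stanzas, problems


def merge(default, local):
    """Layer local over default the way Splunk does: per stanza, per key."""
    effective = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        effective.setdefault(name, {}).update(keys)
    return effective


def effective_inputs(default_text=DEFAULT_INPUTS, local_text=LOCAL_INPUTS):
    """Return ({stanza: {'enabled': bool, 'interval': int|str|None}}, problems)."""
    default, bad_default = parse_conf(default_text)
    local, bad_local = parse_conf(local_text)
    result = {}
    for name, keys in merge(default, local).items():
        # No 'disabled' key means enabled; interval may be seconds or a cron string.
        enabled = keys.get("disabled", "false").lower() not in ("1", "true")
        interval = keys.get("interval")
        if interval is not None and interval.isdigit():
            interval = int(interval)
        result[name] = {"enabled": enabled, "interval": interval}
    return result, bad_default + bad_local


if __name__ == "__main__":
    inputs, problems = effective_inputs()
    for name, info in sorted(inputs.items()):
        print(f"{'on ' if info['enabled'] else 'off'} {name:42} interval={info['interval']}")
    for lineno, text in problems:
        print(f"local/inputs.conf line {lineno}: not a setting: {text!r}")
```

Run it against your own default/ and local/ files by passing their contents to `effective_inputs()`; the report shows what the forwarder will actually do after layering, and any line listed under "not a setting" is a note that needs a `#` in front of it.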

martin_mueller
SplunkTrust

Obvious answer: Enable the data required for your ES use case.
Less obvious answer: All data is security relevant, so enable all the things.

To summarize, it depends 🙂

Here's an overview of available inputs: http://docs.splunk.com/Documentation/UnixAddOn/5.2.2/User/Whatdataarecollected

ChrisG
Splunk Employee

I have to agree with Martin here. What are you really asking about? A specific security use case? Performance impact? Data volume? There are a lot of relevant sources. Unless there is a specific reason not to enable them all, then you should start by enabling them all and then see what it brings you.

Have you looked at the documentation for the add-on?

There are lots of add-ons available with Splunk Enterprise Security. Is there something specific about the Unix and Linux add-on that you are interested in?
