Splunk Enterprise Security

Is there documentation on best practice for which inputs to enable for Splunk add-on for Unix/Linux?

kbrown_splunk
Splunk Employee

mcronkrite
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]
# must be super user to run
disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]
# needs /etc/ssh/sshd_config
disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false

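The accepted answer's advice is to enable every input and tune the interval to control data rates, and it notes two stanzas with prerequisites (rlog.sh needs root, sshdChecker.sh needs /etc/ssh/sshd_config). The following is an added example, not code from the Splunk add-on or from the original post: a small Python parser for an inputs.conf fragment of the shape shown above that lists which stanzas are enabled, flags enabled stanzas whose prerequisites the answer calls out, and adds an interval to enabled script stanzas that lack one. The SAMPLE_INPUTS_CONF text is constructed from a few of the stanzas above, and the PREREQUISITES table and the 300-second interval are assumptions; the add-on's own default cadence is not stated on this page.

```python
"""Parse a Splunk inputs.conf fragment and report/adjust scripted inputs.

Added example; not part of the Splunk add-on or the original post.
Assumes stock inputs.conf syntax only: [stanza] headers, key = value
lines, and '#' comments.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on stanzas from the accepted answer.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log]
disabled = false
[script://./bin/cpu.sh]
disabled = false
interval = 30
[script://./bin/rlog.sh]
# must be super user to run
disabled = true
[script://./bin/sshdChecker.sh]
# needs /etc/ssh/sshd_config
disabled = false
"""

# Prerequisites the accepted answer notes; table itself is an assumption.
PREREQUISITES = {
    "script://./bin/rlog.sh": "must run as root",
    "script://./bin/sshdChecker.sh": "needs readable /etc/ssh/sshd_config",
}

_STANZA = re.compile(r"^\[(.+)\]$")
_KV = re.compile(r"^([^=#]+?)\s*=\s*(.*?)$")

Conf = Dict[str, Dict[str, str]]


def parse_inputs_conf(text: str) -> Conf:
    """Return {stanza: {key: value}}; blank lines and '#' comments are
    skipped, keys are lower-cased, later duplicate keys win."""
    conf: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            conf[current][m.group(1).strip().lower()] = m.group(2)
    return conf


def is_enabled(settings: Dict[str, str]) -> bool:
    """A stanza with no 'disabled' key is enabled in Splunk."""
    return settings.get("disabled", "false").lower() not in ("1", "true", "yes")


def enabled_inputs(conf: Conf) -> List[str]:
    return sorted(name for name, s in conf.items() if is_enabled(s))


def scripted_without_interval(conf: Conf) -> List[str]:
    """Enabled script stanzas with no explicit interval: they run at the
    add-on's default cadence, so they are the first place to look when
    data rates need calming."""
    return sorted(
        name for name, s in conf.items()
        if name.startswith("script://") and is_enabled(s) and "interval" not in s
    )


def prerequisite_warnings(conf: Conf) -> Dict[str, str]:
    """Enabled stanzas that will fail silently unless their prerequisite holds."""
    return {n: PREREQUISITES[n] for n in conf if n in PREREQUISITES and is_enabled(conf[n])}


def set_script_interval(conf: Conf, seconds: int) -> Conf:
    """Copy of conf with 'interval = seconds' on every enabled script stanza
    that lacks one; write the result to local/inputs.conf, never default/."""
    out = {name: dict(s) for name, s in conf.items()}
    for name, s in out.items():
        if name.startswith("script://") and is_enabled(s) and "interval" not in s:
            s["interval"] = str(seconds)
    return out


def render(conf: Conf) -> str:
    """Serialise back to inputs.conf text (comments are not preserved)."""
    lines: List[str] = []
    for name, s in conf.items():
        lines.append(f"[{name}]")
        lines.extend(f"{k} = {v}" for k, v in s.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    print("enabled:", enabled_inputs(conf))
    print("script inputs without interval:", scripted_without_interval(conf))
    print("prerequisites to check:", prerequisite_warnings(conf))
    print(render(set_script_interval(conf, 300)))
```

Run it against the real $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf (path assumed from the standard app layout) to see which script inputs are still on their default cadence before raising or lowering intervals.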


ekost
Splunk Employee

Take a look at the add-on's default/tags.conf. The tags relate the various sources to the data models. There's a list of the data models populated by the add-on in its docs. Depending upon the use-case, you could prioritize specific data models by enabling only the inputs that feed them.

martin_mueller
SplunkTrust

Obvious answer: Enable the data required for your ES use case.
Less obvious answer: All data is security relevant, so enable all the things.

To summarize, it depends 🙂

Here's an overview of available inputs: http://docs.splunk.com/Documentation/UnixAddOn/5.2.2/User/Whatdataarecollected

ChrisG
Splunk Employee

I have to agree with Martin here. What are you really asking about? A specific security use case? Performance impact? Data volume? There are a lot of relevant sources. Unless there is a specific reason not to enable them all, then you should start by enabling them all and then see what it brings you.

Have you looked at the documentation for the add-on?

There are lots of add-ons available with Splunk Enterprise Security. Is there something specific about the Unix and Linux add-on that you are interested in?
