Splunk Enterprise Security

Is there documentation on best practice for which inputs to enable for Splunk add-on for Unix/Linux?

kbrown_splunk
Splunk Employee
Splunk Employee
0 Karma
1 Solution

mcronkrite
Splunk Employee
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]

must be super user to run

disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]

needs /etc/ssh/sshd_config

disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false

View solution in original post

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

Turn everything on if you want all the dashboards in ES to light up.
Adjust the interval if you need to calm down the data rates.

[monitor:///var/log]
disabled = false
[monitor:///etc]
disabled = false
[monitor:///home/.../.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///var/adm]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]

must be super user to run

disabled = true
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]

needs /etc/ssh/sshd_config

disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false

0 Karma

ekost
Splunk Employee
Splunk Employee

Take a look at the add-on's default/tags.conf. The tags relate the various sources to the data models. There's a list of the data models populated by the add-on in its docs. Depending upon the use-case, you could prioritize specific data models by enabling only the inputs that feed them.

martin_mueller
SplunkTrust
SplunkTrust

Obvious answer: Enable the data required for your ES use case.
Less obvious answer: All data is security relevant, so enable all the things.

To summarize, it depends 🙂

Here's an overview of available inputs: http://docs.splunk.com/Documentation/UnixAddOn/5.2.2/User/Whatdataarecollected

ChrisG
Splunk Employee
Splunk Employee

I have to agree with Martin here. What are you really asking about? A specific security use case? Performance impact? Data volume? There are a lot of relevant sources. Unless there is a specific reason not to enable them all, then you should start by enabling them all and then see what it brings you.

Have you looked at the documentation for the add-on?

There are lots of add-ons available with Splunk Enterprise Security. Is there something specific about the Unix and Linux add-on that you are interested in?

Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...