Splunk® Supported Add-ons

Splunk Add-on for Linux

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Version comparisons

See the following sections for information on the differences between versions 1.1.0 of the Splunk Add-on for Linux and 2.1.0 of the Splunk Add-on for Linux


2.0.0 - 2.1.0

Field Added/Removed

Sourcetype type, op Added Fields Removed Fields
['linux:audit'] ADD_USER adding user, add-user src_user
['linux:audit'] ADD_USER adding user to group src_user
['linux:audit'] DEL_USER deleting user entries, deleting user from group src_user
['linux:audit'] USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 276, changing /etc/passwd; group group_2/222222, new gid: 10, changing /etc/passwd; group group_2/222222, new gid: 191, changing /etc/passwd; group group_2/222222, new gid: 177, changing /etc/passwd; group group_2/222222, new gid: 6 src_user, src_user_name
['linux:audit'] USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 136, changing /etc/passwd; group group_2/222222, new gid: 90, changing /etc/passwd; group group_2/222222, new gid: 76, changing /etc/passwd; group group_2/222222, new gid: 167 src_user, src_user_name
['linux:audit'] USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 18, changing /etc/passwd; group group_2/222222, new gid: 266, changing /etc/passwd; group group_2/222222, new gid: 250, changing /etc/passwd; group group_2/222222, new gid: 203, changing /etc/passwd; group group_2/222222, new gid: 89, changing /etc/passwd; group group_2/222222, new gid: 62, changing /etc/passwd; group group_2/222222, new gid: 28 src_user, src_user_name
['linux:audit'] USER_CHAUTHTOK changing uid object, src_user
['linux:audit'] USER_STARTPAM:session_open user_id
Sourcetype type, unit Added Fields Removed Fields


['linux:audit'] SERVICE_START auditd tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_START collectd tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_START systemd-timedated tag::eventtype, service, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_START systemd-tmpfiles-clean tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_START update-notifier-download tag::eventtype, service, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_STOP auditd tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_STOP collectd tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_STOP systemd-timedated tag::eventtype, service, status, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_STOP systemd-tmpfiles-clean tag::eventtype, service, user, eventtype, service_name, process_id, tag
['linux:audit'] SERVICE_STOP update-notifier-download tag::eventtype, service, status, user, eventtype, service_name, process_id, tag

CIM Data Model Changes

Sourcetype type Previous CIM model New CIM model
linux:audit SERVICE_START, SERVICE_STOP Endpoint.Services

Fields Modified

Sourcetype type, op Field v2.0.0 v2.1.0
linux:audit USER_LOGIN, login user unset


1.1.0 - 2.0.0

Field mapping comparison

SourceType linux:collectd:graphite

Fields 1.1.0 extractions 2.0.0 extractions
src centos-7-202112200858
-
dest
-
 centos-7-202112200858
tag

oshost

performance

inventory

storage

memory

network

cpu

os

process

oshost

performance

storage

memory

network

cpu

os

process

uptime

tag::eventtype

oshost

performance

inventory

storage

memory

network

cpu

os

process

oshost

performance

storage

memory

network

cpu

os

process

uptime

SourceType linux:collectd:http

src ubuntu-16-202112200858
-
dest
-
 ubuntu-16-202112200858
mount

xvda2

devtmpfs

tmpfs

xvda1

xvda2

devtmpfs

tmpfs

tag

oshost

performance

inventory

storage

network

memory

cpu

os

process

oshost

performance

storage

network

memory

cpu

os

process

uptime

tag::eventtype

oshost

performance

inventory

storage

network

memory

cpu

os

process

oshost

performance

storage

network

memory

cpu

os

process

uptime

SourceType linux:audit

Fields 1.1.0 extractions 2.0.0 extractions
src_user
-

admin

centos

ec2-user

ubuntu

object
-

user_2

group_1

user1

group_2

group_3

unknown(111111)

process_path
-

/bin/sh

user_name
-

user_2

admin

user1

1000

centos

ec2-user

ubuntu

object_category
-

user

group

vendor_product
-

Linux Audit

user_id
-

1000

4294967295

0

process_id
-

10023

21366

21849

7021

7038

7286

8744

887

908

9102

9749

src_user_name
-

admin

centos

ec2-user

ubuntu

signature_id
-

10557

10617

10653

10687

10783

10878

12989

13129

13264

13405

1774

1788

1833

1930

1952

1976

2108

2129

2130

2150

2153

2156

2174

2176

2198

2297

2321

2408

2500

2586

2620

2732

2817

2907

2911

2944

2999

3032

3498

3586

7346

7383

7390

7395

7432

7433

7466

7517

7523

7597

7648

7739

9651

9679

9760

result
-

success

process_name
-

sh

process
-

/bin/sh -c echo BECOME-SUCCESS-dhtumxxtkcrxahvfesdyntewfpidbinb ; /usr/libexec/platform-python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.935285-85400-258159253623075/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-qcssdifrutuskiaslrjulauiloilshzb ; /usr/libexec/platform-python /home/centos/.ansible/tmp/ansible-tmp-1640006080.967474-85356-163360540330224/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-rxaezcaecyjzdwtcgzrnvrczebzdteux ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.997857-85362-116590561680052/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-tgrgbwfdpnprhqxomgoraaqxyjojcwpx ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.972403-85358-162199036065355/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-txxfnpggclncjhsqgaknpbzspzithxec ; /usr/bin/python /home/centos/.ansible/tmp/ansible-tmp-1640006080.94751-85355-75901484427407/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-vqovioujwxvzhqadkoplmolqagqhioeg ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.9018528-85444-80063304780089/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-wfevtrhxsnwdxtnmjdydxdhxmbnufgat ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.885395-85443-191111467693802/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-xzisnyvrwjlborofkkiquvyglfrzpors ; /usr/bin/python3 /home/admin/.ansible/tmp/ansible-tmp-1640006080.991161-85360-123082352417003/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zcnurlegkdamxdgcdjbhhfufazcqmiud ; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.904531-85399-214089969652421/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zrutaialratlpiralyjuydqmarrwajeq ; /usr/bin/python3.6 /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.962355-85403-198294693487419/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zzaswnvpdtgsqqpwnkaandhuaxwdxfik ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006085.35588-85411-67206222024209/AnsiballZ_group.py

tag::action
-

success

failure

change_type
-

AAA

process_exec
-

/bin/sh

signature
-

USER_LOGIN

CRED_ACQ

LOGIN

USER_START

object_id
-

111111

22223

11111

333333

src_user_id
-

1000

dest
-

splunk

process_current_directory
-

/home/admin

/home/ec2-user

/home/ubuntu

/home/centos

linux_ev_ch_mgmt_user
-

admin

centos

ec2-user

ubuntu

src_ip
-

0.0.0.0

127.0.0.1

reason
-

invalid user

action success

1

failed

modified

success

created

deleted

allowed

failure

tag account

change

authentication

privileged

account

change

authentication

success

error

failure

process

report

tag::eventtype account

change

authentication

privileged

account

change

authentication

error

process

report

app /usr/sbin/sshd

/usr/sbin/useradd

/usr/sbin/userdel

/usr/sbin/groupdel

/usr/bin/sudo

/usr/sbin/groupadd

/usr/sbin/usermod

/usr/sbin/groupmod

/usr/sbin/cron

/usr/sbin/sshd

/usr/bin/sudo

/usr/sbin/cron

status success

1

failed

success
eventtype linux_audit_account_change

linux_audit_authentication

linux_audit_privileged

linux_audit_account_change

linux_audit_authentication

linux_audit_endpoint

command /bin/sh -c echo BECOME-SUCCESS-dhtumxxtkcrxahvfesdyntewfpidbinb ; /usr/libexec/platform-python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.935285-85400-258159253623075/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-qcssdifrutuskiaslrjulauiloilshzb ; /usr/libexec/platform-python /home/centos/.ansible/tmp/ansible-tmp-1640006080.967474-85356-163360540330224/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-rxaezcaecyjzdwtcgzrnvrczebzdteux ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.997857-85362-116590561680052/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-tgrgbwfdpnprhqxomgoraaqxyjojcwpx ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.972403-85358-162199036065355/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-txxfnpggclncjhsqgaknpbzspzithxec ; /usr/bin/python /home/centos/.ansible/tmp/ansible-tmp-1640006080.94751-85355-75901484427407/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-vqovioujwxvzhqadkoplmolqagqhioeg ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.9018528-85444-80063304780089/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-wfevtrhxsnwdxtnmjdydxdhxmbnufgat ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.885395-85443-191111467693802/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-xzisnyvrwjlborofkkiquvyglfrzpors ; /usr/bin/python3 /home/admin/.ansible/tmp/ansible-tmp-1640006080.991161-85360-123082352417003/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zcnurlegkdamxdgcdjbhhfufazcqmiud ; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.904531-85399-214089969652421/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zrutaialratlpiralyjuydqmarrwajeq ; /usr/bin/python3.6 /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.962355-85403-198294693487419/AnsiballZ_group.py

/bin/sh -c echo BECOME-SUCCESS-zzaswnvpdtgsqqpwnkaandhuaxwdxfik ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006085.35588-85411-67206222024209/AnsiballZ_group.py

/usr/sbin/useradd

/usr/sbin/userdel

/usr/sbin/groupdel

/usr/sbin/groupadd

/usr/sbin/usermod

/usr/sbin/groupmod

user root

user_2

group_2

28696E76616C6964207573657229

(unknown)

ec2-user

centos

user1

admin

admin

user_2

centos

ec2-user

ubuntu

user1

1000

unset

root

src splunk 0.0.0.0

hostname

127.0.0.1

Event Type comparison

SourceType EventType 1.1.0 search term 2.0.0 search term
linux:audit linux_audit_authentication linux:audit (type=USER_LOGIN OR type=USER_CMD OR type=GRP_AUTH OR type=USER_AUTH) linux:audit type IN ("LOGIN", "USER_LOGIN", "USER_START", "CRED_ACQ")
linux:audit linux_audit_privileged eventtype=linux_audit_authentication type=USER_CMD OR acct=root
-
linux:audit linux_audit_account_change sourcetype=linux:audit (type=ADD_* OR type=CHGRP_ID OR type=CHUSER_ID OR type=GRP_MGMT OR type=USER_MGMT OR type=DEL_*) linux:audit type IN ("ADD_GROUP", "DEL_GROUP", "GRP_MGMT", "USER_ACCT", "ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK")

DM comparison

SourceType EventType 1.1.0 DM 2.0.0 DM
linux:audit linux_audit_anomalies Intrusion Detection, Alerts
linux:audit linux_audit_account_change Change Analysis Change
linux:audit linux_audit_privileged Authentication
Last modified on 25 July, 2022
PREVIOUS
Troubleshoot the Splunk Add-on for Linux 		 

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters