Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF

Notable changes in the Splunk App for *Nix

Splunk App for *Nix

To improve and consolidate Unix performance and configuration data collection, the Splunk App for PCI Compliance contains a set of views in SA-EndpointProtection that display performance and configuration information from Solaris, Linux, and Mac OS X systems.

In previous versions, the collection of performance and configuration data from Unix systems was handled separately from Splunk "knowledge objects" (such as props.conf, transforms.conf, and related files) that parsed and interpreted the data.

These functions are now merged into the Splunk for Unix and Linux app and distributed with the Splunk App for PCI Compliance. A version of the Splunk for Unix and Linux app is also available as a separate download from Splunkbase.

In the earlier version of the Splunk App for PCI Compliance:

  • Deployment apps were distributed to forwarders to collect Unix performance and configuration data. These apps were located in $SPLUNK_HOME/etc/deployment_apps/ after installation. There were three of these apps:
   - linux_base
   - osx_base
   - solaris_base
These apps used Python-based scripted inputs to perform collection tasks, making them unsuitable for installation on universal forwarders. Universal forwarders do not contain a Python distribution.
  • The TA-nix, TA-deploymentapps, and SA-EndpointProtection all contained "knowledge objects" used to interpret the collected data.

In this version of the Splunk App for PCI Compliance:

  • A single app, Splunk for Unix and Linux (or Splunk_TA_nix) now replicates the functionality of the older TA_nix and TA-deploymentapps, which have been deprecated.

Note: SA-EndpointProtection has not been deprecated, but knowledge pertaining to Unix data collection has been migrated into Splunk_TA_nix.

  • Shell scripts are now used to perform data collection, so that the Splunk_TA_nix can be installed on universal forwarders.

For example, the functions provided by the following scripts in the older deployment apps are now performed by a single script in Splunk_TA-nix named "service.sh":

  • Outputs from the older Splunk_TA_nix have been leveraged to provide data in PCI Compliance. These outputs are:
    cpu.sh - provides CPU utilization data
    df.sh - provides filesystem utilization data
    ps.sh - provides process information data
    vmstat.sh - provides memory utilization data
  • Splunk_TA_nix contains all the knowledge objects necessary to parse data produced by the scripted inputs. A few minor modifications were made to SA-EndpointProtection to facilitate backwards compatibility.

Previously, scripted inputs in the deprecated deployment apps generated source and sourcetype values in the following format:

  <OS>:<script name or identifier>

For example, CPU data collected from a Linux, Solaris, or OS X host would have received the following source and sourcetype classifications:


In the new Splunk_TA_nix script architecture, it is not possible in all cases to distinguish the source operating system (OS) at the time of sourcetype classification. Therefore, sources and sourcetypes from scripted inputs in the unified Splunk_TA_nix app have the following, less granular format:

  Unix:<script name or identifier>

For example, CPU information collected from a Linux, Solaris, or OS X host using the new Splunk_TA_nix receive the following source and sourcetype classification irrespective of the source host's operating system:


Splunk administrators should be aware of this naming change, especially when writing searches that perform cross-platform comparison of data. For example, depending on the target system architecture, it might not be accurate to compare CPU utilization percentages directly.

Summary of *nix upgrade considerations

Consider these important changes as you upgrade:

  • If you were using the older deployment apps (linux_base, osx_base, solaris_base) and distributing these apps to forwarders, you can continue to do so without impact. The data collected by these older apps is still collected and interpreted correctly.
  • To begin data collection on universal forwarders, you can now distribute Splunk_TA_nix to your systems.
  • Splunk_TA_nix now supersedes the TA-nix and TA-deploymentapps apps. Both of theses older apps are disabled during installation. If custom modifications have been made to these apps, the changes need to be migrated manually into an appropriate app of your choosing.
Mapping the old scripts to the new scripts
Platform: linux_base
former script new script (or existing script)
linux_cputime.py (cpu.sh)
linux_disk.py (df.sh)
linux_listening_ports.py openPortsEnhanced.sh ***
linux_memory.py (vmstat.sh)
linux_passwd.py passwd.sh
linux_process.py (ps.sh)
linux_selinux_checker.py* selinuxChecker.sh
linux_service.py service.sh
linux_sshd_checker.py sshdChecker.sh ***
linux_update.py** update.sh
linux_uptime.py uptime.sh
linux_version.py version.sh
linux_vsftpd_checker.py vsftpdChecker.sh ***
Platform: osx_base
osx_cputime.py (cpu.sh)
osx_disk.py (df.sh)
osx_listening_ports.py openPortsEnhanced.sh ***
osx_memory.py (vmstat.sh)
osx_passwd.py passwd.sh
osx_process.py (ps.sh)
osx_service.py service.sh ***
osx_sshd_checker.py sshdChecker.sh
osx_update.py** update.sh ***
osx_uptime.py uptime.sh
osx_version.py version.sh
osx_vsftpd_checker.py vsftpdChecker.sh ***
Platform: solaris_base
solaris_cputime.py (cpu.sh)
solaris_disk.py (df.sh)
solaris_listening_ports.py openPortsEnhanced.sh
solaris_memory.py (vmstat.sh)
solaris_passwd.py passwd.sh
solaris_process.py (ps.sh)
solaris_service.py service.sh
solaris_sshd_checker.py sshdChecker.sh
solaris_uptime.py uptime.sh
solaris_version.py version.sh
solaris_vsftpd_checker.py vsftpdChecker.sh ***

* Only present on Linux

** Only present on Mac OS X and Linux

*** Might require root privileges to produce complete results on the indicated OS

Last modified on 26 October, 2015
Plan the upgrade
Upgrade Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters