What data the Splunk App and Splunk TA for Unix and Linux collect
This topic describes what data the Splunk App and the Splunk TA for Unix and Linux collect.
The full app and TA collect the following data using file inputs:
- Changes to files present in the /etc directory and its subdirectories.
- Changes to files present in the /var/log directory and its subdirectories.
The full app and TA collect the following data using scripted inputs:
- CPU statistics via the sar, mpstat and iostat commands (cpu.sh scripted input).
- Free disk space available for each mount via the df command (df.sh scripted input).
- Hardware information: CPU type, count, and cache; hard drives; network interface cards and count; and memory, via the dmesg, iostat, ifconfig, and df commands (hardware.sh scripted input).
- Information about the configured network interfaces via the ifconfig and dmesg commands (interfaces.sh scripted input).
- Input/output statistics for block devices and partitions via the iostat command (iostat.sh scripted input).
- Last login times for system accounts via the last command (lastlog.sh scripted input).
- Information about files opened by processes via the lsof command (lsof.sh scripted input).
- Network connections, routing tables and network interface statistics via the netstat command (netstat.sh scripted input).
- Available network ports via the netstat command (openPorts.sh scripted input).
- Information about software packages or sets that are installed on the system via the dpkg-query, pkginfo, and pkg_info commands (package.sh scripted input).
- Information about TCP/UDP transfer statistics via the netstat command (protocol.sh scripted input).
- Status of currently running processes via the ps command (ps.sh scripted input).
- Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
- System date and time and NTP server time via the date and ntpdate commands (time.sh scripted input).
- List of running system processes via the top command (top.sh scripted input).
- User attribute information for the local system via the /etc/passwd file (usersWithLoginPrivs.sh scripted input).
- Process-related memory usage information via the top, vmstat, and ps commands (vmstat.sh scripted input).
- Information about all users currently logged in via the who command (who.sh scripted input).
The Splunk App for Unix and Linux puts all the data it indexes into a special index called os.
Note: Blank fields returned in events gathered by the scripted inputs described above are displayed as question marks ("?"). This is expected behavior to preserve field spacing, and is not cause for concern.
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 4.5, 4.6