What data the Splunk TA for Unix and Linux collects

This topic describes what data the Splunk TA for Unix and Linux collects.

The TA collects the following data using file inputs:

• Changes to files present in the /etc directory and subdirectories.
• Changes to files present in the /var/log directory and subdirectories.

The TA collects the following data using scripted inputs:

• CPU statistics via the sar, mpstat and iostat commands (cpu.sh scripted input).
• Free disk space available for each mount via the df command (df.sh scripted input).
• Hardware information - CPU type, count, and cache; hard drives; network interface cards and count; and memory via the dmesg, iostat, ifconfig, and df commands (hardware.sh scripted input).
• Information about the configured network interfaces via the ifconfig and dmesg commands (interfaces.sh scripted input).
• Input/output statistics for block devices and partitions via the iostat command (iostat.sh scripted input).
• Last login times for system accounts via the last command (lastlog.sh scripted input).
• Information about files opened by processes via the lsof command (lsof.sh scripted input).
• Network connections, routing tables and network interface statistics via the netstat command (netstat.sh scripted input).
• Available network ports via the netstat command (openPorts.sh and openPortsEnhanced.sh scripted inputs).
• Information about software packages or sets that are installed on the system via the dpkg-query, pkginfo, and pkg_info commands (package.sh scripted input).
• User nformation via the /etc/passwd file (passwd.sh scripted input)
• Information about TCP/UDP transfer statistics via the netstat command (protocol.sh scripted input).
• Status of current running processes via the ps command (ps.sh scripted input).
• Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
• Information on the status of SELinux on the system (selinuxChecker.sh scripted input).
• Information on installed services via the chkconfig (for Linux) or svcs (for Solaris) commands, or via a listing of the StartupItems directories for OS X (service.sh scripted input).
• Information on the secure shell daemon (sshd) configuration (sshdChecker.sh scripted input).
• System date and time and NTP server time via the date and ntpdate commands (time.sh scripted input).
• List of running system processes via the top command (top.sh scripted input).
• Information on the versions of software packages installed on the system via the yum (for Linux) and softwareupdate (for OS X) commands (update.sh scripted input).
• Information on the system's uptime (via the ps command (uptime.sh scripted input).
• Information about the system's kernel version and architecture via the uname command (version.sh scripted input).
• User attribute information for the local system via the /etc/passwd file (usersWithLoginPrivs.sh scripted input).
• Process related memory usage information via the top, vmstat, and ps commands (vmstat.sh scripted input).
• Information of all users currently logged in via the who command (who.sh scripted input).
• Information on the status and configuration of the Very Secure FTP daemon (VSFTPD) (vsftpdChecker.sh scripted input).

The Splunk Technology Add-on for Unix and Linux puts all the data it indexes into a special index called os.

Note: Blank fields returned in events gathered by the scripted inputs described above are displayed as question marks ("?"). This is expected behavior to preserve field spacing, and is not cause for concern.