What data the Splunk App and Splunk Add-on for Unix and Linux collect
This topic describes what data the Splunk Add-on for Unix and Linux collects.
Data collection
The add-on collects the following data using file inputs:
- Changes to files present in the
/etc
directory and subdirectories. - Changes to files present in the
/var/log
directory and subdirectories.
The add-on collects the following data using scripted inputs:
- CPU statistics via the
sar
,mpstat
andiostat
commands (cpu.sh
scripted input). - Free disk space available for each mount via the
df
command (df.sh
scripted input). - Hardware information - CPU type, count, and cache; hard drives; network interface cards and count; and memory via the
dmesg
,iostat
,ifconfig
, anddf
commands (hardware.sh
scripted input). - Information about the configured network interfaces via the
ifconfig
anddmesg
commands (interfaces.sh
scripted input). - Input/output statistics for block devices and partitions via the
iostat
command (iostat.sh
scripted input). - Last login times for system accounts via the
last
command (lastlog.sh
scripted input). - Information about files opened by processes via the
lsof
command (lsof.sh
scripted input). - Network connections, routing tables and network interface statistics via the
netstat
command (netstat.sh
scripted input). - Available network ports via the
netstat
command (openPorts.sh
scripted input). - Information about software packages or sets that are installed on the system via the
dpkg-query
,pkginfo
, andpkg_info
commands (package.sh
scripted input). - Information about TCP/UDP transfer statistics via the
netstat
command (protocol.sh
scripted input). - Status of current running processes via the
ps
command (ps.sh
scripted input). - Audit information recorded by the
auditd
daemon to/var/log/audit/audit.log
(rlog.sh
scripted input). - System date and time and NTP server time via the
date
andntpdate
commands (time.sh
scripted input). - List of running system processes via the
top
command (top.sh
scripted input). - User attribute information for the local system via the
/etc/passwd
file (usersWithLoginPrivs.sh
scripted input). - Process related memory usage information via the
top
,vmstat
, andps
commands (vmstat.sh
scripted input). - Information of all users currently logged in via the
who
command (who.sh
scripted input).
Note: Blank fields returned in events gathered by the scripted inputs described above display as question marks ("?"). This is expected behavior to preserve field spacing, and is not cause for concern.
Index locations
The Splunk Add-on for Unix and Linux creates an index called os
. It puts all the data it collects there.
The Splunk Supporting Add-on for Unix and Linux creates two indexes: unix_summary
and firedalerts
. It uses these indexes to maintain the list of triggered alert events.
Indexing volume
The Splunk App for Unix and Linux collects around 200 megabytes of data per host per day. The app can collect slightly more or less based on individual host activity.
Platform and hardware requirements | Other deployment considerations |
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.2.1
Feedback submitted, thanks!