Version comparisons¶
See the following sections for information on the differences between versions 1.1.0 of the Splunk Add-on for Linux and 2.1.0 of the Splunk Add-on for Linux
2.0.0 - 2.1.0¶
Field added/removed¶
| Sourcetype | type, op | Added Fields | Removed Fields |
|---|---|---|---|
['linux:audit'] |
ADD_USER adding user, add-user | src_user | |
['linux:audit'] |
ADD_USER adding user to group | src_user | |
['linux:audit'] |
DEL_USER deleting user entries, deleting user from group | src_user | |
['linux:audit'] |
USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 276, changing /etc/passwd; group group_2/222222, new gid: 10, changing /etc/passwd; group group_2/222222, new gid: 191, changing /etc/passwd; group group_2/222222, new gid: 177, changing /etc/passwd; group group_2/222222, new gid: 6 | src_user, src_user_name | |
['linux:audit'] |
USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 136, changing /etc/passwd; group group_2/222222, new gid: 90, changing /etc/passwd; group group_2/222222, new gid: 76, changing /etc/passwd; group group_2/222222, new gid: 167 | src_user, src_user_name | |
['linux:audit'] |
USER_ACCT changing /etc/passwd; group group_2/222222, new gid: 18, changing /etc/passwd; group group_2/222222, new gid: 266, changing /etc/passwd; group group_2/222222, new gid: 250, changing /etc/passwd; group group_2/222222, new gid: 203, changing /etc/passwd; group group_2/222222, new gid: 89, changing /etc/passwd; group group_2/222222, new gid: 62, changing /etc/passwd; group group_2/222222, new gid: 28 | src_user, src_user_name | |
['linux:audit'] |
USER_CHAUTHTOK changing uid | object, src_user | |
['linux:audit'] |
USER_STARTPAM:session_open | user_id |
| Sourcetype | type, unit | Added Fields | Removed Fields |
|---|---|---|---|
['linux:audit'] |
SERVICE_START auditd | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_START collectd | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_START systemd-timedated | tag::eventtype, service, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_START systemd-tmpfiles-clean | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_START update-notifier-download | tag::eventtype, service, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_STOP auditd | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_STOP collectd | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_STOP systemd-timedated | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_STOP systemd-tmpfiles-clean | tag::eventtype, service, user, eventtype, service_name, process_id, tag | |
['linux:audit'] |
SERVICE_STOP update-notifier-download | tag::eventtype, service, status, user, eventtype, service_name, process_id, tag |
CIM Data Model changes¶
| Sourcetype | type | Previous CIM model | New CIM model |
|---|---|---|---|
linux:audit |
SERVICE_START, SERVICE_STOP | Endpoint.Services |
Fields modified¶
| Sourcetype | type, op | Field | v2.0.0 | v2.1.0 | v2.1.1 |
| — | — | — | — | — |
| linux:audit | USER_LOGIN, login | user | unset | MAX_TIMESTAMP_LOOKAHEAD |
1.1.0 - 2.0.0¶
Field mapping comparison¶
SourceType linux:collectd:graphite
| Fields | 1.1.0 extractions | 2.0.0 extractions |
|---|---|---|
| src | centos-7-202112200858 | - |
| dest | - | centos-7-202112200858 |
| tag | oshost performance inventory storage memory network cpu os process |
oshost performance storage memory network cpu os process uptime |
| tag::eventtype | oshost performance inventory storage memory network cpu os process |
oshost performance storage memory network cpu os process uptime |
SourceType linux:collectd:http
| src | ubuntu-16-202112200858 | - |
| dest | - | ubuntu-16-202112200858 |
| mount | xvda2 devtmpfs tmpfs |
xvda1 xvda2 devtmpfs tmpfs |
| tag | oshost performance inventory storage network memory cpu os process |
oshost performance storage network memory cpu os process uptime |
| tag::eventtype | oshost performance inventory storage network memory cpu os process |
oshost performance storage network memory cpu os process uptime |
SourceType linux:audit
| Fields | 1.1.0 extractions | 2.0.0 extractions |
|---|---|---|
| src_user | - | admin centos ec2-user ubuntu |
| object | - | user_2 group_1 user1 group_2 group_3 unknown(111111) |
| process_path | - | /bin/sh |
| user_name | - | user_2 admin user1 1000 centos ec2-user ubuntu |
| object_category | - | user group |
| vendor_product | - | Linux Audit |
| user_id | - | 1000 4294967295 0 |
| process_id | - | 10023 21366 21849 7021 7038 7286 8744 887 908 9102 9749 |
| src_user_name | - | admin centos ec2-user ubuntu |
| signature_id | - | 10557 10617 10653 10687 10783 10878 12989 13129 13264 13405 1774 1788 1833 1930 1952 1976 2108 2129 2130 2150 2153 2156 2174 2176 2198 2297 2321 2408 2500 2586 2620 2732 2817 2907 2911 2944 2999 3032 3498 3586 7346 7383 7390 7395 7432 7433 7466 7517 7523 7597 7648 7739 9651 9679 9760 |
| result | - | success |
| process_name | - | sh |
| process | - | /bin/sh -c echo BECOME-SUCCESS-dhtumxxtkcrxahvfesdyntewfpidbinb ; /usr/libexec/platform-python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.935285-85400-258159253623075/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-qcssdifrutuskiaslrjulauiloilshzb ; /usr/libexec/platform-python /home/centos/.ansible/tmp/ansible-tmp-1640006080.967474-85356-163360540330224/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-rxaezcaecyjzdwtcgzrnvrczebzdteux ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.997857-85362-116590561680052/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-tgrgbwfdpnprhqxomgoraaqxyjojcwpx ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.972403-85358-162199036065355/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-txxfnpggclncjhsqgaknpbzspzithxec ; /usr/bin/python /home/centos/.ansible/tmp/ansible-tmp-1640006080.94751-85355-75901484427407/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-vqovioujwxvzhqadkoplmolqagqhioeg ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.9018528-85444-80063304780089/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-wfevtrhxsnwdxtnmjdydxdhxmbnufgat ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.885395-85443-191111467693802/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-xzisnyvrwjlborofkkiquvyglfrzpors ; /usr/bin/python3 /home/admin/.ansible/tmp/ansible-tmp-1640006080.991161-85360-123082352417003/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zcnurlegkdamxdgcdjbhhfufazcqmiud ; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.904531-85399-214089969652421/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zrutaialratlpiralyjuydqmarrwajeq ; /usr/bin/python3.6 /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.962355-85403-198294693487419/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zzaswnvpdtgsqqpwnkaandhuaxwdxfik ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006085.35588-85411-67206222024209/AnsiballZ_group.py |
| tag::action | - | success failure |
| change_type | - | AAA |
| process_exec | - | /bin/sh |
| signature | - | USER_LOGIN CRED_ACQ LOGIN USER_START |
| object_id | - | 111111 22223 11111 333333 |
| src_user_id | - | 1000 |
| dest | - | splunk |
| process_current_directory | - | /home/admin /home/ec2-user /home/ubuntu /home/centos |
| linux_ev_ch_mgmt_user | - | admin centos ec2-user ubuntu |
| src_ip | - | 0.0.0.0 127.0.0.1 |
| reason | - | invalid user |
| action | success 1 failed |
modified success created deleted allowed failure |
| tag | account change authentication privileged |
account change authentication success error failure process report |
| tag::eventtype | account change authentication privileged |
account change authentication error process report |
| app | /usr/sbin/sshd /usr/sbin/useradd /usr/sbin/userdel /usr/sbin/groupdel /usr/bin/sudo /usr/sbin/groupadd /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/cron |
/usr/sbin/sshd /usr/bin/sudo /usr/sbin/cron |
| status | success 1 failed |
success |
| eventtype | linux_audit_account_change linux_audit_authentication linux_audit_privileged |
linux_audit_account_change linux_audit_authentication linux_audit_endpoint |
| command | /bin/sh -c echo BECOME-SUCCESS-dhtumxxtkcrxahvfesdyntewfpidbinb ; /usr/libexec/platform-python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.935285-85400-258159253623075/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-qcssdifrutuskiaslrjulauiloilshzb ; /usr/libexec/platform-python /home/centos/.ansible/tmp/ansible-tmp-1640006080.967474-85356-163360540330224/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-rxaezcaecyjzdwtcgzrnvrczebzdteux ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.997857-85362-116590561680052/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-tgrgbwfdpnprhqxomgoraaqxyjojcwpx ; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1640006080.972403-85358-162199036065355/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-txxfnpggclncjhsqgaknpbzspzithxec ; /usr/bin/python /home/centos/.ansible/tmp/ansible-tmp-1640006080.94751-85355-75901484427407/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-vqovioujwxvzhqadkoplmolqagqhioeg ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.9018528-85444-80063304780089/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-wfevtrhxsnwdxtnmjdydxdhxmbnufgat ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006088.885395-85443-191111467693802/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-xzisnyvrwjlborofkkiquvyglfrzpors ; /usr/bin/python3 /home/admin/.ansible/tmp/ansible-tmp-1640006080.991161-85360-123082352417003/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zcnurlegkdamxdgcdjbhhfufazcqmiud ; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.904531-85399-214089969652421/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zrutaialratlpiralyjuydqmarrwajeq ; /usr/bin/python3.6 /home/ec2-user/.ansible/tmp/ansible-tmp-1640006084.962355-85403-198294693487419/AnsiballZ_group.py /bin/sh -c echo BECOME-SUCCESS-zzaswnvpdtgsqqpwnkaandhuaxwdxfik ; /usr/bin/python3 /home/ubuntu/.ansible/tmp/ansible-tmp-1640006085.35588-85411-67206222024209/AnsiballZ_group.py |
/usr/sbin/useradd /usr/sbin/userdel /usr/sbin/groupdel /usr/sbin/groupadd /usr/sbin/usermod /usr/sbin/groupmod |
| user | root user_2 group_2 28696E76616C6964207573657229 (unknown) ec2-user centos user1 admin |
admin user_2 centos ec2-user ubuntu user1 1000 unset root |
| src | splunk | 0.0.0.0 hostname 127.0.0.1 |
Event Type comparison¶
| SourceType | EventType | 1.1.0 search term | 2.0.0 search term |
|---|---|---|---|
| linux:audit | linux_audit_authentication | linux:audit (type=USER_LOGIN OR type=USER_CMD OR type=GRP_AUTH OR type=USER_AUTH) | linux:audit type IN (“LOGIN”, “USER_LOGIN”, “USER_START”, “CRED_ACQ”) |
| linux:audit | linux_audit_privileged | eventtype=linux_audit_authentication type=USER_CMD OR acct=root | - |
| linux:audit | linux_audit_account_change | sourcetype=linux:audit (type=ADD_* OR type=CHGRP_ID OR type=CHUSER_ID OR type=GRP_MGMT OR type=USER_MGMT OR type=DEL_*) | linux:audit type IN (“ADD_GROUP”, “DEL_GROUP”, “GRP_MGMT”, “USER_ACCT”, “ADD_USER”, “DEL_USER”, “USER_MGMT”, “USER_CHAUTHTOK”) |
DM comparison¶
| SourceType | EventType | 1.1.0 DM | 2.0.0 DM |
|---|---|---|---|
| linux:audit | linux_audit_anomalies | Intrusion Detection, Alerts | |
| linux:audit | linux_audit_account_change | Change Analysis | Change |
| linux:audit | linux_audit_privileged | Authentication |