About the Splunk Add-on for Unix and Linux
| Version | 10.2.0 |
| Vendor products | All supported Unix operating systems. See documentation for more information. |
| Add-on has web UI | Yes. This add-on contains views for configuration. |
The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect data from Unix and Linux hosts. Install the Splunk Add-on for Unix and Linux on a forwarder to send data from any number of hosts to a Splunk Enterprise indexer or group of indexers. You can also use the add-on to provide data for other apps, such as Splunk IT Service Intelligence (ITSI) or Splunk Enterprise Security.
File monitoring inputs
The Splunk Add-on for Unix and Linux collects the following data using file monitor inputs:
- Monitoring the /etc directory
- Monitoring the /var/log directory
- Monitoring the /home/*/.bash_history files
- Monitoring the /root/.bash_history file
- Monitoring the /var/adm directory
- Monitoring the /Library/Logs directory
Scripted inputs
The add-on collects data with the following scripted inputs:
| Input | Description |
|---|---|
| bandwidth.sh | Network statistics via the shell commands dlstat, netstat, and sar |
| cpu.sh | CPU statistics via the shell commands sar, mpstat, and iostat |
| cpu_metric.sh | CPU statistics and OS info via the shell commands hostname, ifconfig, uname, sar, mpstat, and iostat |
| df.sh | Free disk space for each mount point via the shell commands df, mount, and fstyp |
| df_metric.sh | Free disk space for each mount point and OS info via the shell commands hostname, ifconfig, uname, df, mount, and fstyp |
| hardware.sh | Hardware information via the shell commands cpuinfo, df, dmesg, hwinfo, ifconfig, ioscan, iostat, ip, lanscan, lsattr, lscfg, lsdev, lsps, lspv, meminfo, mpstat, prtconf, prtdiag, sysctl, system_profiler, swap, swapinfo, and top |
| interfaces.sh | Configured network interfaces via the shell commands dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat |
| interfaces_metric.sh | Configured network interfaces and OS info via the shell commands hostname, uname, dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat |
| iostat.sh | Input/output statistics for block devices and partitions via the shell commands darwin_disk_stats, iostat, and sar |
| iostat_metric.sh | Input/output statistics for block devices and partitions and OS info via the shell commands hostname, ifconfig, uname, darwin_disk_stats, iostat, and sar |
| lastlog.sh | Last login times for system accounts via the shell commands last and lastb |
| lsof.sh | Process and open file information via the shell command lsof |
| netstat.sh | Network connections, routing tables, and network interface information via the shell command netstat |
| nfsiostat.sh | NFS mount statistics via the shell command nfsiostat. Requires the nfs-utils package. |
| openPorts.sh | Open network ports via the shell command netstat |
| openPortsEnhanced.sh | TCP/UDP ports in a listening state, with the owning process, process ID, IP version, and so on, via the shell commands lsof and netstat |
| package.sh | Installed software packages via the shell commands dpkg-query, pkginfo, pkg_info, pkg info, system_profiler, and swlist |
| passwd.sh | Username and associated user ID, group ID, and login shell for each account |
| protocol.sh | TCP/UDP transfer statistics via the shell commands netstat or nstat |
| ps.sh | Status of currently running processes via the shell command ps |
| ps_metric.sh | Status of currently running processes and OS info via the shell commands hostname, ifconfig, uname, and ps |
| rlog.sh | Linux Auditing System events recorded in /var/log/audit/audit.log by auditd |
| selinuxChecker.sh | Parses /etc/sysconfig/selinux to check whether SELinux is configured |
| service.sh | Running services and associated details via the shell commands chkconfig, dscl, svcs, and systemctl |
| sshdChecker.sh | Parses sshd_config for information about the local sshd configuration |
| time.sh | System date and time, and NTP server time, via the shell commands chronyc, date, and ntpdate |
| top.sh | List of running system processes via the shell commands ps and top |
| update.sh | Available software updates for installed packages via the shell commands softwareupdate, yum, and zypper |
| uptime.sh | System date and uptime information via the shell command date |
| usersWithLoginPrivs.sh | Usernames of system accounts that have login privileges |
| version.sh | OS/kernel version details via the shell commands uname, sw_vers, and oslevel, and from the /etc/*-release files |
| vmstat.sh | Process-related memory usage information via the shell commands prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat |
| vmstat_metric.sh | Process-related memory usage information and OS info via the shell commands hostname, ifconfig, uname, prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat |
| vsftpdChecker.sh | Parses vsftpd.conf, found in /etc, /etc/vsftpd, or /private/etc, for information about the local vsftpd server configuration |
| who.sh | All users currently logged in via the shell command who |
The add-on displays question marks (“?”) for blank fields that the scripted inputs return within individual events. This is expected behavior to preserve field spacing.
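As an added illustration of the output convention described above (one fixed-width record per event, with "?" standing in for any blank field), here is a hypothetical scripted input in the style of passwd.sh. It is not code from the Splunk Add-on for Unix and Linux; the column layout, the function names, and the sample /etc/passwd content are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: a hypothetical scripted input in the style of the add-on's
# passwd.sh. It is not the script shipped with the Splunk Add-on for Unix and
# Linux; it only mirrors the conventions the documentation describes: fixed-width
# columns, and a "?" in place of any blank field so column positions survive.

# Constructed sample standing in for /etc/passwd (not real host data). The
# last record deliberately has an empty GECOS field and an empty shell field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
svc-backup:x:1001:1001::/var/lib/backup:'

# Print the value unchanged, or "?" when it is empty.
blank_to_qm() {
    if [ -n "$1" ]; then
        printf '%s' "$1"
    else
        printf '?'
    fi
}

# Turn one passwd record into one fixed-width event line:
# USERNAME USER_ID GROUP_ID USER_SHELL
format_passwd_record() {
    old_ifs=$IFS
    IFS=:
    set -f              # no pathname expansion while splitting on ':'
    set -- $1           # positional parameters now hold the passwd fields
    set +f
    IFS=$old_ifs
    # A missing trailing field (empty shell) leaves $7 unset, which is
    # exactly the case blank_to_qm turns into "?".
    printf '%-16s %-6s %-6s %s\n' \
        "$(blank_to_qm "$1")" "$(blank_to_qm "$3")" \
        "$(blank_to_qm "$4")" "$(blank_to_qm "$7")"
}

# Emit the header row followed by one line per account, skipping blank and
# comment lines as a real input reading /etc/passwd would have to.
passwd_report() {
    printf '%-16s %-6s %-6s %s\n' USERNAME USER_ID GROUP_ID USER_SHELL
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        format_passwd_record "$line"
    done
}

passwd_report
```

Run it with sh to see the header followed by four records; the svc-backup line ends in "?" rather than a collapsed column. The practical consequence for searches is the one the paragraph above implies: "?" in a field means the host returned nothing, not that a shell or account literally named "?" exists, so a search that counts distinct shells or filters on USER_SHELL must treat "?" as missing data.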
Download the Splunk Add-on for Unix and Linux from Splunkbase.
For a summary of new features, fixed issues, and known issues, see Release notes for the Splunk Add-on for Unix and Linux.
For information about installing and configuring the Splunk Add-on for Unix and Linux, see Installation and configuration overview for the Splunk Add-on for Unix and Linux.
For questions about the Splunk Add-on for Unix and Linux, see the Splunk Community page on Splunk Answers.