You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1320 lines
32 KiB
1320 lines
32 KiB
7 months ago
|
# Version 9.2.2.20240415
|
||
|
# DO NOT EDIT THIS FILE!
|
||
|
# Changes to default files will be lost on update and are difficult to
|
||
|
# manage and support.
|
||
|
#
|
||
|
# Please make any changes to system defaults by overriding them in
|
||
|
# apps or $SPLUNK_HOME/etc/system/local
|
||
|
# (See "Configuration file precedence" in the web documentation).
|
||
|
#
|
||
|
# To override a specific setting, copy the name of the stanza and
|
||
|
# setting to the file where you wish to override it.
|
||
|
#
|
||
|
# This file contains possible attribute/value pairs for configuring
|
||
|
# Splunk's processing properties.
|
||
|
#
|
||
|
|
||
|
[default]
|
||
|
CHARSET = UTF-8
|
||
|
LINE_BREAKER_LOOKBEHIND = 100
|
||
|
TRUNCATE = 10000
|
||
|
LB_CHUNK_BREAKER_TRUNCATE = 2000000
|
||
|
DATETIME_CONFIG = /etc/datetime.xml
|
||
|
ADD_EXTRA_TIME_FIELDS = True
|
||
|
ANNOTATE_PUNCT = True
|
||
|
HEADER_MODE =
|
||
|
MATCH_LIMIT = 100000
|
||
|
DEPTH_LIMIT = 1000
|
||
|
MAX_DAYS_HENCE=2
|
||
|
MAX_DAYS_AGO=2000
|
||
|
MAX_DIFF_SECS_AGO=3600
|
||
|
MAX_DIFF_SECS_HENCE=604800
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
|
||
|
SHOULD_LINEMERGE = True
|
||
|
BREAK_ONLY_BEFORE =
|
||
|
BREAK_ONLY_BEFORE_DATE = True
|
||
|
MAX_EVENTS = 256
|
||
|
MUST_BREAK_AFTER =
|
||
|
MUST_NOT_BREAK_AFTER =
|
||
|
MUST_NOT_BREAK_BEFORE =
|
||
|
TRANSFORMS =
|
||
|
SEGMENTATION = indexing
|
||
|
SEGMENTATION-all = full
|
||
|
SEGMENTATION-inner = inner
|
||
|
SEGMENTATION-outer = outer
|
||
|
SEGMENTATION-raw = none
|
||
|
SEGMENTATION-standard = standard
|
||
|
LEARN_SOURCETYPE = true
|
||
|
LEARN_MODEL = true
|
||
|
termFrequencyWeightedDist = false
|
||
|
maxDist = 100
|
||
|
AUTO_KV_JSON = true
|
||
|
detect_trailing_nulls = false
|
||
|
sourcetype =
|
||
|
priority =
|
||
|
unarchive_cmd_start_mode = shell
|
||
|
|
||
|
########## APPLICATION SERVERS ##########
|
||
|
|
||
|
[log4j]
|
||
|
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
|
||
|
pulldown_type = true
|
||
|
maxDist = 75
|
||
|
category = Application
|
||
|
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
|
||
|
|
||
|
[log4php]
|
||
|
pulldown_type = true
|
||
|
BREAK_ONLY_BEFORE = ^\w{3} \w{3}
|
||
|
category = Application
|
||
|
description = Output produced by a machine that runs the log4php logging utility
|
||
|
|
||
|
[weblogic_stdout]
|
||
|
pulldown_type = true
|
||
|
maxDist = 60
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 34
|
||
|
MAX_EVENTS = 2048
|
||
|
REPORT-st = weblogic-code
|
||
|
category = Application
|
||
|
description = Output produced by the Oracle WebLogic Java EE application server
|
||
|
|
||
|
[websphere_activity]
|
||
|
pulldown_type = true
|
||
|
BREAK_ONLY_BEFORE = ^-----
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 500
|
||
|
REPORT-st = colon-line
|
||
|
category = Application
|
||
|
description = Activity logs produced by the Oracle WebLogic Java EE application server
|
||
|
|
||
|
[websphere_core]
|
||
|
pulldown_type = true
|
||
|
maxDist = 70
|
||
|
BREAK_ONLY_BEFORE = ^NULL\s
|
||
|
category = Application
|
||
|
description = Output produced by the IBM WebSphere application server
|
||
|
|
||
|
[websphere_trlog]
|
||
|
pulldown_type = true
|
||
|
REPORT-st = was-trlog-code
|
||
|
category = Application
|
||
|
description = Trace output produced by the IBM WebSphere application server
|
||
|
|
||
|
[log4net_xml]
|
||
|
maxDist = 75
|
||
|
NO_BINARY_CHECK = 1
|
||
|
SHOULD_LINEMERGE = true
|
||
|
BREAK_ONLY_BEFORE = <log4net:event
|
||
|
TIME_PREFIX = timestamp="
|
||
|
MAX_EVENTS = 1000
|
||
|
pulldown_type = 1
|
||
|
category = Application
|
||
|
description = An XML-formatted output of the Apache log4j framework to the Microsoft .NET runtime
|
||
|
|
||
|
[catalina]
|
||
|
BREAK_ONLY_BEFORE_DATE = true
|
||
|
SHOULD_LINEMERGE=true
|
||
|
MAX_TIMESTAMP_LOOKAHEAD=30
|
||
|
TIME_PREFIX = ^
|
||
|
pulldown_type = 1
|
||
|
category = Application
|
||
|
description = Output produced by Apache Tomcat Catalina (System.out and System.err)
|
||
|
|
||
|
[ruby_on_rails]
|
||
|
TIME_PREFIX = (for [\d\.]+ at\s)
|
||
|
TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z
|
||
|
BREAK_ONLY_BEFORE = Processing
|
||
|
pulldown_type = 1
|
||
|
category = Application
|
||
|
description = Output produced by a Ruby On Rails Web application framework
|
||
|
|
||
|
########## ARCHIVES ##########
|
||
|
|
||
|
[preprocess-bzip]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[preprocess-Z]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[preprocess-gzip]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[preprocess-tar]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[preprocess-zip]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[preprocess-targz]
|
||
|
invalid_cause = archive
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
########## DATABASES ##########
|
||
|
|
||
|
[db2_diag]
|
||
|
pulldown_type = 1
|
||
|
maxDist = 90
|
||
|
REPORT-st = db2
|
||
|
category = Database
|
||
|
description = Diagnostic output produced by the IBM DB2 database server
|
||
|
|
||
|
[mysqld]
|
||
|
pulldown_type = 1
|
||
|
maxDist = 20
|
||
|
BREAK_ONLY_BEFORE = ^\d{6}\s
|
||
|
TIME_FORMAT = %y%m%d %k:%M:%S
|
||
|
category = Database
|
||
|
description = Output produced by the MySQL database server
|
||
|
|
||
|
[mysqld_error]
|
||
|
pulldown_type = 1
|
||
|
maxDist = 50
|
||
|
MAX_EVENTS = 1024
|
||
|
BREAK_ONLY_BEFORE = ^\d{6}\s
|
||
|
category = Database
|
||
|
description = Errors produced by the MySQL database server
|
||
|
|
||
|
[mysqld_bin]
|
||
|
pulldown_type = 1
|
||
|
maxDist = 20
|
||
|
BREAK_ONLY_BEFORE = ^#\d{6}
|
||
|
category = Database
|
||
|
description = Binary log output produced by the MySQL database server
|
||
|
|
||
|
[mysql_slow]
|
||
|
SHOULD_LINEMERGE = true
|
||
|
TIME_FORMAT = Time: %y%m%d %k:%M:%S %Z
|
||
|
BREAK_ONLY_BEFORE = #\sTime:\s\d{6}\s[\s\d]\d:\d\d:\d\d
|
||
|
MAX_EVENTS = 512
|
||
|
pulldown_type = 1
|
||
|
category = Database
|
||
|
description = Slow query log output produced by the MySQL database server
|
||
|
|
||
|
########## EMAIL ##########
|
||
|
|
||
|
[exim_main]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[exim_reject]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[postfix_syslog]
|
||
|
pulldown_type = 1
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
TRANSFORMS-host = syslog-host
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
category = Email
|
||
|
description = Output produced by the Postfix email server
|
||
|
|
||
|
[sendmail_syslog]
|
||
|
pulldown_type = 1
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
TRANSFORMS = syslog-host
|
||
|
REPORT-syslog = sendmail-extractions
|
||
|
category = Email
|
||
|
description = Output produced by the Sendmail email server
|
||
|
|
||
|
[procmail]
|
||
|
pulldown_type = 1
|
||
|
BREAK_ONLY_BEFORE = procmail: \[\d+\]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 64
|
||
|
category = Email
|
||
|
description = Output produced by the Procmail email server
|
||
|
|
||
|
########## OSs ##########
|
||
|
|
||
|
[linux_messages_syslog]
|
||
|
pulldown_type = 1
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
TRANSFORMS = syslog-host
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
category = Operating System
|
||
|
description = Format found within the Linux log file /var/log/messages
|
||
|
|
||
|
[linux_secure]
|
||
|
pulldown_type = 1
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
category = Operating System
|
||
|
description = Format for the /var/log/secure file containing all security related messages on a Linux machine
|
||
|
|
||
|
[linux_audit]
|
||
|
pulldown_type = 1
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
category = Operating System
|
||
|
description = Output produced by the auditd system daemon used to track changes on a Linux machine
|
||
|
|
||
|
[linux_bootlog]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[anaconda]
|
||
|
BREAK_ONLY_BEFORE = ^\*
|
||
|
|
||
|
[anaconda_syslog]
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
|
||
|
[osx_asl]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
REPORT-asl = bracket-space
|
||
|
|
||
|
[osx_crashreporter]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[osx_crash_log]
|
||
|
BREAK_ONLY_BEFORE = gooblygook
|
||
|
MAX_EVENTS = 200000
|
||
|
|
||
|
[osx_install]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[osx_secure]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[osx_daily]
|
||
|
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
|
||
|
|
||
|
[osx_weekly]
|
||
|
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
|
||
|
|
||
|
[osx_monthly]
|
||
|
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
|
||
|
|
||
|
[osx_window_server]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[windows_snare_syslog]
|
||
|
pulldown_type = 1
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
TRANSFORMS = syslog-host
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
category = Operating System
|
||
|
description = Output produced by the Snare syslog server on Windows
|
||
|
|
||
|
[dmesg]
|
||
|
pulldown_type = 1
|
||
|
BREAK_ONLY_BEFORE = ^\S
|
||
|
DATETIME_CONFIG = NONE
|
||
|
category = Operating System
|
||
|
description = Output produced by the "dmesg" *nix command, printing the *nix kernel ring buffer
|
||
|
|
||
|
[ftp]
|
||
|
pulldown_type = 0
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[ssl_error]
|
||
|
pulldown_type = 0
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[syslog]
|
||
|
pulldown_type = true
|
||
|
maxDist = 3
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
TRANSFORMS = syslog-host
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
category = Operating System
|
||
|
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
|
||
|
|
||
|
[sar]
|
||
|
; break on blanklines, clock-resets, or common headers attributes (/s, %, or alpha-)
|
||
|
BREAK_ONLY_BEFORE = (?:^\s*$)|00:00:0|/s|%|[a-z]-
|
||
|
MAX_EVENTS = 1000
|
||
|
|
||
|
[rpmpkgs]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
########## NETWORK ##########
|
||
|
|
||
|
[novell_groupwise]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 9
|
||
|
TRANSFORMS-nov = novell-groupwise-arrival,novell-groupwise-queue,novell-groupwise-transfer
|
||
|
|
||
|
[tcp]
|
||
|
BREAK_ONLY_BEFORE = (=\+)+
|
||
|
KV_MODE = none
|
||
|
REPORT-tcp = tcpdump-endpoints, colon-kv
|
||
|
|
||
|
########## PRINTERS ##########
|
||
|
|
||
|
[cups_access]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[cups_error]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
[spooler]
|
||
|
BREAK_ONLY_BEFORE_DATE = False
|
||
|
|
||
|
########## ROUTERS AND FIREWALLS ##########
|
||
|
|
||
|
[cisco_cdr]
|
||
|
maxDist = 1
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[cisco_syslog]
|
||
|
pulldown_type = 0
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_FORMAT = %b %d %H:%M:%S
|
||
|
TRANSFORMS = syslog-host
|
||
|
REPORT-syslog = syslog-extractions
|
||
|
|
||
|
[cisco:asa]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
pulldown_type = 1
|
||
|
category = Network & Security
|
||
|
description = Output produced by the Cisco Adaptive Security Appliance (ASA) Firewall
|
||
|
|
||
|
[clavister]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
########## VoIP ##########
|
||
|
|
||
|
|
||
|
[asterisk_cdr]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 256
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[asterisk_event]
|
||
|
maxDist = 3
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[asterisk_messages]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[asterisk_queue]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
########## WEBSERVERS ##########
|
||
|
|
||
|
[access_combined]
|
||
|
pulldown_type = true
|
||
|
maxDist = 28
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
category = Web
|
||
|
description = National Center for Supercomputing Applications (NCSA) combined format HTTP web server logs (can be generated by apache or other web servers)
|
||
|
|
||
|
[access_combined_wcookie]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
|
||
|
[access_common]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
|
||
|
[apache_error]
|
||
|
pulldown_type = true
|
||
|
maxDist = 50
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
BREAK_ONLY_BEFORE = ^\[
|
||
|
TIME_FORMAT = [%A %B %d %T %Y]
|
||
|
category = Web
|
||
|
description = Error log format produced by the Apache web server (typically error_log on *nix systems)
|
||
|
|
||
|
[iis]
|
||
|
pulldown_type = true
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
||
|
SHOULD_LINEMERGE = False
|
||
|
INDEXED_EXTRACTIONS = w3c
|
||
|
detect_trailing_nulls = auto
|
||
|
category = Web
|
||
|
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
|
||
|
|
||
|
|
||
|
########## MISC ##########
|
||
|
|
||
|
[snort]
|
||
|
pulldown_type = true
|
||
|
BREAK_ONLY_BEFORE = (=\+)+
|
||
|
KV_MODE = none
|
||
|
REPORT-tcp = tcpdump-endpoints, colon-kv
|
||
|
category = Network & Security
|
||
|
description = Output produced by the Snort network intrusion detection/prevention application
|
||
|
|
||
|
########## SPLUNK ##########
|
||
|
|
||
|
[splunk_com_php_error]
|
||
|
maxDist = 70
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunkd]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
# splunkd TIME_FORMAT should be kept in synch with
|
||
|
# - etc/log.cfg
|
||
|
# - src/framework/SplunkdTimestamp.cpp
|
||
|
# This format won't, of course, match all older forwarders, but regex fallback
|
||
|
# will handle those cases
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
# logs from old forwarders (4.1 and prior) will not match the TIME_FORMAT, due to a lack of timezone.
|
||
|
# This will cause some events to be merged.
|
||
|
# Disable multiline support to get these case right.
|
||
|
# Splunkd data prior to 5.0 can have multiline events, but it is quite rare
|
||
|
# (debug output and bugs mostly), and 5.0+ explicitly disallows generating such
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[splunkd_crash_log]
|
||
|
SHOULD_LINEMERGE = True
|
||
|
MUST_BREAK_AFTER = ^(?i)terminating\.\.\.
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 1
|
||
|
DATETIME_CONFIG = NONE
|
||
|
MAX_EVENTS = 2048
|
||
|
|
||
|
[splunkd_misc]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 1
|
||
|
|
||
|
[splunkd_stderr]
|
||
|
TIME_FORMAT = %m-%d-%Y %T.%Q %z
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
LINE_BREAKER = ([\r\n]+)(?:\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3})
|
||
|
EVENT_BREAKER_ENABLE = true
|
||
|
EVENT_BREAKER = ([\r\n]+)(?:\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3})
|
||
|
|
||
|
[splunkd_stdout]
|
||
|
DATETIME_CONFIG = NONE
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[splunk_python]
|
||
|
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N %z
|
||
|
LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_pdfgen]
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M%S,%l
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk-blocksignature]
|
||
|
SEGMENTATION = whitespace-only
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_directory_monitor]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_directory_monitor_misc]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_search_history]
|
||
|
BREAK_ONLY_BEFORE = ^\d
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_search_messages]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TRUNCATE = 20000
|
||
|
EXTRACT-message = .*?(message=)(?<message>.*)$
|
||
|
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) -
|
||
|
|
||
|
|
||
|
[splunkd_remote_searches]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
SHOULD_LINEMERGE = false
|
||
|
REPORT-fields = remote_searches_extractions_starting,remote_searches_extractions_terminated, remote_searches_extractions_starting_fallback
|
||
|
KV_MODE = none
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[searches]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
|
||
|
[splunkd_access]
|
||
|
maxDist = 28
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions, extract_spent
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[wlm_monitor]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[splunkd_ui_access]
|
||
|
maxDist = 28
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions, extract_spent
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[splunk_web_access]
|
||
|
maxDist = 28
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 128
|
||
|
REPORT-access = access-extractions
|
||
|
SHOULD_LINEMERGE = False
|
||
|
TIME_PREFIX = \[
|
||
|
EXTRACT-extract_spent = \s(?<spent>\d+(\.\d+)?)ms$
|
||
|
TRUNCATE = 75000
|
||
|
|
||
|
[splunk_web_service]
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
REPORT-fields = splunk-service-extractions
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[splunkd_conf]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
TRUNCATE = 20000
|
||
|
|
||
|
[splunk_help]
|
||
|
BREAK_ONLY_BEFORE = gooblygook
|
||
|
MAX_EVENTS = 200000
|
||
|
TRANSFORMS-help = splunk_help
|
||
|
|
||
|
[mongod]
|
||
|
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
|
||
|
SHOULD_LINEMERGE = False
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 40
|
||
|
|
||
|
[splunk_version]
|
||
|
DATETIME_CONFIG = CURRENT
|
||
|
MUST_NOT_BREAK_AFTER = .*
|
||
|
|
||
|
[source::.../var/log/splunk/searchhistory.log(.\d+)?]
|
||
|
TRANSFORMS = splunk_index_history
|
||
|
sourcetype = splunk_search_history
|
||
|
|
||
|
[source::.../var/log/splunk/(web|report)_access(-\d+)?.log(.\d+)?]
|
||
|
sourcetype = splunk_web_access
|
||
|
|
||
|
[source::.../var/log/splunk/(web|report)_service(-\d+)?.log(.\d+)?]
|
||
|
sourcetype = splunk_web_service
|
||
|
|
||
|
[source::.../var/log/splunk/metrics.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../var/log/splunk/license_usage(|_summary).log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../splunkd.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../mergebuckets.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../var/log/splunk/configuration_change.log(.\d+)?]
|
||
|
sourcetype = splunk_configuration_change
|
||
|
TRUNCATE = 0
|
||
|
|
||
|
[source::.../var/log/splunk/splunkd-utility.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../var/log/splunk/scheduler.log(.\d+)?]
|
||
|
sourcetype = scheduler
|
||
|
|
||
|
[source::.../var/log/splunk/audit.log(.\d+)?]
|
||
|
TRANSFORMS = send_to_nullqueue
|
||
|
sourcetype = splunk_audit
|
||
|
|
||
|
[source::.../var/log/splunk/btool.log(.\d+)?]
|
||
|
sourcetype = splunk_btool
|
||
|
|
||
|
[source::.../var/log/splunk/intentions.log(.\d+)?]
|
||
|
sourcetype = splunk_intentions
|
||
|
|
||
|
[source::.../var/log/splunk/python.log(.\d+)?]
|
||
|
sourcetype = splunk_python
|
||
|
|
||
|
[source::.../var/log/splunk/pdfgen.log(.\d+)?]
|
||
|
sourcetype = splunk_pdfgen
|
||
|
|
||
|
[source::.../var/log/splunk/searches.log]
|
||
|
sourcetype = searches
|
||
|
|
||
|
[source::.../var/log/splunk/splunkd_stdout.log(.\d+)?]
|
||
|
sourcetype = splunkd_stdout
|
||
|
|
||
|
[source::.../var/log/splunk/splunkd_stderr.log(.\d+)?]
|
||
|
sourcetype = splunkd_stderr
|
||
|
|
||
|
[source::.../var/log/splunk/*crash-*.log]
|
||
|
sourcetype = splunkd_crash_log
|
||
|
|
||
|
[source::.../var/log/splunk/migration.log.*]
|
||
|
sourcetype = splunk_migration
|
||
|
|
||
|
[source::.../var/log/splunk/remote_searches.log(.\d+)?]
|
||
|
sourcetype = splunkd_remote_searches
|
||
|
|
||
|
[source::.../splunkd_access.log(.\d+)?]
|
||
|
sourcetype = splunkd_access
|
||
|
|
||
|
[source::.../wlm_monitor.log(.\d+)?]
|
||
|
sourcetype = wlm_monitor
|
||
|
|
||
|
[source::.../splunkd_ui_access.log(.\d+)?]
|
||
|
sourcetype = splunkd_ui_access
|
||
|
|
||
|
[source::.../var/log/splunk/conf.log(.\d+)?]
|
||
|
sourcetype = splunkd_conf
|
||
|
|
||
|
[source::.../var/log/splunk/mongod.log(.\d+)?]
|
||
|
sourcetype = mongod
|
||
|
|
||
|
[source::.../var/log/splunk/health.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../var/log/watchdog/watchdog.log(.\d+)?]
|
||
|
sourcetype = splunkd
|
||
|
|
||
|
[source::.../var/log/splunk/search_messages.log(.\d+)?]
|
||
|
sourcetype = splunk_search_messages
|
||
|
|
||
|
[source::.../etc/splunk.version]
|
||
|
sourcetype = splunk_version
|
||
|
|
||
|
########## SPECIAL ##########
|
||
|
|
||
|
[__singleline]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
|
||
|
[too_small]
|
||
|
maxDist = 9999
|
||
|
BREAK_ONLY_BEFORE_DATE = True
|
||
|
PREFIX_SOURCETYPE = True
|
||
|
|
||
|
; same as too_small but for larger text that has special characters
|
||
|
[breakable_text]
|
||
|
BREAK_ONLY_BEFORE = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[lastlog]
|
||
|
invalid_cause = binary
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[wtmp]
|
||
|
invalid_cause = binary
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[known_binary]
|
||
|
is_valid = False
|
||
|
invalid_cause = binary
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[ignored_type]
|
||
|
is_valid = False
|
||
|
invalid_cause = ignored_type
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[stash]
|
||
|
TRUNCATE = 0
|
||
|
# only look for ***SPLUNK*** on the first line
|
||
|
HEADER_MODE = firstline
|
||
|
# we can summary index past data, but rarely future data
|
||
|
MAX_DAYS_HENCE = 2
|
||
|
MAX_DAYS_AGO = 10000
|
||
|
# 5 years difference between two events
|
||
|
MAX_DIFF_SECS_AGO = 155520000
|
||
|
MAX_DIFF_SECS_HENCE = 155520000
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 64
|
||
|
LEARN_MODEL = false
|
||
|
# search time extractions
|
||
|
KV_MODE = none
|
||
|
REPORT-1 = stash_extract
|
||
|
|
||
|
[stash_new]
|
||
|
TRUNCATE = 0
|
||
|
# only look for ***SPLUNK*** on the first line
|
||
|
HEADER_MODE = firstline
|
||
|
# we can summary index past data, but rarely future data
|
||
|
MAX_DAYS_HENCE = 2
|
||
|
MAX_DAYS_AGO = 10000
|
||
|
# 5 years difference between two events
|
||
|
MAX_DIFF_SECS_AGO = 155520000
|
||
|
MAX_DIFF_SECS_HENCE = 155520000
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 64
|
||
|
LEARN_MODEL = false
|
||
|
# break .stash_new custom format into events
|
||
|
SHOULD_LINEMERGE = false
|
||
|
BREAK_ONLY_BEFORE_DATE = false
|
||
|
LINE_BREAKER = (\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)
|
||
|
# change sourcetype to stash before indexing/forwarding this data (these events
|
||
|
# are feed to the stashparsing pipeline)
|
||
|
TRANSFORMS-sourcetype = set_sourcetype_to_stash
|
||
|
|
||
|
[stash_hec]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = false
|
||
|
INDEXED_EXTRACTIONS = hec
|
||
|
# we can summary index past data, but rarely future data
|
||
|
MAX_DAYS_HENCE = 2
|
||
|
MAX_DAYS_AGO = 10000
|
||
|
# 5 years difference between two events
|
||
|
MAX_DIFF_SECS_AGO = 155520000
|
||
|
MAX_DIFF_SECS_HENCE = 155520000
|
||
|
|
||
|
[mcollect_stash]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = csv
|
||
|
ADD_EXTRA_TIME_FIELDS = subseconds
|
||
|
KV_MODE = none
|
||
|
TIMESTAMP_FIELDS = metric_timestamp
|
||
|
TIME_FORMAT = %s.%Q
|
||
|
|
||
|
|
||
|
########## NON-LOG FILES ##########
|
||
|
|
||
|
# settings copied from zip
|
||
|
[source_archive]
|
||
|
invalid_cause = needs_preprocess
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[web]
|
||
|
BREAK_ONLY_BEFORE=goblygook
|
||
|
MAX_EVENTS=200000
|
||
|
DATETIME_CONFIG = NONE
|
||
|
CHECK_METHOD = modtime
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[backup_file]
|
||
|
BREAK_ONLY_BEFORE=goblygook
|
||
|
MAX_EVENTS=10000
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[manpage]
|
||
|
BREAK_ONLY_BEFORE = gooblygook
|
||
|
MAX_EVENTS = 200000
|
||
|
DATETIME_CONFIG = NONE
|
||
|
CHECK_METHOD = modtime
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[misc_text]
|
||
|
BREAK_ONLY_BEFORE=goblygook
|
||
|
MAX_EVENTS=200000
|
||
|
DATETIME_CONFIG = NONE
|
||
|
CHECK_METHOD = modtime
|
||
|
pulldown_type = false
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[csv]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = csv
|
||
|
KV_MODE = none
|
||
|
category = Structured
|
||
|
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
|
||
|
|
||
|
[psv]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = psv
|
||
|
FIELD_DELIMITER=|
|
||
|
HEADER_FIELD_DELIMITER=|
|
||
|
KV_MODE = none
|
||
|
category = Structured
|
||
|
description = Pipe-separated value format. Set header and other settings in "Delimited Settings"
|
||
|
|
||
|
[tsv]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = tsv
|
||
|
FIELD_DELIMITER=tab
|
||
|
HEADER_FIELD_DELIMITER=tab
|
||
|
KV_MODE = none
|
||
|
category = Structured
|
||
|
description = Tab-separated value format. Set header and other settings in "Delimited Settings"
|
||
|
|
||
|
[_json]
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
category = Structured
|
||
|
description = JavaScript Object Notation format. For more information, visit http://json.org/
|
||
|
|
||
|
[json_no_timestamp]
|
||
|
BREAK_ONLY_BEFORE = ^{
|
||
|
DATETIME_CONFIG = CURRENT
|
||
|
MAX_TIMESTAMP_LOOKAHEAD = 800
|
||
|
pulldown_type = 1
|
||
|
category = Structured
|
||
|
description = A variant of the JSON source type, with support for nonexistent timestamps
|
||
|
|
||
|
[fs_notification]
|
||
|
SHOULD_LINEMERGE=false
|
||
|
|
||
|
[exchange]
|
||
|
INDEXED_EXTRACTIONS = w3c
|
||
|
KV_MODE = none
|
||
|
|
||
|
[generic_single_line]
|
||
|
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N %Z
|
||
|
SHOULD_LINEMERGE = false
|
||
|
pulldown_type = 1
|
||
|
category = Miscellaneous
|
||
|
description = A common log format with a predefined timestamp. Customize timestamp in "Timestamp" options
|
||
|
|
||
|
|
||
|
|
||
|
########## RULE BASED CONDITIONS ##########
|
||
|
|
||
|
[rule::snort]
|
||
|
sourcetype = snort
|
||
|
# IF MORE THAN 5% OF LINES MATCH REGEX, MUST BE THIS TYPE
|
||
|
MORE_THAN_1 = (=\+)+
|
||
|
MORE_THAN_10 = (?:[0-9A-F]{2} ){16}
|
||
|
|
||
|
[rule::exim_main]
|
||
|
sourcetype = exim_main
|
||
|
# MORE THAN 2% HAVE <=, =>, 'queue'
|
||
|
MORE_THANA_2 = <=
|
||
|
MORE_THANB_2 = =>
|
||
|
MORE_THANC_2 = queue
|
||
|
|
||
|
[rule::postfix_syslog]
|
||
|
sourcetype = postfix_syslog
|
||
|
# IF 75% OF LINES MATCH REGEX, MUST BE THIS TYPE
|
||
|
MORE_THAN_75 = ^\w{3} +\d+ \d\d:\d\d:\d\d .* postfix(/\w+)?\[\d+\]:
|
||
|
|
||
|
[rule::sendmail_syslog]
|
||
|
sourcetype = sendmail_syslog
|
||
|
# IF 75% OF LINES MATCH REGEX, MUST BE THIS TYPE
|
||
|
MORE_THAN_75 = ^\w{3} +\d+ \d\d:\d\d:\d\d .* (sendmail|imapd|ipop3d)\[\d+\]:
|
||
|
|
||
|
[rule::access_common]
|
||
|
sourcetype = access_common
|
||
|
MORE_THAN_75 = ^\S+ \S+ \S+ \[[^\]]+\] "[^"]+" \S+ \S+$
|
||
|
|
||
|
[rule::access_combined]
|
||
|
sourcetype = access_combined
|
||
|
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*"$
|
||
|
|
||
|
[rule::access_combined_wcookie]
|
||
|
sourcetype = access_combined_wcookie
|
||
|
# more restrictive version = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+ \S+ "[^"]*" "[^"]*"$
|
||
|
MORE_THAN_75 = ^\S+ \S+ \S+ \S* ?\[[^\]]+\] "[^"]*" \S+ \S+(?: \S+)? "[^"]*" "[^"]*"
|
||
|
|
||
|
### DELAYED RULE BASED CONDITIONS. RUN AS LAST DITCH EFFORT BEFORE MAKING A NEW SOURCETYPE ###
|
||
|
|
||
|
# break text on ascii art and blanklines if more than 10% of lines
|
||
|
# have ascii art or blanklines, and less than 10% have timestamps
|
||
|
[delayedrule::breakable_text]
|
||
|
MORE_THAN_10 = (^(?:---|===|\*\*\*|___|=+=))|^\s*$
|
||
|
LESS_THAN_10 = [: ][012]?[0-9]:[0-5][0-9]
|
||
|
sourcetype = breakable_text
|
||
|
|
||
|
[delayedrule::syslog]
|
||
|
sourcetype = syslog
|
||
|
# IF MORE THAN 80% OF LINES MATCH REGEX, MUST BE THIS TYPE
|
||
|
MORE_THAN_80 = ^\w{3} +\d+ \d\d:\d\d:\d\d (?!AM|PM)[\w\-.]+ [\w\-/.]+(\[\d+\])?:
|
||
|
|
||
|
########## FILE MATCH CONDITIONS ##########
|
||
|
|
||
|
[source::.../var/log/anaconda.syslog(.\d+)?]
|
||
|
sourcetype = anaconda_syslog
|
||
|
|
||
|
[source::.../var/log/anaconda.log(.\d+)?]
|
||
|
sourcetype = anaconda
|
||
|
|
||
|
[source::.../var/log/httpd/error_log(.\d+)?]
|
||
|
sourcetype = apache_error
|
||
|
|
||
|
[source::.../var/log/cups/access_log(.\d+)?]
|
||
|
sourcetype = cups_access
|
||
|
|
||
|
[source::.../var/log/cups/error_log(.\d+)?]
|
||
|
sourcetype = cups_error
|
||
|
|
||
|
[source::.../var/log/dmesg(.\d+)?]
|
||
|
sourcetype = dmesg
|
||
|
|
||
|
[source::.../var/log/ftp.log(.\d+)?]
|
||
|
sourcetype = ftp
|
||
|
|
||
|
[source::.../(u_|)ex(tend|\d{4,8})*?.log]
|
||
|
sourcetype = iis
|
||
|
|
||
|
[source::.../var/log/lastlog(.\d+)?]
|
||
|
sourcetype = lastlog
|
||
|
|
||
|
[source::.../var/log/audit/audit.log(.\d+)?]
|
||
|
sourcetype = linux_audit
|
||
|
|
||
|
[source::.../var/log/boot.log(.\d+)?]
|
||
|
sourcetype = linux_bootlog
|
||
|
|
||
|
[source::.../var/log/secure(.\d+)?]
|
||
|
sourcetype = linux_secure
|
||
|
|
||
|
[source::.../man/man\d+/*.\d+]
|
||
|
sourcetype = manpage
|
||
|
|
||
|
[source::.../var/log/asl.log(.\d+)?]
|
||
|
sourcetype = osx_asl
|
||
|
|
||
|
[source::.../var/log/crashreporter.log(.\d+)?]
|
||
|
sourcetype = osx_crashreporter
|
||
|
|
||
|
[source::....crash.log(.\d+)?]
|
||
|
sourcetype = osx_crash_log
|
||
|
|
||
|
[source::.../var/log/install.log(.\d+)?]
|
||
|
sourcetype = osx_install
|
||
|
|
||
|
[source::.../var/log/secure.log(.\d+)?]
|
||
|
sourcetype = osx_secure
|
||
|
|
||
|
[source::.../var/log/daily.out(.\d+)?]
|
||
|
sourcetype = osx_daily
|
||
|
|
||
|
[source::.../var/log/weekly.out(.\d+)?]
|
||
|
sourcetype = osx_weekly
|
||
|
|
||
|
[source::.../var/log/monthly.out(.\d+)?]
|
||
|
sourcetype = osx_monthly
|
||
|
|
||
|
[source::.../private/var/log/windowserver.log(.\d+)?]
|
||
|
sourcetype = osx_window_server
|
||
|
|
||
|
[source::....Z(.\d+)?]
|
||
|
unarchive_cmd = gzip -cd -
|
||
|
sourcetype = preprocess-Z
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::....(tbz|tbz2)(.\d+)?]
|
||
|
unarchive_cmd = _auto
|
||
|
sourcetype = preprocess-bzip
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::....bz2?(.\d+)?]
|
||
|
unarchive_cmd = bzip2 -cd -
|
||
|
sourcetype = preprocess-bzip
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::....(?<!tar.)gz(.\d+)?]
|
||
|
unarchive_cmd = gzip -cd -
|
||
|
sourcetype = preprocess-gzip
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::....(tar.gz|tgz)(.\d+)?]
|
||
|
unarchive_cmd = _auto
|
||
|
sourcetype = preprocess-targz
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::....tar(.\d+)?]
|
||
|
unarchive_cmd = _auto
|
||
|
sourcetype = preprocess-tar
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[(?i)source::....zip(.\d+)?]
|
||
|
unarchive_cmd = _auto
|
||
|
sourcetype = preprocess-zip
|
||
|
NO_BINARY_CHECK = true
|
||
|
|
||
|
[source::.../var/log/rpmpkgs(.\d+)?]
|
||
|
sourcetype = rpmpkgs
|
||
|
|
||
|
[source::.../var/log/sa/sar\d+]
|
||
|
sourcetype = sar
|
||
|
|
||
|
[source::.../var/log/spooler(.\d+)?]
|
||
|
sourcetype = spooler
|
||
|
|
||
|
[source::.../var/log/httpd/httpd/ssl_error_log(.\d+)?]
|
||
|
sourcetype = ssl_error
|
||
|
|
||
|
[source::.../messages(.\d+)?]
|
||
|
sourcetype = syslog
|
||
|
|
||
|
[source::.../syslog(.\d+)?]
|
||
|
sourcetype = syslog
|
||
|
|
||
|
#[source::.../(www|apache|httpd).../access*]
|
||
|
#sourcetype = access_common
|
||
|
|
||
|
[source::.../(apache|httpd).../error*]
|
||
|
sourcetype = apache_error
|
||
|
|
||
|
[source::.../private/var/log/system.log(.\d+)?]
|
||
|
sourcetype = syslog
|
||
|
|
||
|
[source::.../private/var/log/mail.log(.\d+)?]
|
||
|
sourcetype = syslog
|
||
|
|
||
|
[source::.../var/log/wtmp(.\d+)?]
|
||
|
sourcetype = wtmp
|
||
|
|
||
|
[source::.../procmail(_|.)log]
|
||
|
sourcetype = procmail
|
||
|
|
||
|
[source::.../mysql.log(.\d+)?]
|
||
|
sourcetype = mysqld
|
||
|
|
||
|
[source::...stash]
|
||
|
sourcetype = stash
|
||
|
|
||
|
[source::...stash_new]
|
||
|
sourcetype = stash_new
|
||
|
|
||
|
|
||
|
####### NON-LOG FILES
|
||
|
|
||
|
[source::....(jar)(.\d+)?]
|
||
|
sourcetype = source_archive
|
||
|
|
||
|
[source::....(css|htm|html|sgml|shtml|template)]
|
||
|
sourcetype = web
|
||
|
|
||
|
[source::....csv]
|
||
|
sourcetype = csv
|
||
|
|
||
|
[source::...((.(bak|old))|,v|~|#)]
|
||
|
sourcetype = ignored_type
|
||
|
|
||
|
|
||
|
[source::.../(readme|README)...]
|
||
|
sourcetype=misc_text
|
||
|
|
||
|
[source::....(0t|a|ali|asa|au|bmp|cg|cgi|class|d|dat|deb|del|dot|dvi|dylib|elc|eps|exe|ftn|gif|hlp|hqx|hs|icns|ico|inc|iso|jame|jin|jpeg|jpg|kml|la|lhs|lib|lo|lock|mcp|mid|mp3|mpg|msf|nib|o|obj|odt|ogg|ook|opt|os|pal|pbm|pdf|pem|pgm|plo|png|po|pod|pp|ppd|ppm|ppt|prc|ps|psd|psym|pyc|pyd|p3d|rast|rb|rde|rdf|rdr|rgb|ro|rpm|rsrc|so|ss|stg|strings|tdt|tif|tiff|tk|uue|vhd|xbm|xlb|xls|xlw)]
|
||
|
sourcetype = known_binary
|
||
|
|
||
|
[source::....(cache|class|cxx|dylib|jar|lo|xslt|md5|rpm|deb|iso|vim)]
|
||
|
sourcetype = ignored_type
|
||
|
|
||
|
|
||
|
# internal sourcetype used in the fish bucket
|
||
|
[fileTrackerCrcLog]
|
||
|
SEGMENTATION = meta-tokenizer
|
||
|
KV_MODE = none
|
||
|
EXTRACT-1 = (?<_KEY_1>\S+)::(?<_VAL_1>\S+)
|
||
|
|
||
|
# MySQL example.
|
||
|
# See the Splunker's Guide for Splunk.com
|
||
|
# for the myunbinit script and sample MySQL setup
|
||
|
# This example is commented out.
|
||
|
#
|
||
|
# [mysql]
|
||
|
# match_filename1 = *.bin
|
||
|
# invalid_cause = needs_preprocess
|
||
|
# is_valid = False
|
||
|
#
|
||
|
|
||
|
# Dealing with all windows type data, even when we're a unix
|
||
|
# platform, incase these types of data is forwarded by a windows
|
||
|
# light weight forwarder
|
||
|
[ActiveDirectory]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
LINE_BREAKER = ([\r\n]+---splunk-admon-end-of-event---\r\n[\r\n]*)
|
||
|
EXTRACT-GUID = (?i)(?!=\w)(?:objectguid|guid)\s*=\s*(?<guid_lookup>[\w\-]+)
|
||
|
EXTRACT-SID = objectSid\s*=\s*(?<sid_lookup>\S+)
|
||
|
REPORT-MESSAGE = ad-kv
|
||
|
# some schema AD events may be very long
|
||
|
MAX_EVENTS = 10000
|
||
|
TRUNCATE = 100000
|
||
|
|
||
|
[WinRegistry]
|
||
|
DATETIME_CONFIG=NONE
|
||
|
LINE_BREAKER = ([\r\n]+---splunk-regmon-end-of-event---\r\n[\r\n]*)
|
||
|
|
||
|
[WinWinHostMon]
|
||
|
DATETIME_CONFIG=NONE
|
||
|
SHOULD_LINEMERGE = false
|
||
|
|
||
|
[WinPrintMon]
|
||
|
DATETIME_CONFIG=NONE
|
||
|
SHOULD_LINEMERGE = false
|
||
|
|
||
|
[wmi]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
LINE_BREAKER = ([\r\n]+---splunk-wmi-end-of-event---\r\n[\r\n]*)
|
||
|
CHARSET = UTF-8
|
||
|
|
||
|
[source::WMI...]
|
||
|
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
|
||
|
TRANSFORMS-FIELDS = wmi-host, wmi-override-host
|
||
|
SHOULD_LINEMERGE = false
|
||
|
|
||
|
[source::WinEventLog...]
|
||
|
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
|
||
|
KV_MODE=none
|
||
|
# Note the below settings are effectively legacy, in place here to handle
|
||
|
# data coming from much much older forwarders (3.x & 4.x)
|
||
|
SHOULD_LINEMERGE = false
|
||
|
MAX_TIMESTAMP_LOOKAHEAD=30
|
||
|
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
|
||
|
TRANSFORMS-FIELDS = strip-winevt-linebreaker
|
||
|
|
||
|
[PerformanceMonitor]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
LINE_BREAKER = ([\r\n]+---splunk-perfmon-end-of-event---\r\n[\r\n]*)
|
||
|
REPORT-MESSAGE = perfmon-kv
|
||
|
|
||
|
[source::....(?i)(evt|evtx)(.\d+)?]
|
||
|
sourcetype = preprocess-winevt
|
||
|
NO_BINARY_CHECK = true
|
||
|
SHOULD_LINEMERGE = false
|
||
|
MAX_TIMESTAMP_LOOKAHEAD=30
|
||
|
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
|
||
|
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
|
||
|
|
||
|
[preprocess-winevt]
|
||
|
invalid_cause = winevt
|
||
|
is_valid = False
|
||
|
LEARN_MODEL = false
|
||
|
|
||
|
[source::PerfmonMk...]
|
||
|
EXTRACT-collection,category,object = collection=\"?(?P<collection>[^\"\n]+)\"?\ncategory=\"?(?P<category>[^\"\n]+)\"?\nobject=\"?(?P<object>[^\"\n]+)\"?\n
|
||
|
KV_MODE = multi_PerfmonMk
|
||
|
NO_BINARY_CHECK = 1
|
||
|
pulldown_type = 1
|
||
|
|
||
|
[WinNetMonMk]
|
||
|
KV_MODE = multi_WinNetMonMk
|
||
|
NO_BINARY_CHECK = 1
|
||
|
pulldown_type = 0
|
||
|
|
||
|
[source::.../disk_objects.log(.\d+)?]
|
||
|
sourcetype = splunk_disk_objects
|
||
|
|
||
|
[source::.../resource_usage.log(.\d+)?]
|
||
|
sourcetype = splunk_resource_usage
|
||
|
|
||
|
[source::.../kvstore.log(.\d+)?]
|
||
|
sourcetype = kvstore
|
||
|
|
||
|
[source::.../token_input_metrics.log(.\d+)?]
|
||
|
sourcetype = token_endpoint_metrics
|
||
|
|
||
|
[source::.../http_event_collector_metrics.log(.\d+)?]
|
||
|
sourcetype = http_event_collector_metrics
|
||
|
|
||
|
[splunk_disk_objects]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[splunk_resource_usage]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[kvstore]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
TRUNCATE = 1000000
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[token_input_metrics]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[collectd_http]
|
||
|
METRICS_PROTOCOL = collectd_http
|
||
|
NO_BINARY_CHECK = true
|
||
|
SHOULD_LINEMERGE = false
|
||
|
ADD_EXTRA_TIME_FIELDS = false
|
||
|
ANNOTATE_PUNCT = false
|
||
|
pulldown_type = true
|
||
|
TIMESTAMP_FIELDS = time
|
||
|
KV_MODE=none
|
||
|
category = Metrics
|
||
|
description = Collectd daemon format. Uses the write_http plugin to send metrics data to a Splunk platform data input via the HTTP Event Collector.
|
||
|
|
||
|
[http_event_collector_metrics]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[statsd]
|
||
|
METRICS_PROTOCOL = statsd
|
||
|
NO_BINARY_CHECK = true
|
||
|
SHOULD_LINEMERGE = false
|
||
|
DATETIME_CONFIG = CURRENT
|
||
|
# remove indextime fields that aren't super useful.
|
||
|
ADD_EXTRA_TIME_FIELDS = false
|
||
|
ANNOTATE_PUNCT = false
|
||
|
pulldown_type = true
|
||
|
category = Metrics
|
||
|
description = Statsd daemon output format. Accepts the plain StatsD line metric protocol or the StatsD line metric protocol with dimensions extension.
|
||
|
|
||
|
[metrics_csv]
|
||
|
SHOULD_LINEMERGE = False
|
||
|
pulldown_type = true
|
||
|
INDEXED_EXTRACTIONS = csv
|
||
|
ADD_EXTRA_TIME_FIELDS = subseconds
|
||
|
KV_MODE = none
|
||
|
TIMESTAMP_FIELDS = metric_timestamp
|
||
|
TIME_FORMAT = %s.%Q
|
||
|
category = Metrics
|
||
|
description = Comma-separated value format for metrics. Must have metric_timestamp, metric_name, and _value fields.
|
||
|
|
||
|
[search_telemetry]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
TRUNCATE = 1000000
|
||
|
KV_MODE = none
|
||
|
description = JSON-formatted file containing search related telemetry.
|
||
|
|
||
|
[splunk_cloud_telemetry]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|
||
|
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
|
||
|
|
||
|
[splunkd_latency_tracker]
|
||
|
SHOULD_LINEMERGE = false
|
||
|
TIMESTAMP_FIELDS = datetime
|
||
|
TIME_FORMAT = %s.%l
|
||
|
INDEXED_EXTRACTIONS = json
|
||
|
KV_MODE = none
|