Splunk Search

extracting user, uid and gid from /etc/passwd

mariof
New Member

Hi all,
I'd like to extract or create fields for username, uid and gid from /etc/passwd. Basically I'd like to generate a report that shows all usernames across all my Unix/Linux systems and any clashes that there may be.
Any ideas?

0 Karma

Damien_Dallimor
Ultra Champion

You can use the Command Modular Input to do this: http://apps.splunk.com/app/1553/

The command you will execute is:

awk -F':' '{ print "user="$1" uid="$3" gid="$4}' /etc/passwd

And then you will have exactly what you want indexed in Splunk, no indexing of unneeded data, and no extractions to write.

A few screenshots:


You could push this out to forwarders on all of your machines using Deployment Manager, Chef, Puppet etc.

Or, for an agentless approach, you could execute the command remotely over SSH to all of the target machines. So from one central Splunk instance you could set up a stanza for each target machine.

inputs.conf

[command://User Info at 192.168.0.1]
# Quoting fixed so the awk program reaches the remote shell intact; this assumes
# command_args is split like a shell command line (assumption).
command_args = someuser@192.168.0.1 "awk -F: '{ print \"user=\"\$1\" uid=\"\$3\" gid=\"\$4 }' /etc/passwd"
command_name = ssh
sourcetype = user_info
index = myindex
host = 192.168.0.1
streaming_output = 0
disabled = 1

[command://User Info at 192.168.0.2]
# Same quoting as the first stanza (see the assumption noted there).
command_args = someuser@192.168.0.2 "awk -F: '{ print \"user=\"\$1\" uid=\"\$3\" gid=\"\$4 }' /etc/passwd"
command_name = ssh
sourcetype = user_info
index = myindex
host = 192.168.0.2
streaming_output = 0
disabled = 1

Here is info on SSH remote command execution and setting up authentication using shared keys so that you do not need to hard-code a password into your setup.

http://linuxers.org/howto/how-run-commands-remote-machine-using-ssh

http://linuxers.org/article/ssh-login-without-password

0 Karma

Damien_Dallimor
Ultra Champion

Updated my answer above with deployment approaches.

0 Karma

mariof
New Member

Would I need to use the deployment manager in order to run this on all my machines?

0 Karma

jtrucks
Splunk Employee

Try this:

(?<user>\w+):x:(?<uid>\d+):(?<gid>\d+):.*

You can go to Manager » Fields » Field extractions, hit New, then add the above extract inline in a single entry for search-time extractions.

--
Jesse Trucks
Minister of Magic
0 Karma

somesoni2
SplunkTrust

You can install Splunk Forwarders on all your Unix/Linux boxes and make them monitor the /etc/passwd file. The entries in the passwd file are ":"-separated, so once they are indexed in Splunk, you can do field extraction to get all the required fields. Splunk will add the host name to all the events based on where the passwd file was indexed from, so you can do comparisons and any kind of reporting.

UPDATE
My bad, I should've known.

If you just want to extract the same during any search, jtrucks' rex works fine. If you want these fields to be present as field extractions at search time, you can add the following to your props.conf, under the respective sourcetype. This should extract all the fields and they will be available for searching/reporting.

EXTRACT-userName = (?i)^(?P<userName>[^:]+)
EXTRACT-password = (?i)^[^:]*:(?P<password>[^:]+)
EXTRACT-uid = (?i)^(?:[^:]*:){2}(?P<uid>[^:]+)
EXTRACT-gid = (?i)^(?:[^:]*:){3}(?P<gid>[^:]+)
EXTRACT-userInfo = (?i)^(?:[^:]*:){4}(?P<userInfo>[^:]+)
EXTRACT-homedir = (?i)^(?:[^:]*:){5}(?P<homedir>[^:]+)
EXTRACT-userShell = (?i)^(?:[^:]*:){6}(?P<userShell>[^:]+)
0 Karma
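The report the original question asks for (one row per user per host, then the clashes) can be checked outside Splunk as well. The following is an added example, not code from any of the posters: it parses raw passwd lines with the same seven ':'-separated fields as the props.conf extractions above, skips malformed lines, and reports a name that maps to several uids, a uid that maps to several names, and any uid-0 account other than root. Hostnames and accounts in SAMPLE_EVENTS are constructed.

```python
import re
from collections import defaultdict

# Same seven ':'-separated fields that the props.conf extractions above pull out.
PASSWD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<password>[^:]*):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<userInfo>[^:]*):(?P<homedir>[^:]*):(?P<userShell>[^:]*)$"
)

# Constructed sample: (host, raw passwd line) pairs, as a forwarder monitoring
# /etc/passwd would index them. Hostnames and accounts are made up.
SAMPLE_EVENTS = [
    ("web01", "root:x:0:0:root:/root:/bin/bash"),
    ("web01", "alice:x:1001:1001:Alice:/home/alice:/bin/bash"),
    ("web01", "systemd-network:x:192:192::/:/usr/sbin/nologin"),  # '-' would defeat \w+
    ("db01", "root:x:0:0:root:/root:/bin/bash"),
    ("db01", "alice:x:1002:1002:Alice:/home/alice:/bin/bash"),  # alice has a different uid here
    ("db01", "bob:x:1001:1001:Bob:/home/bob:/bin/bash"),  # uid 1001 belongs to bob here
    ("db01", "toor:x:0:0::/root:/bin/bash"),  # a second uid-0 account
    ("app01", "alice:x:1001:1001:Alice:/home/alice:/bin/bash"),
    ("app01", "broken line without fields"),  # malformed line, skipped
]


def parse_passwd_line(line):
    """Return the field dict for one passwd line, or None if it is malformed."""
    m = PASSWD_RE.match(line)
    return m.groupdict() if m else None


def find_clashes(events):
    """Cross-host report: names mapped to several uids, uids mapped to several
    names, and every uid-0 account other than root."""
    name_to_uids = defaultdict(lambda: defaultdict(set))  # user -> uid -> hosts
    uid_to_names = defaultdict(lambda: defaultdict(set))  # uid -> user -> hosts
    extra_uid0 = defaultdict(set)  # host -> non-root uid-0 users
    for host, line in events:
        rec = parse_passwd_line(line)
        if rec is None:
            continue
        name_to_uids[rec["user"]][rec["uid"]].add(host)
        uid_to_names[rec["uid"]][rec["user"]].add(host)
        if rec["uid"] == "0" and rec["user"] != "root":
            extra_uid0[host].add(rec["user"])
    tidy = lambda m: {k: sorted(v) for k, v in m.items()}
    return {
        "name_with_many_uids": {u: tidy(m) for u, m in name_to_uids.items() if len(m) > 1},
        "uid_with_many_names": {i: tidy(m) for i, m in uid_to_names.items() if len(m) > 1},
        "extra_uid0": {h: sorted(v) for h, v in extra_uid0.items()},
    }
```

Run find_clashes(SAMPLE_EVENTS) to see alice flagged with two uids, uid 1001 and uid 0 each flagged with two names, and toor reported as an extra uid-0 account on db01.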

mariof
New Member

The suggestion by jtrucks of creating an inline extract works to an extent, except that it only extracts the first instance of the line, a bit like ed, and then ignores the rest. It works OK if I only have one user added at a time, but may not cope with multiple changes.

0 Karma

mariof
New Member

Firstly, thanks to both of you for your help:
root:x:0:0:root on redacted:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

0 Karma

somesoni2
SplunkTrust

Can you paste some of your events? It will be helpful in generating an exact regex.

0 Karma

jtrucks
Splunk Employee

You can have all of those on a single EXTRACT line like:

EXTRACT-passwdfilestuff = (?i)^(?<user>\w+):x:(?<uid>\d+):(?<gid>\d+):.*

--
Jesse Trucks
Minister of Magic
0 Karma

jtrucks
Splunk Employee

mariof, does the regex I submitted in the other answer work for you?

--
Jesse Trucks
Minister of Magic
0 Karma

mariof
New Member

Hi somesoni2,
I'm already doing this. I'm also monitoring the group file, but the auto field extract tool is only picking up the root user.

0 Karma