topic Re: Exclude events in index time /var/log/audit/audit.log in Splunk Cloud Platform

Exclude events in index time /var/log/audit/audit.log

CarolinaHB — Tue, 06 Feb 2024 00:43:52 GMT

Hello,

I need to exclude and prevent the ingestion of data when these events occur.

Im using the TA_Linux and this event is the /var/log/audit/audit.log

Can you help me?

node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"

Regards

Re: Exclude events in index time /var/log/audit/audit.log

Richfez — Mon, 05 Feb 2024 20:34:00 GMT

What is it specifically about those events that you want to get rid of them? (The "why" isn't important, what we probably need is "what in that event is the important bit that tells you that you can get rid of it")

ALSO The formatting of that event may have been broken - if you can edit your post and paste it in again, on this time use the </> button to paste it in as code, that might be helpful!

But pretending anything from `comm="elasticsearch"` can be gotten rid of, then...

1) Read the first section of this on discarding certain events and keeping the rest, it's not long but it's the pattern we'll use here. https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

2) For this case, you'll want to create a local/props.conf entry in either the TA you are messing around with, or possibly in a new, specific tiny app you build just for these fixes:

[source::/var/log/audit/audit.log] TRANSFORMS-null= setnull

3) Then as the docs say, you'll want a local/transforms.conf entry like this one

[setnull] REGEX = comm="elasticsearch" DEST_KEY = queue FORMAT = nullQueue

I don't believe the quotes need escaping in that REGEX line, though I reserve the right to be wrong about that.

Test, see if it works and let us know!

Re: Exclude events in index time /var/log/audit/audit.log

CarolinaHB — Tue, 06 Feb 2024 00:49:44 GMT

Hello @Richfez

worked on what you mentioned, but it didn't work for me.

I also tried this

props.conf

[source::/var/log/audit/audit.log] TRANSFORMS-null = setnull

transforms.conf

[setnull] REGEX = comm="elastic.*" DEST_KEY = queue FORMAT = nullQueue

Regards

Re: Exclude events in index time /var/log/audit/audit.log

Richfez — Tue, 06 Feb 2024 13:30:36 GMT

I can't imagine anything other than that the regex doesn't match - all else looks fine.

AND - the data you provided I think was munged by the editor!

Can you repaste that sample event only be SURE to use the </> code button?

Re: Exclude events in index time /var/log/audit/audit.log

Richfez — Tue, 06 Feb 2024 13:56:20 GMT

Also, you have to restart the Splunk system that's on in order for it to take effect.

Re: Exclude events in index time /var/log/audit/audit.log

CarolinaHB — Wed, 07 Feb 2024 01:01:27 GMT

I restarted but it doesn't take the changes. It Is the data `comm="elasticsearch[n"` correct with the special character `[`

Re: Exclude events in index time /var/log/audit/audit.log

Richfez — Wed, 07 Feb 2024 13:46:51 GMT

Ah, I believe you'll want

REGEX = comm="elasticsearch\[n"

Also just gonna say - I've done this before, I promise it can be made to work! Don't lose hope even if it's a bit fiddly to get it set up sometimes!

Re: Exclude events in index time /var/log/audit/audit.log

CarolinaHB — Thu, 08 Feb 2024 01:52:12 GMT

These settings can be applied universal forwarder

Re: Exclude events in index time /var/log/audit/audit.log

isoutamo — Fri, 09 Feb 2024 17:24:46 GMT

No, those (transforms and props) must be in 1st full splunk instance from UF to indexer(s).