https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625312#M107474 <P>Hi , Can i push prop.conf and transfrom.conf via deployment server to Universal Forwarder (installed on 600 Linux server)</P><P>i am thinking to create these prop and transfroms file on deployment server under /opt/splunk/etc/deployment-apps/&lt;App Name&gt;/local.</P><P>will it work</P><P>thanks</P><P>shashi&nbsp;&nbsp;</P> Tue, 27 Dec 2022 09:13:30 GMT shashilendra 2022-12-27T09:13:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623604#M107287 <P>Hi Team,</P> <P>getting huges audit logs and wanted to blacklist in input.conf&nbsp; .</P> <P>index=*linux* source="/var/log/audit/audit.log" type=proctitle</P> <P>&nbsp;</P> Wed, 07 Dec 2022 16:13:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623604#M107287 shashilendra 2022-12-07T16:13:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623616#M107292 <P class="lia-align-left"><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229470">@shashilendra</a>&nbsp;- I don't think what you are trying to do is possible at the input level with any built-in Splunk configuration.</P><P>You can do it by Null Queue (with props/transforms configuration) at the parsing stage.</P><P>&nbsp;</P><P>props.conf</P><LI-CODE lang="markup">[source::/var/log/audit/audit.log] TRANSFORMS-filter_some_logs</LI-CODE><P>&nbsp;</P><P>transforms.conf</P><LI-CODE lang="markup">[filter_some_logs] REGEX = type=proctitle DEST_KEY = queue FORMAT = nullQueue # NOTE - make sure your _raw event has "type=proctitle" in it, change it if the format is different.</LI-CODE><P>&nbsp;</P><P>Hope this helps. Kindly accept the answer and upvote the answer if this helps!!!</P> Wed, 07 Dec 2022 17:47:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623616#M107292 VatsalJagani 2022-12-07T17:47:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623631#M107296 <P>Deny ("black") lists apply only to files.&nbsp; To filter individual events, use transforms as suggested by&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915">@VatsalJagani</a>&nbsp;or try the new Ingest Action feature, which is similar but a little easier to use.&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/DataIngest" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/DataIngest</A></P> Wed, 07 Dec 2022 18:15:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/623631#M107296 richgalloway 2022-12-07T18:15:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625312#M107474 <P>Hi , Can i push prop.conf and transfrom.conf via deployment server to Universal Forwarder (installed on 600 Linux server)</P><P>i am thinking to create these prop and transfroms file on deployment server under /opt/splunk/etc/deployment-apps/&lt;App Name&gt;/local.</P><P>will it work</P><P>thanks</P><P>shashi&nbsp;&nbsp;</P> Tue, 27 Dec 2022 09:13:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625312#M107474 shashilendra 2022-12-27T09:13:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625330#M107476 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229470">@shashilendra</a>&nbsp;- Yes you can push the configuration from the deployment server to UF.</P><P><STRONG>But</STRONG>, nullQueue configuration to the machine which <STRONG>parses the logs</STRONG>. Usually, that's <STRONG>Indexer</STRONG> (considering the UF is sending logs to Indexers directly.)</P><P>* UF does not have the capability to run TRANSFORM.</P><P>&nbsp;</P> Tue, 27 Dec 2022 12:48:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625330#M107476 VatsalJagani 2022-12-27T12:48:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625332#M107477 <P>I'd start at the beginning of your process, not at its end.</P><P>Make sure you're logging (only) what you need with auditd and understand what you're logging and ingesting.</P><P>Cutting some parts of the logs blindly can result in missing information.</P><P>See <A href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files</A></P> Tue, 27 Dec 2022 14:51:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-linux-logs-to-blacklist-in-input-conf/m-p/625332#M107477 PickleRick 2022-12-27T14:51:45Z