topic Re: SEDCMD not being applied? in Getting Data In

SEDCMD not being applied?

jdmclemore — Tue, 09 May 2017 22:02:28 GMT

I'm trying to do a seemingly simple SEDCMD replace of passwords in logs, but nothing is getting applied. I have pushed props.conf out to all the indexers in my cluster, but looking at new data nothing gets changed. Am I doing something wrong?

Sample log (sourcetype=access_log):
10.1.1.1 - - [09/May/2017:16:42:52 -0500] [GET /service/auth/login?user_name=JoeUser&password=realpassword HTTP/1.1] 200 2315 Cnt-Type=- Acc=- Resp-Cnt-Type=application/xml

Expected result:
10.1.1.1 - - [09/May/2017:16:42:52 -0500] [GET /service/auth/login?user_name=JoeUser&password=xxxxx HTTP/1.1] 200 2315 Cnt-Type=- Acc=- Resp-Cnt-Type=application/xml

In props.conf:

    [access_log]
    SEDCMD-replacepasswd = s/password=.+\s/password=xxxxx\s/g

Re: SEDCMD not being applied?

richgalloway — Wed, 10 May 2017 02:25:08 GMT

Did you restart the indexers after modifying props.conf?

Re: SEDCMD not being applied?

MuS — Wed, 10 May 2017 02:56:31 GMT

Also worth to mention that this must be on the parsing layer, so if there are heavy weight forwarder along the data pipe it must be put on them, see the docs for details about this http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline#Parsing_phase

cheers, MuS

Re: SEDCMD not being applied?

jdmclemore — Wed, 10 May 2017 03:53:19 GMT

Ah, that may be it - I do use Heavy Forwarders as my intermediate forwarders. I'll push props.conf out to them and report back.

Re: SEDCMD not being applied?

jdmclemore — Wed, 10 May 2017 04:19:11 GMT

Thanks Mus - that did the trick. I included my SEDCMD stanza in a props.conf that gets distributed to my intermediate Heavy Forwarders and all is good.