Getting Data In

Auditd logs are not being discarded as expected!

sawwinnaung
Explorer

I am trying to set up props & transforms on the indexers to send PROCTITLE events to the null queue.
I tried the regex below, but it doesn't seem to work.

props.conf and transforms.conf location:   /app/splunk/etc/apps/TA-linux_auditd/local/

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

Sample events:

type=PROCTITLE msg=audit(1750049138.587:1710xxxx): proctitle=737368643A206165705F667470757372205B70726xxxxx

type=PROCTITLE msg=audit(1750049130.891:1710xxxx): proctitle="(systemd)"

type=PROCTITLE msg=audit(1750049102.068:377xxxx): proctitle="/usr/lib/systemd/systemd-logind"

Could someone help me to fix this issue?


0 Karma
1 Solution

sawwinnaung
Explorer

When I applied the confs below on the HF, PROCTITLE was discarded successfully. Thanks for your help and suggestions.

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

gcusello
SplunkTrust

Hi @sawwinnaung ,

First, use a backslash when you have = in your regexes. Anyway, where have you located these conf files?

They must be located on the first full Splunk instance that the data pass through, in other words on the first Heavy Forwarder (if present) or on the Indexers (if there are no HFs), not on the Universal Forwarder.

Ciao.

Giuseppe

0 Karma

sawwinnaung
Explorer

@gcusello 

The props.conf and transforms.conf files are located on the indexer under the following path:
/app/splunk/etc/apps/TA-linux_auditd/local/

These configurations previously worked successfully. However, after upgrading the Splunk version and migrating the Linux environment, the configurations no longer seem to function as expected.

Thanks for your suggestions.

0 Karma

gcusello
SplunkTrust

Hi @sawwinnaung ,

If you don't have any additional HF in your infrastructure, check the regex you're using (you can test it using the regex command in Splunk).

This way you can check whether there was some change in the log structure.

Then try using a backslash to escape the = in your regex.

Ciao.

Giuseppe

0 Karma
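The routing described in the original question (a transforms REGEX with DEST_KEY = queue and FORMAT = nullQueue) and the advice above to test the regex against real events can be checked offline before touching any Splunk instance. The script below is an added example written for this thread, not code from the thread or from Splunk. It emulates how a transforms REGEX is applied, as an unanchored PCRE search where a match sends the event to nullQueue and a non-match lets it continue to indexQueue, using Python's re module in place of PCRE (equivalent for these patterns). The sample events are constructed and modelled on the ones quoted in the question, with placeholder serials; the SYSCALL and EXECVE lines are added so that a non-matching event is present. The three regex variants are the ones that appear in the thread, including the backslash-escaped form, to show that = is a literal character and escaping it changes nothing.

```python
import re

# Constructed sample events modelled on the thread's examples.
# Timestamps and serial numbers are placeholders, not real system values.
SAMPLE_EVENTS = [
    'type=PROCTITLE msg=audit(1750049138.587:1710001): proctitle=737368643A2061',
    'type=PROCTITLE msg=audit(1750049130.891:1710002): proctitle="(systemd)"',
    'type=PROCTITLE msg=audit(1750049102.068:3770001): proctitle="/usr/lib/systemd/systemd-logind"',
    'type=SYSCALL msg=audit(1750049138.587:1710001): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1750049138.587:1710001): argc=2 a0="sshd" a1="-D"',
]

# The REGEX values that appear in the thread. A transforms REGEX is applied
# as an unanchored search, so the leading ^ and trailing .* are optional,
# and '=' is not a regex metacharacter, so escaping it is harmless.
REGEX_VARIANTS = {
    "original":   r"^type=PROCTITLE.*",
    "unanchored": r"type=PROCTITLE",
    "escaped":    r"^type\=PROCTITLE.*",
}


def route_event(event: str, regex: str) -> str:
    """Emulate DEST_KEY = queue / FORMAT = nullQueue for one event.

    A match means the event is discarded (nullQueue); anything else
    continues down the pipeline to the indexQueue.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def route_all(events, regex):
    """Queue decision for every event, in input order."""
    return [route_event(e, regex) for e in events]


def regex_variants_agree(events, variants=REGEX_VARIANTS):
    """True when every REGEX variant routes every event to the same queue."""
    routings = [route_all(events, rx) for rx in variants.values()]
    return all(r == routings[0] for r in routings)


def discarded_fraction(events, regex):
    """Share of events the regex would drop.

    A useful pre-deployment sanity check: a value far from what you expect
    (here 3 of 5) means the regex does not fit the format actually arriving,
    which is the failure mode to look for after an upgrade or migration.
    """
    routed = route_all(events, regex)
    return routed.count("nullQueue") / len(routed)


if __name__ == "__main__":
    for name, rx in REGEX_VARIANTS.items():
        print(f"{name:10s} {rx!r}")
        for ev, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, rx)):
            print(f"  {queue:10s} {ev[:60]}")
    print("variants agree:", regex_variants_agree(SAMPLE_EVENTS))
    print("discarded:", discarded_fraction(SAMPLE_EVENTS, REGEX_VARIANTS["original"]))
```

If this script routes the sample events as expected but the same regex does nothing in production, the regex is not the problem; as the reply above says, the stanza is then on the wrong instance (the transform must sit on the first heavy forwarder or indexer the data reaches) or the sourcetype and source of the incoming events no longer match the props.conf stanzas.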

sawwinnaung
Explorer

When I applied the confs below on the HF, PROCTITLE was discarded successfully. Thanks for your help and suggestions.

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue
0 Karma

gcusello
SplunkTrust

Hi @sawwinnaung ,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust

Hi @sawwinnaung ,

Good for you, see you next time!

Let us know if we can help you more, or please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

PrewinThomas
Motivator

@sawwinnaung 

Try the below:

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = type=PROCTITLE
DEST_KEY = queue
FORMAT = nullQueue


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma

sawwinnaung
Explorer

@PrewinThomas 

Thanks for your help. Even though I updated REGEX = type=PROCTITLE in transforms.conf located on the indexer, the filtering still isn't working.

0 Karma