Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Auditd logs are not being discarded as expected!

sawwinnaung
Explorer
‎06-15-2025 09:53 PM

I am trying to setup props & transforms in indexers to send PROCTITLE events to null queue
i tried below regex but that doesn't seem to work. 

props.conf and transforms.conf location:   /app/splunk/etc/apps/TA-linux_auditd/local/

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

sample event-  

type=PROCTITLE msg=audit(1750049138.587:1710xxxx): proctitle=737368643A206165705F667470757372205B70726xxxxx

 

type=PROCTITLE msg=audit(1750049130.891:1710xxxx): proctitle="(systemd)"

type=PROCTITLE msg=audit(1750049102.068:377xxxx): proctitle="/usr/lib/systemd/systemd-logind"

Could someone help me to fix this issue?


 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sawwinnaung
Explorer
‎06-16-2025 03:00 AM

When I applied below confs in HF, PROCTITLE has been discarded successfully .  Thanks for your help and suggestions.

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2025 11:59 PM

Hi @sawwinnaung ,

at first use backslash when you have = in your regexes, anyway, where do you located these conf files?

they must be located in the first full Splunk instance that data are passing through, in other words, in the first Heavy Forwarder (if present) or in the Indexers (if there are no HFs), not on Universal Forwarder.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

sawwinnaung
Explorer
‎06-16-2025 01:09 AM

@gcusello 

 

             The props.conf and transforms.conf files are located on the indexer under the following path:
/app/splunk/etc/apps/TA-linux_auditd/local/

These configurations previously worked successfully. However, after upgrading the Splunk version and migrating the Linux environment, the configurations no longer seem to function as expected.

Thanks for your suggestions.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2025 01:18 AM

Hi @sawwinnaung ,

if you haven't any additional HF in your infrastructure, check the regex you're using (you can test it using the regex command in Splunk).

In this way you can check if there was some change in the logs structure.

Then try to use backslash to escape the = in your regex.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

sawwinnaung
Explorer
‎06-16-2025 03:00 AM

When I applied below confs in HF, PROCTITLE has been discarded successfully .  Thanks for your help and suggestions.

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue

 

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2025 08:05 AM

Hi @sawwinnaung ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2025 03:11 AM

Hi @sawwinnaung ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

PrewinThomas
Motivator
‎06-15-2025 10:33 PM

@sawwinnaung 

Try below,

props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle

[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle

transforms.conf
[discard_proctitle]
REGEX = type=PROCTITLE
DEST_KEY = queue
FORMAT = nullQueue


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

sawwinnaung
Explorer
‎06-16-2025 12:46 AM

@PrewinThomas 

 

          Thanks for your help. Even though I updated REGEX = type=PROCTITLE in transforms.conf located on the indexer, the filtering still isn’t working.

 

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...