Hi,
Can someone help me with filtering logs from Checkpoint before they are indexed?
I tried following that link: https://answers.splunk.com/answers/378972/how-to-filter-out-certain-events-from-checkpoint-d.html
but I think my REGEX doesn't work.
I need to ignore all events where the "message_info" field is equal to "Address spoofing". Here are my props.conf and transforms.conf:
props.conf:
[checkpoint:syslog]
TRANSFORMS-null= setnullCheckpoint
transforms.conf:
[setnullCheckpoint]
REGEX = message_info=Address spoofing
DEST_KEY = queue
FORMAT = nullQueue
Thank you!
Assuming you are deploying the props.conf and transforms.conf to the indexers receiving the events.
I recommend removing the space between the attributes and values in your transforms.conf:
[setnullCheckpoint]
REGEX= message_info=Address spoofing
DEST_KEY= queue
FORMAT= nullQueue
Hi Solarboyz
I deployed props.conf and transforms.conf (folder "C:\Program Files\Splunk\etc\system\local\") on the indexer with your recommendation, but the events are still being indexed...
props.conf:
[checkpoint:syslog]
TRANSFORMS-null=setnullCheckpoint
transforms.conf:
[setnullCheckpoint]
REGEX=message_info=Address spoofing
DEST_KEY=queue
FORMAT=nullQueue
Here is an example of the event that I want to ignore; you can see "message_info" near the end of the event:
May 17 16:24:14 192.168.63.61 1 2018-05-17 16:24:12 ngse CheckPoint 16009 - [action:"Detect"; flags:"393216"; ifdir:"inbound"; ifname:"eth5"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"x.x.x.x"; originsicname:"CN=test,O=srv-test..pn95kt"; sequencenum:"6"; time:"1526585052"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={375400D5-214D-9B4A-A0D3-A1947AFD59A0};mgmt=test;date=1526490675;policy_name=name]"; dst:"x.x.x.x"; message_info:"Address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"80"; service:"49153"; src:"x.x.x.x"; ]
I solved the problem.
The problem was in the REGEX. I changed it to REGEX=message_info:"Address spoofing" and no more events with that message were shown.
Thanks for your help!
It appears you're trying to match a field, not a regex in the raw event.
The raw event has:
message_info:"Address spoofing";
I believe your regex should be:
[setnullCheckpoint]
REGEX= message_info:\"Address spoofing\"
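The following is an added example, not code from the thread or from Splunk, that reproduces the routing decision behind the original poster's fix and the last answer above. It runs the three REGEX values that appear in the thread (the original `message_info=Address spoofing`, the escaped `message_info:\"Address spoofing\"`, and the final `message_info:"Address spoofing"`) against the Check Point event posted above plus one constructed event with a different message_info, and reports which queue each would be sent to. Splunk's REGEX is a PCRE search over _raw, which Python's `re` approximates closely enough for these literal patterns; the `route`, `message_info` and `evaluate` function names are this example's own.

```python
import re

# The "Address spoofing" event as posted in the thread (the one that should be dropped).
SPOOF_EVENT = (
    'May 17 16:24:14 192.168.63.61 1 2018-05-17 16:24:12 ngse CheckPoint 16009 - '
    '[action:"Detect"; flags:"393216"; ifdir:"inbound"; ifname:"eth5"; '
    'loguid:"{0x0,0x0,0x0,0x0}"; origin:"x.x.x.x"; originsicname:"CN=test,O=srv-test..pn95kt"; '
    'sequencenum:"6"; time:"1526585052"; version:"5"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={375400D5-214D-9B4A-A0D3-A1947AFD59A0};'
    'mgmt=test;date=1526490675;policy_name=name]"; dst:"x.x.x.x"; '
    'message_info:"Address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; '
    's_port:"80"; service:"49153"; src:"x.x.x.x"; ]'
)

# Constructed control event in the same format whose message_info must NOT be dropped.
ACCEPT_EVENT = (
    'May 17 16:25:01 192.168.63.61 1 2018-05-17 16:24:59 ngse CheckPoint 16010 - '
    '[action:"Accept"; ifdir:"inbound"; ifname:"eth5"; origin:"x.x.x.x"; '
    'message_info:"Rule matched"; product:"VPN-1 & FireWall-1"; proto:"6"; src:"x.x.x.x"; ]'
)

# The REGEX values exactly as they appear at each step of the thread.
CANDIDATES = {
    "original": r'message_info=Address spoofing',        # first attempt: uses '=' instead of ':"'
    "escaped_quotes": r'message_info:\"Address spoofing\"',  # last answer's suggestion
    "final": r'message_info:"Address spoofing"',          # what the poster ended up with
}


def route(event, regex):
    """Mimic a transforms.conf stanza with DEST_KEY=queue and FORMAT=nullQueue.

    Splunk applies REGEX as an unanchored search over the raw event text; when it
    matches, the event is routed to nullQueue (discarded), otherwise it continues
    to the index queue.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def message_info(event):
    """Extract the message_info value from the Check Point key:"value"; syntax.

    Returns None when the field is absent. This shows the actual raw-text shape
    (colon, then a double-quoted value) that a filtering REGEX has to match.
    """
    m = re.search(r'message_info:"([^"]*)"', event)
    return m.group(1) if m else None


def evaluate(events, candidates=CANDIDATES):
    """Return {regex_name: {event_label: queue}} for every regex/event pair."""
    return {
        name: {label: route(ev, rx) for label, ev in events.items()}
        for name, rx in candidates.items()
    }


if __name__ == "__main__":
    results = evaluate({"spoof": SPOOF_EVENT, "accept": ACCEPT_EVENT})
    for name, per_event in results.items():
        print(f"{name:15s} -> {per_event}")
    print("message_info of spoof event:", message_info(SPOOF_EVENT))
```

The original pattern never matches because the raw text contains `message_info:"Address spoofing"`, not `message_info=Address spoofing`; both the quoted and the backslash-escaped forms match, since `\"` is simply a literal quote in PCRE. Because nullQueue discards events before they are written to disk, a regex like this is best checked against captured sample lines, as here, before it is deployed to the instance that parses the feed (the indexer, or a heavy forwarder in front of it).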