Getting Data In

How can I eliminate logs before indexing?

Communicator

Hi,

Someone can help me in filtering logs from Checkpoint before they are indexing?

I tried following that link: https://answers.splunk.com/answers/378972/how-to-filter-out-certain-events-from-checkpoint-d.html
but I think my REGEX doesn't work.

I need to ignore all events that the "message_info" field is equal to "Address spoofing", here is my props.conf and transforms.conf

props.conf:
[checkpoint:syslog]
TRANSFORMS-null= setnullCheckpoint

transforms.conf:
[setnullCheckpoint]
REGEX = message_info=Address spoofing
DEST_KEY = queue
FORMAT = nullQueue

Thank you!

0 Karma
1 Solution

Builder

Assuming you are deploying the props.conf and transforms.conf to the indexers receiving the events.

I recommend removing the space between the attribute and values in your transforms.conf:

[setnullCheckpoint]
REGEX= messageinfo=Address spoofing
DEST
KEY= queue
FORMAT= nullQueue

View solution in original post

0 Karma

Builder

Assuming you are deploying the props.conf and transforms.conf to the indexers receiving the events.

I recommend removing the space between the attribute and values in your transforms.conf:

[setnullCheckpoint]
REGEX= messageinfo=Address spoofing
DEST
KEY= queue
FORMAT= nullQueue

View solution in original post

0 Karma

Communicator

Hi Solarboyz

I deployed props.conf and transforms.conf (folder "C:\Program Files\Splunk\etc\system\local\") on the indexer with your recommendation, but the events still indexing...
props.conf:
[checkpoint:syslog]
TRANSFORMS-null=setnullCheckpoint

transforms.conf
[setnullCheckpoint]
REGEX=messageinfo=Address spoofing
DEST
KEY=queue
FORMAT=nullQueue

Follow example of the event that I want to ignore, you can see the "message_info" near in the end of event:

May 17 16:24:14 192.168.63.61 1 2018-05-17 16:24:12 ngse CheckPoint 16009 - [action:"Detect"; flags:"393216"; ifdir:"inbound"; ifname:"eth5"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"x.x.x.x"; originsicname:"CN=test,O=srv-test..pn95kt"; sequencenum:"6"; time:"1526585052"; version:"5"; _policyidtag:"product=VPN-1 & FireWall-1[dbtag={375400D5-214D-9B4A-A0D3-A1947AFD59A0};mgmt=test;date=1526490675;policyname=name]"; dst:"x.x.x.x"; messageinfo:"Address spoofing"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"80"; service:"49153"; src:"x.x.x.x"; ]

0 Karma

Communicator

I solved the problem.

The problem was on the REGEX, I changed to REGEX=message_info:"Address spoofing" and no more events with that message was showed

Thanks for your help!

0 Karma

Builder

It appears you're trying to match a field, not a regex in the raw event.

The raw events has:
message_info:"Address spoofing";

I believe your regex should be:

[setnullCheckpoint]
REGEX= message_info:\"Address spoofing\"

0 Karma