How to get linux logs to blacklist in input.conf?

shashilendra
Explorer

Hi Team,

We are getting huge audit logs and want to blacklist some of them in inputs.conf.

index=*linux* source="/var/log/audit/audit.log" type=proctitle


PickleRick
SplunkTrust

I'd start at the beginning of your process, not at its end.

Make sure you're logging (only) what you need with auditd and understand what you're logging and ingesting.

Cutting some parts of the logs blindly can result in missing information.

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-und...


shashilendra
Explorer

Hi, can I push props.conf and transforms.conf via the deployment server to the Universal Forwarder (installed on 600 Linux servers)?

I am thinking of creating these props and transforms files on the deployment server under /opt/splunk/etc/deployment-apps/<App Name>/local.

Will it work?

Thanks

shashi


VatsalJagani
SplunkTrust

@shashilendra - Yes you can push the configuration from the deployment server to UF.

But the nullQueue configuration goes to the machine which parses the logs. Usually that's the Indexer (considering the UF is sending logs to Indexers directly).

* UF does not have the capability to run TRANSFORM.


richgalloway
SplunkTrust

Deny ("black") lists apply only to files.  To filter individual events, use transforms as suggested by @VatsalJagani or try the new Ingest Action feature, which is similar but a little easier to use.  See https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/DataIngest

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust

@shashilendra - I don't think what you are trying to do is possible at the input level with any built-in Splunk configuration.

You can do it by Null Queue (with props/transforms configuration) at the parsing stage.


props.conf

[source::/var/log/audit/audit.log]
TRANSFORMS-filter_some_logs = filter_some_logs


transforms.conf

[filter_some_logs]
REGEX = type=proctitle
DEST_KEY = queue
FORMAT = nullQueue

# NOTE - make sure your _raw event has "type=proctitle" in it, change it if the format is different.


Hope this helps. Kindly accept the answer and upvote the answer if this helps!!!

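The following is an added example, not code from any of the posters above. It illustrates three points made in this thread before you push a nullQueue transform to 600 hosts: richgalloway's point that an inputs.conf blacklist is matched against the file path (so putting "type=proctitle" there filters nothing), VatsalJagani's note that the transforms.conf REGEX must actually match your _raw events (auditd writes record types in upper case, e.g. "type=PROCTITLE", and the PCRE regex in transforms.conf is case-sensitive unless you prefix it with (?i), even though the search in the question matches case-insensitively), and PickleRick's warning that dropping records blindly loses information (a PROCTITLE record carries the hex-encoded command line). The sample log lines are constructed, and Python's re module stands in for Splunk's PCRE engine, which is close enough for patterns this simple.

```python
import re

# Constructed sample lines in audit.log format (not from the thread).
# auditd writes record types in upper case; PROCTITLE carries the
# NUL-separated command line, hex-encoded.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="ls" a1="-l"',
    'type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=6C73002D6C',
    'type=USER_LOGIN msg=audit(1700000001.456:4568): pid=1234 uid=0 res=success',
]


def null_queued(raw: str, regex: str) -> bool:
    """Approximate the transforms.conf test: an unanchored, case-sensitive
    regex search against the whole _raw event."""
    return re.search(regex, raw) is not None


def filter_events(lines, regex):
    """Split events the way the indexer's nullQueue transform would:
    returns (kept, dropped)."""
    kept, dropped = [], []
    for line in lines:
        (dropped if null_queued(line, regex) else kept).append(line)
    return kept, dropped


def file_blacklisted(path: str, blacklist_regex: str) -> bool:
    """An inputs.conf [monitor] blacklist is a regex over the file path.
    It never sees the file's contents, so an event-level pattern such as
    'type=proctitle' can only ever match a path containing that text."""
    return re.search(blacklist_regex, path) is not None


def decode_proctitle(hex_value: str) -> str:
    """Decode the hex proctitle field to show what a dropped record held.
    Arguments are separated by NUL bytes in the encoded value."""
    return bytes.fromhex(hex_value).replace(b"\x00", b" ").decode("utf-8", "replace")


if __name__ == "__main__":
    # As written in the thread: lower-case pattern against upper-case records.
    kept, dropped = filter_events(SAMPLE_AUDIT_LINES, r"type=proctitle")
    print(f"'type=proctitle' drops {len(dropped)} of {len(SAMPLE_AUDIT_LINES)} events")

    # Case-insensitive variant actually removes the PROCTITLE record.
    kept, dropped = filter_events(SAMPLE_AUDIT_LINES, r"(?i)type=proctitle")
    print(f"'(?i)type=proctitle' drops {len(dropped)} event(s):")
    for line in dropped:
        value = line.rsplit("proctitle=", 1)[1]
        print("  dropped command line:", decode_proctitle(value))

    # The same pattern in inputs.conf blacklist matches nothing, because it
    # is tested against the path, not the events.
    print("blacklist on path:", file_blacklisted("/var/log/audit/audit.log", r"type=proctitle"))
    # A path-based blacklist is the right tool for skipping rotated files.
    print("rotated file skipped:", file_blacklisted("/var/log/audit/audit.log.1", r"audit\.log\.\d+$"))
```

Run it against a handful of your own audit.log lines in place of the constructed sample before deploying the transform; the lower-case regex drops nothing, the (?i) variant drops exactly the PROCTITLE record, and the decoded proctitle shows the command line you would lose.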