Getting Data In

How to get Linux logs to blacklist in inputs.conf?

shashilendra
Explorer

Hi Team,

Getting huge audit logs and wanted to blacklist them in inputs.conf.

index=*linux* source="/var/log/audit/audit.log" type=proctitle

0 Karma

PickleRick
SplunkTrust

I'd start at the beginning of your process, not at its end.

Make sure you're logging (only) what you need with auditd and understand what you're logging and ingesting.

Cutting some parts of the logs blindly can result in missing information.

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-und...

0 Karma

shashilendra
Explorer

Hi, can I push props.conf and transforms.conf via the deployment server to the Universal Forwarder (installed on 600 Linux servers)?

I am thinking of creating these props and transforms files on the deployment server under /opt/splunk/etc/deployment-apps/<App Name>/local.

Will it work?

Thanks

shashi

0 Karma

VatsalJagani
SplunkTrust

@shashilendra - Yes you can push the configuration from the deployment server to UF.

But the nullQueue configuration goes to the machine which parses the logs. Usually, that's the Indexer (considering the UF is sending logs to Indexers directly).

* UF does not have the capability to run TRANSFORM.


0 Karma

richgalloway
SplunkTrust

Deny ("black") lists apply only to files.  To filter individual events, use transforms as suggested by @VatsalJagani or try the new Ingest Action feature, which is similar but a little easier to use.  See https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/DataIngest

---
If this reply helps you, Karma would be appreciated.
0 Karma

VatsalJagani
SplunkTrust

@shashilendra - I don't think what you are trying to do is possible at the input level with any built-in Splunk configuration.

You can do it by Null Queue (with props/transforms configuration) at the parsing stage.


props.conf

[source::/var/log/audit/audit.log]
TRANSFORMS-filter_some_logs = filter_some_logs


transforms.conf

[filter_some_logs]
REGEX = type=proctitle
DEST_KEY = queue
FORMAT = nullQueue

# NOTE - make sure your _raw event has "type=proctitle" in it, change it if the format is different.


Hope this helps. Kindly accept the answer and upvote the answer if this helps!!!

0 Karma
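To check what the nullQueue transform above would keep and what it would discard before rolling it out to 600 forwarders, here is an added Python simulation (not part of the answer, and not Splunk's own code) run over constructed audit.log lines. It assumes Python's re.search stands in for Splunk's unanchored, case-sensitive PCRE match of REGEX against _raw, and it also makes PickleRick's caveat concrete: nulling PROCTITLE records discards the command line of every event they belong to.

```python
import re

# Constructed sample of /var/log/audit/audit.log lines (not real data).
# All records of one audit event share the same msg=audit(epoch:serial) key;
# the PROCTITLE record carries the command line, hex-encoded when it has spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=59 success=yes exit=0 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="privileged"
type=CWD msg=audit(1700000000.123:4201): cwd="/root"
type=PATH msg=audit(1700000000.123:4201): item=0 name="/etc/shadow" mode=0100000
type=PROCTITLE msg=audit(1700000000.123:4201): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000001.456:4202): arch=c000003e syscall=42 success=yes exit=0 pid=999 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="network"
type=PROCTITLE msg=audit(1700000001.456:4202): proctitle="/usr/sbin/sshd"
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def apply_nullqueue(raw_log: str, regex: str):
    """Split lines into (kept, dropped) the way the nullQueue transform would.

    Splunk evaluates transforms.conf REGEX as an unanchored, case-sensitive
    PCRE search against _raw; re.search stands in for that here (assumption)."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for line in raw_log.splitlines():
        (dropped if pattern.search(line) else kept).append(line)
    return kept, dropped


def decode_proctitle(value: str) -> str:
    """Render a proctitle value: quoted string, or hex with NUL-separated argv."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")


def lost_command_lines(raw_log: str, regex: str) -> dict:
    """Map audit serial -> command line the filter would discard; the remaining
    SYSCALL/PATH records of that serial no longer tell you what was run."""
    _, dropped = apply_nullqueue(raw_log, regex)
    lost = {}
    for line in dropped:
        serial = SERIAL_RE.search(line).group(1)
        lost[serial] = decode_proctitle(line.split("proctitle=", 1)[1])
    return lost


if __name__ == "__main__":
    # The answer's lowercase regex misses auditd's uppercase type=PROCTITLE.
    print([len(x) for x in apply_nullqueue(SAMPLE_AUDIT_LOG, r"type=proctitle")])
    print(lost_command_lines(SAMPLE_AUDIT_LOG, r"type=PROCTITLE"))
```

Running it with the answer's literal `type=proctitle` drops nothing on real-format auditd lines, which is exactly the case the answer's NOTE tells you to verify against your own _raw.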