Hi Team,
Getting huge audit logs and wanted to blacklist them in inputs.conf.
index=*linux* source="/var/log/audit/audit.log" type=proctitle
I'd start at the beginning of your process, not at its end.
Make sure you're logging (only) what you need with auditd and understand what you're logging and ingesting.
Cutting some parts of the logs blindly can result in missing information.
Hi, can I push props.conf and transforms.conf via the deployment server to the Universal Forwarder (installed on 600 Linux servers)?
I am thinking of creating these props and transforms files on the deployment server under /opt/splunk/etc/deployment-apps/<App Name>/local.
Will it work?
Thanks,
Shashi
@shashilendra - Yes, you can push the configuration from the deployment server to the UF.
But push the nullQueue configuration to the machine which parses the logs. Usually, that's the Indexer (considering the UF is sending logs to Indexers directly).
* The UF does not have the capability to run TRANSFORMS.
Deny ("black") lists apply only to files. To filter individual events, use transforms as suggested by @VatsalJagani or try the new Ingest Action feature, which is similar but a little easier to use. See https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/DataIngest
@shashilendra - I don't think what you are trying to do is possible at the input level with any built-in Splunk configuration.
You can do it by Null Queue (with props/transforms configuration) at the parsing stage.
props.conf
[source::/var/log/audit/audit.log]
# TRANSFORMS-<name> must be set to the transforms.conf stanza that does the filtering
TRANSFORMS-filter_some_logs = filter_some_logs

transforms.conf
[filter_some_logs]
# events whose _raw matches REGEX are routed to nullQueue and dropped before indexing
REGEX = type=proctitle
DEST_KEY = queue
FORMAT = nullQueue
# NOTE - make sure your _raw event has "type=proctitle" in it; change it if the format is different.
Hope this helps. Kindly accept the answer and upvote the answer if this helps!!!
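To check the REGEX before pushing it to the indexers, here is an added stand-alone simulation of the nullQueue routing described in this thread; it is not part of the original answer or of Splunk. It assumes auditd writes the record type in upper case (type=PROCTITLE), and the stanza name filter_some_logs_ci is a hypothetical case-insensitive variant added for comparison.

```python
import configparser
import re

# Constructed transforms.conf text reproducing the stanza from the answer,
# plus a hypothetical case-insensitive variant for comparison.
TRANSFORMS_CONF = """
[filter_some_logs]
REGEX = type=proctitle
DEST_KEY = queue
FORMAT = nullQueue

[filter_some_logs_ci]
REGEX = (?i)type=proctitle
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample audit.log events (synthetic, not from a real host).
# auditd itself writes the record type in upper case.
SAMPLE_EVENTS = [
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm="ls"',
    'type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="ls" a1="-la"',
    'type=CWD msg=audit(1700000000.123:4567): cwd="/root"',
    'type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=6C73002D6C61',
    'type=PROCTITLE msg=audit(1700000000.456:4568): proctitle=636174002F6574632F686F737473',
]


def load_transforms(text):
    """Parse transforms.conf-style text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def route_event(raw, transform):
    """Mimic a queue-routing transform: REGEX is tested against _raw; on a match
    the event goes to FORMAT (nullQueue), otherwise it stays on indexQueue."""
    if transform.get("DEST_KEY") != "queue":
        raise ValueError("only DEST_KEY = queue routing is simulated here")
    if re.search(transform["REGEX"], raw):
        return transform["FORMAT"]
    return "indexQueue"


def simulate(events, transform):
    """Return (indexed, dropped) counts for a list of _raw events under one transform."""
    routed = [route_event(e, transform) for e in events]
    return routed.count("indexQueue"), routed.count("nullQueue")


if __name__ == "__main__":
    transforms = load_transforms(TRANSFORMS_CONF)
    for name in ("filter_some_logs", "filter_some_logs_ci"):
        kept, dropped = simulate(SAMPLE_EVENTS, transforms[name])
        print(f"{name}: indexed={kept} dropped={dropped}")
```

With the sample events the case-sensitive stanza drops nothing, while the (?i) variant drops both PROCTITLE records, which is why the note about checking _raw matters.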