I'm currently using the SQS-based S3 input for CloudTrail and I'm trying to drop noisy events such as GET and LIST.
The documentation says the standard input supports exclude_describe_events and blacklist to filter out unwanted events, which I set, but after looking into it further it seems that a props/transforms entry is needed.
I have configured the following in props and transforms:
props.conf
[aws:cloudtrail]
TRANSFORMS-filter = eventsDrop
transforms.conf
# Filters out read-only CloudTrail events that are not needed
[eventsDrop]
# The pattern must not be wrapped in quotes: Splunk treats them as literal characters.
# Anchoring on the eventName field avoids matching "Get" or "List" elsewhere in the record.
REGEX = "eventName"\s*:\s*"(?:Describe|Get|List|LookupEvents)
DEST_KEY = queue
FORMAT = nullQueue
I tested the regex and it matches events, but the events are not being dropped as expected. This is on a HF, as that collects the logs before they go to the indexers.
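As an added example (not from the original post), the following Python check mimics the nullQueue routing of a transforms.conf stanza against constructed CloudTrail records, comparing the post's alternation with a pattern anchored on the eventName field. Python's re module has no \p{Lu}, so [A-Z] stands in for it.

```python
import json
import re

# Constructed sample CloudTrail records (not taken from the original post).
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com"},
    {"eventName": "LookupEvents", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com"},
    # A write event whose request parameters happen to contain "Get".
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "docs", "key": "GetStarted.pdf"}},
]

# The alternation from the post, unquoted. Splunk's PCRE \p{Lu} is written
# as [A-Z] here because Python's re module does not support \p{...}.
LOOSE_PATTERN = re.compile(r"^Describe|Get|List[A-Z]|LookupEvents")

# Anchored on the eventName field so only the API name is tested.
STRICT_PATTERN = re.compile(r'"eventName"\s*:\s*"(?:Describe|Get|List|LookupEvents)')


def route(raw_event: str, pattern: re.Pattern) -> str:
    """Mimic DEST_KEY = queue / FORMAT = nullQueue: a match sends the event
    to nullQueue, otherwise it continues on to indexQueue."""
    return "nullQueue" if pattern.search(raw_event) else "indexQueue"


def routing_table(pattern: re.Pattern) -> dict:
    """Map each sample eventName to the queue the given pattern routes it to."""
    return {ev["eventName"]: route(json.dumps(ev), pattern) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name)
        for event_name, queue in routing_table(pat).items():
            print(f"  {event_name:<20} -> {queue}")
```

With the loose pattern, `^Describe` never matches because a raw JSON record starts with `{`, and the bare `Get` drops the PutObject event because of its object key; the anchored pattern drops exactly the four read-only calls.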
I tried the same thing and found the same issue. I think the blacklist config is only compatible with the cloudtrail input, NOT the sqs_based_s3 input. Really unfortunate, as I wanted to switch to role-based CloudTrail logging rather than AWS account. Please put this on your bug list, Splunk.