Getting Data In

Transforms and Props for Linux Syslog Filtering

gkstev87
Loves-to-Learn Lots

Hello,

Our customer has decided to end use of Splunk in lieu of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110GB worth of Perpetual licensing we have leftover.  We are currently filtering out non-essentials, and for us one of the big players is linux syslog.  I am attempting to use transforms and props to filter out everything that isn't an authentication failure.  The regular expression is looking for the string of text "authentication failure".  I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial flood gates are still opening up.

Can someone take a look at these and let me know what looks wrong here?  The transforms are meant to bring in only events with "authentication failure" and toss out everything else.

Props.conf

[syslog]
TRANSFORMS-set=set_parsing,set_null


Transforms.conf

[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

jotne
Builder

Why not just:

REGEX = authentication\sfailure

Sucheta_new
Loves-to-Learn

Hi,

Can you try the config below in props:

[syslog]
TRANSFORMS-set=set_parse,set_null

Your transforms stanza says set_parse, but props says set_parsing.


richgalloway
SplunkTrust

The regex is looking for 3 characters between "authentication" and "failure", but the event contains only 1.  Try

REGEX = \bauthentication\sfailure\b
---
If this reply helps you, Karma would be appreciated.

gkstev87
Loves-to-Learn Lots

Thank you for your help here Rich!  I replaced the regex with the one you provided and still am not seeing any data at all.  Both my regular expression, as well as the one you provided, worked to locate the string "authentication failure" in regex101.  This has left me more or less stumped.  It's like the Heavy Forwarder is completely ignoring the "set_parse" setting.  Perhaps the issue lies with props.conf?  I have used props and transforms before, just not sure what the issue is here.

What do you think?

Thanks

Grant


richgalloway
SplunkTrust

It's possible Splunk's regex library doesn't handle \b well.  Is there something else that indicates the start and end of the desired string?  Perhaps \Wauthentication\sfailure\W?

---
If this reply helps you, Karma would be appreciated.
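Added example, not posted by anyone in this thread: a small Python model of how Splunk applies queue-routing transforms, run over constructed syslog lines, to check the two points raised above, the stanza-name mismatch Sucheta_new spotted (props.conf names set_parsing, transforms.conf defines set_parse) and the regex Rich and jotne discussed. Two facts about Splunk drive the model. First, the transforms listed in a TRANSFORMS-* setting are applied left to right and the last one whose REGEX matches sets the queue, which is why the documented route-and-filter pattern lists the nullQueue catch-all first and the narrower indexQueue transform second; with the posted order (catch-all last) every event ends up in nullQueue even once the name is fixed. Second, \b is a zero-width word boundary in PCRE (Splunk's regex engine) just as in Python's re, so the original \bauthentication\b\s\bfailure\b matches "authentication failure" as written. Treating a transform that is named in props.conf but has no stanza as simply not applied is an assumption of this model; the sample log lines are constructed.

```python
import configparser
import re

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_EVENTS = [
    "Jan 10 10:22:03 host1 sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root",
    "Jan 10 10:22:04 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 10 10:22:10 host1 CRON[2222]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jan 10 10:23:00 host1 systemd[1]: Started Daily apt download activities.",
]

# props.conf as posted: stanza name does not match transforms.conf, and the
# nullQueue catch-all is listed last.
PROPS_AS_POSTED = """
[syslog]
TRANSFORMS-set=set_parsing,set_null
"""

# Corrected props.conf: the name matches, and the catch-all comes FIRST so the
# indexQueue transform applied after it wins for matching events.
PROPS_FIXED = """
[syslog]
TRANSFORMS-set=set_null,set_parse
"""

# transforms.conf as posted, regex unchanged.
TRANSFORMS_CONF = r"""
[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def transform_order(props, sourcetype):
    """Transform names from every TRANSFORMS-* key of a props stanza, in order."""
    names = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def missing_transforms(props, transforms, sourcetype):
    """Names referenced from props.conf that have no transforms.conf stanza."""
    return [n for n in transform_order(props, sourcetype) if n not in transforms]


def route_event(event, order, transforms, default="indexQueue"):
    """Apply queue-routing transforms in props.conf order; the last transform
    whose REGEX matches decides the queue (Splunk's documented behaviour).
    ASSUMPTION: a name with no stanza is skipped rather than failing."""
    queue = default
    for name in order:
        t = transforms.get(name)
        if t is None or t.get("DEST_KEY") != "queue":
            continue
        if re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def indexed_events(events, props_text, transforms_text, sourcetype="syslog"):
    """Events that would reach indexQueue under the given props/transforms."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    order = transform_order(props, sourcetype)
    return [e for e in events if route_event(e, order, transforms) == "indexQueue"]


if __name__ == "__main__":
    props, transforms = load_conf(PROPS_AS_POSTED), load_conf(TRANSFORMS_CONF)
    print("stanzas missing from transforms.conf:", missing_transforms(props, transforms, "syslog"))
    print("as posted ->", len(indexed_events(SAMPLE_EVENTS, PROPS_AS_POSTED, TRANSFORMS_CONF)), "event(s) indexed")
    print("fixed     ->", len(indexed_events(SAMPLE_EVENTS, PROPS_FIXED, TRANSFORMS_CONF)), "event(s) indexed")
```

On a real instance the equivalent check is splunk btool props list syslog --debug and splunk btool transforms list set_parse --debug, which show which file each setting was read from and whether the stanza exists at all. The nullQueue filtering also has to sit on the first full Splunk instance that parses the data (the heavy forwarder here, or an indexer), not on a universal forwarder, or the whole stream passes through untouched.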