Getting Data In

Transforms and Props for Linux Syslog Filtering

gkstev87
Loves-to-Learn Lots

Hello,

Our customer has decided to end use of Splunk in favor of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110 GB worth of Perpetual licensing we have left over. We are currently filtering out non-essentials, and for us one of the big players is Linux syslog. I am attempting to use transforms and props to filter out everything that isn't an authentication failure. The regular expression is looking for the string of text "authentication failure". I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial flood gates are still opening up.

Can someone take a look at these and let me know what looks wrong here? The transforms are meant to bring in only events with "authentication failure" and toss out everything else.

Props.conf

[syslog]
TRANSFORMS-set=set_parsing,set_null
Transforms.conf

[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
0 Karma

jotne
Builder

Why not just:

REGEX = authentication\sfailure
0 Karma

Sucheta_new
Loves-to-Learn

Hi,

Can you try the below config in props:

[syslog]
TRANSFORMS-set=set_parse,set_null

As your transforms stanza says set_parse while props says set_parsing.

0 Karma
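Two things are worth checking here, and a small model makes both visible. First, the name mismatch above: a name listed in TRANSFORMS-* that has no stanza in transforms.conf is simply skipped, so the typo fails silently. Second, order: Splunk runs every transform in the TRANSFORMS-* list in sequence, and each matching transform with DEST_KEY=queue overwrites the queue, so the last match wins. That is why the Splunk documentation's nullQueue pattern lists the "drop everything" transform first and the "keep these" transform second; with set_null last, every event still ends in nullQueue even after the name is fixed. The following Python is an added example, not code from the thread or from Splunk: it parses the posted transforms.conf plus three versions of props.conf and routes a handful of constructed syslog lines through them. Python's re module stands in for Splunk's PCRE engine; both support \b, and for these patterns they agree.

```python
import configparser
import re

# Constructed sample events (not from the original thread): two PAM
# authentication failures mixed with ordinary syslog noise.
SAMPLE_EVENTS = [
    "Mar  5 10:01:12 host1 sshd[2211]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root",
    "Mar  5 10:01:15 host1 sshd[2211]: Accepted publickey for alice from 203.0.113.8 port 51234 ssh2",
    "Mar  5 10:02:00 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  5 10:02:30 host1 sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob",
]

# transforms.conf exactly as posted in the question (raw string so \b survives).
TRANSFORMS_CONF = r"""
[set_parse]
REGEX = \bauthentication\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""

# props.conf as posted: refers to a stanza (set_parsing) that does not exist.
PROPS_AS_POSTED = """
[syslog]
TRANSFORMS-set=set_parsing,set_null
"""

# Name fixed, but set_null still runs last and overwrites set_parse's decision.
PROPS_NAME_FIXED = """
[syslog]
TRANSFORMS-set=set_parse,set_null
"""

# Name fixed and order corrected: drop everything first, then rescue matches.
PROPS_CORRECTED = """
[syslog]
TRANSFORMS-set=set_null,set_parse
"""


def load_conf(text):
    """Parse a .conf fragment, keeping key case so keys look like Splunk's."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_event(event, props, transforms, sourcetype="syslog"):
    """Return the queue the event ends up in.

    Models Splunk's parsing-time behaviour: every transform named in the
    TRANSFORMS-* list runs in order, and each matching transform with
    DEST_KEY=queue overwrites the queue, so the last match wins. A name with
    no stanza is skipped, which is why a typo drops events silently.
    """
    queue = "indexQueue"  # default destination when nothing rewrites it
    chain = props.get(sourcetype, "TRANSFORMS-set")
    for name in (n.strip() for n in chain.split(",")):
        if not transforms.has_section(name):
            continue  # dangling reference: no-op
        stanza = transforms[name]
        if stanza.get("DEST_KEY") != "queue":
            continue
        if re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue


def route_all(props_text, transforms_text, events):
    """Route every event and return the list of destination queues."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [route_event(e, props, transforms) for e in events]


if __name__ == "__main__":
    scenarios = [("as posted", PROPS_AS_POSTED),
                 ("name fixed", PROPS_NAME_FIXED),
                 ("name and order fixed", PROPS_CORRECTED)]
    for label, props_text in scenarios:
        print(f"--- {label}")
        for event, queue in zip(SAMPLE_EVENTS,
                                route_all(props_text, TRANSFORMS_CONF, SAMPLE_EVENTS)):
            print(f"{queue:11s} {event[:60]}")
```

Only the third scenario indexes the two authentication failures and drops the rest. On a real deployment the props/transforms pair has to sit on the first full Splunk instance that parses the data (the heavy forwarder here, not a universal forwarder), and the instance needs a restart or a config reload before the change takes effect.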

richgalloway
SplunkTrust

The regex is looking for 3 characters between "authentication" and "failure", but the event contains only 1. Try

REGEX = \bauthentication\sfailure\b
---
If this reply helps you, Karma would be appreciated.
0 Karma

gkstev87
Loves-to-Learn Lots

Thank you for your help here, Rich! I replaced the regex with the one you provided and still am not seeing any data at all. Both my regular expression, as well as the one you provided, worked to locate the string "authentication failure" in regex101. This has left me more or less stumped. It's like the Heavy Forwarder is completely ignoring the "set_parse" setting. Perhaps the issue lies with props.conf? I have used props and transforms before, just not sure what the issue is here.

What do you think?

Thanks

Grant

0 Karma

richgalloway
SplunkTrust

It's possible Splunk's regex library doesn't handle \b well. Is there something else that indicates the start and end of the desired string? Perhaps \Wauthentication\sfailure\W?

---
If this reply helps you, Karma would be appreciated.
0 Karma