Splunk Cloud Platform

Exclude events in index time /var/log/audit/audit.log

CarolinaHB
Explorer

Hello, 

I need to exclude and prevent the ingestion of data when these events occur.

Im using the TA_Linux and this event is the /var/log/audit/audit.log

Can you help me?

node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"

 

Regards

0 Karma

Richfez
SplunkTrust
SplunkTrust

What is it specifically about those events that you want to get rid of them?  (The "why" isn't important, what we probably need is "what in that event is the important bit that tells you that you can get rid of it")

ALSO The formatting of that event may have been broken - if you can edit your post and paste it in again, on this time use the </> button to paste it in as code, that might be helpful!

But pretending anything from `comm="elasticsearch"` can be gotten rid of, then...

1) Read the first section of this on discarding certain events and keeping the rest, it's not long but it's the pattern we'll use here.  https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

2) For this case, you'll want to create a local/props.conf entry in either the TA you are messing around with, or possibly in a new, specific tiny app you build just for these fixes:

[source::/var/log/audit/audit.log]
TRANSFORMS-null= setnull

3) Then as the docs say, you'll want a local/transforms.conf entry like this one

[setnull]
REGEX = comm="elasticsearch"
DEST_KEY = queue
FORMAT = nullQueue

I don't believe the quotes need escaping in that REGEX line, though I reserve the right to be wrong about that. 

Test, see if it works and let us know!

0 Karma

CarolinaHB
Explorer

Hello @Richfez 

 worked on what you mentioned, but it didn't work for me.

 

I also tried this

props.conf

[source::/var/log/audit/audit.log]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = comm="elastic.*"
DEST_KEY = queue
FORMAT = nullQueue

Regards

0 Karma

Richfez
SplunkTrust
SplunkTrust

I can't imagine anything other than that the regex doesn't match - all else looks fine.

AND - the data you provided I think was munged by the editor!

Can you repaste that sample event only be SURE to use the </> code button?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Also, you have to restart the Splunk system that's on in order for it to take effect. 

0 Karma

CarolinaHB
Explorer

I restarted but it doesn't take the changes. It Is the data `comm="elasticsearch[n"` correct with the special character `[`

0 Karma

Richfez
SplunkTrust
SplunkTrust

Ah, I believe you'll want

 

REGEX = comm="elasticsearch\[n"

 

 

Also just gonna say - I've done this before, I promise it can be made to work!  Don't lose hope even if it's a bit fiddly to get it set up sometimes!

 

0 Karma

CarolinaHB
Explorer

These settings can be applied universal forwarder

0 Karma

isoutamo
SplunkTrust
SplunkTrust
No, those (transforms and props) must be in 1st full splunk instance from UF to indexer(s).
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...