Hello,
I need to exclude and prevent the ingestion of data when these events occur.
I'm using the TA_Linux, and this event is from /var/log/audit/audit.log.
Can you help me?
node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"
Regards
What is it specifically about those events that makes you want to get rid of them? (The "why" isn't important; what we probably need is "what in that event is the important bit that tells you that you can get rid of it".)
Also, the formatting of that event may have been broken. If you can edit your post and paste it in again, this time using the </> button to paste it in as code, that might be helpful!
But pretending anything from `comm="elasticsearch"` can be gotten rid of, then...
1) Read the first section of this on discarding certain events and keeping the rest, it's not long but it's the pattern we'll use here. https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_...
2) For this case, you'll want to create a local/props.conf entry in either the TA you are messing around with, or possibly in a new, specific tiny app you build just for these fixes:
[source::/var/log/audit/audit.log]
TRANSFORMS-null= setnull
3) Then, as the docs say, you'll want a local/transforms.conf entry like this one:
[setnull]
REGEX = comm="elasticsearch"
DEST_KEY = queue
FORMAT = nullQueue
I don't believe the quotes need escaping in that REGEX line, though I reserve the right to be wrong about that.
Test, see if it works and let us know!
Hello @Richfez,
I worked on what you mentioned, but it didn't work for me.
I also tried this
props.conf
[source::/var/log/audit/audit.log]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = comm="elastic.*"
DEST_KEY = queue
FORMAT = nullQueue
Regards
I can't imagine anything other than that the regex doesn't match - all else looks fine.
And the data you provided was, I think, munged by the editor!
Can you repaste that sample event, only be SURE to use the </> code button?
Also, you have to restart the Splunk system that it's on in order for it to take effect.
I restarted, but it doesn't take the changes. Is the data `comm="elasticsearch[n"` correct with the special character `[`?
Ah, I believe you'll want
REGEX = comm="elasticsearch\[n"
Also just gonna say - I've done this before, I promise it can be made to work! Don't lose hope even if it's a bit fiddly to get it set up sometimes!
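Added example (not from the thread or from Splunk): a small Python model of the props.conf/transforms.conf nullQueue routing described in the steps above, run over constructed audit.log lines shaped like the one in the original post, so you can see which of the three REGEX values tried in this thread actually match. It assumes the goal is to drop every event whose comm= value starts with "elasticsearch". Note that auditd truncates comm= to 15 characters, which is why a Java thread name shows up as "elasticsearch[n"; other Elasticsearch threads will truncate differently, so a pattern that pins the literal `[n` only catches some of them. A fourth, more robust pattern is included for that reason (it is an assumption about intent, not something the thread states).

```python
import re

# Constructed sample audit.log lines, modelled on the event quoted in the
# thread (not captured from a real system). The kernel truncates comm= to 15
# characters, so the Elasticsearch thread name ends up as "elasticsearch[n";
# a different thread of the same JVM is shown as "elasticsearch[w" below.
SAMPLE_EVENTS = [
    'node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e '
    'syscall=87 success=yes exit=0 ppid=1 pid=1990 auid=3001 uid=3001 comm="elasticsearch[n" '
    'exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" key="delete-successful"',
    'node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180154.001:128962294): arch=c000003e '
    'syscall=87 success=yes exit=0 ppid=1 pid=1102 auid=0 uid=0 comm="sshd" '
    'exe="/usr/sbin/sshd" key="delete-successful"',
    'node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180155.120:128962295): arch=c000003e '
    'syscall=87 success=yes exit=0 ppid=1 pid=1990 auid=3001 uid=3001 comm="elasticsearch[w" '
    'exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" key="delete-successful"',
]

# The REGEX values tried in the thread, plus one robust alternative. The
# "robust" entry is an assumption about the intent (drop every comm= that
# starts with elasticsearch), not something posted in the thread.
REGEXES = {
    "first":   r'comm="elasticsearch"',       # needs a closing quote right after the word
    "second":  r'comm="elastic.*"',           # any comm= value starting with elastic
    "escaped": r'comm="elasticsearch\[n"',    # literal [n; misses other JVM threads
    "robust":  r'comm="elasticsearch[^"]*"',  # every elasticsearch thread, nothing else
}


def route(event: str, regex: str) -> str:
    """Model one transforms.conf stanza with DEST_KEY = queue, FORMAT = nullQueue.

    Splunk applies REGEX as an unanchored PCRE search; re.search behaves the
    same for these patterns. A match sends the event to nullQueue (dropped),
    otherwise it continues to indexQueue.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def comm_of(event: str) -> str:
    """Extract the comm= value from an audit.log line (empty string if absent)."""
    m = re.search(r'comm="([^"]*)"', event)
    return m.group(1) if m else ""


def dropped_comms(events, regex):
    """comm= values of the events that the given REGEX would discard."""
    return [comm_of(e) for e in events if route(e, regex) == "nullQueue"]


if __name__ == "__main__":
    # Show, for each pattern, which sample events would go to nullQueue.
    for name, rx in REGEXES.items():
        print(f"{name:8} {rx:32} drops {dropped_comms(SAMPLE_EVENTS, rx)}")
```

Two things the output makes visible. The first pattern drops nothing against this event, because `comm="elasticsearch"` requires a closing quote immediately after the word and the real value continues with `[n`; the second pattern (`comm="elastic.*"`) does match, so if that version was also not filtering, the problem is where the stanzas live rather than the regex. For an unstructured file like audit.log this routing happens in the parsing pipeline, so the props.conf and transforms.conf entries need to be on the indexers (or a heavy forwarder), not on a universal forwarder, and that instance needs the restart. To confirm the stanza is being picked up where you put it, `splunk btool props list --debug` on that host shows each effective setting and the file it came from.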
These settings can be applied on the universal forwarder.