Splunk Search

How to filter off /var/spool events on linux?

remy06
Contributor

auditd is generating a number of events on a Linux server.

For example, this event is identified by session id=1336067 (auto-generated).

```
type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool
```

I can filter off the 2nd line using the keyword "cwd=/var/spool", but for the first line there isn't any keyword I can use.

Is there a way to filter off both events by using the keyword="cwd=/var/spool" and relating the two events together by their session id?


netwrkr
Communicator

One idea might be to use the transaction command to group similar events together. I think you would first need to teach Splunk how to extract the 'session id' field. Once you did that you could do something like

```
eventtype=audit | transaction fields=sid maxspan=5s
```

where 'sid' is the session id field you previously taught Splunk how to extract.

0 Karma
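To make the grouping idea above concrete, here is an added example (not code from the post or from Splunk) that does outside Splunk what the transaction search does inside it: it extracts the number after the colon in msg=audit(<timestamp>:<serial>), which the question calls the session id, groups every record carrying the same serial, and drops the whole group whenever any member has a cwd under /var/spool. The log lines are constructed for the example, modelled on the two records in the question plus a second, unrelated event that must survive; the function names are this example's own. Note that the two posted records share a serial but not a timestamp, so the script keys on the serial alone and never relies on a time window the way maxspan=5s does.

```python
import re
from collections import defaultdict

# Constructed sample records (not a real capture): the two lines from the
# question, plus an unrelated event with serial 1336070 that must be kept.
SAMPLE_LOG = """\
type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool
type=PATH msg=audit(03/15/2011 17:05:10.001:1336070) : item=0 name=/etc/passwd inode=123456790 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/15/2011 17:05:10.001:1336070) : cwd=/root
type=SYSCALL msg=audit(03/15/2011 17:05:10.001:1336070) : arch=x86_64 syscall=open success=yes exit=3
"""

# msg=audit(<timestamp>:<serial>): the timestamp itself contains colons, so
# [^)]+ is greedy and backtracks to the last colon before the closing paren.
SERIAL_RE = re.compile(r"msg=audit\(([^)]+):(\d+)\)")
CWD_RE = re.compile(r"\bcwd=(\S+)")


def extract_serial(line):
    """Return the audit serial of one record, or None if the line has none."""
    m = SERIAL_RE.search(line)
    return m.group(2) if m else None


def group_by_serial(lines):
    """Bucket records by serial; lines without a serial land under None."""
    groups = defaultdict(list)
    for line in lines:
        groups[extract_serial(line)].append(line)
    return groups


def serials_with_cwd(lines, cwd_prefix):
    """Serials of every record whose cwd is cwd_prefix or a path below it."""
    prefix = cwd_prefix.rstrip("/")
    hits = set()
    for line in lines:
        m = CWD_RE.search(line)
        if not m:
            continue
        cwd = m.group(1)
        if cwd == prefix or cwd.startswith(prefix + "/"):
            serial = extract_serial(line)
            if serial is not None:
                hits.add(serial)
    return hits


def filter_audit_log(text, cwd_prefix="/var/spool"):
    """Split records into (kept, dropped): a record is dropped when ANY
    record sharing its serial has a cwd under cwd_prefix, which is what
    relates the PATH line to the CWD line in the question."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    drop = serials_with_cwd(lines, cwd_prefix)
    kept, dropped = [], []
    for line in lines:
        (dropped if extract_serial(line) in drop else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_audit_log(SAMPLE_LOG)
    for line in dropped:
        print("DROP", line)
    for line in kept:
        print("KEEP", line)
```

Two caveats worth keeping in mind when moving this into Splunk: the serial is a per-host counter, so on a forwarder-fed index you would key on host plus serial; and because the PATH and CWD lines arrive as separate records, the correlation needs the whole group in view, which a search-time transaction has but a per-event regex does not.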

netwrkr
Communicator

The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here: http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma

remy06
Contributor

I will need to filter them off before Splunk indexes it. So that means I have to specify the REGEX in transforms.conf? If this is the only way, then how do I specify a REGEX to filter off the events?

0 Karma