Splunk Search

How to filter off /var/spool events on linux?

remy06
Contributor

auditd is generating number of events on linux server.

For example, this event is identified by session id=1336067 (auto-generated).

```
type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool
```

I can filter off the 2nd line using the keyword "cwd=/var/spool", but for the first line there isn't any keyword I can use.

Is there a way to filter off both events by using the keyword="cwd=/var/spool" and relating the two events together by their session id?


netwrkr
Communicator

One idea might be to use the transaction command to group similar events together. I think you would first need to teach Splunk how to extract the 'session id' field. Once you did that you could do something like

```
eventtype=audit | transaction fields=sid maxspan=5s
```

where 'sid' is the session id field you previously taught Splunk how to extract.

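The grouping netwrkr describes (extract the session id, then treat every event sharing that id as one unit and drop the unit if any member has cwd=/var/spool), worked through as an added Python example. This is not Splunk code and not from the thread; the sample events are constructed to match the question's format, and the regex used to pull the session id out of msg=audit(...:ID) is my assumption about the auditd layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample auditd events in the question's format: one session
# whose CWD is /var/spool and one whose CWD is somewhere else.
SAMPLE_EVENTS = [
    "type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow "
    "inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00",
    "type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool",
    "type=PATH msg=audit(03/15/2011 17:05:10.001:1336099) : item=0 name=/etc/passwd "
    "inode=987654321 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00",
    "type=CWD msg=audit(03/15/2011 17:05:10.001:1336099) : cwd=/home/admin",
]

# Assumed extraction: the session id is the digits after the last ':' inside
# msg=audit( ... ). [^)]* backtracks past the timestamp's own colons.
SID_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
CWD_RE = re.compile(r"\bcwd=(\S+)")


def session_id(event):
    """Return the auditd session id of one event, or None if absent."""
    m = SID_RE.search(event)
    return m.group(1) if m else None


def group_by_session(events):
    """Equivalent of 'transaction fields=sid' without a time window."""
    groups = defaultdict(list)
    for e in events:
        sid = session_id(e)
        if sid is not None:
            groups[sid].append(e)
    return groups


def filter_sessions_with_cwd(events, cwd="/var/spool"):
    """Drop every event of any session that contains a CWD record for `cwd`.

    Returns (kept_events, dropped_session_ids). Events without a session id
    are kept, since nothing can relate them to a CWD record.
    """
    dropped = set()
    for sid, members in group_by_session(events).items():
        for e in members:
            m = CWD_RE.search(e)
            if m and m.group(1) == cwd:
                dropped.add(sid)
                break
    kept = [e for e in events if session_id(e) not in dropped]
    return kept, sorted(dropped)


if __name__ == "__main__":
    kept, dropped = filter_sessions_with_cwd(SAMPLE_EVENTS)
    print("dropped sessions:", dropped)
    for e in kept:
        print("kept:", e)
```

Two practical caveats this makes visible. First, the two events in the question carry timestamps a minute apart (17:03:01 and 17:04:01) despite sharing session id 1336067, so a `maxspan=5s` window would split them into separate transactions; the window needs to be at least as wide as the gap between a session's first and last record. Second, this correlation needs all of a session's events in hand at once, which is a search-time property; a per-event index-time regex sees the PATH line on its own, with no cwd in it to match.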

netwrkr
Communicator

The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here - http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample


remy06
Contributor

I will need to filter them off before Splunk indexes it. So that means I have to specify the REGEX in transforms.conf? If this is the only way, then how do I specify a REGEX to filter off the events?
