auditd is generating a number of events on a Linux server.
For example, this event is identified by session id=1336067 (auto generated):
```
type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool
```
I can filter off the 2nd line using the keyword "cwd=/var/spool", but for the first line there isn't any keyword I can use.
Is there a way to filter off both events by using the keyword "cwd=/var/spool" and relating the two events together by their session id?
One idea might be to use the transaction command to group similar events together. I think you would first need to teach Splunk how to extract the 'session id' field. Once you did that you could do something like
```
eventtype=audit | transaction fields=sid maxspan=5s
```
where 'sid' is the session id field you previously taught Splunk how to extract.
The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here - http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample
I will need to filter them off before Splunk indexes it. So that means I have to specify the REGEX in transforms.conf? If this is the only way, then how do I specify a REGEX to filter off the events?
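To show the "relate the records by their id, then filter the whole group" idea from the answer in working code, here is an added Python example; it is not from the thread, from Splunk or from auditd. It assumes records arrive in the `ausearch -i` style layout shown in the question, and it treats the number after the colon inside `audit(...)` as the grouping id (what the question calls the session id); the sample records are constructed.

```python
import re

# Constructed sample records modelled on the two lines in the question
# (id 1336067) plus an unrelated event (id 1336068) that must survive filtering.
SAMPLE_LINES = [
    "type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow "
    "inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00",
    "type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool",
    "type=PATH msg=audit(03/15/2011 17:05:00.001:1336068) : item=0 name=/etc/passwd "
    "inode=42 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00",
    "type=CWD msg=audit(03/15/2011 17:05:00.001:1336068) : cwd=/home/alice",
]

# The id after the colon inside audit(...) ties all records of one event together.
EVENT_ID_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")


def event_id(line):
    """Return the numeric id that groups the records of one audit event, or None."""
    m = EVENT_ID_RE.search(line)
    return m.group(1) if m else None


def group_by_event(lines):
    """Map each event id to the list of its records, preserving input order."""
    groups = {}
    for line in lines:
        groups.setdefault(event_id(line), []).append(line)
    return groups


def filter_events(lines, drop_pattern):
    """Drop every record of any event that has at least one record matching drop_pattern.

    Two passes over the batch: first collect the ids of events with a matching
    record (the keyword the question can match, e.g. cwd=/var/spool), then keep
    only records whose id is not in that set. Returns surviving lines in order.
    """
    regex = re.compile(drop_pattern)
    doomed = {event_id(line) for line in lines if regex.search(line)}
    doomed.discard(None)
    return [line for line in lines if event_id(line) not in doomed]
```

Because the CWD and PATH records of one event can carry different timestamps (as in the question), a streaming version would have to buffer records per id until the event is complete; the two-pass version above assumes the whole batch is available.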