I have the need to exclude AIX logs containing a certain field value.
This is the regex the parser is using to extract vendor_action filed:
I'm trying to exclude events that contain vedor_action=FILE_Unlink and these are my conf file located on Heavy Forwarder:
[aix:audit] TRANSFORMS-null= setnull
[setnull] REGEX = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+ DEST_KEY = queue FORMAT = nullQueue
There are sample logs: the first one should be excluded while the second one no:
Fri Jul 02 10:01:49 2021 34078844 8520050 dbloader rm FILE_Unlink OK Not supported filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt Fri Jul 02 10:01:46 2021 34930828 4587668 root root lsvg FILE_Unlink OK filename /dev/__pv17.0.34930828
When I restart spunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 seems to work fine.
Thanks a lot