Splunk Search
Highlighted

regex forwarder

Contributor

I am new to regex - so......

I want to filter out all events that contain the word sendmail

My messages look like the following

type=SYSCALL msg=audit(12/13/2011 05:41:01.898:11192536) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2afe55cbc340 a1=2afe60dea7a6 a2=2afe55cbc352 a3=2afe55cbc340 items=2 ppid=5655 pid=5656 auid=unset uid=root gid=smmsp euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail key=(null)

This is what I have in my transforms.conf

[auditdNullsendmail]
# filter auditd, multiline, comm=sendmail
REGEX=(?ms)^comm=sendmail.+exe=/usr/sbin
DEST_KEY=queue
FORMAT=nullQueue

Does this look like it will work?

When I search for sendmail in realtime - I am seeing events come in, but they are from the past (like Splunk is catching up???)

Tags (1)
0 Karma
Highlighted

Re: regex forwarder

Legend

I don't think this is exactly what you want. Some parts of the regex that you are showing seem unnecessary, and some are wrong... Try this:

REGEX=\scomm=sendmail\s

The other lines appear correct to me.

0 Karma