I have a simple Splunk set-up: about 120 or so Linux servers (that are all basically appliances) w/ universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the indexer, search head, etc. The problem I have is that the forwarders must feed the server's audit log into Splunk. That feed is actually working fine, but it's flooding the server and causing me to go over my license limit. Specifically, the appliance app has an event in cron that runs very often, and it's flooding the audit log with file access, file mod, etc. events, which is ballooning the amount of data I send to Splunk Enterprise. Data that I simply do not need. What I want to do is filter out these specific events, but ONLY for this specific user. I believe this can be done using transforms.conf and props.conf on the indexer, but I'm having trouble getting the syntax and fields right. Can anyone assist with this?

Here's the data I need to remove...

sourcetype=auditd
acct=appuser
exe=/usr/sbin/crond
exe=/usr/bin/crontab

So basically ANY events in the audit log for user "appuser" that reference either "/usr/bin/crontab" or "usr/bin/crontab" need to be dropped. Here are 2 examples of the events I want to drop.

type=USER_END msg=audit(03/04/2024 15:58:02.701:5726) : pid=26919 uid=root auid=appuser ses=184 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct=appuser exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'

type=USER_ACCT msg=audit(03/04/2024 15:58:02.488:5723) : pid=26947 uid=appuser auid=appuser ses=184 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct=appuser exe=/usr/bin/crontab hostname=? addr=? terminal=cron res=success'

Can this be done?
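The following is an added example, not part of the original post and not the poster's own configuration. It shows the props.conf / transforms.conf pair that routes the described events to nullQueue on the indexer, and wraps the same regex in a small Python harness so it can be checked offline against the two events quoted in the post plus two constructed control events (a root cron session and an appuser SSH session) that must survive. The stanza name drop_appuser_cron, the control events, and the hostnames/addresses in them are assumptions made up for the example; Python's re engine is used here as a stand-in for the PCRE engine Splunk applies to _raw, and the pattern uses only syntax the two engines share.

```python
import re

# --- Added example; not the poster's config. Files below belong on the indexer
# (for example under $SPLUNK_HOME/etc/system/local/), because universal
# forwarders do not parse data and index-time transforms run where parsing
# happens. The stanza name "drop_appuser_cron" is an assumed, arbitrary label.

# Single source of truth for the pattern. Two independent lookaheads mean field
# order does not matter: the event must contain acct=appuser AND an exe= of
# one of the two cron binaries. \b stops "appuser2" or "/usr/sbin/crondx"
# from matching by prefix.
DROP_REGEX = r"^(?=.*\bacct=appuser\b)(?=.*\bexe=/usr/(?:sbin/crond|bin/crontab)\b)"
DROP_RE = re.compile(DROP_REGEX)

# props.conf: bind the transform to the sourcetype named in the post.
PROPS_CONF = """\
[auditd]
TRANSFORMS-drop_appuser_cron = drop_appuser_cron
"""

# transforms.conf: anything matching REGEX is sent to nullQueue, i.e. discarded
# before indexing, so it does not count against the license.
TRANSFORMS_CONF = f"""\
[drop_appuser_cron]
REGEX = {DROP_REGEX}
DEST_KEY = queue
FORMAT = nullQueue
"""

# Sample events. The first two are the ones quoted in the post; the last two
# are constructed here as control cases that must NOT be dropped.
SAMPLE_EVENTS = [
    "type=USER_END msg=audit(03/04/2024 15:58:02.701:5726) : pid=26919 uid=root auid=appuser ses=184 "
    "msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd "
    "acct=appuser exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'",
    "type=USER_ACCT msg=audit(03/04/2024 15:58:02.488:5723) : pid=26947 uid=appuser auid=appuser ses=184 "
    "msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser "
    "acct=appuser exe=/usr/bin/crontab hostname=? addr=? terminal=cron res=success'",
    # constructed: root's own cron session; same binary, different user -> keep
    "type=USER_START msg=audit(03/04/2024 16:00:01.100:5730) : pid=27001 uid=root auid=root ses=185 "
    "msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd "
    "acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'",
    # constructed: appuser over SSH; same user, different binary -> keep
    "type=USER_START msg=audit(03/04/2024 16:01:12.004:5733) : pid=27010 uid=root auid=appuser ses=186 "
    "msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_keyinit,pam_limits "
    "acct=appuser exe=/usr/sbin/sshd hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
]


def should_drop(event: str) -> bool:
    """True if the transform above would route this _raw event to nullQueue."""
    return DROP_RE.search(event) is not None


def filter_events(events):
    """Return the events that would actually be indexed (and billed to the license)."""
    return [e for e in events if not should_drop(e)]


if __name__ == "__main__":
    print(PROPS_CONF)
    print(TRANSFORMS_CONF)
    for ev in SAMPLE_EVENTS:
        print("DROP" if should_drop(ev) else "KEEP", ev[:60] + "...")
```

After writing the two files, splunkd on the indexer needs a restart before index-time transforms take effect; if a heavy forwarder ever sits between the appliances and the indexer, the same stanzas belong on it instead, since that is where parsing would move. One caveat worth checking against real data: both quoted events are PAM session records where exe= is the cron binary itself. SYSCALL/PATH records produced by the job that cron launches carry the job's own executable in exe=, so if those are the "file access, file mod" records doing most of the flooding, the second lookahead would need to be widened (for example to match on auid=appuser together with the job's exe) rather than relying on crond/crontab alone.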