Splunk Search

How to filter off /var/spool events on linux?

remy06
Contributor

auditd is generating number of events on linux server.

For eg.this event is identified by session id=1336067(auto generated).

```
type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool
```

I can filter off the 2nd line using the keyword "cwd=/var/spool", but for the first line there isn't any keyword I can use.

Is there a way to filter off both events by using the keyword="cwd=/var/spool" and relating the two events together by their session id?


netwrkr
Communicator

One idea might be to use the transaction command to group similar events together. I think you would first need to teach splunk how to extract the 'session id' field. Once you did that you could do something like

```
eventtype=audit | transaction fields=sid maxspan=5s
```

where 'sid' is the session id field you previously taught Splunk how to extract.

0 Karma

netwrkr
Communicator

The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here - http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma

remy06
Contributor

I will need to filter them off before Splunk indexes them. So that means I have to specify the REGEX in transforms.conf? If this is the only way, then how do I specify a REGEX to filter off the events?

0 Karma