Splunk Enterprise

Are Index Time Extractions of audittrail sourcetype not supported via props and transforms?

dc595
Explorer

Hi 

It seems index-time extractions for audittrail are not supported via the traditional props and transforms.

Is this expected behavior, and is there an approach that will allow indexing a field from the audit.log?

Thank you

0 Karma

dc595
Explorer

Hi Rich,
I installed these settings under system/local on both SH and Indexer and also on a single instance. btool checks out fine, and I've applied the same transformation on the [scheduler] sourcetype and everything works as expected.

Odd behavior with the audit.log. Also, the default inputs.conf (/etc/system/default/inputs.conf) states the following:

[fschange:$SPLUNK_HOME\etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100


I'm under the impression Splunk's security measures lock the ability to transform the audit log.

0 Karma

richgalloway
SplunkTrust

The audittrail sourcetype is like any other.  Its settings can be overridden by another app - subject to precedence.

Please describe the problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dc595
Explorer

At index time I have been trying to extract and index the field app from the audittrail:

Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, info=completed, search_id='1682628653.251613', has_error_warn=false, fully_completed_search=true, total_run_time=0.61, event_count=9, result_count=0, available_count=9, scan_count=9, drop_count=0, exec_time=1682628653, api_et=1682539200.000000000, api_lt=1682628653.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1682539200.000000000, search_lt=1682628653.000000000, is_realtime=0, savedsearch_name="", search_startup_time="88", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="E06599A7-7307-4983-8459-FD948B9F996B_search_argus_test_6d524bc0f6be8430", app="search", provenance="UI:Search", mode="historical",

From my tests it doesn't matter what REGEX I use in transforms.conf; there seems to be a behavior where [audittrail] is read-only.

props.conf

[audittrail]
TRANSFORMS-audit_addMetadata = add_app_to_metadata

transforms.conf

[add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true

0 Karma
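To rule out the regex itself before chasing configuration precedence, here is an added Python check (not Splunk's code and not from the thread) that parses the transforms stanza above and applies it to a shortened copy of the quoted audit event the way an index-time WRITE_META transform would. The stanza text and the event are constructed from the posts; a match must yield the indexed field mApp::search.

```python
import re

# Constructed copy of the poster's transforms.conf stanza (not Splunk's own code).
TRANSFORMS_CONF = """
[add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true
"""

# Shortened form of the audit event quoted in the thread (constructed sample).
RAW_EVENT = ('Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, '
             'info=completed, app="search", provenance="UI:Search", mode="historical",')


def parse_stanza(conf_text, name):
    """Return the key/value settings of one [stanza] from a conf-file string."""
    settings, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def apply_transform(settings, event):
    """Emulate a WRITE_META transform: match REGEX against SOURCE_KEY and expand
    $1.. in FORMAT into name::value pairs. Returns {} when nothing would be written."""
    if settings.get("WRITE_META", "false").lower() != "true":
        return {}
    match = re.search(settings["REGEX"], event.get(settings.get("SOURCE_KEY", "_raw"), ""))
    if not match:
        return {}
    fmt = settings["FORMAT"]
    for i, group in enumerate(match.groups(), start=1):
        fmt = fmt.replace(f"${i}", group)
    return dict(pair.split("::", 1) for pair in fmt.split())


def check_regex(raw=RAW_EVENT):
    """Run the poster's stanza over one raw event and return the indexed fields."""
    return apply_transform(parse_stanza(TRANSFORMS_CONF, "add_app_to_metadata"), {"_raw": raw})


if __name__ == "__main__":
    print(check_regex())  # {'mApp': 'search'}
```

If this returns the expected field, the regex is not the problem and the investigation belongs with where the stanza is loaded (indexer parsing tier, file path, precedence).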

richgalloway
SplunkTrust

Where did you put the settings (which instance, which file path)?  Have you used btool to verify the settings are in effect?

---
If this reply helps you, Karma would be appreciated.
0 Karma