I'm having trouble remembering how to correlate two separate events into one event for RHEL audit log events.
I'm trying to capture 1309 events (file deletions) and the related 1307 event (directory of the file deletion). These events are logged at the same time, so I'm trying to use the transaction command with a maxspan of 1 second. But I'm only getting the same event types within that maxspan time, not the related event, i.e. two 1307s in that span.
I haven't done this in so long I can't wrap my head around how to do it anymore.
index=os host='hostname' type=1307 OR type=1309 | transaction maxspan=1s
Event examples I'm trying to correlate:
2018-07-12T10:08:44.042301-04:00 'hostname' : type=1307 audit(1531417269.239:49430042): cwd="/apps/SAS/v9.4/config/Lev1/SASDataManagementDataServer/data"
2018-07-12T10:08:44.042301-04:00 'hostname' kernel: [1477027.861370] type=1309 audit(1531404524.033:48993388): argc=3 a0="rm" a1="-i" a2="gary.log"
Any help would be greatly appreciated.
Like this:
index=os host='hostname' type=1307 OR type=1309
| stats values(type) by _time
Hi @mrcusanelli,
Have you tried using startswith "type=1307" and endswith "type=1309" in the transaction?
https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Transaction#Optional_arguments
I'll give that a try
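The serial inside audit(epoch:serial) is what ties a 1307 (CWD) record to the 1309 (EXECVE) record of the same syscall, so it is a more reliable join key than a one-second window that also sweeps in unrelated records. Below is an added, stand-alone Python example (not from this thread and not Splunk code) that parses records in the format shown in the question and joins them on that serial; the host names, paths and serial numbers in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Header of every Linux audit record: type=<n> audit(<epoch>:<serial>): <fields>
AUDIT_RE = re.compile(
    r'type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: serial 1001 is one rm(1) execution split over a CWD (1307) and an
# EXECVE (1309) record; 1002 and 1003 are unrelated records logged in the same second.
SAMPLE_LINES = [
    '2018-07-12T10:08:44.042301-04:00 host1 : type=1307 audit(1531404524.033:1001): cwd="/home/alice/logs"',
    '2018-07-12T10:08:44.042301-04:00 host1 kernel: [1477027.861370] type=1309 audit(1531404524.033:1001): argc=3 a0="rm" a1="-i" a2="gary.log"',
    '2018-07-12T10:08:44.042388-04:00 host1 : type=1307 audit(1531404524.034:1002): cwd="/var/lib/sas/data"',
    '2018-07-12T10:08:44.042400-04:00 host1 kernel: type=1309 audit(1531404524.034:1003): argc=2 a0="ls" a1="-l"',
]

def parse_audit_line(line):
    """Return (serial, record_type, timestamp, fields), or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('serial'), int(m.group('type')), float(m.group('ts')), fields

def correlate_by_serial(lines):
    """Group records by audit serial: every record of one kernel audit event shares it,
    so 1307/1309 pairs are joined without relying on a time window."""
    events = defaultdict(lambda: {'ts': None, 'types': set(), 'fields': {}})
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        serial, rtype, ts, fields = parsed
        events[serial]['ts'] = ts
        events[serial]['types'].add(rtype)
        events[serial]['fields'].update(fields)
    return dict(events)

def rm_executions_with_cwd(lines):
    """Return [(serial, cwd, argv)] for each EXECVE of rm, joined to the CWD record
    with the same serial; cwd is None when no 1307 record was seen."""
    out = []
    for serial, ev in sorted(correlate_by_serial(lines).items()):
        fields = ev['fields']
        if 1309 in ev['types'] and fields.get('a0') == 'rm':
            argv = [fields.get('a%d' % i, '') for i in range(int(fields.get('argc', 0)))]
            out.append((serial, fields.get('cwd'), argv))
    return out
```

In Splunk the same join is done by extracting the serial with rex into a field and running transaction or stats by that field instead of by _time.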