I need to anonymize -p passwords that are appearing in syslog.
Used
props.conf
[syslog_log_control]
source::/var/log/syslog
TRANSFORMS = auth-password-anonymizer
transforms.conf
[auth-password-anonymize]
REGEX = -p [0-9A-Za-z]\w{9,255}
FORMAT = $1-p =########$2
DEST_KEY = _raw
I am seeing "Cannot parse into key-value pair" errors for syslog:
02-01-2018 00:17:29.320 +0000 WARN ProcessTracker - (child_183__Fsck) IniFile - /opt/splunk/etc/slave-apps/_cluster/local/props.conf, line 95: Cannot parse into key-value pair: source::/var/log/syslog
Please advise
Thanks,
NP
You have no capture groups defined in your regex, and thus $1
and $2
can't be used. Try this:
REGEX = ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$
FORMAT = $1-p ########$2
Though it may make sense to use SEDCMD here instead, because you can more easily replace part of a string (instead of rewriting the entire string from components, as you're doing above).
In props.conf:
[syslog_log_control]
SEDCMD-anonymize = s/-p [0-9A-Za-z]\w{9,255}/-p ########/
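To check what the answer's REGEX/FORMAT rewrite and the SEDCMD alternative actually do to a line before deploying them, here is an added Python harness (not part of the original thread or of Splunk). It runs both rules over constructed syslog lines and shows the cases a practitioner would want to know about: a password shorter than the `\w{9,255}` threshold is left in clear, a password containing non-word characters is only partly masked, and with two `-p` values on one line the greedy `^(.*)` rule masks only the last one while SEDCMD (no `g` flag) masks only the first. It assumes Python's `re` treats this pattern like Splunk's PCRE engine does.

```python
import re

# REGEX from the answer (Splunk transforms.conf); assumption: Python re and
# Splunk's PCRE agree on this pattern (they do for ASCII \w, . and *?).
TRANSFORM_REGEX = re.compile(r"^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$")
# Splunk FORMAT "$1-p ########$2" in Python back-reference syntax.
TRANSFORM_FORMAT = r"\g<1>-p ########\g<2>"

# SEDCMD alternative: s/-p [0-9A-Za-z]\w{9,255}/-p ########/
# Like sed, Splunk replaces only the first match unless the g flag is given.
SEDCMD_REGEX = re.compile(r"-p [0-9A-Za-z]\w{9,255}")
SEDCMD_REPLACEMENT = "-p ########"


def anonymize_transform(line: str) -> str:
    """TRANSFORMS-style rewrite: the whole _raw is rebuilt from $1 and $2."""
    return TRANSFORM_REGEX.sub(TRANSFORM_FORMAT, line, count=1)


def anonymize_sedcmd(line: str) -> str:
    """SEDCMD-style in-place substitution of the first match only (no /g)."""
    return SEDCMD_REGEX.sub(SEDCMD_REPLACEMENT, line, count=1)


# Constructed sample lines (not from the original post), one per edge case.
SAMPLE_LINES = [
    # 10+ word characters: masked completely by both rules
    "Feb  1 00:17:29 app01 backup[2201]: mysqldump -u root -p Sup3rSecret123 -h db01",
    # fewer than 10 word characters: below the {9,255} threshold, not masked
    "Feb  1 00:18:02 app01 backup[2201]: mysqldump -u root -p short1 -h db01",
    # non-word characters in the password: only the leading \w run is masked
    "Feb  1 00:18:40 app01 backup[2201]: mysqldump -u root -p Sup3rSecret!99 -h db01",
    # two -p values: greedy ^(.*) masks the last, SEDCMD masks the first
    "Feb  1 00:19:10 app01 sync[2310]: rsync-wrapper -p FirstSecret001 -p SecondSecret002",
]


def run_checks(lines=SAMPLE_LINES):
    """Return (original, transform result, sedcmd result) for each sample line."""
    return [(ln, anonymize_transform(ln), anonymize_sedcmd(ln)) for ln in lines]


if __name__ == "__main__":
    for original, via_transform, via_sedcmd in run_checks():
        print("raw      :", original)
        print("TRANSFORM:", via_transform)
        print("SEDCMD   :", via_sedcmd)
        print()
```

Running it shows that a secret with fewer than ten word characters, or a suffix of punctuation, survives both rules, so tighten the character class or add the `g` flag before relying on this for log hygiene.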
Thanks a lot to both.
props.conf
[source::/var/log/syslog]
TRANSFORMS = auth-password-anonymizer
transforms.conf
[auth-password-anonymizer]
REGEX = ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$
FORMAT = $1-p ########$2
DEST_KEY = _raw
Are you trying to set the source to /var/log/syslog? Or is that the source you want to apply the transform to? I don't think your props is doing either correctly, which is why I think it's barking at you.
But it also looks like you may have typed that in above or missed some bits during copy/paste, so I'm not sure if that's exactly how your config looks?