Hi guys,
I'm trying to delete the events *action=drop* of Checkpoint firewalls.
I've already set my stanzas in props.conf and transforms.conf (/opt/splunk/etc/system/local) as follows, but it did not work.
**props.conf**
```ini
########## FILTER OUT FIREWALL ##########
[source::(/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity XXXXX)]
TRANSFORMS-null = setnull
```
**transforms.conf**
```ini
########## FILTER OUT FIREWALL ##########
[setnull]
REGEX = (.*)drop
DEST_KEY = queue
FORMAT = nullQueue
```
I tried several regexes, but none of them worked. Can someone help me?
Thanks in advance!
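Added example (not part of the original post): a small offline check of what a `setnull` REGEX would actually send to nullQueue, comparing the post's `(.*)drop` with a pattern anchored on the `action=drop` field. The sample events are constructed in the key=value style of Check Point OPSEC LEA logs, and Python's `re` stands in for Splunk's PCRE engine for these simple patterns.

```python
import re

# Constructed sample events (field order and values are assumptions, not captured data).
SAMPLE_EVENTS = [
    "time=1 action=accept src=10.0.0.5 dst=10.0.0.9 rule_name=allow-web",
    "time=2 action=drop src=10.0.0.7 dst=10.0.0.9 rule_name=cleanup",
    "time=3 action=accept src=10.0.0.8 dst=10.0.0.9 rule_name=dropbox-sync",
    "time=4 action=reject src=10.0.0.2 dst=10.0.0.9 rule_name=block-smb",
]

# The pattern from the post, and a tighter one that keys on the action field only.
LOOSE_REGEX = r"(.*)drop"
STRICT_REGEX = r"(?:^|\s)action=drop(?:\s|$)"


def nulled_events(events, pattern):
    """Return the events a transform with this REGEX would route to nullQueue.

    Splunk applies an index-time REGEX to the whole raw event and routes the
    event when the pattern matches anywhere, i.e. re.search semantics.
    """
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e)]


def kept_events(events, pattern):
    """Complement of nulled_events: the events that would still be indexed."""
    dropped = set(nulled_events(events, pattern))
    return [e for e in events if e not in dropped]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX)):
        print(f"{name}: {pat}")
        for e in nulled_events(SAMPLE_EVENTS, pat):
            print("  -> nullQueue:", e)
```

The loose pattern also discards the accepted event whose rule name happens to contain "drop", which silently removes traffic you wanted to keep for audit. Index-time transforms only take effect on the instance that parses the data (an indexer or heavy forwarder), so also confirm the stanzas are deployed there rather than on a search head.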