Hello,
I would like to exclude just one user from forwarding logs and I am wondering whether my solution will work:
In inputs.conf I would like to define:
[monitor:///home/nessus/.bash_history]
disabled = true
[monitor:///home/*/.bash_history]
disabled = false
The goal is to exclude logging data from user nessus but to log everybody else.
I am not sure if it's a good solution; maybe someone has a better idea?
Check out the solution provided here:
In your case, it would be:
blacklist = \/nessus\/
Reference:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf
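
A blacklist pattern like the one suggested above can be checked against sample paths before it is deployed, so that excluding one account does not silently drop another user's history. The following is an added example, not code from this thread or from Splunk: it assumes a simplified model of monitor matching (`*` stays within one path segment, `...` recurses, the blacklist is an unanchored regex on the full path), and the function names and sample paths are constructed.

```python
import re

def monitor_to_regex(monitor_path):
    """Translate a monitor path with wildcards into an anchored regex:
    '...' matches across directories, '*' stays inside one path segment."""
    out = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def monitored(paths, monitor_path, blacklist=None):
    """Return the paths the input would pick up: matched by the monitor
    wildcard and not matched (unanchored search) by the blacklist regex."""
    include = monitor_to_regex(monitor_path)
    exclude = re.compile(blacklist) if blacklist else None
    return [p for p in paths
            if include.search(p) and not (exclude and exclude.search(p))]

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/home/alice/.bash_history",
    "/home/nessus/.bash_history",
    "/home/nessus2/.bash_history",      # similar name, must stay monitored
    "/home/bob/nessus/.bash_history",   # deeper than the wildcard allows
    "/home/bob/.bash_history",
]

if __name__ == "__main__":
    for p in monitored(SAMPLE_PATHS, "/home/*/.bash_history", r"\/nessus\/"):
        print("monitored:", p)
```

The trailing slash in the pattern is what keeps an account such as `nessus2` in scope; a pattern of just `nessus` would exclude it as well.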