Solved: Appending to a whitelist

Peter_B · ‎09-20-2010

We're using the unix app to monitor our linux machines. One of the files we need to monitor is /var/log/secure. The unix app has a monitor for /var/log with a _whitelist that does not include 'secure'. Rather than entirely overwrite that whitelist with an entry in in etc/system/local/inputs.conf, does anyone know of a way of appending to it (other than editing the inputs.conf in the unix app)? What I mean is can you do something like this -

[monitor:///var/log]
_whitelist=EXISTING-WHITELIST+'secure'

Thanks

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

View solution in original post

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

ftk · ‎09-20-2010

Unfortunately appending filters is only possible with the fschange monitor at this point.

Appending to a whitelist

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Appending to a whitelist

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk