Solved: Appending to a whitelist

Peter_B · ‎09-20-2010

We're using the unix app to monitor our linux machines. One of the files we need to monitor is /var/log/secure. The unix app has a monitor for /var/log with a _whitelist that does not include 'secure'. Rather than entirely overwrite that whitelist with an entry in in etc/system/local/inputs.conf, does anyone know of a way of appending to it (other than editing the inputs.conf in the unix app)? What I mean is can you do something like this -

[monitor:///var/log]
_whitelist=EXISTING-WHITELIST+'secure'

Thanks

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

View solution in original post

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

ftk · ‎09-20-2010

Unfortunately appending filters is only possible with the fschange monitor at this point.

Appending to a whitelist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation