Getting Data In

Appending to a whitelist

Peter_B
Explorer

We're using the unix app to monitor our linux machines. One of the files we need to monitor is /var/log/secure. The unix app has a monitor for /var/log with a _whitelist that does not include 'secure'. Rather than entirely overwrite that whitelist with an entry in in etc/system/local/inputs.conf, does anyone know of a way of appending to it (other than editing the inputs.conf in the unix app)? What I mean is can you do something like this -

[monitor:///var/log]
_whitelist=EXISTING-WHITELIST+'secure'

Thanks

Tags (1)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

ftk
Motivator

Unfortunately appending filters is only possible with the fschange monitor at this point.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...