Hi. I have configured a 6.5.3 Linux Universal Forwarder with an inputs.conf like this:
[monitor:///www/*/logs/access_log*]
disabled = 0
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
blacklist = \.gz$|lost\+found
I am trying to blacklist a directory named '/www/lost+found' because the splunk user does not have read permission to this directory. But the blacklist regex isn't working, because I am still seeing a WARN FilesystemChangeWatcher - error reading directory "/www/lost+found": Permission denied error in the _internal log. It seems to be ignoring .gz files as I would expect. Is this an issue with the regex? Or is this more of an order-of-operations type of situation where it needs to read the directory before processing the blacklist?
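One way to check the regex on its own, as an added example that is not part of the original post or of Splunk's code: the script below applies the posted blacklist pattern to a few constructed sample paths, using Python's re module as a stand-in for Splunk's PCRE engine (the two agree on patterns this simple) and, as an assumption, treating a single `*` in the monitor path as matching within one path segment only. It shows that the escaped pattern does match /www/lost+found and everything below it, and what changes when the plus is left unescaped. It does not model the directory scan that produced the warning in the _internal log.

```python
import re

# Blacklist regex exactly as it appears in the original post's stanza.
BLACKLIST = r"\.gz$|lost\+found"
# The same pattern with the '+' left unescaped, to show why the escape matters:
# an unescaped '+' quantifies the preceding 't' instead of matching a literal plus.
BLACKLIST_UNESCAPED = r"\.gz$|lost+found"
# Monitor path from the original post's stanza.
MONITOR_PATH = "/www/*/logs/access_log*"

# Constructed sample paths (not taken from the original post).
SAMPLE_PATHS = [
    "/www/site1/logs/access_log",
    "/www/site1/logs/access_log.1.gz",
    "/www/lost+found",
    "/www/lost+found/logs/access_log",
]


def monitor_regex(path_pattern: str) -> re.Pattern:
    """Approximate a monitor stanza wildcard as an anchored regex.

    Assumption (not from the original post): a single '*' in the monitor path
    matches within one path segment only, so it becomes '[^/]*'; every other
    character is matched literally.
    """
    parts = [re.escape(p) for p in path_pattern.split("*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")


def classify(paths, blacklist: str, monitor: str = MONITOR_PATH) -> dict:
    """Return {path: verdict} for each path.

    Verdicts: 'blacklisted' if the blacklist regex matches anywhere in the
    path (checked first, so the verdict does not depend on the wildcard),
    'not matched by monitor path' if the wildcard does not cover the path,
    otherwise 'would be monitored'.
    """
    mon = monitor_regex(monitor)
    bl = re.compile(blacklist)
    verdicts = {}
    for p in paths:
        if bl.search(p):
            verdicts[p] = "blacklisted"
        elif not mon.match(p):
            verdicts[p] = "not matched by monitor path"
        else:
            verdicts[p] = "would be monitored"
    return verdicts


def blacklisted(paths, blacklist: str) -> list:
    """Just the paths the blacklist regex matches, in input order."""
    bl = re.compile(blacklist)
    return [p for p in paths if bl.search(p)]


if __name__ == "__main__":
    for label, pattern in (("escaped", BLACKLIST), ("unescaped", BLACKLIST_UNESCAPED)):
        print(f"blacklist = {pattern}  ({label})")
        for path, verdict in classify(SAMPLE_PATHS, pattern).items():
            print(f"  {path:40} {verdict}")
```

Run as-is to see both tables; with the escaped pattern, /www/lost+found and /www/lost+found/logs/access_log are blacklisted and the .gz rotation is excluded, which says the regex itself is sound and leaves the order-of-operations question above open.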
Try this:
blacklist = \.gz$|(lost\+found)
Unfortunately no, that didn't work either.
Hi scottprigge,
try to use blacklist = lost\+found
and then restart Splunk on Forwarder.
Bye.
Giuseppe
Sorry, maybe I misunderstood something. But I already have that exact blacklist regex included in the stanza of my original post. The difference is that I also need to exclude files ending with a .gz extension so my regex looks like \.gz$|lost\+found
Sorry, I misunderstood.
try with
blacklist = \.gz$|lost\+found.
Bye.
Giuseppe
No, that doesn't seem to have made any difference.