Re: Blacklisting directories without read permissi...

_smp_ · ‎08-23-2017

Hi. I have configured a 6.5.3 Linux Universal Forwarder with an inputs.conf like this:

[monitor:///www/*/logs/access_log*]
disabled = 0
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
blacklist = \.gz$|lost\+found

I am trying to blacklist a directory named '/www/lost+found' because the splunk user does not have read-permission to this directory. But the blacklist regex isn't working because I am still seeing a WARN FilesystemChangeWatcher - error reading directory "/www/lost+found": Permission denied error in the _internal log. It seems to be ignoring .gz files as I would expect. Is this an issue with the regex? Or is this more of an order-of-operations type of situation where it needs to read the directory before processing the blacklist?

woodcock · ‎08-25-2017

Try this:

 blacklist = \.gz$|(lost\+found)

_smp_ · ‎08-25-2017

Unfortunately no, that didn't work either.

gcusello · ‎08-24-2017

Hi scottprigge,
try to use blacklist = lost\+found
and then restart Splunk on Forwarder.
Bye.
Giuseppe

_smp_ · ‎08-24-2017

Sorry, maybe I misunderstood something. But I already have that exact blacklist regex included in the stanza of my original post. The difference is that I also need to exclude files ending with a .gz extension so my regex looks like \.gz$|lost\+found

gcusello · ‎08-25-2017

Sorry I misunderstood,
try with

blacklist = \.gz$|lost\+found.

Bye.
Giuseppe

_smp_ · ‎08-25-2017

No, that doesn't seem to have made any difference.

Blacklisting directories without read permission

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!