Blacklisting directories without read permission

Builder

Hi. I have configured a 6.5.3 Linux Universal Forwarder with an inputs.conf like this:

[monitor:///www/*/logs/access_log*]
disabled = 0
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
blacklist = \.gz$|lost\+found

I am trying to blacklist a directory named '/www/lost+found' because the splunk user does not have read-permission to this directory. But the blacklist regex isn't working because I am still seeing a WARN FilesystemChangeWatcher - error reading directory "/www/lost+found": Permission denied error in the _internal log. It seems to be ignoring .gz files as I would expect. Is this an issue with the regex? Or is this more of an order-of-operations type of situation where it needs to read the directory before processing the blacklist?

0 Karma

Re: Blacklisting directories without read permission

Legend

Hi scottprigge,
try to use blacklist = lost\+found
and then restart Splunk on Forwarder.
Bye.
Giuseppe

0 Karma

Re: Blacklisting directories without read permission

Builder

Sorry, maybe I misunderstood something. But I already have that exact blacklist regex included in the stanza of my original post. The difference is that I also need to exclude files ending with a .gz extension so my regex looks like \.gz$|lost\+found

0 Karma

Re: Blacklisting directories without read permission

Legend

Sorry I misunderstood,
try with

blacklist = \.gz$|lost\+found.

Bye.
Giuseppe

0 Karma

Re: Blacklisting directories without read permission

Builder

No, that doesn't seem to have made any difference.

0 Karma

Re: Blacklisting directories without read permission

Esteemed Legend

Try this:

 blacklist = \.gz$|(lost\+found)
0 Karma

Re: Blacklisting directories without read permission

Builder

Unfortunately no, that didn't work either.

0 Karma
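
A quick way to rule the regex in or out, as an added example that is not part of the original thread: it runs the three blacklist values posted above against constructed sample paths. It uses Python's `re` as a stand-in for Splunk's PCRE matching and assumes the blacklist is an unanchored match on the full path; the sample paths and function names are made up for illustration.

```python
import re

# The three blacklist values tried in the thread.
BLACKLISTS = {
    "original": r"\.gz$|lost\+found",
    "trailing_dot": r"\.gz$|lost\+found.",
    "grouped": r"\.gz$|(lost\+found)",
}

# Constructed sample paths under the monitored /www tree (not from the thread).
PATHS = [
    "/www/lost+found",
    "/www/lost+found/#12345",
    "/www/site1/logs/access_log",
    "/www/site1/logs/access_log.1.gz",
]


def excluded(pattern, path):
    """True if an unanchored regex search of the full path matches.

    Assumption: this mirrors how the forwarder applies blacklist to a path.
    """
    return re.search(pattern, path) is not None


def evaluate(blacklists=BLACKLISTS, paths=PATHS):
    """Map each blacklist name to the set of sample paths it would exclude."""
    return {
        name: {p for p in paths if excluded(rx, p)}
        for name, rx in blacklists.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: {BLACKLISTS[name]}")
        for p in PATHS:
            print("   ", "EXCLUDE" if p in hits else "keep   ", p)
```

The original and grouped patterns both match the bare `/www/lost+found` path, while the trailing-dot variant needs one more character after `found` and so only matches entries inside that directory. Whether the directory watcher consults the blacklist before it tries to open the directory is something this check cannot show.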