Hi. I have configured a 6.5.3 Linux Universal Forwarder with an inputs.conf like this:
[monitor:///www/*/logs/access_log*]
disabled = 0
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
blacklist = \.gz$|lost\+found
I am trying to blacklist a directory named '/www/lost+found' because the splunk user does not have read permission to this directory. But the blacklist regex isn't working, because I am still seeing a "WARN FilesystemChangeWatcher - error reading directory "/www/lost+found": Permission denied" error in the _internal log. It seems to be ignoring .gz files as I would expect. Is this an issue with the regex? Or is this more of an order-of-operations type of situation, where it needs to read the directory before processing the blacklist?
Sorry, maybe I misunderstood something. But I already have that exact blacklist regex included in the stanza of my original post. The difference is that I also need to exclude files ending with a .gz extension so my regex looks like