I want to watch .so and .bin files in /etc/security and its subfolders.
I applied a whitelist filter and a blacklist filter:
regex1 = (.+\.so$|.+\.bin$)
regex1 = .*
recurse = true
filters = whitelistf,blacklistf
Result: I can see the .so and .bin files in /etc/security, but not in the subfolders.
I guess that fschange applies the filters to the subfolder names too.
I tried to write some regexes to include some subfolders, but I don't get the expected result.
Example of a regex I tried:
Any idea is welcome,
Thanks in advance,
I believe you need to make the change in the source, not the regex:
Thanks for your reply lukejadamec, I tried on Splunk Enterprise 6 but it doesn't work: no file added.