Getting Data In

How do you monitor certain files in the directory using whitelist?

Builder

Hi,

We have numerous files in the directory we want to monitor: different types logs files and their snapshots.

For example:

audit.log
audit.log.2018-05-21.log
audit.log.2018-05-20.log
server.log
server.log.1
server.log.2

We need to continuously monitor only audit.log and server.log logs.

This data input doesn't seem to work. Dated audit.log* were ingested as well.

[monitor://E:\dir\subdir1\subdir2\subdir3\log]
disabled = false
index = indexname
sourcetype = sourcename
followTail = 0 
whitelist = audit.log$|server.log$

Any advice on how would you do it?

0 Karma
1 Solution

Legend

Hi mlevsh,
you could try something like this:

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log\server.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

Bye.
Giuseppe

View solution in original post

Legend

Hi mlevsh,
you could try something like this:

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log\server.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

Bye.
Giuseppe

View solution in original post

Builder

@cusello , that was one of the options. I was looking for more elegant solution , maybe 🙂

0 Karma