I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. "/var/log/remote/192.168.1.6").
How do I use inputs.conf to capture a range of IPs while setting the index and sourcetype? This doesn't work:
[monitor:///var/log/remote/192.168.1.*/*.log]
host_segment=4
sourcetype=bar
index=foo
To elaborate further, what I'm trying to do is tag all directories with IP names with the same index and sourcetype before being forwarded to my indexers. So:
The below did not work:
What you want is probably something like this. You want to do a recursive monitor. To be able to do this, you'll need a whitelist for it. I can't test it right now because I don't have any hosts stored as ip address file names. 😞
[monitor:///var/log/remote/.../*.log]
host_segment=4
sourcetype=bar
index=foo
whitelist = your ip address regex
Put in your IP address regex here, for example:
whitelist = (\/var\/log\/remote\/192\.168\.1\.)
Depending on which IP addresses you want to monitor.
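Before deploying a whitelist like this, it helps to check which host directories it actually admits, because a single unescaped dot lets neighbouring subnets into the same index and sourcetype. The following is an added example, not part of the original thread: it assumes the whitelist is applied as an unanchored regex over the full file path and that host_segment picks the Nth "/"-separated path segment, uses Python's re in place of Splunk's regex engine, and all names and sample paths in it are constructed for illustration.

```python
import re

# Constructed sample paths, laid out like the directories described in the question.
SAMPLE_PATHS = [
    "/var/log/remote/192.168.1.6/messages.log",
    "/var/log/remote/192.168.1.200/auth.log",
    "/var/log/remote/192.168.10.7/messages.log",   # different subnet
    "/var/log/remote/192.168.100.4/secure.log",    # different subnet
    "/var/log/remote/10.0.0.5/messages.log",
]

# Hypothetical candidate whitelists for 192.168.1.0/24.
# LOOSE leaves the final dot unescaped, so it matches any character there.
LOOSE = r"/var/log/remote/192\.168\.1."
# STRICT anchors the path and requires a full last octet (0-255) followed by "/".
STRICT = r"^/var/log/remote/192\.168\.1\.(?:25[0-5]|2[0-4]\d|1?\d?\d)/"


def host_from_segment(path, segment=4):
    """Return the Nth '/'-separated segment, modelling host_segment=N."""
    # Splitting "/var/log/..." gives an empty first element, so index N is segment N.
    return path.split("/")[segment]


def admitted_hosts(whitelist, paths=SAMPLE_PATHS):
    """Hosts whose files the whitelist would let through, in first-seen order."""
    rx = re.compile(whitelist)
    hosts = []
    for p in paths:
        if rx.search(p):  # unanchored search over the whole path
            h = host_from_segment(p)
            if h not in hosts:
                hosts.append(h)
    return hosts


def unintended(whitelist, prefix="192.168.1."):
    """Admitted hosts that fall outside the intended address prefix."""
    return [h for h in admitted_hosts(whitelist) if not h.startswith(prefix)]


if __name__ == "__main__":
    for name, wl in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "admits:", admitted_hosts(wl), "unintended:", unintended(wl))
```
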