Getting Data In

How to exclude files and folders from monitoring

catch_mili
Explorer

This is with respect to my earlier post /root monitoring.
Now I am able to captured activities done under /root, But I have one small query That, how can I exclude certain files and folders from monitoring.

Is there any way out ?

Because under /root there are number of files and folders, which I dont want to monitored all of them.

Tags (1)
0 Karma

MuS
Legend

Hi catch_mili

you black- and whitelist any input, read more at http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whitelistorblacklistspecificincomingdata

cheers,
MuS

catch_mili
Explorer

Hi Ayn,

Appericiate, if you give me an example.

Even, I tried this one
[filter:blacklist:file.txt]
regex1 = .*txt
[fschange:/etc]
filters = file.txt

0 Karma

catch_mili
Explorer

[monitor:///etc]
blacklist = (xyzfile)

didnt worked, If i do any changes it is detected by Splunk, However, I have blacklisted that file.

Pls. help...

0 Karma

Ayn
Legend

Your syntax for fschange blacklisting is still wrong.

0 Karma

catch_mili
Explorer

[fschange:/]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = .(txt)$

0 Karma

catch_mili
Explorer

[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
_blacklist = .(txt)$
index=os
disabled = 0

I have blacklist .txt files from monitoring, but if I do any modification in File it still shows under file modify Tab.

0 Karma

catch_mili
Explorer

What will be the syntax if I dont want to monitor /root/folder
below is just an example, assume, I dont want to monitor particular folder under /root

[monitor:///root]
blacklist = .(foldername)$

Will this work ?

0 Karma

catch_mili
Explorer

[fschange:/root]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = . (tempfile) $

Actually, monitoring /root, under I have one tempfile which I dont want to monitored. But when I do changes its captured by Splunk, not sure where went wrong pasted entry above.

Pls. help.

0 Karma

Ayn
Legend

catch_mili, generally reading the docs is a good idea.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...