Issues with applying blacklists on a light fowarde...

Pierceyuk · ‎03-12-2014

So I have a syslog-ng running and splunk running picking up everything under /var/log/syslog-ng/general/

My regex skills are almost non existent.
If there are a few hosts that I want to exclude (../general/-/-.log [a bad host] and ../general/1.1.1.1/1.1.1.1.log [a random IP Host I don't need] ) Am I best learning and coding some fancy regex code for this

blacklist=(/-/-)|(/--/--)|(/var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log)

Which I know does not work and is not even close due to the dots meaning something else.
Can I code a monitor statement like:

[monitor:///var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log]
blacklist=.

Or is there an even easier/fool proof method I can use when some of the hosts are junk and need to be stopped? (apart from obviously getting the end user to stop sending me junk...)

rakesh_498115 · ‎03-12-2014

Wat do you mean by stopping few hosts . you mean stopping Stopping syslog data from some unknown hosts ?? you can do that pretty well using transforms.conf configuration i.e applying filtering on the hostips

Pierceyuk · ‎03-12-2014

So I have 200+ hosts sending syslog to this box. Most is nicely formated and wanted. Some of it is junk data (hostname ="-") and some of it is pointless (host 1.1.1.1 sends a million events an hour all the same) I just want to do some quick filtering to say 'ignore this list of folders'

Issues with applying blacklists on a light fowarder

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases