So I have a syslog-ng running and splunk running picking up everything under /var/log/syslog-ng/general/
My regex skills are almost non existent.
If there are a few hosts that I want to exclude (../general/-/-.log [a bad host] and ../general/1.1.1.1/1.1.1.1.log [a random IP Host I don't need] ) Am I best learning and coding some fancy regex code for this
blacklist=(/-/-)|(/--/--)|(/var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log)
Which I know does not work and is not even close due to the dots meaning something else.
Can I code a monitor statement like:
[monitor:///var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log]
blacklist=.
Or is there an even easier/fool proof method I can use when some of the hosts are junk and need to be stopped? (apart from obviously getting the end user to stop sending me junk...)
Wat do you mean by stopping few hosts . you mean stopping Stopping syslog data from some unknown hosts ?? you can do that pretty well using transforms.conf configuration i.e applying filtering on the hostips
So I have 200+ hosts sending syslog to this box. Most is nicely formated and wanted. Some of it is junk data (hostname ="-") and some of it is pointless (host 1.1.1.1 sends a million events an hour all the same) I just want to do some quick filtering to say 'ignore this list of folders'