Getting Data In

Monitor Linux Directory

hartfoml
Motivator

I am using this stanza to monitor Linux directory

[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt =
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus

I get this error in the splunkd.log file on the U.F.

'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'

I also get the same error on other folders in the users directory. I have tried using the standard stanza like this, [monitor:///opt/nessus/var/nessus/users/.../reports/] but i get the same error messages

I had thought it was due to permissions but I fixed that problem.

Anyone know why I am getting errors on all the folders including the one I want to monitor?

Tags (1)
0 Karma

ujju219
Explorer

what could be the stanza for monitoring linux directory 

/home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log

i tried [monitor:///home/cleo/Harmony/script/logs] with whitelist =*.log

0 Karma

jgedeon120
Contributor

whitelist = *.nessus$

0 Karma

jgedeon120
Contributor

If the full path is /opt/nessus/var/nessus/users/username/reports/report_name.nessus
Then it should be [monitor:///opt/nessus/var/nessus/users/*/reports] The * is for single directory depth where ... is one or more directories. So remove your trailing slash.

0 Karma

lguinn2
Legend

should be

whitelist=.*\.nessus$

if you want to match only pathnames that end in .nessus

hartfoml
Motivator

sorry 'whitelist = *\.nessus'

0 Karma

hartfoml
Motivator

you might be right. I tried just commenting out the whitelist item the 'whitelist = *.nessus'
it looks like this worked so I think the problem may be in the combo or the final directory name and the whitelist format

0 Karma

lguinn2
Legend

[monitor:///opt/nessus/var/nessus/users/.../reports/]

is the proper syntax.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...