I am using this stanza to monitor a Linux directory:
[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt =
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus
I get this error in the splunkd.log file on the U.F.
'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'
I also get the same error on other folders in the users directory. I have tried using the standard stanza like this, [monitor:///opt/nessus/var/nessus/users/.../reports/], but I get the same error messages.
I had thought it was due to permissions but I fixed that problem.
Anyone know why I am getting errors on all the folders including the one I want to monitor?
What could be the stanza for monitoring this Linux directory?
/home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log
I tried [monitor:///home/cleo/Harmony/script/logs] with whitelist =*.log
whitelist = *.nessus$
If the full path is /opt/nessus/var/nessus/users/username/reports/report_name.nessus,
then it should be [monitor:///opt/nessus/var/nessus/users/*/reports]. The * is for a single directory depth, whereas ... is one or more directories. So remove your trailing slash.
should be
whitelist=.*\.nessus$
if you want to match only pathnames that end in .nessus
Sorry, 'whitelist = *\.nessus'
You might be right. I tried just commenting out the whitelist item, the 'whitelist = *.nessus'.
It looks like this worked, so I think the problem may be in the combo or the final directory name and the whitelist format.
[monitor:///opt/nessus/var/nessus/users/.../reports/]
is the proper syntax.
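Added example, not part of any post in this thread: a Python sketch that reproduces the path-to-regex translation visible in the splunkd.log line above and checks the whitelist patterns discussed here against constructed sample paths. Python's re module stands in for the forwarder's regex engine, and the function names, the sample file names, and the unanchored-match behaviour are assumptions.

```python
import re

def monitor_path_to_regex(path: str) -> str:
    """Translate monitor-path wildcards: '...' -> '.*', '*' -> '[^/]*'."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):      # any depth, may cross '/'
            out.append(".*")
            i += 3
        elif path[i] == "*":               # stays within one path segment
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "^" + "".join(out) + "$"

def check_whitelist(pattern: str, paths):
    """Return the paths the whitelist regex accepts, or None if it does not compile."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    # Assumption: the whitelist is an unanchored regex applied to the full path.
    return [p for p in paths if rx.search(p)]

# Constructed sample paths (file names are made up for illustration)
BASE = "/opt/nessus/var/nessus/users/mikeh/reports/"
SAMPLE = [BASE + "scan1.nessus", BASE + "scan1.nessus.bak", BASE + "old_nessus"]

if __name__ == "__main__":
    print(monitor_path_to_regex("/opt/nessus/var/nessus/users/*/reports/"))
    for pat in (r"*.nessus$", r".nessus$", r"\.nessus$", r".*\.nessus$"):
        print(pat, "->", check_whitelist(pat, SAMPLE))
```

A pattern that starts with a bare * is glob syntax and does not compile as a regex here, while an unescaped leading dot compiles but also accepts names such as old_nessus.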