Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitor Linux Directory
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor Linux Directory
hartfoml
Motivator
02-22-2012
11:05 AM
I am using this stanza to monitor Linux directory
[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt =
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus
I get this error in the splunkd.log file on the U.F.
'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'
I also get the same error on other folders in the users directory. I have tried using the standard stanza like this, [monitor:///opt/nessus/var/nessus/users/.../reports/] but i get the same error messages
I had thought it was due to permissions but I fixed that problem.
Anyone know why I am getting errors on all the folders including the one I want to monitor?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ujju219
Explorer
11-11-2022
01:07 AM
what could be the stanza for monitoring linux directory
/home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log
i tried [monitor:///home/cleo/Harmony/script/logs] with whitelist =*.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgedeon120
Contributor
02-24-2012
02:42 AM
whitelist = *.nessus$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgedeon120
Contributor
02-22-2012
08:01 PM
If the full path is /opt/nessus/var/nessus/users/username/reports/report_name.nessus
Then it should be [monitor:///opt/nessus/var/nessus/users/*/reports] The * is for single directory depth where ... is one or more directories. So remove your trailing slash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
02-23-2012
11:08 AM
should be
whitelist=.*\.nessus$
if you want to match only pathnames that end in .nessus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
02-23-2012
06:05 AM
sorry 'whitelist = *\.nessus'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
02-23-2012
06:05 AM
you might be right. I tried just commenting out the whitelist item the 'whitelist = *.nessus'
it looks like this worked so I think the problem may be in the combo or the final directory name and the whitelist format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
02-22-2012
05:11 PM
[monitor:///opt/nessus/var/nessus/users/.../reports/]
is the proper syntax.
Get Updates on the Splunk Community!
Transforming Financial Data into Fraud Intelligence
Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
