Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitor Linux Directory

hartfoml
Motivator
‎02-22-2012 11:05 AM

I am using this stanza to monitor Linux directory

[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt =
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus

I get this error in the splunkd.log file on the U.F.

'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'

I also get the same error on other folders in the users directory. I have tried using the standard stanza like this, [monitor:///opt/nessus/var/nessus/users/.../reports/] but i get the same error messages

I had thought it was due to permissions but I fixed that problem.

Anyone know why I am getting errors on all the folders including the one I want to monitor?

Tags (1)
0 Karma
Reply

ujju219
Explorer
‎11-11-2022 01:07 AM

what could be the stanza for monitoring linux directory 

/home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log

i tried [monitor:///home/cleo/Harmony/script/logs] with whitelist =*.log

0 Karma
Reply

jgedeon120
Contributor
‎02-24-2012 02:42 AM

whitelist = *.nessus$

0 Karma
Reply

jgedeon120
Contributor
‎02-22-2012 08:01 PM

If the full path is /opt/nessus/var/nessus/users/username/reports/report_name.nessus
Then it should be [monitor:///opt/nessus/var/nessus/users/*/reports] The * is for single directory depth where ... is one or more directories. So remove your trailing slash.

0 Karma
Reply

lguinn2
Legend
‎02-23-2012 11:08 AM

should be

whitelist=.*\.nessus$

if you want to match only pathnames that end in .nessus

Reply

hartfoml
Motivator
‎02-23-2012 06:05 AM

sorry 'whitelist = *\.nessus'

0 Karma
Reply

hartfoml
Motivator
‎02-23-2012 06:05 AM

you might be right. I tried just commenting out the whitelist item the 'whitelist = *.nessus'
it looks like this worked so I think the problem may be in the combo or the final directory name and the whitelist format

0 Karma
Reply

lguinn2
Legend
‎02-22-2012 05:11 PM

[monitor:///opt/nessus/var/nessus/users/.../reports/]

is the proper syntax.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...