Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Monitor Linux Directory
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor Linux Directory
I am using this stanza to monitor Linux directory
[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt =
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus
I get this error in the splunkd.log file on the U.F.
'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'
I also get the same error on other folders in the users directory. I have tried using the standard stanza like this, [monitor:///opt/nessus/var/nessus/users/.../reports/] but i get the same error messages
I had thought it was due to permissions but I fixed that problem.
Anyone know why I am getting errors on all the folders including the one I want to monitor?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what could be the stanza for monitoring linux directory
/home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log
i tried [monitor:///home/cleo/Harmony/script/logs] with whitelist =*.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whitelist = *.nessus$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the full path is /opt/nessus/var/nessus/users/username/reports/report_name.nessus
Then it should be [monitor:///opt/nessus/var/nessus/users/*/reports] The * is for single directory depth where ... is one or more directories. So remove your trailing slash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should be
whitelist=.*\.nessus$
if you want to match only pathnames that end in .nessus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry 'whitelist = *\.nessus'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you might be right. I tried just commenting out the whitelist item the 'whitelist = *.nessus'
it looks like this worked so I think the problem may be in the combo or the final directory name and the whitelist format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[monitor:///opt/nessus/var/nessus/users/.../reports/]
is the proper syntax.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...
Index This | What has goals but no motivation?
Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security
