Single [monitor] stanza for multiple access log pa...

_smp_ · ‎06-19-2020

I have a set of web servers with an inconsistent logging configuration. I've been unable to come up with a single monitor stanza to cover the following requirements:

Input Paths

/usr/local2/webapps/brt/logs/access.log
/usr/local2/webapps/admin/conf/ssl/logs/access_log
/usr/local2/webapps/admin/logs/access.log

There are other filename patterns in these directories that I do not want to index:

<path>/access.log-2020-06-13-1592036161
<path>/access.log-2020-06-13-1592036161.gz

It seems I can pull everything in correctly with two [monitor] stanzas:

[monitor:///usr/local2/webapps/v-*/.../logs/access*]
index           = web
sourcetype      = access_combined
crcSalt         = <SOURCE>
whitelist       = access[\._]log$

[monitor:///usr/local2/webapps/v-*/logs/access*]
index           = web
sourcetype      = access_combined
crcSalt         = <SOURCE>
whitelist       = access[\._]log$

For my own education, I'm trying to produce a more simplistic input stanza by collapsing them into a single stanza and getting rid of the whitelist. So far I've been unsuccessful, it seems mostly due to the behavior of the ... and * wildcards.

Is there a way to combine and simplify those two inputs into one?

Single [monitor] stanza for multiple access log paths and filenames

inputs.conf

monitor

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?