Let's say I have the following in my inputs.conf file:
whitelist = def*.log$|ghi*.log$|jkl*.log$|mno*.log$|pqr*.log$
sourcetype = applogs
index = risk
disabled = false
And the directory contains the following files:
Why don't any of these match?
If you are only specifying the first few characters of the file name you must have the asterisk to wildcard the rest of the file name. You must also have the slash to escape the dot before the file extension. Have you tried using only one expression without the OR "|" ?