Hi,
I would like to block logs which have certain terms in their source.
source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow
The rule is:
allow all node_0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node_0 allow that as well.
I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?
Please advise.
Thanks,
Deepak
You do this with a fully-qualified monitor
stanzas inside of inputs.conf
:
[monitor:///source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log]
other
settings here
The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.
You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Whitelistorblacklistspecificincomingdata