What configuration settings should be changed to b...

deepak02 · ‎03-29-2017

Hi,

I would like to block logs which have certain terms in their source.

source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow

The rule is:
allow all node_0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node_0 allow that as well.

I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?

Please advise.

Thanks,
Deepak

woodcock · ‎03-29-2017

You do this with a fully-qualified monitor stanzas inside of inputs.conf:

[monitor:///source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log]
other
settings here

The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.

somesoni2 · ‎03-29-2017

You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Whitelistorblacklistspecificincomingdata

What configuration settings should be changed to block logs based on source?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes