I would like to block logs which have certain terms in their source.
source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow
The rule is:
allow all node_0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node_0 allow that as well.
I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?
You do this with a fully-qualified monitor stanzas inside of inputs.conf:
The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.
You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information