Getting Data In

What configuration settings should be changed to block logs based on source?

Path Finder


I would like to block logs which have certain terms in their source.

source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow

The rule is:
allow all node_0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node_0 allow that as well.

I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?

Please advise.


0 Karma

Esteemed Legend

You do this with a fully-qualified monitor stanzas inside of inputs.conf:

settings here

The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.

0 Karma

Revered Legend

You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information

0 Karma