I would like to block logs which have certain terms in their source.
source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block internal logs => Allow
The rule is:
allow all node0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node0 allow that as well.
I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?
You do this with a fully-qualified
monitor stanzas inside of
[monitor:///source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log] other settings here
The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.
You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information