I would like to block logs which have certain terms in their source.
source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow
The rule is:
Allow all node0 logs and all _internal logs.
If an Error log, Access log or any other log gets added to node0, allow that as well.
I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?
You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't even monitor and send data from other nodes (reducing network traffic). See this for more information.
You do this with a fully-qualified monitor stanza inside of inputs.conf:

[monitor:///dev/logs/JMS-rhel10y3h_node_0_Performance.log]
other settings here
The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.
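The answer's fully-qualified stanza covers only the one Performance file; the question also wants any future Error or Access log for node_0 picked up automatically. Below is an added example (not from the original thread or from Splunk itself) that embeds a constructed inputs.conf fragment using a directory monitor with a whitelist regex, parses it, and checks the regex against the source paths from the question the way the forwarder would (Splunk matches whitelist/blacklist regexes against the full file path). _internal logs are forwarded independently of this stanza, as the answer notes.

```python
import configparser
import re

# Constructed inputs.conf fragment (an assumption for this example, not the
# poster's own config): monitor the whole directory, but only admit files whose
# full path matches the whitelist regex. node_0_ with the trailing underscore
# keeps node_01, node_02 ... from matching by accident.
INPUTS_CONF = """
[monitor:///dev/logs]
whitelist = /JMS-rhel10y3h_node_0_[^/]*\\.log$
disabled = false
"""


def load_whitelist(conf_text: str, stanza: str = "monitor:///dev/logs") -> re.Pattern:
    """Parse the stanza and compile its whitelist regex."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return re.compile(cp[stanza]["whitelist"])


def is_allowed(path: str, whitelist: re.Pattern) -> bool:
    """Mimic the forwarder's check: a file is monitored only if the whitelist matches."""
    return whitelist.search(path) is not None


def classify(paths, conf_text=INPUTS_CONF):
    """Return {path: 'Allow' | 'Block'} for the candidate files."""
    wl = load_whitelist(conf_text)
    return {p: ("Allow" if is_allowed(p, wl) else "Block") for p in paths}


# Constructed sample paths: the node_0..node_8 files from the question, the two
# extra node_0 logs the rule says must also be allowed, and a near-miss.
SAMPLE_PATHS = [
    f"/dev/logs/JMS-rhel10y3h_node_{i}_Performance.log" for i in range(9)
] + [
    "/dev/logs/JMS-rhel10y3h_node_0_Error.log",
    "/dev/logs/JMS-rhel10y3h_node_0_Access.log",
    "/dev/logs/JMS-rhel10y3h_node_01_Performance.log",  # must NOT match node_0
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:5} {path}")
```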