Getting Data In
Highlighted

What configuration settings should be changed to block logs based on source?

Path Finder

Hi,

I would like to block logs which have certain terms in their source.

source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow

The rule is:
allow all node0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node
0 allow that as well.

I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?

Please advise.

Thanks,
Deepak

0 Karma
Highlighted

Re: What configuration settings should be changed to block logs based on source?

SplunkTrust
SplunkTrust

You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Whitelistorblacklistspecificincomingdata

0 Karma
Highlighted

Re: What configuration settings should be changed to block logs based on source?

Esteemed Legend

You do this with a fully-qualified monitor stanzas inside of inputs.conf:

[monitor:///source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log]
other
settings here

The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.

0 Karma