Getting Data In
Highlighted

fschange whitelist and blacklist cumbersome configuration

Path Finder

I want to monitor only exe and dll extension files located in:
C:\Windows\System32
and
C:\Windows\System

So far, I have set up filters - I have 50 regex - but there are still more and more file types which are going to splunk which I do not wish to monitor. is there any simpler way?

0 Karma
Highlighted

Re: fschange whitelist and blacklist cumbersome configuration

Path Finder

fschange black and whitelist do not work as monitor black/whitelist hence quite a bit of trial and error is needed to get it write. Yes, you can start to have hundreds of regex# and have no signs seeing the end of it.

The easiest workaround that I can suggest is to use props.conf and transforms.conf to index only those you wish to index and send others to nullQueue.

For examples, to make it simple I did c:\Windows fschange monitor filesystem:

Inputs.conf:
[fschange:c:\Windows]
index = fschange-prob
recurse = true
delayInMills = 3
pollPeriod = 3
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
sourcetype=exe-dll

props.conf:
[exe-dll]
TRANSFORMS-delindexfschange=deletefschange,sendtoparse

Transforms.conf:
[deletefschange]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[sendtoparse]
REGEX = (.*?).(EXE|exe|Exe|dll|Dll|DLL)\"
DEST_KEY = queue
FORMAT = indexQueue

Since you wish to monitor c:\Windows\system and c:\Windows\System32, you can edit your regex to filter further. The above will index all the files under c:\Windows whose extension is exe or dll, the rest will be sent to nullQueue and will not get indexed.

View solution in original post