Getting Data In

monitor files in /var/log with different source types

asdfasdfasdflkj
New Member

I've seen variations of the question, but there must surely be a way to do this.

All our logs files are in /var/log/. We don't want all the logs to be classified as the same source type, how can we split out files? Must we select them individually? Why doesnt this work?

[monitor:///var/log/app1/client.log]
    sourcetype = app1
[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    _whitelist = apache2/(access|error).log$
[monitor:///var/log/app2.log]
    sourcetype = app2
0 Karma

dmlee
Communicator

I think may be you mistyping :

[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    whitelist = (access|error)\.log$  # there is only one backslash before dot 

and you can try another way :
in inputs.conf

[monitor:///var/log]
    whitelist = /client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log # there is only one backslash before dot
    index = main

in props.conf

[source::/var/log/app1/client.log]
   sourcetype = app1
[source::/var/log/apache2/*.log]
   sourcetype = apache
[source::/var/log/app2.log]
   sourcetype = app2
0 Karma

pkeller
Contributor

Good answer. 🙂

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...