monitor files in /var/log with different source ty...

asdfasdfasdflkj · ‎08-04-2011

I've seen variations of the question, but there must surely be a way to do this.

All our logs files are in /var/log/. We don't want all the logs to be classified as the same source type, how can we split out files? Must we select them individually? Why doesnt this work?

[monitor:///var/log/app1/client.log]
    sourcetype = app1
[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    _whitelist = apache2/(access|error).log$
[monitor:///var/log/app2.log]
    sourcetype = app2

dmlee · ‎08-05-2011

I think may be you mistyping :

[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    whitelist = (access|error)\.log$  # there is only one backslash before dot

and you can try another way :
in inputs.conf

[monitor:///var/log]
    whitelist = /client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log # there is only one backslash before dot
    index = main

in props.conf

[source::/var/log/app1/client.log]
   sourcetype = app1
[source::/var/log/apache2/*.log]
   sourcetype = apache
[source::/var/log/app2.log]
   sourcetype = app2

pkeller · ‎06-22-2016

Good answer. 🙂

monitor files in /var/log with different source types

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Developer Spotlight with Qmulos

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

monitor files in /var/log with different source types

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Developer Spotlight with Qmulos

Leveraging Automated Threat Analysis Across the Splunk Ecosystem