I've seen variations of the question, but there must surely be a way to do this.
All our log files are in /var/log/. We don't want all the logs to be classified as the same source type, how can we split out files? Must we select them individually? Why doesn't this work?
[monitor:///var/log/app1/client.log]
sourcetype = app1
[monitor:///var/log/apache2]
sourcetype = apache
index = main
_whitelist = apache2/(access|error).log$
[monitor:///var/log/app2.log]
sourcetype = app2
I think maybe you mistyped:
[monitor:///var/log/apache2]
sourcetype = apache
index = main
# there is only one backslash before dot
whitelist = (access|error)\.log$
And you can try another way:
In inputs.conf:
[monitor:///var/log]
# there is only one backslash before dot
whitelist = /client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log
index = main
In props.conf:
[source::/var/log/app1/client.log]
sourcetype = app1
[source::/var/log/apache2/*.log]
sourcetype = apache
[source::/var/log/app2.log]
sourcetype = app2
Good answer. 🙂
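Added example, not part of the original posts: a small Python check of which paths the answer's single `[monitor:///var/log]` whitelist picks up and which `source::` stanza then assigns a sourcetype. The helper names, the sample paths and the first-match lookup are assumptions made for illustration; the wildcard translation is a simplified model of Splunk's `*` (stays within one directory) and `...` (crosses directories).

```python
import re

# Whitelist copied from the answer's inputs.conf. Splunk matches it unanchored
# against the full file path, which re.search mirrors.
WHITELIST = r"/client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log"
MONITOR_ROOT = "/var/log"

# source:: patterns and sourcetypes copied from the answer's props.conf.
PROPS = [
    ("/var/log/app1/client.log", "app1"),
    ("/var/log/apache2/*.log", "apache"),
    ("/var/log/app2.log", "app2"),
]

def source_to_regex(pattern):
    """Translate source:: wildcards (hypothetical helper, simplified model)."""
    wildcards = {"...": ".*", "*": "[^/]*"}
    parts = re.split(r"(\.\.\.|\*)", pattern)
    return re.compile("".join(wildcards.get(p, re.escape(p)) for p in parts))

def classify(path):
    """Return (monitored, sourcetype); sourcetype is None if no stanza matches."""
    monitored = path.startswith(MONITOR_ROOT + "/") and bool(re.search(WHITELIST, path))
    if not monitored:
        return False, None
    for pattern, sourcetype in PROPS:
        if source_to_regex(pattern).fullmatch(path):
            return True, sourcetype
    # Monitored but not covered by props.conf: Splunk would pick a sourcetype itself.
    return True, None

# Constructed sample paths, not taken from a real host.
SAMPLES = [
    "/var/log/app1/client.log",
    "/var/log/apache2/access.log",
    "/var/log/apache2/other_vhosts_access.log",
    "/var/log/app2.log",
    "/var/log/app2.log.1",   # matches the unanchored /app2\.log alternative
    "/var/log/auth.log",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

The `/client\.log` and `/app2\.log` alternatives have no trailing `$`, so a rotated file such as `app2.log.1` is monitored but falls outside every `source::` stanza; adding `$` to those alternatives keeps the input and the sourcetype mapping in step.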