Getting Data In

whitelist and blacklist input

virtualpony
Path Finder

Hi, I am trying to construct an input.conf stanza + whitelist/blacklist rule to look for the following:

accept all **.log* files but specifically ignore
log4j.log, broker.log, somefile.log

This is how the input.conf file looks like right now:

[monitor://D:\ProgramName\logs]
whitelist=\.log$
blacklist=log4j|broker|somefile
disabled=false
sourcetype=newsourcetype

but at the moment it doesnt look like anything is being picked up with this combination. I have confirmed that the universal forwarder has installed this app.

Tags (1)

JSapienza
Contributor

Try :

[monitor://D:\ProgramName\logs\*.log]
blacklist = (log4j|broker|somefile)
disabled=false
sourcetype=newsourcetype

Also you might want to review these :

Whitelist or blacklist specific incoming data

Edit Inputs.conf

0 Karma

JSapienza
Contributor

Well then there is another underlying issue because that is a valid input stanza. Are other files/directories being monitored on this machine and is that data visible from the search-head? Is this a manual deploy or are you using deployment server to push your changes ?

0 Karma

virtualpony
Path Finder

Sorry, this doesn't work either.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...