Hi, I am trying to construct an input.conf stanza + whitelist/blacklist rule to look for the following:
accept all **.log* files but specifically ignore
log4j.log, broker.log, somefile.log
This is how the input.conf file looks like right now:
[monitor://D:\ProgramName\logs]
whitelist=\.log$
blacklist=log4j|broker|somefile
disabled=false
sourcetype=newsourcetype
but at the moment it doesnt look like anything is being picked up with this combination. I have confirmed that the universal forwarder has installed this app.
Try :
[monitor://D:\ProgramName\logs\*.log]
blacklist = (log4j|broker|somefile)
disabled=false
sourcetype=newsourcetype
Also you might want to review these :
Well then there is another underlying issue because that is a valid input stanza. Are other files/directories being monitored on this machine and is that data visible from the search-head? Is this a manual deploy or are you using deployment server to push your changes ?
Sorry, this doesn't work either.