Hello guys,
we used this in inputs.conf according to the Splunk CIM-compliant add-on for Unix and Linux:
[monitor:///var/log]
whitelist=(messages|secure|auth|maillog|audit\.log|cron)
blacklist=(lastlog|anaconda\.syslog)
disabled = 0
index = linux
However, on the UF it still looked for /var/log/anaconda/pre-anaconda.log and others; this looks like weird behaviour?
Thanks.
Splunk Enterprise 7.3.4
UF 7.1.4
Hi,
Your blacklist is not correct; if you want to blacklist pre-anaconda.log then use the blacklist below.
blacklist=(lastlog|pre-anaconda\.log)
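As an added example (not part of either post above), the small Python script below applies the whitelist and both blacklists from this thread to a handful of constructed file paths, so you can see why `anaconda\.syslog` never matches `pre-anaconda.log` while `pre-anaconda\.log` does. It assumes the usual Splunk monitor semantics: both lists are regexes searched unanchored against the full path, and a blacklist match takes precedence over a whitelist match. It models only that regex decision, not how the forwarder enumerates directories, so a file the UF merely mentions while crawling /var/log is outside its scope.

```python
import re

# Constructed configuration, copied from the two inputs.conf stanzas in this
# thread: the original whitelist/blacklist and the corrected blacklist.
WHITELIST = r"(messages|secure|auth|maillog|audit\.log|cron)"
BLACKLIST_ORIGINAL = r"(lastlog|anaconda\.syslog)"
BLACKLIST_CORRECTED = r"(lastlog|pre-anaconda\.log)"

# Constructed sample paths a [monitor:///var/log] stanza might encounter.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/secure",
    "/var/log/lastlog",
    "/var/log/anaconda/anaconda.syslog",
    "/var/log/anaconda/pre-anaconda.log",
    "/var/log/dmesg",
]


def classify(path, whitelist, blacklist):
    """Return how a monitor stanza treats one file path.

    Assumed Splunk semantics (an assumption, not verified against the
    versions in this thread): both lists are regexes searched, unanchored,
    against the full path, and a blacklist match wins over a whitelist match.
    """
    if re.search(blacklist, path):
        return "blacklisted"
    if re.search(whitelist, path):
        return "monitored"
    return "ignored (no whitelist match)"


def evaluate(paths, whitelist, blacklist):
    """Classify every path and return a {path: decision} mapping."""
    return {p: classify(p, whitelist, blacklist) for p in paths}


def show_difference(paths=SAMPLE_PATHS):
    """Print decisions for the original and corrected blacklists side by side."""
    before = evaluate(paths, WHITELIST, BLACKLIST_ORIGINAL)
    after = evaluate(paths, WHITELIST, BLACKLIST_CORRECTED)
    for p in paths:
        marker = "  <- changed" if before[p] != after[p] else ""
        print(f"{p:40} {before[p]:30} {after[p]}{marker}")
    return before, after


if __name__ == "__main__":
    show_difference()
```

Running it shows that pre-anaconda.log is not matched by the original blacklist at all (the literal `.syslog` suffix is missing from that filename), and that with either blacklist it fails the whitelist too, so the regex decision alone does not explain the forwarder reporting it; the corrected pattern makes the exclusion explicit.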