I am using rsyslog with a forwarder to send syslog to Splunk. All of the syslog hosts are in /log as directories of xxx.xxx.xxx.com. I need anything from xxx.net.xxx.com to go to a "network" index and everything else to go to an "infotech" index.
How do I blacklist xxx.net.xxx.com from going to the "infotech" index? Or is there a better way to do this?
Negating the word "net" with [^net] doesn't work as anything with the letters "n", "e", or "t" are matched (xxx.etn.xxx.com for example).
I have tried whitelisting with .+.\bnet\b.ku.edu but the "catchall" monitor statement "[monitor:///log/.../*]" always overrides it and puts the logs into the infotech index.
Am I going about this wrong? Is there a better way???
Thanks!
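The regex problem in the question, as an added illustration that is not part of the original thread: why `[^net]` cannot exclude the host, and a label-anchored pattern that isolates `xxx.net.xxx.com` directories under /log. Python's `re` is used only to evaluate the patterns; the sample paths are constructed, and the layout (/log/<host>/<file>) is the one the question describes.

```python
import re

# Constructed sample paths in the layout the question describes: /log/<host>/<file>
SAMPLE_PATHS = [
    "/log/xxx.net.xxx.com/messages",   # should go to the "network" index
    "/log/xxx.etn.xxx.com/messages",   # contains n, e, t but not the label "net"
    "/log/xxx.xxx.xxx.com/secure",     # ordinary host, "infotech"
    "/log/internet.xxx.xxx.com/cron",  # "net" inside a label, not a label of its own
]

# The attempt from the question. A bracket expression negates single characters,
# so this matches any path containing one character outside {n, e, t}: every path.
CHAR_CLASS_ATTEMPT = re.compile(r"[^net]")

# Label-anchored pattern: "net" must be a whole dotted label of the host directory
# directly under /log. [^/]+ keeps each part inside a single path component, so
# "net" appearing in a file name further down the tree does not match.
NET_LABEL = re.compile(r"^/log/[^/]+\.net\.[^/]+/")


def is_net_host(path):
    """True when the host directory under /log has 'net' as its own dotted label."""
    return NET_LABEL.search(path) is not None


def route_index(path):
    """Pick the index the question asks for: network for *.net.* hosts, else infotech."""
    return "network" if is_net_host(path) else "infotech"


def compare(paths):
    """Per path: does the [^net] attempt match, and where does the label pattern route it."""
    return {p: (CHAR_CLASS_ATTEMPT.search(p) is not None, route_index(p)) for p in paths}


if __name__ == "__main__":
    for path, (char_class_hit, index) in compare(SAMPLE_PATHS).items():
        print(f"{path:34} [^net] matches={str(char_class_hit):5} index={index}")
```

The `NET_LABEL` pattern is the shape a `blacklist =` line on the catch-all monitor stanza would take, since Splunk applies whitelist and blacklist regexes to the full file path.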
Having xxx.net.xxx.com send to a different port is the best option. Short of that, define a filter for that host and write it to a different directory. Be sure that you are doing this (with directories):
Thanks! We are pretty much doing everything in that link. The problem comes when the default monitor statement overrides anything specific since they are all in the same /log directory.
I think I have a "template" working with rsyslog to put logs from specific hosts into a different base directory "/netlog".
Appreciate the help!
Check the link below:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Routeandfilterdatad