Splunk Enterprise

Blacklist all files in windows folder and sub folders

Path Finder

I'm monitoring a Windows drive for any files ending in *.lrr and *.eve. This is because we have no control over where the files will be created. This may not be efficient but it works

I want to blacklist a folder on the drive and any sub folders so that the above files are not monitoring if they are in the blacklisted folder. The inputs.conf is

disabled = false
whitelist =
index = au_cpe_common_app
crcSalt = <SOURCE>

disabled = false
whitelist =
index = au_cpe_common_app
crcSalt = <SOURCE>

disabled = false
whitelist =
blacklist = .+
recursive = true

I would have expected the above blacklist to not monitor any files in the D:\DoNotMonitor folder recusively but it is ingesting files with source "D:\\DoNotMonitor\\donotmonitortest29042021\\_t_rep.eve"

What is the correct way to specify this? I can't find a well documented example of this specific use case

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...