I would like to monitor the following in different sourcetypes, but I don't seem to get the whitelist correct.
There will be other, different folders, and the search just does not go to these other folders:
/var/logs/.../mq-e*
/var/logs/.../err-*
/var/logs/.../warn-*
/var/logs/.../*

/var/logs/DNS/SU3000/WDNSAH8700/mq-eWDNSAH8700.log.th   -> sourcetype messagequeue
/var/logs/DNS/SU3000/WDNSAH8700/err-WDNSAH8700.log.th   -> sourcetype errorlog
/var/logs/DNS/SU3000/WDNSAH8700/warn-WDNSAH8700.log.th  -> sourcetype warninglog
/var/logs/DNS/SU3000/WDNSAH8700/WDNSAH8700.log.th       -> sourcetype mainlog
I tried different monitor stanzas, but nothing gives me the correct logging:

[monitor:///var/logs]
whitelist = "mq-e*.log.*"
sourcetype = messagequeue
index = unix
I also tried [monitor:///var/logs/.../mq-s*.log.*] without a whitelist, and that did not work either.
Can someone please enlighten me?
I would appreciate it if anyone could point me to some material to learn about the wildcard and whitelist syntax as well.
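Added example, not part of the original post and not Splunk's own code: a small evaluator that models the documented inputs.conf matching rules (whitelist and blacklist are regular expressions searched, unanchored, against the full file path; a blacklist hit wins; in a [monitor://] path `...` spans any number of directory levels and `*` matches within one path segment). It runs the stanza from the post against the four paths above and shows why `mq-e*.log.*` matches nothing: as a regex, `e*` means "zero or more e" and `.` is "any one character", so it is not a shell glob. It then routes the same paths with one wildcard stanza per sourcetype (stanza names must be distinct, so four copies of `[monitor:///var/logs]` would collapse into one) plus a blacklist on the catch-all. The two extra sample paths are constructed, and "first matching stanza wins" is a simplification of this script, not a statement about Splunk's precedence for overlapping stanzas.

```python
import re

# Constructed sample paths: the four from the post plus two extras.
SAMPLE_PATHS = [
    "/var/logs/DNS/SU3000/WDNSAH8700/mq-eWDNSAH8700.log.th",
    "/var/logs/DNS/SU3000/WDNSAH8700/err-WDNSAH8700.log.th",
    "/var/logs/DNS/SU3000/WDNSAH8700/warn-WDNSAH8700.log.th",
    "/var/logs/DNS/SU3000/WDNSAH8700/WDNSAH8700.log.th",
    "/var/logs/DNS/SU3000/WDNSAH8700/WDNSAH8700.txt",   # constructed: swallowed by a bare '*' catch-all
    "/var/log/syslog",                                  # constructed: outside the monitored tree
]


def monitor_path_to_regex(monitor_path: str) -> str:
    """Translate a [monitor://<path>] wildcard path into an anchored regex.

    Documented rules: '...' recurses through any number of directory levels,
    '*' matches any characters within a single path segment, everything else
    is literal. A path without wildcards is a directory monitored recursively.
    """
    if "*" not in monitor_path and "..." not in monitor_path:
        return "^" + re.escape(monitor_path) + "(/.*)?$"
    parts = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def stanza_matches(path: str, stanza: dict) -> bool:
    """Path must fall under the stanza path, pass the whitelist regex (if any),
    and not hit the blacklist regex (if any). Both lists are regexes, not globs."""
    if not re.search(monitor_path_to_regex(stanza["monitor"]), path):
        return False
    whitelist = stanza.get("whitelist")
    if whitelist and not re.search(whitelist, path):
        return False
    blacklist = stanza.get("blacklist")
    if blacklist and re.search(blacklist, path):
        return False
    return True


def route(paths, stanzas) -> dict:
    """Map each path to the sourcetype of the first matching stanza, or None
    (first-match is this script's simplification, see lead-in)."""
    result = {}
    for path in paths:
        result[path] = None
        for stanza in stanzas:
            if stanza_matches(path, stanza):
                result[path] = stanza["sourcetype"]
                break
    return result


# The stanza from the post: the whitelist is read as a regex, so it never matches.
POSTED = [
    {"monitor": "/var/logs", "whitelist": r"mq-e*.log.*", "sourcetype": "messagequeue"},
]

# Same single stanza with the whitelist written as a real regex (hypothetical fix).
WHITELIST_FIXED = [
    {"monitor": "/var/logs", "whitelist": r"/mq-e[^/]*\.log\.", "sourcetype": "messagequeue"},
]

# One wildcard stanza per sourcetype; the catch-all blacklists the prefixed files
# so the same file is not claimed twice (hypothetical configuration).
CORRECTED = [
    {"monitor": "/var/logs/.../mq-e*.log.*", "sourcetype": "messagequeue"},
    {"monitor": "/var/logs/.../err-*.log.*", "sourcetype": "errorlog"},
    {"monitor": "/var/logs/.../warn-*.log.*", "sourcetype": "warninglog"},
    {"monitor": "/var/logs/.../*", "blacklist": r"/(mq-e|err-|warn-)[^/]*$", "sourcetype": "mainlog"},
]

if __name__ == "__main__":
    for label, stanzas in (("posted", POSTED), ("whitelist fixed", WHITELIST_FIXED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for path, sourcetype in route(SAMPLE_PATHS, stanzas).items():
            print(f"{sourcetype or '(not collected)':16} {path}")
```

Running it prints nothing collected for the posted stanza, only the mq-e file for the fixed whitelist, and all four sourcetypes for the corrected set. Note that the bare `/var/logs/.../*` catch-all also picks up the constructed `.txt` file; if only `.log.*` files belong in mainlog, narrow that stanza to `/var/logs/.../*.log.*`.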