Hello,
I want to watch .so and .bin files in /etc/security and its subfolders.
I applied a whitelist filter and a blacklist filter:
[filter:whitelist:whitelist_f]
regex1 = (.+\.so$|.+\.bin$)
[filter:blacklist:blacklist_f]
regex1 = .*
[fschange:/etc/security/]
recurse = true
filters = whitelist_f,blacklist_f
Result: I can see the .so and .bin files in /etc/security but not in the subfolders.
I guess that fschange applies the filters to the subfolder names too.
I tried to write some regexes to include some subfolders, but I don't get the expected result.
Example of tried regex:
Any idea is welcome,
Thanks in advance,
Chaben
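An added illustration, not code from the thread or from Splunk: a small Python simulation of the left-to-right filter chain configured above, run over a constructed file list. It assumes, as the poster suspects, that each filter is applied to directory names as well as file names, that the first regex hit decides, and that a path no filter matches is kept.

```python
import re

# Constructed filter chain in the same shape as the post's inputs.conf stanzas
# (dots escaped so ".so" means a literal ".so" suffix).
FILTERS = [
    ("whitelist", [r"(.+\.so$|.+\.bin$)"]),
    ("blacklist", [r".*"]),
]

# Constructed sample tree, as a recursive walk of /etc/security might return it;
# directory entries end with "/".
SAMPLE_TREE = [
    "/etc/security/pam_unix.so",
    "/etc/security/module.bin",
    "/etc/security/limits.conf",
    "/etc/security/lib/",
    "/etc/security/lib/pam_ldap.so",
    "/etc/security/lib/helper.bin",
]

def decide(path, filters):
    """Apply filters left to right; the first regex hit decides:
    whitelist hit -> keep, blacklist hit -> drop. No hit -> keep (assumption)."""
    for kind, regexes in filters:
        if any(re.search(rx, path) for rx in regexes):
            return kind == "whitelist"
    return True

def watched_files(tree, filters, filter_dirs):
    """Simulate one recursive poll. With filter_dirs=True the chain is also
    applied to each directory name, and a dropped directory hides everything
    beneath it, which is the behaviour the poster suspects."""
    hidden = []
    kept = []
    for entry in sorted(tree):
        if any(entry.startswith(prefix) for prefix in hidden):
            continue
        if entry.endswith("/"):
            if filter_dirs and not decide(entry.rstrip("/"), filters):
                hidden.append(entry)
            continue
        if decide(entry, filters):
            kept.append(entry)
    return kept

if __name__ == "__main__":
    print("filters applied to directories too:", watched_files(SAMPLE_TREE, FILTERS, True))
    print("filters applied to files only:", watched_files(SAMPLE_TREE, FILTERS, False))
```

With the directory names filtered, "lib" fails the whitelist, is caught by the ".*" blacklist, and its .so/.bin files never appear, matching the result reported above.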
Thanks for your reply lukejadamec, I tried it on Splunk Enterprise 6 but it doesn't work: no file added.
I believe you need to make the change in the source, not the regex:
[fschange:/etc/security/...]