How do I edit my inputs.conf monitor stanzas with ...

Federica_92 · ‎07-16-2015

Hi everyone, I have 3 folders called: www1, www2, www3, and I would like to get only 2 types of logs:

security.log and access.log.

I did something like that:

[monitor:///opt/log/www*/access.log] 
sourcetype=linux_secure
host_segment=3 host=www*
index=web 

[monitor:///opt/log/www*/secure.log] 
host_segment=3 
host=www* 
index=main

But it's not obviously working, how can I correct this?

maciep · ‎07-16-2015

what are you doing with host=www*. You're already telling splunk to assign the host value from the 3rd segment of the log path...

Federica_92 · ‎07-17-2015

It wasn't working, so I write again host=www*, to try...

diogofgm · ‎07-16-2015

try this:

[monitor:///opt/log/www*/access.log]
sourcetype=access_combined
host_segment=3
index=web

[monitor:///opt/log/www*/secure.log]
sourcetype=linux_secure
host_segment=3

index=main

------------
Hope I was able to help you. If so, some karma would be appreciated.

Federica_92 · ‎07-17-2015

whitelist=security.log$|access.log$, do you think I can monitor these using regular expressions?

How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases