I want to monitor only exe and dll extension files located in:
C:\Windows\System32
and
C:\Windows\System
So far, I have set up filters - I have 50 regexes - but there are still more and more file types going to Splunk which I do not wish to monitor. Is there any simpler way?
fschange blacklist and whitelist do not work like the monitor blacklist/whitelist, hence quite a bit of trial and error is needed to get it right. Yes, you can end up with hundreds of regexes and see no end to it.
The easiest workaround that I can suggest is to use props.conf and transforms.conf to index only what you wish to index and send the rest to nullQueue.
For example, to keep it simple I set up an fschange monitor on c:\Windows:
inputs.conf:
[fschange:c:\Windows]
index = fschange-prob
recurse = true
delayInMills = 3
pollPeriod = 3
hashMaxSize = -1
fullEvent = false
sendEventMaxSize = -1
sourcetype = exe-dll
props.conf:
[exe-dll]
# transforms run in the listed order; the later one wins when both match
TRANSFORMS-delindexfschange = deletefschange,sendtoparse
transforms.conf:
[deletefschange]
# matches every event, so the default is to drop
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[sendtoparse]
# case-insensitive match on the quoted path field ending in .exe or .dll;
# the dot is escaped so it does not match any character
REGEX = (?i)\.(exe|dll)"
DEST_KEY = queue
FORMAT = indexQueue
Since you wish to monitor c:\Windows\System and c:\Windows\System32, you can edit your regex to filter further. The above will index all the files under c:\Windows whose extension is exe or dll; the rest will be sent to nullQueue and will not get indexed.
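The answer above leaves the tightening to the System and System32 directories as an exercise. The following is an added example, not part of the original post or of Splunk, that builds that narrower whitelist regex and replays the two-transform chain (everything to nullQueue, then matches overridden to indexQueue) over a handful of constructed fschange-style events. The events, the sample paths and the stanza names are assumptions for illustration; the pattern itself is PCRE-compatible, so the same string can be pasted into the transforms.conf REGEX line. It also shows two pitfalls a practitioner would want checked: a bare C:\Windows\System prefix also matches C:\Windows\SystemApps, and names like SAM.dll.bak or update.exe.xml must not be treated as dll/exe.

```python
import re

# Constructed sample events in the fschange layout (timestamp, action, path, ...).
# These are made up for the example and are not real Splunk output.
SAMPLE_EVENTS = [
    'Mon Mar  3 10:00:01 2014 action="update", path="C:\\Windows\\System32\\kernel32.dll", isdir=0, size=1114112',
    'Mon Mar  3 10:00:02 2014 action="add", path="C:\\Windows\\System32\\drivers\\evil.sys", isdir=0, size=4096',
    'Mon Mar  3 10:00:03 2014 action="add", path="C:\\Windows\\System\\oldapp.EXE", isdir=0, size=20480',
    'Mon Mar  3 10:00:04 2014 action="update", path="C:\\Windows\\SystemApps\\foo.exe", isdir=0, size=8192',
    'Mon Mar  3 10:00:05 2014 action="update", path="C:\\Windows\\notepad.exe", isdir=0, size=200000',
    'Mon Mar  3 10:00:06 2014 action="delete", path="C:\\Windows\\System32\\config\\SAM.dll.bak", isdir=0, size=0',
    'Mon Mar  3 10:00:07 2014 action="update", path="C:\\Windows\\System32\\Tasks\\update.exe.xml", isdir=0, size=1200',
    'Mon Mar  3 10:00:08 2014 action="update", path="C:\\Windows\\System32", isdir=1, size=0',
    'Mon Mar  3 10:00:09 2014 action="update", path="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", isdir=0, size=450000',
]

# Whitelist patterns. Both are PCRE-compatible, so they work unchanged as a
# transforms.conf REGEX value. "\\" matches one literal backslash; the trailing
# quote anchors the extension at the end of the quoted path field.
# - recursive: any depth below System or System32
# - direct:    only files sitting directly in System or System32
WHITELIST_RECURSIVE = re.compile(
    r'(?i)path="C:\\Windows\\System(?:32)?\\(?:[^"\\]+\\)*[^"\\]+\.(?:exe|dll)"'
)
WHITELIST_DIRECT = re.compile(
    r'(?i)path="C:\\Windows\\System(?:32)?\\[^"\\]+\.(?:exe|dll)"'
)

INDEX_QUEUE = "indexQueue"
NULL_QUEUE = "nullQueue"


def extract_path(event):
    """Pull the quoted path field out of an fschange-style event."""
    m = re.search(r'path="([^"]*)"', event)
    return m.group(1) if m else None


def route(event, recursive=True):
    """Mimic the props/transforms chain from the answer.

    [deletefschange] matches every event and sets queue=nullQueue;
    [sendtoparse] runs afterwards and, on a whitelist hit, overrides
    the queue to indexQueue. The last transform to match wins.
    """
    queue = NULL_QUEUE
    pattern = WHITELIST_RECURSIVE if recursive else WHITELIST_DIRECT
    if pattern.search(event):
        queue = INDEX_QUEUE
    return queue


def route_all(events, recursive=True):
    """Map each event's path to the queue it would end up in."""
    return {extract_path(e): route(e, recursive) for e in events}


def transforms_stanza(recursive=True):
    """Render the [sendtoparse] stanza with the chosen whitelist regex.

    Stanza and key names follow the answer above; only the REGEX changes.
    """
    pattern = WHITELIST_RECURSIVE if recursive else WHITELIST_DIRECT
    return (
        "[sendtoparse]\n"
        f"REGEX = {pattern.pattern}\n"
        "DEST_KEY = queue\n"
        "FORMAT = indexQueue\n"
    )


if __name__ == "__main__":
    for path, queue in route_all(SAMPLE_EVENTS).items():
        print(f"{queue:10s} {path}")
    print()
    print(transforms_stanza())
```

Run it and the only paths that reach indexQueue are kernel32.dll, oldapp.EXE and powershell.exe; SystemApps\foo.exe, the .sys driver, the .bak and .xml files and the directory event all stay in nullQueue. Switch to `route_all(SAMPLE_EVENTS, recursive=False)` if subdirectories of System32 should also be dropped. Note that nullQueue filtering happens after the forwarder has already read and hashed the file, so it reduces index volume but not the collection cost on the host.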