What configuration settings should be changed to b...

deepak02 · ‎03-29-2017

Hi,

I would like to block logs which have certain terms in their source.

source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log => Allow
source=/dev/logs/JMS-rhel10y3h_node_1_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_2_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_3_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_4_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_5_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_6_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_7_Performance.log => Block
source=/dev/logs/JMS-rhel10y3h_node_8_Performance.log => Block
internal logs => Allow

The rule is:
allow all node_0 logs, allow all _internal logs.
If an Errorlog or Access log or any other log gets added to node_0 allow that as well.

I think we can do the above by modifying transforms.conf and props.conf. What settings should I change?

Please advise.

Thanks,
Deepak

woodcock · ‎03-29-2017

You do this with a fully-qualified monitor stanzas inside of inputs.conf:

[monitor:///source=/dev/logs/JMS-rhel10y3h_node_0_Performance.log]
other
settings here

The splunk internal logs are already set to be forwarded and you don't need to do anything to make that happen.

somesoni2 · ‎03-29-2017

You should be able to whitelist only the node_0 in inputs.conf. This way your forwarder won't event monitor and send data from other nodes (reducing network traffic). See this for more information

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Whitelistorblacklistspecificincomingdata

What configuration settings should be changed to block logs based on source?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases