This is largely an observation unless i am missing something: on the *nix app of the free version of splunk some files in /var/log directory are exculded from being logged. In fact, the entire /var/log data input is disabled to begin with. Other files and subdirectories are whitelisted and therefore indexable by splunk.
This may become problematic when one wants to see, say, "failed logins" (under Users, Failed Logins menu item in the *nix App). First, the /var/log input must be enabled, second, the/var/log/secure log file should be whitelisted and third, splunk should run as a user with at least read privileges on said locations.
Is there a more direct way of accomplishing this?
