Solved: Appending to a whitelist

Peter_B · ‎09-20-2010

We're using the unix app to monitor our linux machines. One of the files we need to monitor is /var/log/secure. The unix app has a monitor for /var/log with a _whitelist that does not include 'secure'. Rather than entirely overwrite that whitelist with an entry in in etc/system/local/inputs.conf, does anyone know of a way of appending to it (other than editing the inputs.conf in the unix app)? What I mean is can you do something like this -

[monitor:///var/log]
_whitelist=EXISTING-WHITELIST+'secure'

Thanks

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

View solution in original post

Stephen_Sorkin · ‎09-20-2010

Your best bet is to add another inputs stanza, rather than to augment the existing one. For example:

[monitor:///var/log/secure*]

ftk · ‎09-20-2010

Unfortunately appending filters is only possible with the fschange monitor at this point.

Appending to a whitelist

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!