Solved: How do you monitor certain files in the directory ...

mlevsh · ‎01-11-2019

Hi,

We have numerous files in the directory we want to monitor: different types logs files and their snapshots.

For example:

audit.log
audit.log.2018-05-21.log
audit.log.2018-05-20.log
server.log
server.log.1
server.log.2

We need to continuously monitor only audit.log and server.log logs.

This data input doesn't seem to work. Dated audit.log* were ingested as well.

[monitor://E:\dir\subdir1\subdir2\subdir3\log]
disabled = false
index = indexname
sourcetype = sourcename
followTail = 0 
whitelist = audit.log$|server.log$

Any advice on how would you do it?

gcusello · ‎01-11-2019

Hi mlevsh,
you could try something like this:

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log\server.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0

Bye.
Giuseppe

View solution in original post

gcusello · ‎01-11-2019

Hi mlevsh,
you could try something like this:

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0 

 [monitor://E:\dir\subdir1\subdir2\subdir3\log\audit.log\server.log]
 disabled = false
 index = indexname
 sourcetype = sourcename
 followTail = 0

Bye.
Giuseppe

mlevsh · ‎01-11-2019

@cusello , that was one of the options. I was looking for more elegant solution , maybe 🙂

How do you monitor certain files in the directory using whitelist?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases