Re: Whitelist not matching

ejbrownie · ‎03-09-2011

I have a whitelist to limit how far back splunk looks to import our syslogs from our ASA. The regex that I am using is ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$

When I look a the admin/inpustatus, it states that every file does not match the whitelist. But when I run the regex test on a few regex test web sites, they all say it matches.

s:key name="e:\syslog\ASA\ASA_Syslog_2011-03-09.txt"
s:dict
s:key name="parent">e:\syslog\ASA s:key name="type">Did not match whitelist '^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$'. /s:key
/s:dict

(<> removed so this will show in question)

Am i missing something? Do I need to include the file path in the regex for the white list?

My inputs.conf looks like this

[monitor://e:\syslog\ASA] disabled = false followTail = 0 host = ASA index = cisco_asa sourcetype = cisco_syslog whitelist = ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$

mikelanghorst · ‎10-05-2013

I believe the issue is the "^" in your regex is causing the issue expecting the absolute path to start at ASA_Syslog. Try taking that out.

jspears · ‎10-05-2013

Looking at the monitor stanza versus regex, I would also do this:

[monitor://e:\syslog\ASA\ASA_Syslog_*]
...
whitelist = (|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).

Whitelist not matching

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...