forwarder, syslog & blacklist

tinkster · ‎05-06-2014

I installed the splunkforwarder on a few machines, and added /var/log as a syslog source. I overlooked the fact that there's freeradius accounting data in one of the subdirectories that I really don't want in splunk.

How do I get rid of it?

How do I tell the forwarder to ignore the subdirectory /var/log/freeradius/radacct and its subdirectories?

MuS · ‎05-06-2014

Hi tinkster,

use a blacklist in your monitor stanza in inputs.conf like this

blacklist = /var/log/freeradius/radacct

If blacklist is set and the files path matches the specified regex from this input, they are NOT monitored.

hope this helps ...

cheers, MuS

MuS · ‎05-07-2014

btw the entry in blacklist is a regex and will be treated as such. In your case it tries to match /var/log/freeradius/radacct/.* if you still encounter problems remove the .* at the end

MuS · ‎05-07-2014

Yes, delete will no delete event from the index - they are only marked as 'unsearchable'.
clean will remove all events from a given index.
You can find your options in this http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/RemovedatafromSplunk doc

tinkster · ‎05-07-2014

Thanks for this part of the answer - this is what I did; specifically, blacklist = /var/log/freeradius/radacct/.*.

Now - how do I get the accidentally indexed data deleted? The search | delete seems to stop the data from showing up in searches, but the diskspace didn't get reclaimed.

I don't quite understand whether "clean" will only cull unwanted index entries, or ALL index entries.

forwarder, syslog & blacklist

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases