Splunk Search

whitelist and wildcard for rotated file without recursive option in inputs.conf

koudis
Explorer

Hi,
I have the following configuration in inputs.conf:

[monitor:///var/log/audit/audit.log*]
whitelist=(audit\.log$|audit\.log.1$)
index=int-os
sourcetype=audit
recursive=false

[monitor:///mnt/log/messages*]
whitelist=(messages$|messages\.1$)
index=int-os
sourcetype=messages
recursive=false

Files are like this:

[root@instance:/home/milan.koudelka] ls -l /var/log/audit/
total 26604
-rw-r-----. 1 root splunk 2035776 Jun 18 13:31 audit.log
-r--r-----. 1 root splunk 6291677 Jun 17 17:37 audit.log.1
-r--r-----. 1 root splunk 6291484 Jun 15 02:09 audit.log.2
-r--r-----. 1 root splunk 6291614 Jun 12 10:28 audit.log.3
-r--r-----. 1 root splunk 6291656 Jun  9 19:09 audit.log.4

[root@splunk-ds1:/home/milan.koudelka] ls -l /mnt/log/messages*
-rw-r-----. 1 root splunk  18817 Jun 18 13:32 /mnt/log/messages
-rw-r-----. 1 root splunk  24468 Jun 18 03:42 /mnt/log/messages.1
-rw-r-----. 1 root splunk  52044 Jun 17 03:56 /mnt/log/messages.2

It's weird that for the messages log file the input is working correctly, while for audit.log the input isn't working at all.
I've tried to use all of these configurations:

[monitor:///var/log/audit/*]
[monitor:///var/log/audit/*.log]
[monitor:///var/log/audit/]

None of these is working. I don't want to allow recursion.

The only one working is

[monitor:///var/log/audit/audit.log]

But this will not catch the first rotated file, audit.log.1.

Any advice on why it's working for one log file and not for another?

Splunk version 6.0.3

0 Karma

MuS
Legend

Hi koudis,

your whitelist for audit.log should be like this:

 whitelist=(audit\.log$|audit\.log\.1$)

cheers, MuS

0 Karma

koudis
Explorer

So the easiest way to ensure that only the two exact files (audit.log and audit.log.1) will be monitored, without any recursion, is like this?

[monitor:///var/log/audit/audit.log]
index=int-os
sourcetype=audit
recursive=false

[monitor:///var/log/audit/audit.log.1]
source=/var/log/audit/audit.log
index=int-os
sourcetype=audit
recursive=false
0 Karma

MuS
Legend

When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions.
This means your whitelist is being clobbered by your use of * expressions in the stanza.

0 Karma

koudis
Explorer

Thanks for the first tip, MuS, but unfortunately this isn't working.
I sometimes use it without the backslash by mistake, as "any one character".

What's weird is that it's also working for configurations like this:

[monitor:///mnt/log/postgresql.log*]
whitelist=(.log$|.log.1$)
index=os
sourcetype=postgres
recursive=false
0 Karma
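The following is an added example and is not code from the thread or from Splunk. It is a small Python emulation of the two mechanisms the posts above turn on: how a wildcarded monitor path becomes a stanza plus an implicit whitelist (MuS's explanation), and what the posted `whitelist` regexes actually admit, including the unescaped `.` that koudis mentions in the audit and postgresql stanzas. It assumes the documented whitelist semantics (an unanchored regex search against the full path of each file, `*` matching anything but `/`, `...` matching across directories) and does not model Splunk's real implementation, file permissions or the tailing processor. The file listings are taken from the thread; the two decoy names (`audit.log_1`, `audit.log-1`) are constructed to show what an unescaped dot lets through.

```python
import re

# Constructed sample input: the two directory listings posted in the thread,
# expanded to full paths because Splunk evaluates whitelist/blacklist regexes
# against the full path of each candidate file, not against the basename.
AUDIT_FILES = ["/var/log/audit/audit.log"] + [
    "/var/log/audit/audit.log.%d" % n for n in range(1, 5)
]
MESSAGES_FILES = ["/mnt/log/messages", "/mnt/log/messages.1", "/mnt/log/messages.2"]

# Constructed decoys that do NOT appear in the thread: an unescaped "." in a
# regex matches any single character, so "audit\.log.1$" admits both of these.
DECOY_FILES = ["/var/log/audit/audit.log_1", "/var/log/audit/audit.log-1"]

WHITELIST_POSTED = r"(audit\.log$|audit\.log.1$)"          # as posted: "." before 1 unescaped
WHITELIST_ESCAPED = r"(audit\.log$|audit\.log\.1$)"        # MuS's correction
WHITELIST_ANCHORED = r"^/var/log/audit/audit\.log(\.1)?$"  # anchored on the full path
WHITELIST_MESSAGES = r"(messages$|messages\.1$)"           # the stanza that does work


def whitelist_matches(pattern, paths):
    """Return the paths an inputs.conf whitelist regex would admit.

    A Splunk whitelist is an unanchored regex search over the full path, so
    re.search (not re.fullmatch) is the right Python analogue.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def split_wildcard_stanza(stanza_path):
    """Emulate how a wildcarded monitor path turns into a stanza plus an
    implicit whitelist (the behaviour MuS describes): the longest
    wildcard-free directory prefix becomes the stanza, and the remainder is
    translated to a regex in which "*" matches anything except "/" and "..."
    matches across directory boundaries.  Returns (stanza, regex_or_None).
    """
    positions = [i for i in (stanza_path.find("*"), stanza_path.find("...")) if i >= 0]
    if not positions:
        return stanza_path, None  # no wildcard: a plain file or directory monitor
    cut = stanza_path.rfind("/", 0, min(positions)) + 1
    stanza, rest = stanza_path[:cut], stanza_path[cut:]
    regex, i = [], 0
    while i < len(rest):
        if rest.startswith("...", i):
            regex.append(".*")
            i += 3
        elif rest[i] == "*":
            regex.append("[^/]*")
            i += 1
        else:
            regex.append(re.escape(rest[i]))
            i += 1
    return stanza, "".join(regex) + "$"


def basenames(paths):
    """Basenames only, for readable output."""
    return [p.rsplit("/", 1)[1] for p in paths]


if __name__ == "__main__":
    stanza, implicit = split_wildcard_stanza("/var/log/audit/audit.log*")
    print("stanza %s, implicit whitelist %s" % (stanza, implicit))
    print("implicit alone admits:", basenames(whitelist_matches(implicit, AUDIT_FILES)))
    candidates = AUDIT_FILES + DECOY_FILES
    for label, wl in [("posted", WHITELIST_POSTED), ("escaped", WHITELIST_ESCAPED),
                      ("anchored", WHITELIST_ANCHORED)]:
        print("%-8s %-40s -> %s" % (label, wl, basenames(whitelist_matches(wl, candidates))))
    print("messages:", basenames(whitelist_matches(WHITELIST_MESSAGES, MESSAGES_FILES)))
```

Two things the run makes visible. First, the implicit whitelist derived from `audit.log*` is `audit\.log[^/]*$`, which by itself admits every rotation in the listing, so if the explicit `whitelist` is not honoured alongside the wildcard, the stanza's selection is wider than intended rather than empty. Second, against the files actually present the posted `audit\.log.1$` still selects exactly `audit.log` and `audit.log.1`; the unescaped dot only matters once a name like `audit.log_1` exists. Escaping it is still correct hygiene, and if the goal is "these two files and nothing else", anchoring the regex on the full path (`^/var/log/audit/audit\.log(\.1)?$`) states that intent without relying on what the wildcard happens to expand to.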