Hi there!
I am currently indexing OS data from my Linux data sources using the Universal Forwarder with the TA (Technology Add-on). One of the things I would like to monitor is shell command history (i.e. .bash_history, .sh_history). I have the following stanzas in my inputs.conf files:
### Bash History
[monitor:///root/.bash_history]
disabled=0
sourcetype=bash_history
index=os
[monitor:///home/.../.bash_history]
disabled=0
sourcetype=bash_history
index=os
### KSH History
[monitor:///.../.sh_history]
disabled=0
sourcetype=ksh_history
index=os
Based on the initial indexed data I'm receiving, however, every change to the history files triggers the forwarder to send the entire contents of the files. The history files currently don't timestamp each command record. What I wanted to know is whether it would be enough to just add the following lines to my stanzas if I were only interested in recording the day's commands:
followTail=1
ignoreOlderThan=1d
Hope to hear from the experts out there soon. Thanks!
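An added illustration, not part of the question above, of why the forwarder may treat a rewritten history file as a new file: Splunk's monitor input fingerprints the start of each file (initCrcLength, 256 bytes by default), so a plain append leaves that fingerprint intact, while bash's logout rewrite, which drops the oldest lines once HISTSIZE is exceeded, changes the head of the file. The function names are mine, sha256 stands in for the forwarder's CRC, and the sample history is constructed.

```python
import hashlib
import os
import tempfile

INIT_CRC_LENGTH = 256  # assumption: Splunk's default initCrcLength in inputs.conf


def head_fingerprint(path, length=INIT_CRC_LENGTH):
    """Fingerprint of the first `length` bytes, standing in for the forwarder's head CRC."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(length)).hexdigest()


def append_command(path, cmd):
    """Model an interactive shell appending one line (histappend-style write)."""
    with open(path, "a") as fh:
        fh.write(cmd + "\n")


def rewrite_history(path, histsize):
    """Model bash writing its in-memory history on logout: only the last `histsize` lines survive."""
    with open(path) as fh:
        lines = fh.readlines()
    with open(path, "w") as fh:
        fh.writelines(lines[-histsize:])


def simulate():
    """Return (append_kept_head, trim_kept_head): did the head fingerprint survive each write?"""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".bash_history", delete=False)
    try:
        # constructed sample history, long enough to exceed the 256-byte head
        for i in range(40):
            tmp.write(f"echo constructed command number {i}\n")
        tmp.close()
        before = head_fingerprint(tmp.name)
        append_command(tmp.name, "ls -la /var/log")
        after_append = head_fingerprint(tmp.name)  # same first 256 bytes
        rewrite_history(tmp.name, histsize=30)      # oldest 11 lines dropped
        after_trim = head_fingerprint(tmp.name)    # head now differs
        return before == after_append, before == after_trim
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(simulate())
```

The second value coming back False is the case the forwarder sees after a logout rewrite: with a different head fingerprint (or a detected truncation) it re-reads the file from the beginning, which matches the whole-file re-sends described above.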