I have a universal forwarder monitoring the /var/log directory on our syslog server. In the directory I have the files aaa, bbb, and ccc, plus other files. What is the best way to monitor these files and set different source types? I want to set a different sourcetype for those three files, and then everything else would be sourcetype=syslog. Would the following work?

[monitor:///var/logs]
blacklist = aaa|bbb
sourcetype = syslognew

[monitor:///var/logs]
blacklist = aaa|ccc
sourcetype = syslogvmware

[monitor:///var/logs]
blacklist = ccc|bbb
sourcetype = syslogaaa

[monitor:///var/logs]
blacklist = aa|bbb|ccc
sourcetype = syslog