Selectively monitor files in a directory with Splunk Forwarder

Scenario: lots of log files sit in the same directory on a remote host; we don’t want to monitor all of them, and we don’t want to spell out a long list of files in the forwarding configuration.

Solution: use a blacklist entry. The example below monitors all files in the /logs directory, sets a sourcetype of fw_log and ignores any filename ending in .LONDONA or .AMSTERDAMA.

Edit file: /home/splunk/opt/splunkforwarder/etc/system/local/inputs.conf

[monitor:///logs/]
disabled = false
blacklist = (\.LONDONA$|\.AMSTERDAMA$)
sourcetype = fw_log
index = firewall

Or, to use a wildcard and monitor only certain files:

[monitor:///logs/firewallmsgs.*]
disabled = false
sourcetype = asa_log
blacklist = (\.LONDONA$|\.AMSTERDAMA$)
index = firewall

Similarly, we can create a whitelist instead:

[monitor:///logs/messages.fw.*]
whitelist = (\.CDCA$|\.CDCB$)
disabled = false
index = firewall

(We could use splunk add monitor /logs/ -index main -sourcetype fw_log instead, but as we’re adding a blacklist we may as well edit the file by hand.)
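Before pushing a stanza to the forwarder it helps to dry-run the path wildcard and the whitelist/blacklist regexes against a directory listing and see exactly which files would be picked up. The script below is an added example, not part of the original post or of Splunk; it is a simplified model of Splunk's documented matching rules (path wildcards, regexes searched against the full path, blacklist winning over whitelist) run against a constructed listing of /logs.

```python
import re

# Constructed sample listing of /logs (not from the original post) to dry-run
# the stanzas against before touching inputs.conf on the forwarder.
SAMPLE_FILES = [
    "/logs/firewallmsgs.LONDONA", "/logs/firewallmsgs.LONDONB",
    "/logs/firewallmsgs.AMSTERDAMA", "/logs/messages.fw.CDCA",
    "/logs/messages.fw.CDCB", "/logs/messages.fw.LONDONA", "/logs/other.log",
]

def path_pattern(monitor_path):
    """Compile the path part of a [monitor://...] header into an anchored regex.
    Simplified model (assumption) of Splunk's wildcards: '*' matches anything
    except '/', '...' matches any number of path segments, and a trailing '/'
    means every file below that directory."""
    if monitor_path.endswith("/"):
        monitor_path += "..."
    regex, i = "", 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            regex, i = regex + ".*", i + 3
        elif monitor_path[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        else:
            regex, i = regex + re.escape(monitor_path[i]), i + 1
    return re.compile("^" + regex + "$")

def selected_files(stanza, files):
    """Return the files a monitor stanza would pick up from `files`.
    `stanza` is a dict: 'path' (what follows monitor://) plus optional
    'whitelist' / 'blacklist' regexes. As in Splunk, the regexes are searched
    (unanchored unless you add ^ or $) against the full path, and a
    blacklist match overrides a whitelist match."""
    path_re = path_pattern(stanza["path"])
    white = re.compile(stanza["whitelist"]) if "whitelist" in stanza else None
    black = re.compile(stanza["blacklist"]) if "blacklist" in stanza else None
    chosen = []
    for f in files:
        if not path_re.match(f):
            continue                     # outside the monitored path
        if black and black.search(f):
            continue                     # blacklist wins
        if white and not white.search(f):
            continue                     # whitelist given but not matched
        chosen.append(f)
    return chosen

if __name__ == "__main__":
    for s in [{"path": "/logs/", "blacklist": r"(\.LONDONA$|\.AMSTERDAMA$)"},
              {"path": "/logs/firewallmsgs.*", "blacklist": r"(\.LONDONA$|\.AMSTERDAMA$)"},
              {"path": "/logs/messages.fw.*", "whitelist": r"(\.CDCA$|\.CDCB$)"}]:
        print(s["path"], "->", selected_files(s, SAMPLE_FILES))
```

The $ anchors in the post's regexes are what keep a rotated copy such as messages.fw.CDCA.1 out of the whitelist match; drop them and the patterns also hit names with a suffix appended.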

Note: the forwarder was added with:

./splunk add forward-server remotehostname:9997

Check forwarding with:

splunk list forward-server
Splunk username: admin
Password:
Active forwards:
        remotehostname:9997
Configured but inactive forwards:
        None

Then configure a receiver on port 9997 on the indexer.
