I am using this stanza to monitor a Linux directory:

[monitor:///opt/nessus/var/nessus/users/*/reports/]
disabled = 0
followTail = 0
crcSalt = <source>
whitelist = .nessus$
ignoreOlderThan = 30d
index = nessus
sourcetype = nessus

I get this error in the splunkd.log file on the U.F.:

'02-22-2012 12:54:31.053 -0600 ERROR TailingProcessor - matching /opt/nessus/var/nessus/users/mikeh/reports/ against ^/opt/nessus/var/nessus/users/[^/]*/reports/$'

I also get the same error on other folders in the users directory. I have tried using the standard stanza like this,

[monitor:///opt/nessus/var/nessus/users/.../reports/]

but I get the same error messages. I had thought it was due to permissions, but I fixed that problem. Anyone know why I am getting errors on all the folders, including the one I want to monitor?
If the full path is

/opt/nessus/var/nessus/users/username/reports/report_name.nessus

then it should be

[monitor:///opt/nessus/var/nessus/users/*/reports]

The * is for single directory depth, where ... is one or more directories. So remove your trailing slash.

You might be right. I tried just commenting out the whitelist item, the 'whitelist = *.nessus'. It looks like this worked, so I think the problem may be in the combo or the final directory name and the whitelist format.
(23 Feb, 06:05)
hartfoml
sorry 'whitelist = *\.nessus'
(23 Feb, 06:05)
hartfoml
1
should be whitelist=.*\.nessus$ if you want to match only pathnames that end in .nessus
(23 Feb, 11:08)
lguinn ♦
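Added example (not part of the thread and not Splunk's own code): the wildcard-to-regex translation visible in the splunkd.log line, and each whitelist value from the thread tested as a regular expression against a report path. Assumptions: Python's `re` stands in for Splunk's regex engine, the function names are hypothetical, and the sample paths are constructed from the names used above.

```python
import re

def monitor_path_to_regex(path):
    """Translate a monitor:// path into a regex: '...' spans any number of
    directories, '*' stays inside one path segment ('[^/]*', as in the
    splunkd.log line quoted in the question)."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "^" + "".join(out) + "$"

def whitelist_result(pattern, path):
    """Return None when the pattern is not a valid regex, otherwise whether
    it matches anywhere in the full path (unanchored search)."""
    try:
        return re.search(pattern, path) is not None
    except re.error:
        return None

# Constructed sample paths, built from the names used in the thread.
BASE = "/opt/nessus/var/nessus/users/"
REPORT = BASE + "mikeh/reports/report_name.nessus"
LOOKALIKE = BASE + "mikeh/reports/report_name_nessus"  # no ".nessus" extension

# Whitelist values that appear in the thread.
WHITELISTS = [".nessus$", "*.nessus", r"*\.nessus", "*.nessus$", r".*\.nessus$"]

def evaluate():
    """Map each whitelist value to (result on REPORT, result on LOOKALIKE)."""
    return {w: (whitelist_result(w, REPORT), whitelist_result(w, LOOKALIKE))
            for w in WHITELISTS}

if __name__ == "__main__":
    for stanza in (BASE + "*/reports/", BASE + ".../reports/"):
        print(stanza, "->", monitor_path_to_regex(stanza))
    for pattern, (report, lookalike) in evaluate().items():
        print(f"{pattern!r:16} report={report} lookalike={lookalike}")
```

A result of None means the value is a shell-style glob that does not compile as a regex; the unescaped dot in `.nessus$` also accepts the lookalike name, which `.*\.nessus$` rejects.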
whitelist = *.nessus$

[monitor:///opt/nessus/var/nessus/users/.../reports/]
is the proper syntax.