Right now AIDE runs a check every 5 minutes and comes back with the same results each time of files Added, Removed, or Changed. The issue is the timestamp changes and the same results are being indexed over and over even though there has been no change. I would like to prevent indexing the same log file, but Splunk sees the log as a different file because the timestamp is changing on the first line. Is there a way to prevent Splunk from indexing the AIDE logs and only index them when there is a change in the rest of the AIDE log below the timestamp?
Example AIDE log.
Start timestamp: 2016-06-11 01:53:00
Summary:
Total number of files: 1116
Added files: 0
Removed files: 1
Changed files: 3
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aideCIM.log
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/aide/aide_files.log
---------------------------------------------------
↧