All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Moving eStreamer logs to different location

gaddams
Explorer
‎06-24-2014 12:25 AM

The current partition where the flow logs from Sourcefire are getting collected is full and I want to change the location. How can I change estreamer.log to different location on my splunk server?

Thanks
Swetha

0 Karma
Reply

cgrady_sf
Path Finder
‎06-24-2014 07:18 AM

You could create a log directory symlink to another mounted volume. That would be my best recommendation.

Reply

omgwut56k
Path Finder
‎08-20-2015 06:19 AM

It's been a while since this post, does the current remove logs? or do I need to find another solution to keep this from filling up our heavy forwarder?

0 Karma
Reply

GlennHofmann
Engager
‎01-27-2017 07:51 AM

Realizing this was posted many moons ago, here is the solution I found for telling eStreamer where to put it's logs. If the app ever gets upgraded, it will be overwritten, but I don't think that is going to happen anytime soon. In the eStreamer/bin directory you can edit client_check.py and change the log_file directive as shown below. Works like a charm. And add the find command to your cron.daily to point to the directory you have moved your logs to and you are good to go. 

# Set the rest of the paths relative to the splunk_path
app_path     = os.path.join(splunk_path, 'etc', 'apps', 'eStreamer')
app_bin_path = os.path.join(app_path, 'bin')
config_file  = os.path.join(app_path, 'local', 'estreamer.conf')
log_file     = ('/var/log/syslog-ng/estreamer/estreamer.log')
pid_file     = os.path.join(app_bin_path, 'estreamer_client.pid')
script_file  = os.path.join(app_bin_path, 'estreamer_client.pl')
0 Karma
Reply

cgrady_sf
Path Finder
‎06-24-2014 07:36 AM

At the moment, they do not get deleted by the app -- a current shortcoming. You can setup a cron job on the Splunk server to remove files older than, for example, 5 days with the following command:

find /path/to/files/* -mtime +5 -exec rm {} \;

Note, you will need to change the path, and I would recommend testing the command prior to placing it into a cron job entry.

Reply

ryanoconnor
Builder
‎01-12-2016 10:36 AM

This method worked for me as well. I used the following which searched for files older than an hour:

find /opt/splunk/etc/apps/eStreamer/log -mmin +59 -type f -exec rm “{}” \;

Like @cgrady_sf stated, you may not want to start out with executing the rm command. You could do something to simply move the files at first. The following will create a directory called "old" and move the files in there.

mkdir /opt/splunk/etc/apps/eStreamer/log/old

find /opt/splunk/etc/apps/eStreamer/log -mmin +59 -type f -exec mv “{}” /opt/splunk/etc/apps/eStreamer/log/old/ \;

0 Karma
Reply

gaddams
Explorer
‎06-24-2014 07:31 AM

Thanks.

What is the retention period of these logs given that they are indexed by splunk indexer and then I don't think we need these log files?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...