Solved: ERROR TailingProcessor - Ignoring path due to: Thi...

FRoth · ‎05-03-2011

I checked out the new Universal Forwarder and ran into some problems that I dont understand.
First I configured the forwarder by creating a "output.conf" and "input.conf" in /opt/splunkforwarder/etc/system/local.

The content of output.conf:

[tcpout:indexerNeo]

server=mapache.server.org:55515

The content of input.conf:

[monitor:///var/log/apache2/modsec_audit.log]

sourcetype=modsec

I got some errors in the splunkd.log that I dont understand:

05-03-2011 15:35:14.993 +0000 WARN TcpOutputProc - Pipeline data does not have indexKey. [_path] = /var/log/apache2/modsec_audit.log

[_startOffset] = 38875

[_fnameCrc] = 9536363811639999154

[_seekCrc] = 8646198035968417993

[_fishKey] = 15451249598830936081

[_modTime] = 1304436775

[_raw] =

[MetaData:Source] = source::/var/log/apache2/modsec_audit.log

[MetaData:Host] = host::s152188.onlinehome-server.info

[MetaData:Sourcetype] = sourcetype::modsec

[_done] = _done

[_hpn] = _hpn

[_conf] = source::/var/log/apache2/modsec_audit.log|host::s152188.onlinehome-server.info|modsec|

05-03-2011 15:35:16.714 +0000 ERROR TailingProcessor - Ignoring path due to: This key could not be   found : _MetaData:Index

Is there anybody who can help me?

FRoth · ‎05-03-2011

Ok, I did it. I had to set an index to write the input to.

I added and index and then the line in "input.conf" file:

[monitor:///var/log/apache2/modsec_audit.log]

sourcetype=modsec

index=modsec

View solution in original post

FRoth · ‎05-03-2011

Ok, I did it. I had to set an index to write the input to.

I added and index and then the line in "input.conf" file:

[monitor:///var/log/apache2/modsec_audit.log]

sourcetype=modsec

index=modsec

ERROR TailingProcessor - Ignoring path due to: This key could not be found : _MetaData:Index

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!