Hi,
I am indexing a directory on a central syslog server. All entries in the index exist exactly two times with a difference in the indexing timestamp of two or three seconds for every pair of identical events.
I already checked that there are no symlinks and the files are not rotated.
[monitor:///var/log/remote]
disabled=false
whitelist=.*(ag|did)\d+_.+$
host_segment=4
sourcetype=syslog
index=messages
How can I continue debugging this problem? As those events never appear more than twice I assume that the recognition of where new syslog entries begin in the files works in general.
Sorry, stupid mistake.
I had a second outputs.conf on the forwarder that had the lb group and one member of the group explicitly as targets.
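A check for the configuration mistake the answer describes, added here as an example and not taken from the thread: it merges layered outputs.conf texts the way Splunk's precedence works (a later layer overrides earlier keys) and flags any indexer reachable through more than one group named in defaultGroup, since each such group sends the event once. The file contents and host names are constructed samples.

```python
# Added example (not from the thread). Assumes Splunk's outputs.conf layout:
# [tcpout] defaultGroup = g1, g2 and [tcpout:<group>] server = host:port, ...
import configparser
from collections import defaultdict

# Constructed sample: the second layer names the lb group AND one of its
# members as a separate explicit target, the mistake from the answer above.
OUTPUTS_CONF_LAYERS = [
    """
[tcpout]
defaultGroup = lb_indexers
[tcpout:lb_indexers]
server = idx1.example.net:9997, idx2.example.net:9997
""",
    """
[tcpout]
defaultGroup = lb_indexers, idx1_direct
[tcpout:idx1_direct]
server = idx1.example.net:9997
""",
]


def merge_outputs_conf(layers):
    """Merge layered outputs.conf texts; keys in later layers win."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep defaultGroup's case instead of lowercasing
    for text in layers:
        cfg.read_string(text)
    return cfg


def find_overlapping_targets(cfg):
    """Return {server: [groups]} for every server reached through more than
    one defaultGroup entry; such a server stores each event once per group."""
    groups = [g.strip() for g in cfg["tcpout"]["defaultGroup"].split(",")]
    seen = defaultdict(list)
    for group in filter(None, groups):
        section = f"tcpout:{group}"
        if not cfg.has_section(section):
            continue  # group named but never defined: nothing is sent there
        for server in cfg[section]["server"].split(","):
            if server.strip():
                seen[server.strip()].append(group)
    return {srv: grps for srv, grps in seen.items() if len(grps) > 1}


if __name__ == "__main__":
    dups = find_overlapping_targets(merge_outputs_conf(OUTPUTS_CONF_LAYERS))
    for server, grps in dups.items():
        print(f"{server} receives every event {len(grps)}x via: {', '.join(grps)}")
```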