I checked out the new Universal Forwarder and ran into some problems that I don't understand.
First I configured the forwarder by creating a "output.conf" and "input.conf" in /opt/splunkforwarder/etc/system/local.
The content of output.conf:
[tcpout:indexerNeo]
server=mapache.server.org:55515
The content of input.conf:
[monitor:///var/log/apache2/modsec_audit.log]
sourcetype=modsec
I got some errors in the splunkd.log that I don't understand:
05-03-2011 15:35:14.993 +0000 WARN TcpOutputProc - Pipeline data does not have indexKey. [_path] = /var/log/apache2/modsec_audit.log
[_startOffset] = 38875
[_fnameCrc] = 9536363811639999154
[_seekCrc] = 8646198035968417993
[_fishKey] = 15451249598830936081
[_modTime] = 1304436775
[_raw] =
[MetaData:Source] = source::/var/log/apache2/modsec_audit.log
[MetaData:Host] = host::s152188.onlinehome-server.info
[MetaData:Sourcetype] = sourcetype::modsec
[_done] = _done
[_hpn] = _hpn
[_conf] = source::/var/log/apache2/modsec_audit.log|host::s152188.onlinehome-server.info|modsec|
05-03-2011 15:35:16.714 +0000 ERROR TailingProcessor - Ignoring path due to: This key could not be found : _MetaData:Index
Is there anybody who can help me?
Ok, I did it. I had to set an index to write the input to.
I added an index and then the line in "input.conf" file:
[monitor:///var/log/apache2/modsec_audit.log]
sourcetype=modsec
index=modsec
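A small check that catches the mistake from the question before the forwarder does: it parses an inputs.conf-style file and lists monitor stanzas with no index, which is the condition behind "This key could not be found : _MetaData:Index". This is an added example, not Splunk's code or the poster's; the sample configs are constructed, and it assumes (as Splunk .conf files do) that a [default] stanza supplies settings inherited by the other stanzas.

```python
"""Flag monitor stanzas in a Splunk-style inputs.conf that set no index.
Added example, not Splunk's own code; samples below are constructed."""
from typing import Dict, List

# Constructed: the stanza from the question, with no index set.
SAMPLE_BROKEN = """\
[monitor:///var/log/apache2/modsec_audit.log]
sourcetype=modsec
"""

# Constructed: the fixed stanza plus a second monitor that still lacks one.
SAMPLE_FIXED = """\
[monitor:///var/log/apache2/modsec_audit.log]
sourcetype=modsec
index=modsec

[monitor:///var/log/apache2/error.log]
sourcetype=apache_error
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] headers followed by
    key=value lines; blank lines and '#' comments are ignored."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitors_without_index(text: str) -> List[str]:
    """Return monitor stanzas the forwarder would ignore for lack of an index.
    Assumption: an index set under [default] is inherited by every stanza."""
    stanzas = parse_conf(text)
    default_index = stanzas.get("default", {}).get("index")
    return [name for name, settings in stanzas.items()
            if name.startswith("monitor://")
            and not (settings.get("index") or default_index)]


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, monitors_without_index(conf))
```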