Hi,
I'm trying to forward /var/log/anaconda/syslog
from my linux machine to my splunk indexer, but it's not coming through for some reason. I have the following configurations:
inputs.conf - on indexer machine
[monitor:///var/log/anaconda/syslog]
index=syslog
disabled=false
sourcetype = syslog
props.conf
[monitor::/var/log/anaconda/syslog
sourcetype=syslog
index=syslog
crcSalt=<SOURCE>
Can anyone suggest anything wrong with my configuration??
take a look at :
- the splunkd.log logs after a splunk restart, in case splunk mentions why it is skipping a file
- make sure that the splunk service has read permissions to the file.
- use the API to check the status of each files according to splunk (and the reason it may be skipped)
only on local browser :
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
or if you have no browser, use curl
curl -k https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus -u admin:changeme > tailing_status.log
Iv tried that when i check the splunk.log i get the following over and over again. This doesnt seem to to be the problem?
[root@localhost splunk]# cat splunkd.log | grep syslog
06-08-2015 10:14:37.549 +0100 INFO TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:14:37.549 +0100 INFO TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:15:51.810 +0100 INFO TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:15:51.810 +0100 INFO TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:38:12.931 +0100 INFO TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:38:12.931 +0100 INFO TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:39:38.239 +0100 INFO TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:39:38.240 +0100 INFO TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 12:08:27.848 +0100 INFO TailingProcessor - Parsing configuration sta
The permissions are fine. Any other suggestions?