Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to forward Linux syslog to my Splunk indexer with my current configuration?

qazwsxedc994
Explorer
‎06-10-2015 04:18 AM

Hi,

I'm trying to forward /var/log/anaconda/syslog from my linux machine to my splunk indexer, but it's not coming through for some reason. I have the following configurations:

inputs.conf - on indexer machine

[monitor:///var/log/anaconda/syslog]
index=syslog
disabled=false
sourcetype = syslog

props.conf

[monitor::/var/log/anaconda/syslog
sourcetype=syslog
index=syslog
crcSalt=<SOURCE>

Can anyone suggest anything wrong with my configuration??

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-10-2015 04:24 AM

take a look at :
- the splunkd.log logs after a splunk restart, in case splunk mentions why it is skipping a file
- make sure that the splunk service has read permissions to the file.
- use the API to check the status of each files according to splunk (and the reason it may be skipped)

only on local browser :

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

or if you have no browser, use curl

curl -k https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus -u admin:changeme > tailing_status.log
0 Karma
Reply

qazwsxedc994
Explorer
‎06-10-2015 05:22 AM

Iv tried that when i check the splunk.log i get the following over and over again. This doesnt seem to to be the problem? 

[root@localhost splunk]# cat splunkd.log | grep syslog
06-08-2015 10:14:37.549 +0100 INFO  TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:14:37.549 +0100 INFO  TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:15:51.810 +0100 INFO  TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:15:51.810 +0100 INFO  TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:38:12.931 +0100 INFO  TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:38:12.931 +0100 INFO  TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 10:39:38.239 +0100 INFO  TailingProcessor - Parsing configuration sta
nza: monitor:///var/log/anaconda/syslog.
06-08-2015 10:39:38.240 +0100 INFO  TailingProcessor - Adding watch on path: /va
r/log/anaconda/syslog.
06-08-2015 12:08:27.848 +0100 INFO  TailingProcessor - Parsing configuration sta

The permissions are fine. Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...