Till now in our environment we have monitored only the log files which are in '.log' format in the Universal Forwarder Server as follows :-
In inputs.conf :
[monitor:/Home_DB/Oracle/webcenter/logs/sites.log]
index = cms_clb
sourcetype = log4j
[monitor:/Home_DB/Oracle/webcenter/logs/cas.log]
index = cms_clb
sourcetype = log4j
Now as a part of the security requirement, we need to monitor a few more log files from the path /Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out
, but here the logs were in .out
format. How do I add this path in inputs.conf and if added, what would be the source type for .out
format?
Please help me out ASAP.
Thanks in Advance.
You'll need to examine the .out files or consult with dev/tech support to learn the source type. Then add a new stanza to your inputs.conf file.
[monitor:/Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out]
index = cms_clb
sourcetype = foo
You may then need to modify props.conf to tell Splunk how to process the sourcetype.
You'll need to examine the .out files or consult with dev/tech support to learn the source type. Then add a new stanza to your inputs.conf file.
[monitor:/Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out]
index = cms_clb
sourcetype = foo
You may then need to modify props.conf to tell Splunk how to process the sourcetype.
Jul 09, 2015 3:28:44 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Jul 09, 2015 3:28:44 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Jul 09, 2015 3:28:44 PM net.sf.ehcache.Cache createDiskStore
INFO: **** Running custom ehcache jar using numOfDiskStores=10
Jul 09, 2015 3:28:45 PM com.sun.jersey.server.impl.application.WebApplicationImpl initiate
INFO: Initiating Jersey application, version 'Jersey: 1.1.4.1 11/24/2009 01:30 AM'
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.
Oracle WebCenter Sites 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274
Jul 09, 2015 3:28:46 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.
Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.
Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.
Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274
2015-07-09 15:28:51,881 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:28:54,639 INFO [org.jasig.cas.util.AutowiringSchedulerFactoryBean] -
2015-07-09 15:28:55,376 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] -
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.servlet.SpringServlet getContext
INFO: Using default applicationContext
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.SpringComponentProviderFactory register
INFO: Registering Spring bean, TicketResource, of type com.fatwire.wem.sso.cas.integration.rest.TicketResource as a root resource class
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.SpringComponentProviderFactory register
INFO: Registering Spring bean, TicketGrantingTicketResource, of type com.fatwire.wem.sso.cas.integration.rest.TicketGrantingTicketResource as a root resource class
Jul 09, 2015 3:28:55 PM com.sun.jersey.server.impl.application.WebApplicationImpl initiate
INFO: Initiating Jersey application, version 'Jersey: 1.1.4.1 11/24/2009 01:30 AM'
2015-07-09 15:29:14,586 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
2015-07-09 15:29:14,611 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
2015-07-09 15:29:14,611 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Initializing MDCLoggingContext
Initializing MDCLoggingContext
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
Attempting to load antisamy-esapi.xml as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/antisamy-esapi.xml
Not found in SystemResource Directory/resourceDirectory: .esapi/antisamy-esapi.xml
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/antisamy-esapi.xml
2015-07-09 15:30:54,587 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:30:54,588 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:32:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:32:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:34:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:34:54,581 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:35:56,608 INFO [org.jasig.cas.util.AutowiringSchedulerFactoryBean] -
2015-07-09 15:35:56,611 INFO [org.jasig.cas.util.JBossCacheFactoryBean] -
log4j:WARN No appenders could be found for logger (com.fatwire.logging.cs.cache.ehcache).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
This is the .out file I tried to examine the file but i didn't able to understand anything. Please examine this and tell me what format should be given to the inputs.conf for .out files like this.
That's quite a collection of styles. I suggest indexing it as plain text. Splunk will interpret most of the timestamps and assign timestamps to those lines that don't have one.