Solved: Why are Blue Coat logs not being forwarded to inde...

daniel_augustyn · ‎12-12-2015

I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Windows server) and then deployed a stanza for inputs.conf and outputs.conf files.

I can't figure out why the logs are not sent to the indexers:

[monitor://E:\ProxyLogs/\Server1-GW-SG\SG_main*]
disabled=false
source = file.bluecoat
sourcetype=bluecoat:proxysg:access:file
index=proxy

[monitor://E:\ProxyLogs/\Server2-GW-SG\*]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy

woodcock · ‎12-12-2015

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.

View solution in original post

woodcock · ‎12-12-2015

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.

Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!