Getting Data In

Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

daniel_augustyn
Contributor

I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Windows server) and then deployed a stanza for inputs.conf and outputs.conf files.

I can't figure out why the logs are not sent to the indexers:

[monitor://E:\ProxyLogs/\Server1-GW-SG\SG_main*]
disabled=false
source = file.bluecoat
sourcetype=bluecoat:proxysg:access:file
index=proxy

[monitor://E:\ProxyLogs/\Server2-GW-SG\*]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy
0 Karma
1 Solution

woodcock
Esteemed Legend

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.


0 Karma
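One way to look for the startup error the answer refers to and to see what the forwarder actually loaded, as an added example that is not part of the original thread. It assumes the default Universal Forwarder install path on Windows and uses the directory name ProxyLogs from the question as the log search term.

```powershell
# Added example, not from the thread.
# Assumption: default Universal Forwarder install path; adjust if installed elsewhere.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

# 1. Validate the .conf files. btool check reports stanzas and keys
#    it does not recognize, naming the file and line.
Write-Host '== btool check =='
& $Splunk btool check 2>&1

# 2. Show the effective monitor stanzas after all config layers are merged.
#    --debug prefixes every setting with the file it was read from, so a
#    stanza that never arrived from the deployment server is visible here.
Write-Host '== effective monitor inputs =='
& $Splunk btool inputs list --debug 2>&1 |
    Select-String -Pattern 'monitor://' -SimpleMatch -Context 0,8

# 3. Recent warnings and errors in splunkd.log that mention the monitored
#    directory from the question (E:\ProxyLogs).
Write-Host '== splunkd.log warnings/errors mentioning ProxyLogs =='
Select-String -Path $SplunkdLog -Pattern 'ProxyLogs' -SimpleMatch |
    Where-Object { $_.Line -match '\s(WARN|ERROR)\s' } |
    Select-Object -Last 20 |
    ForEach-Object { $_.Line }
```

Run it from an elevated PowerShell session on the forwarder; an empty result in step 2 means no monitor stanza is in effect at all.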
