I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Windows server) and then deployed a stanza for inputs.conf and outputs.conf files.
I can't figure out why the logs are not sent to the indexers:
[monitor://E:\ProxyLogs/\Server1-GW-SG\SG_main*]
disabled=false
source = file.bluecoat
sourcetype=bluecoat:proxysg:access:file
index=proxy
[monitor://E:\ProxyLogs/\Server2-GW-SG\*]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy
You should be getting an error when you start Splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.