Hi,
I'm trying to monitor some Apache logs and I can't seem to get the statement correct.
I'm trying to monitor "access_log.*", "error_log.*", access_log, error_log, and the gzs to go with them.
[monitor:///var/log/httpd]
whitelist=(\_log*$|\.log$|\_log*\.gz$)
blacklist= (mod\_jk\.log$|\.gz|catalina\.out$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
Can someone point out my error?
There was a blacklist in another app that was finding its way into this stanza.
I would try like this
[monitor:///var/log/httpd]
whitelist=(_log*$|\.log$|_log*\.gz$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
Updated
[monitor:///var/log/httpd]
whitelist=(access_log|error_log)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
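To see which files each of these whitelist/blacklist pairs actually selects, here is a small Python check. It is an added example, not Splunk's code and not from any poster in this thread; it assumes Splunk's documented behaviour that the regex is searched anywhere in the full path (unanchored unless you write `^` or `$`) and that a blacklist match overrides a whitelist match. The directory listing is constructed; the regex strings are the ones quoted in the stanzas above.

```python
import re

# Constructed listing modelled on the thread's /var/log/httpd (not real data)
SAMPLE_PATHS = [
    "/var/log/httpd/access_log",
    "/var/log/httpd/error_log",
    "/var/log/httpd/access_log.abcd",
    "/var/log/httpd/error_log.20240212",
    "/var/log/httpd/access_log.1.gz",
    "/var/log/httpd/mod_jk.log",
    "/var/log/httpd/catalina.out",
    "/var/log/httpd/ssl_request_log",
]

# Regexes copied from the stanzas in this thread (raw strings keep the
# backslashes intact; re treats "\_" as a literal underscore)
ORIGINAL_WHITELIST = r"(\_log*$|\.log$|\_log*\.gz$)"
ORIGINAL_BLACKLIST = r"(mod\_jk\.log$|\.gz|catalina\.out$)"
UPDATED_WHITELIST = r"(access_log|error_log)"


def monitored(paths, whitelist, blacklist=None):
    """Return the paths a [monitor://] stanza would pick up.

    Assumed Splunk semantics: the pattern is searched (not fully matched)
    against the whole path, and a blacklist hit wins over a whitelist hit.
    """
    wl = re.compile(whitelist)
    bl = re.compile(blacklist) if blacklist else None
    selected = []
    for path in paths:
        if not wl.search(path):
            continue          # never whitelisted
        if bl and bl.search(path):
            continue          # whitelisted but then blacklisted
        selected.append(path)
    return selected


def explain(paths, whitelist, blacklist=None):
    """Per-path verdict, useful for eyeballing why a file is dropped."""
    wl = re.compile(whitelist)
    bl = re.compile(blacklist) if blacklist else None
    rows = []
    for path in paths:
        w = bool(wl.search(path))
        b = bool(bl.search(path)) if bl else False
        verdict = "monitored" if w and not b else "skipped"
        rows.append((path, w, b, verdict))
    return rows


if __name__ == "__main__":
    for label, wl, bl in [
        ("original stanza", ORIGINAL_WHITELIST, ORIGINAL_BLACKLIST),
        ("updated stanza", UPDATED_WHITELIST, None),
    ]:
        print(f"== {label}: whitelist={wl} blacklist={bl}")
        for path, w, b, verdict in explain(SAMPLE_PATHS, wl, bl):
            print(f"  {verdict:9s} whitelist={w!s:5s} blacklist={b!s:5s} {path}")
```

Two things the output makes visible: in the original stanza `_log*$` means "`_lo` followed by any number of `g`, then end of string", so `access_log.abcd` and the rotated `.gz` files never pass the whitelist, and the `\.gz` entry in the blacklist would drop any gz file that did. The updated `(access_log|error_log)` whitelist is unanchored, so it picks up every rotated variant as well as the base files.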
No joy.
[monitor:///var/log/httpd]
_rcvbuf = 1572864
dedicatedIoThreads = 2
disabled = 0
enableSSL = 1
host = myhost
ignoreOlderThan = 14d
index = unix
maxSockets = 0
maxThreads = 0
port = 8088
recursive = true
sourcetype = access_combined
useDeploymentServer = 0
whitelist = (_log*$|\.log$|_log*\.gz$)
Make sure to restart your forwarder (the whitelist is not updated in btool output).
Still no joy. I've opened a ticket w/ Splunk and will hopefully post a fix in this thread.
That didn't work.
pwd
/var/log/httpd
-rw-r----- 1 root root 3122398 Feb 12 14:48 access_log.abcd
I have many files.abcd with different extensions.
/opt/splunkforwarder/bin/splunk list monitor
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log
/var/log/clamav
/var/log/httpd
Give the updated one a try.