Getting Data In

Powershell Input Log File "splunk-powershell.ps1.log" gets very large and never rolls

fairje
Communicator

As part of the new Powershell modular input, Splunk will execute Powershell scripts through its own built-in controls and functions.

This ultimately will call "splunk-powershell.exe" which in turn will call three .ps1 scripts all located in the SplunkUniversalForwarder/bin directory. Inside of a script called: "splunk-powershell.ps1" it outlines the logging levels and location.

This will output a log file into SplunkUniversalForwarder/var/log/splunk/splunk-powershell.ps1.log as part of that script.

Because this logging looks to all be controlled in these files and I see nothing in this script that states any kind of "logging maintenance" or rotation, what is happening is my log file has gotten rather large. 1.8GB large, to be exact.

Is there any way to manage this file through log.cfg (and its associated other cfg files) under the /etc directory? Or am I going to need to modify the splunk-powershell.ps1 file itself (Really not ideal at all)? Or is there something else I should look at to fix this?

Obviously I have underlying scripting issues which are causing the log file to fill up rather quickly (That 1.8GB was all generated between Aug 2 to today.) But, the underlying issue here is that we have essentially a mechanism to generate a run-away log file that could have catastrophic effects on the system this is loaded on.

Just for reference, here are the portions inside "splunk-powershell.ps1" that have to do with logging:

Line 7-13:
#
# Enable loggin here. Look for log in %SPLUNK_HOME%\var\log\splunk\splunk-powershell.ps1.log
#
$logError = $True
$logWarn = $True
$logInfo = $True
$logDebug = $False

Line 178-180:
# logger signature: createLogger <destination> ErrorOn WanrOn InfoOn DebugOn
$g_logger = createLogger ($splunkHome+'\var\log\splunk\splunk-powershell.ps1.log') $logError $logWarn $logInfo $logDebug
logInfo "start splunk-powerhsell.ps1"

Various lines have similar calls to:
        logDebug("Enter disposer") $logger

Nothing in this file itself seems to handle closing access to this file (as long as this script is trying to run it is going to lock the file) and nothing seems to handle rotation and general housekeeping of this log.

jdonn_splunk
Splunk Employee

On a Unix machine, I would just use logrotate. It looks like people have written this functionality in a PowerShell script:

http://stackoverflow.com/questions/16795463/using-a-rolling-log-file-within-a-powershell-script-that...

0 Karma
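The size-based rollover jdonn_splunk refers to, written out as an added example (it is not code from splunk-powershell.ps1 or from the linked Stack Overflow answer). The function names Invoke-LogRotation and Write-RollingLog are assumptions for this example; it also assumes each write opens and closes the log file, so a rename during rotation is never blocked by a handle the script itself is holding.

```powershell
function Invoke-LogRotation {
    # Roll $Path to $Path.1, $Path.1 to $Path.2, ... once it exceeds $MaxBytes,
    # keeping at most $Keep rolled copies and deleting the oldest.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [long] $MaxBytes = 10MB,
        [int]  $Keep     = 5
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    if ((Get-Item -LiteralPath $Path).Length -le $MaxBytes) { return }

    # Shift from the oldest copy down to the active file so nothing is overwritten early.
    for ($i = $Keep; $i -ge 1; $i--) {
        $src = if ($i -eq 1) { $Path } else { "$Path.$($i - 1)" }
        $dst = "$Path.$i"
        if (Test-Path -LiteralPath $dst) { Remove-Item -LiteralPath $dst -Force }
        if (Test-Path -LiteralPath $src) { Move-Item -LiteralPath $src -Destination $dst -Force }
    }
}

function Write-RollingLog {
    # Append one timestamped line, rotating first if the file has grown past the cap.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('ERROR','WARN','INFO','DEBUG')] [string] $Level,
        [Parameter(Mandatory)] [string] $Message,
        [long] $MaxBytes = 10MB,
        [int]  $Keep     = 5
    )
    Invoke-LogRotation -Path $Path -MaxBytes $MaxBytes -Keep $Keep
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff} {1,-5} {2}' -f (Get-Date), $Level, $Message
    # Add-Content opens, writes and closes on every call, so no lock outlives the write
    # and the active file is always safe to rename at the next rotation check.
    Add-Content -LiteralPath $Path -Value $line -Encoding UTF8
}

# Constructed demo: a 50 KB cap and three retained copies make the rollover easy to observe.
$log = Join-Path $env:TEMP 'rolling-demo.log'
1..3000 | ForEach-Object {
    Write-RollingLog -Path $log -Level INFO -Message "iteration $_" -MaxBytes 50KB -Keep 3
}
Get-ChildItem -LiteralPath $env:TEMP -Filter 'rolling-demo.log*' | Select-Object Name, Length
```

With the cap set this low the demo leaves rolling-demo.log plus up to three numbered copies in $env:TEMP, none larger than the cap by more than one line.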

halr9000
Motivator

What version of Splunk? Just want to make sure you are working with the built-in input as opposed to the older PowerShell input app from Splunkbase.

0 Karma