Getting Data In

How do I get my Splunk server to start reading syslog files on it again?

noahjscales
Explorer

I turned off the syslog server running alongside Splunk and configured Splunk to listen on 514. It indexed the forwarded syslog data it received as if it came from the syslog server on which Splunk is installed. So I turned off listening on 514, and turned on the syslog daemon on the syslog server, to run alongside Splunk. However, Splunk is not processing new files added to /var/log on the syslog server. It shows the same number of entries present for the machines from which the syslog data was forwarded as it did before I turned on 514 listening on Splunk.

All this time I have been using the Unix plug-in to browse my data, if that is significant.


Genti
Splunk Employee

It depends. If you are creating the input stanza for /var/log to go to the OS index, then the Unix app should be seeing those files; otherwise, if /var/log is sending the syslog data to the main (default) index, then you won't be able to see it from the OS index (without some changes).

By default when you are in the unix app, you are searching the OS index. (index=os)
Try going to the search app, and see if you see the syslog data. Otherwise, try index=* in the unix app and see if you see the syslog data.

If this doesn't work for you, then please show a bit more info, like your inputs.conf stanza for the syslog data (/var/log), etc.

Cheers, .gz

Genti
Splunk Employee

Noah, you can ask another question with more specifics but what you want to do can be achieved using props/transforms.conf. Check the following: http://www.splunk.com/base/Documentation/4.1.4/Admin/Advancedsourcetypeoverrides

0 Karma

noahjscales
Explorer

Hi, Genti.
Thank you for your help. I decided, since I had to switch to the free license anyway, to just rip out the old, put in the newest version, and switch to the free license immediately. Now I have a different problem: bulk-loading the /var/log files I have sitting elsewhere on the disk into the Splunk *NIX app in such a way that it properly identifies hosts listed in the logs.

0 Karma
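To tie Genti's two suggestions together (a /var/log input that lands in the OS index, plus a props/transforms host override so the host field comes from the syslog line rather than from the Splunk server itself), here is an added configuration example; it is not from the thread or from Splunk's own defaults, and the directory path, stanza names and the syslog line format it assumes are placeholders to adapt.

```ini
# inputs.conf  (added example; assumed path and stanza names)
# Monitor the copied syslog files and send them to the index the *NIX app searches.
[monitor:///var/log]
index = os
sourcetype = syslog
disabled = 0

# props.conf  (added example)
# Apply a host override to every event of sourcetype syslog at index time.
[syslog]
TRANSFORMS-override_host = syslog_host_from_line

# transforms.conf  (added example)
# Assumes classic BSD syslog lines such as:
#   Aug 10 14:03:22 webhost01 sshd[1234]: Accepted publickey for ...   (constructed sample)
# The first capture group (the token after the timestamp) becomes the event's host.
[syslog_host_from_line]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Splunk records which files it has already consumed, so these stanzas only affect data read after the restart; previously indexed copies keep the host they were given at the time.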