Getting Data In

Why can't my UF send data from /var/log/messages?

dmpopof
Engager

Question: why is /var/log/messages not forwarded to index?

My deployment:

UF: version 7.1.2 RHEL 6.10
/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf

[monitor:///var/log]
disabled = false
index = linuxlog
sourcetype = syslog

etc/apps/_server_app_linux-server/local/app.conf

# Autogenerated file
[install]
state = enabled

splunk list monitor

Monitored Directories:
...
/var/log
...
                /var/log/messages
                /var/log/messages-20180805
                /var/log/messages-20180812
                /var/log/messages-20180819
                /var/log/messages-20180826

ll /var/log/messages
-rw-r-----+ 1 root root 1160093 Aug 30 12:07 /var/log/messages
-rw------- 1 root root 653 Aug 5 02:37 /var/log/messages-20180805
-rw------- 1 root root 580 Aug 12 02:05 /var/log/messages-20180812
-rw------- 1 root root 19310 Aug 19 02:42 /var/log/messages-20180819

-rw------- 1 root root 728770 Aug 26 02:05 /var/log/messages-20180826

Deployment server version 7.1.2 CentOS 7.5.1804

Search head version 7.1.2 CentOS 7.5.1804
search: index="linuxlog" source="/var/log/messa*"
where is no "/var/log/messages" in sources!
alt text

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi dmpopof,
I don't know why you don't have logs from messages file, but I suggest to modify you inputs.conf file in

 [monitor:///var/log/messages]
 disabled = false
 index = linuxlog
 sourcetype = syslog

In this way you're sure to have only the last logs and not the oldest.
if you want also the oldest (but I see that you already have) you could use

 [monitor:///var/log/messages*]

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...