Splunk Search

By any chance can we change the log rotation format?

sarvesh_11
Communicator

Hi Splunkers,

Ideally what happens is we set a threshold for the log file and set some retention.
So files get created like:
audit.log
audit.log.1
audit.log.2
audit.log.3
audit.log.4

After reaching threshold, what happens is audit.log.4 gets off, and audit.log.3 becomes audit.log.4, similarly audit.log.2 becomes audit.log.3.

What I expect is that not only the last log file, i.e. audit.log.4, should get off, but all the read files, that is audit.log.1,2,3,4, should get off and all the new files should get created.

I want this because we are forwarding the logs to QRadar, and this is creating duplication at QRadar, as one file is ingested into QRadar 4 times, with the same content under different names.

TIA,

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @sarvesh_11,

Are you talking about the system log rotation or Splunk log rotation?
You can configure both:
- For logs under /var/log you need to check your logrotate configuration.
- For logs under $SPLUNK_HOME/var/log/splunk/ you can configure rotation using the following file: $SPLUNK_HOME/etc/log-local.cfg

Details here:
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#The_lo...

In any case, you should only be forwarding one of those files to QRadar as it's "log rotation", so naturally the files will rotate and will each grab the content of the previous file.

You could also consider forwarding directly from Splunk to QRadar as a third-party TCP receiver: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#TCP_...

And the best solution would be to let the QRadar guys worry about their problems and you enjoy your problem-free life with Splunk 😉

Cheers,
David
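
As an added illustration, not part of this thread, the following Python model reproduces the shift-style rotation described in the question (audit.log becomes audit.log.1, audit.log.4 is dropped) and counts how often each record gets forwarded when a collector treats every file name in the family as its own source versus only the live file. The rotate count of 4 and the one-record-per-rotation schedule are assumptions for the demonstration; with keep=0 it also models the "drop everything" behaviour the question asks for.

```python
"""Model of shift-style log rotation and the duplication it causes when a
collector re-reads every file in the rotated family on each pass."""
from collections import Counter

ROTATE_COUNT = 4  # assumed: audit.log, audit.log.1 .. audit.log.4 as in the question


def rotate(family: list[str], keep: int = ROTATE_COUNT) -> list[str]:
    """Shift rotation. family[0] is the live file, family[i] is audit.log.i.
    The oldest copy beyond `keep` is deleted, each remaining copy moves one
    slot down, and a fresh empty live file is created. With keep=0 the live
    file's content is dropped outright, so anything not yet forwarded is lost."""
    return [""] + family[:keep]


def collect(family: list[str], active_only: bool) -> list[str]:
    """What a collector forwards on one pass: the live file only, or every
    file in the family (the situation described in the question)."""
    files = family[:1] if active_only else family
    return [line for f in files for line in f.splitlines()]


def simulate(days: int, active_only: bool, keep: int = ROTATE_COUNT) -> Counter:
    """Write one constructed record per 'day', collect, then rotate.
    Returns how many times each record was forwarded over the whole run."""
    family = [""]
    seen: Counter = Counter()
    for day in range(days):
        family[0] += f"day{day} event\n"  # constructed sample record
        seen.update(collect(family, active_only))
        family = rotate(family, keep)
    return seen


def duplication_factor(days: int, active_only: bool, keep: int = ROTATE_COUNT) -> int:
    """Worst-case number of times a single record is forwarded."""
    return max(simulate(days, active_only, keep).values())


if __name__ == "__main__":
    print("live file only:      ", duplication_factor(10, True))
    print("whole family:        ", duplication_factor(10, False))
    print("whole family, keep=0:", duplication_factor(10, False, keep=0))
```

Each record forwarded from the whole family shows up ROTATE_COUNT + 1 times (once per file name it passes through), which is the duplication the question describes; monitoring only the live file, as the answer recommends, forwards it once.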

PavelP
Motivator

Hello @sarvesh_11,

If I understand you correctly, you have a Linux system (which one?) and want to avoid log duplicates on QRadar by changing the log rotation.

Your log rotation is fine; this is the default Linux setting, which doesn't need to be changed without reason.

Do you use the Splunk forwarder or syslog for this?

0 Karma