As the title says.
Forwarder File Monitor stopped working at 23:59 June 30th 2013
inputs.conf:
[monitor://E:\Logs]
disabled = 0
sourcetype = mftlogs
[WinEventLog:Security]
disabled = 0
Debug:
07-01-2013 13:51:05.570 +0200 DEBUG TcpOutputProc - Registering Channel for : source::E:\Logs<removed>.log|host::MFTD|mftlogs|
07-01-2013 13:51:05.570 +0200 DEBUG TcpOutputProc - Unregistering Channel for : source::E:\Logs<removed>.log.log|host::MFTD|mftlogs|
Windows Eventlog still gets inserted into splunk, but not the logs.
Anyone? 😞
Thanks Ayn.
Date came in as
01/07/2013 15:05:29
Splunk thought it was 7th of January.
Damn US date stamps.
Corrected this in the props.conf.
Added:
[mftlogs]
TIME_FORMAT = %d/%m/%Y %H:%M:%S
I suspect this is a timestamp parsing issue. Splunk tries to guess what format the timestamp for a log event is in (unless you tell it explicitly what the format is), and sometimes it guesses wrong. If you do a realtime search you'll see all logs coming in regardless of what timestamp they're assigned, so that might be a thing to do for troubleshooting purposes.
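A way to see the ambiguity Ayn describes and why the TIME_FORMAT fix in the accepted answer works, as an added Python example (not code from the thread or from Splunk): it parses constructed sample lines under both the month-first reading Splunk guessed and the day-first format the fix declares, and flags the lines the guess would file months away from when they were ingested.

```python
from datetime import datetime, timedelta

# Constructed sample lines modelled on the timestamp quoted in the thread
# (not real MFT log output). The forwarder saw them on 1 July 2013.
SAMPLE_LINES = [
    "01/07/2013 15:05:29 transfer complete file=report.csv",
    "30/06/2013 23:58:41 transfer complete file=nightly.zip",
    "02/07/2013 08:12:03 transfer started file=batch.dat",
]
INGESTED_AT = datetime(2013, 7, 1, 15, 6, 0)

# The two strptime formats that both fit the same text: the US month-first
# reading Splunk guessed, and the day-first TIME_FORMAT from the props.conf fix.
US_FORMAT = "%m/%d/%Y %H:%M:%S"
DMY_FORMAT = "%d/%m/%Y %H:%M:%S"
TS_WIDTH = len("01/07/2013 15:05:29")


def parse_prefix(line, fmt):
    """Parse the leading timestamp of a line under fmt; None if it does not fit."""
    try:
        return datetime.strptime(line[:TS_WIDTH], fmt)
    except ValueError:
        return None


def misfiled(lines, ingested_at, max_skew=timedelta(days=2)):
    """Return (line, us_reading, dmy_reading) for every line where the US guess
    parses cleanly but lands more than max_skew from ingestion time, while the
    day-first reading lands within it. Those events are indexed, just under a
    date months away, so a default search window never shows them."""
    out = []
    for line in lines:
        us = parse_prefix(line, US_FORMAT)
        dmy = parse_prefix(line, DMY_FORMAT)
        if us is None or dmy is None:
            continue  # unambiguous (day > 12): only one reading exists
        us_ok = abs(ingested_at - us) <= max_skew
        dmy_ok = abs(ingested_at - dmy) <= max_skew
        if not us_ok and dmy_ok:
            out.append((line, us, dmy))
    return out


if __name__ == "__main__":
    for line, us, dmy in misfiled(SAMPLE_LINES, INGESTED_AT):
        print(f"{line[:TS_WIDTH]}  indexed as {us:%Y-%m-%d}, should be {dmy:%Y-%m-%d}")
```

Lines whose day is greater than 12 (the 30/06 line) only have one valid reading, which is why a misparse like this surfaces on days at the start of a month and can look like the forwarder stopped sending.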