Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are my inputs.conf stanzas correct to monitor the following directory structures?

edwardrose
Contributor
‎07-24-2015 03:22 PM

Hello All

I have a question about the following directory structures we have.

/var/log2/gns/network/<hostname>/named/log_<hostname>_named
/var/log2/gns/network/<hostname>/dhcpd/log_<hostname>_dhcpd
/var/log2/gns/network/<hostname>/messages/log_<hostname>_messages

Now if I put the following stanzas into my inputs.conf will I be able to collect data? I think they might be overlapping causing no data to come in.

[monitor:://var/log2/gns/network/.../*dhcpd]
host_segment = 5
index = bluecat
sourcetype = dns_dhcpd
source = udp514_syslog

[monitor:://var/log2/gns/network/.../*named]
host_segment = 5
index = bluecat
sourcetype = dns_named
source = udp514_syslog

[monitor:://var/log2/gns/network/.../*messages]
host_segment = 5
index = bluecat
sourcetype = dns_messages
source = udp514_syslog

Are my stanzas correct?

-ed

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-24-2015 03:54 PM

Your stanza header syntax is wrong; it should be like this (1 fewer colon and 1 greater slash):

[monitor:///var/log2/gns/network/*/named/*named]

View solution in original post

Reply
Solved! Jump to solution

jclehmuth
Path Finder
‎09-01-2015 12:58 PM

Were you able to find extractions for the BlueCat logs, or did you do them yourself?

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-24-2015 03:54 PM

Your stanza header syntax is wrong; it should be like this (1 fewer colon and 1 greater slash):

[monitor:///var/log2/gns/network/*/named/*named]
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-24-2015 04:04 PM

Good catch 🙂

0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎07-24-2015 04:06 PM

Yeah keep staring at this stuff and my eyes go crossed and I am a still a noob administrator

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-24-2015 03:47 PM

I would do something like this

[monitor:://var/log2/gns/network/*/dhcpd/*dhcpd]
 host_segment = 5
 index = bluecat
 sourcetype = dns_dhcpd
 source = udp514_syslog

 [monitor:://var/log2/gns/network/*/named/*named]
 host_segment = 5
 index = bluecat
 sourcetype = dns_named
 source = udp514_syslog

 [monitor:://var/log2/gns/network/*/messages/*messages]
 host_segment = 5
 index = bluecat
 sourcetype = dns_messages
 source = udp514_syslog
0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎07-24-2015 03:52 PM

I tried that but the logs were not getting ingested. I am not sure what the issue as there are no logs saying there is a failure.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...