Question on monitoring file

darksky21
Path Finder

Hi, I am trying to monitor some files in /var/log on Ubuntu. There are 4 files (auth.log, auth.log.1, auth.log.2.gz, auth.log.3.gz).

When I tried the config below, it worked:

[monitor:///var/log/auth.log]
sourcetype = authlog
index = test
disabled = 0

but this does not work:

[monitor:///var/log/auth.log.1]
sourcetype = authlog
index = test
disabled = 0

Why is that so? Is there anything wrong with it?

1 Solution

darksky21
Path Finder

Ayn is right. In the end I have to write a script to index all the different auth.log files instead of using monitor.



kristian_kolb
Ultra Champion

You have been given advice as to why that might be a bad idea. If you are absolutely sure that this is what you want... good luck.

kristian_kolb
Ultra Champion

It could be a permissions issue, check splunkd.log. Make sure that the account running splunkd has read access to /var/auth/auth.log.

The .log.n and .log.n.gz files are just rotated versions of the auth.log, so if you don't need to index the old events, you can just stick with monitoring auth.log. When the current auth.log rotates to auth.log.1, you have already indexed all those events, so you do not need to monitor the rotated files explicitly.

EDIT: typo/bad thinking.

/Kristian

Ayn
Legend

No, you don't need to do that - there are ways to make Splunk index them anyway, but very often this is NOT what you want, because it will make Splunk read the same data multiple times and I don't see why you would want that.


Ayn
Legend

If the auth.log.1, auth.log.2, auth.log.3 etc files are just rotated files that have already been indexed, Splunk won't index them a second time. Might that be what's happening in your case?

darksky21
Path Finder

Hi gpradeepkuma... thx for the reply. I have tried that but it does not seem to work. It only monitors auth.log for some reason. Maybe Splunk does not allow monitoring those files?


pradeepkumarg
Influencer

You can use auth.log* to monitor all the versions and use the blacklist attribute to ignore the gz ones:

blacklist = (\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)

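The rotation and blacklist behaviour discussed in this thread, as an added example that is not code from the thread or from Splunk: a simplified model of the fishbucket, which I assume keys each source on the CRC of its first 256 bytes (the inputs.conf initCrcLength default), run over a constructed /var/log-style directory with the blacklist regex above. It shows why a [monitor:///var/log/auth.log*] stanza reads the fresh auth.log, skips auth.log.1 after rotation (already seen), and never looks at the .gz generations.

```python
import fnmatch
import os
import re
import tempfile
import zlib

# Simplified model of the fishbucket (not Splunk's code): a source is keyed on
# the CRC of its first 256 bytes, the assumed inputs.conf initCrcLength default.
INIT_CRC_LENGTH = 256
# Blacklist regex from the post above, applied to the file name.
BLACKLIST = re.compile(r"(\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)")

def head_crc(path, length=INIT_CRC_LENGTH):
    """CRC32 of the first `length` bytes: the key that identifies a file."""
    with open(path, "rb") as fh:
        return zlib.crc32(fh.read(length)) & 0xFFFFFFFF

def matched_files(directory, pattern="auth.log*"):
    """Names a [monitor:///var/log/auth.log*] stanza would consider, minus blacklist hits."""
    return [n for n in sorted(os.listdir(directory))
            if fnmatch.fnmatch(n, pattern) and not BLACKLIST.search(n)]

def plan_reads(directory, fishbucket):
    """Split candidates into (to_read, already_seen) by head CRC; records new CRCs."""
    to_read, seen = [], []
    for name in matched_files(directory):
        crc = head_crc(os.path.join(directory, name))
        (seen if crc in fishbucket else to_read).append(name)
        fishbucket.add(crc)
    return to_read, seen

def simulate_rotation():
    """Constructed sample: index auth.log, let logrotate rotate it, index again."""
    d = tempfile.mkdtemp()
    line = (b"May  1 10:00:%02d host sshd[1234]: Failed password for root "
            b"from 203.0.113.5 port 2222 ssh2\n")
    with open(os.path.join(d, "auth.log"), "wb") as fh:
        fh.writelines(line % i for i in range(10))  # well over 256 bytes
    fishbucket = set()
    first = plan_reads(d, fishbucket)  # auth.log read for the first time
    # logrotate: auth.log -> auth.log.1, an older generation is gzipped, fresh auth.log
    os.rename(os.path.join(d, "auth.log"), os.path.join(d, "auth.log.1"))
    with open(os.path.join(d, "auth.log.2.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b")  # gzip magic only; the blacklist drops it anyway
    with open(os.path.join(d, "auth.log"), "wb") as fh:
        fh.writelines(line.replace(b"root", b"admin") % i for i in range(10))
    second = plan_reads(d, fishbucket)  # auth.log.1 recognised, not re-read
    return first, second
```

Splunk itself behaves this way unless crcSalt = <SOURCE> is set, which mixes the path into the key and is what makes the duplicate ingestion Ayn warns about possible.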

darksky21
Path Finder

Hi, thx for the reply. Is there any way to monitor all the different versions of auth.log?


kristian_kolb
Ultra Champion

Ooops. I thought I saw a semicolon, and something in my thinking process short-circuited. Colon is supposed to be there, definitely...

Edited answer to include some more clever guessing...


sdaniels
Splunk Employee

The colon is ok, no?
