Splunk is ingesting archived data from our syslog ...

hrithiktej · ‎10-23-2017

We have a syslog server with universal forwarder (UF) installed on it and my inputs.conf states /opt/splunk/syslogs/cisco/acs// and my logrotate.d has syslog-ng that states /opt/splunk/syslogs///*/syslog. Due to the logrotate daily cron job there are directories created with date text and .gz in the same directory and Splunk forwarder is reading them and resending it to indexers. How do i stop this?

hrithiktej · ‎10-23-2017

after adding syslog to the end of my inputs stanza i.e. /opt/splunk/syslogs/cisco/acs/*/syslog it is now not reading the .gz files and only reads the directory syslog anything else that is there like date+syslog directory.gz it is not reading that i confirmed it from ./splunk list monitor command.

koshyk · ‎10-23-2017

hi,
do a blacklist on gz files in your inputs.conf

eg

[monitor:///var/log/xyz/]
disabled = false
ignoreOlderThan = 7d
recursive = true
index = my_index
blacklist = (\.tgz|\.gz)$

hrithiktej · ‎10-23-2017

Thanks, I am using this now in my inputs.conf [monitor:///opt/splunk/syslogs/cisco/acs//syslog] instead of //* , lets c if this works if this does not then i will try your suggestion of blacklisting.

enicholson_splu · ‎10-23-2017

Modify your inputs.conf monitor the actual log files in that path. If the logs end in .log, wild card the .log extension. You can also blacklist the .gz files etc...

Splunk is ingesting archived data from our syslog servers. How do I stop this?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases