Solved: Stanza to select Nginx log files

hbacbs · ‎04-23-2018

I want to forward some Nginx log files. Nginx log files look like:
- server-access.log
- server-access.log-20180102
- server-access.log-20180101.gz
I configured inputs.conf [monitor:////var/log/nginx/server-access.log*] index = server-index

But I didn't receive any events. It works without the wildcard.

According to the documentation (1) the stanza [monitor:////var/log/nginx/server-access.log*] is translated to [monitor:////var/log/nginx] whitelist = server-access.log[^/]*$

Specifying the whitelist does the job. My question is what is wrong with server-access.log*

(1): http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Specifyinputpathswithwildcards

markusspitzli · ‎02-22-2019

I'm not sure but I think you have a / to much in your stanza. It should look like this:
[monitor:///var/log/nginx/server-access.log*]

If this still not works I would make two stanzas:

[monitor:///var/log/nginx/server-access.log]
[monitor:///var/log/nginx/server-access.log-*]

View solution in original post

markusspitzli · ‎02-22-2019

I'm not sure but I think you have a / to much in your stanza. It should look like this:
[monitor:///var/log/nginx/server-access.log*]

If this still not works I would make two stanzas:

[monitor:///var/log/nginx/server-access.log]
[monitor:///var/log/nginx/server-access.log-*]

Stanza to select Nginx log files

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases