Hello!
I have enabled Windows auditing on a Windows machine and mounted the directory where all logs are written on an Ubuntu machine where Splunk is installed. I am then monitoring the mounted audit file from the Splunk instance. The monitored file is in XML format, the events are single-line, and the last line in the XML file is always </Events>. Every new event is written before the last line, i.e. on the second-to-last line.
The problem is that every time new events are written to the monitored XML file, Splunk re-indexes the entire file.
When I search for "index=_internal sourcetype=splunkd component=watchedfile" I get the result "INFO WatchedFile - Checksum for seekptr didnt't match, will re-read the entire file=' /mnt/netapp_audit/audit/audit_splunk_audit_last.xml'".
Other than that, the events are parsed correctly in Splunk.
Why is the entire file re-indexed every time logs are written to the monitored XML file?
Is it possible to get Splunk to only read events until the second last line?
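The following is an added illustration, not code from the post or from Splunk. It models, in a simplified way (an assumption, not Splunk's exact algorithm), why a seek-pointer checksum taken at the old end of file stops matching when the writer inserts the new event above the closing </Events> line instead of appending, and it shows one defensive workaround: copy each single-line <Event> record into a separate append-only file that a monitor can tail without the wrapper line ever moving. The sample XML, the state-file layout and the function names are all constructed for the example.

```python
import re
import zlib

# Matches one single-line <Event ...>...</Event> record, the shape described in the post.
EVENT_RE = re.compile(r"^\s*<Event\b.*</Event>\s*$")

# Constructed sample of the audit file before and after the writer inserts a new
# event just above the closing </Events> line (not real Windows audit data).
BEFORE = (
    "<Events>\n"
    "<Event><System><EventID>4624</EventID></System></Event>\n"
    "</Events>\n"
)
AFTER_INPLACE = (
    "<Events>\n"
    "<Event><System><EventID>4624</EventID></System></Event>\n"
    "<Event><System><EventID>4634</EventID></System></Event>\n"
    "</Events>\n"
)
# The same new event delivered append-only, with no closing wrapper to move.
AFTER_APPEND = BEFORE + "<Event><System><EventID>4634</EventID></System></Event>\n"


def seekptr_checksum_matches(old_text, new_text, window=256):
    """Simplified model (an assumption, not Splunk's real algorithm) of a
    seek-pointer check: hash the bytes just before the old end of file and see
    whether the same byte range still hashes identically in the new file."""
    old, new = old_text.encode("utf-8"), new_text.encode("utf-8")
    seek = len(old)
    start = max(0, seek - window)
    return zlib.crc32(old[start:seek]) == zlib.crc32(new[start:seek])


def extract_events(xml_text):
    """Return the single-line <Event> records in document order, dropping the
    <Events> wrapper lines that the writer rewrites in place."""
    return [line.strip() for line in xml_text.splitlines() if EVENT_RE.match(line)]


def new_events_since(xml_text, seen):
    """Return (events not yet copied, total events now in the file).
    If the file shrank (rotation or truncation), restart from the beginning
    rather than silently skipping records."""
    events = extract_events(xml_text)
    if seen > len(events):
        seen = 0
    return events[seen:], len(events)


def sync_events(src_path, dst_path, state_path):
    """Copy newly written events to an append-only file suitable for tailing.
    state_path holds the count of events already copied (hypothetical layout)."""
    with open(src_path, encoding="utf-8") as f:
        xml_text = f.read()
    try:
        with open(state_path, encoding="utf-8") as f:
            seen = int(f.read().strip() or 0)
    except FileNotFoundError:
        seen = 0
    new_events, total = new_events_since(xml_text, seen)
    with open(dst_path, "a", encoding="utf-8") as out:
        out.writelines(ev + "\n" for ev in new_events)
    with open(state_path, "w", encoding="utf-8") as f:
        f.write(str(total))
    return len(new_events)


if __name__ == "__main__":
    print("in-place insert keeps checksum:", seekptr_checksum_matches(BEFORE, AFTER_INPLACE))
    print("append-only keeps checksum:   ", seekptr_checksum_matches(BEFORE, AFTER_APPEND))
```

Run `sync_events` on a schedule (for example from cron) against the mounted audit file and point the monitor at the append-only destination instead; because that file only ever grows, the bytes before the previous end of file never change and the full re-read does not recur. The count-based state is deliberately simple and will resend events if the source file is replaced by one with more records than were already copied.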