I know this question has been asked many times, but the answers don't seem to help my situation.
I am running SUF on FreeBSD (specifically pfSense). I'm currently feeding many different sources into a single Splunk indexer/search head. The indexer also receives events from a SUF installed on a Debian syslog server. I am having issues with one specific source from the FreeBSD forwarder.
The logs are located at ///var/log/openvpn.log
I added a configuration line to the inputs.conf file for the forwarder. Initially I didn't include the crcSalt stanza, but after doing some reading on the issue last month I added it, with seemingly no effect. There are no events from the source ///var/log/openvpn.log in the indexer.
This is the inputs.conf for the forwarder giving me problems. Any suggestions are welcome; I will keep searching, and if I find a solution myself I'll post an update.
[monitor:///var/log/suricata/suricata_em115040/eve.json]
disabled=false
sourcetype=suricata
index=main
ignoreOlderThan=3d
[monitor:///var/log/suricata/suricata_em022665/eve.json]
disabled=false
sourcetype=suricata
index=main
ignoreOlderThan=3d
[monitor:///var/log/filter.log]
disabled=false
sourcetype=firewall
index=main
ignoreOlderThan=3d
[monitor:///var/squid/logs/access.log]
disabled=false
sourcetype=squid
index=main
ignoreOlderThan=3d
[monitor:///var/log/openvpn.log]
disabled=false
sourcetype=openvpn
index=main
ignoreOlderThan=3d
crcSalt=<SOURCE>
[monitor:///var/log/dhcpd.log]
disabled=false
sourcetype=dhcpd
index=main
ignoreOlderThan=3d
[monitor:///var/log/vnstat/output_em1.json]
disabled=true
sourcetype=vnstat
index=main
ignoreOlderThan=3d
SOLUTION FOUND
After it was suggested that I review the splunkd logs on the forwarder, I found it was classifying the file as binary.
02-07-2018 07:45:56.718 -0500 WARN FileClassifierManager - The file '/var/log/openvpn.log' is invalid. Reason: binary
02-07-2018 07:45:56.718 -0500 INFO TailReader - Ignoring file '/var/log/openvpn.log' due to: binary
The solution I found was simple: add a stanza to props.conf on the forwarder, then restart the forwarder.
[openvpn]
NO_BINARY_CHECK = true
Thank you for your help in figuring this out. I was hitting a mental wall but the logs on the forwarder helped.
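Added example, not code from the original post: a small Python helper that automates the troubleshooting step described above. It maps each monitor:// stanza in inputs.conf to its sourcetype, scans splunkd.log for files TailReader is ignoring, and prints the props.conf stanza needed for any file skipped as binary. The inputs.conf excerpt, the splunkd.log excerpt and the function names are constructed for this example.

```python
import re
from configparser import ConfigParser

# Constructed inputs.conf excerpt (same shape as the forwarder config in the post).
INPUTS_CONF = """
[monitor:///var/log/filter.log]
sourcetype=firewall
index=main

[monitor:///var/log/openvpn.log]
sourcetype=openvpn
index=main
crcSalt=<SOURCE>
"""

# Constructed splunkd.log excerpt; first two lines mirror the warnings quoted above.
SPLUNKD_LOG = """\
02-07-2018 07:45:56.718 -0500 WARN FileClassifierManager - The file '/var/log/openvpn.log' is invalid. Reason: binary
02-07-2018 07:45:56.718 -0500 INFO TailReader - Ignoring file '/var/log/openvpn.log' due to: binary
02-07-2018 07:45:57.001 -0500 INFO TailReader - Adding watch on path: /var/log/filter.log
"""

# Matches the TailReader message that tells you a monitored file is being skipped and why.
IGNORED_RE = re.compile(r"TailReader - Ignoring file '(?P<path>[^']+)' due to: (?P<reason>\w+)")

def monitored_sourcetypes(inputs_text):
    """Map each monitored file path to its sourcetype from an inputs.conf."""
    cp = ConfigParser(interpolation=None)  # crcSalt=<SOURCE> must not be interpolated
    cp.read_string(inputs_text)
    result = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            path = section[len("monitor://"):]
            result[path] = cp.get(section, "sourcetype", fallback=None)
    return result

def ignored_files(log_text):
    """Return {path: reason} for every file TailReader reports it is ignoring."""
    found = {}
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            found[m.group("path")] = m.group("reason")
    return found

def props_fix(inputs_text, log_text):
    """Suggest props.conf stanzas for monitored files that were skipped as binary."""
    types = monitored_sourcetypes(inputs_text)
    return [f"[{types[p]}]\nNO_BINARY_CHECK = true"
            for p, reason in ignored_files(log_text).items()
            if reason == "binary" and types.get(p)]

if __name__ == "__main__":
    print("\n\n".join(props_fix(INPUTS_CONF, SPLUNKD_LOG)))
```

On a real forwarder, read $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local inputs.conf) and $SPLUNK_HOME/var/log/splunk/splunkd.log in place of the constructed strings.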