Hi,
I am having problems troubleshooting missing log entries. The UF seems to be configured correctly (`list monitor` and splunkd.log indicate everything is okay). But only once a week four events reach Splunk (it should be several thousand per day). Once per week may point to logrotate, which is done weekly (config below), but I could not find any reference to similar problems with current versions of UF and Splunk.
Our configuration:
Splunk version 6.1.3 (some enterprise license)
Universal Forwarder
# cat /opt/splunkforwarder/etc/splunk.version
VERSION=6.1.3
BUILD=220630
PRODUCT=splunk
PLATFORM=Linux-x86_64
monitoring entry:
[monitor:///var/www/*/shared/log/*.log]
disabled = false
sourcetype = rails_app
splunkd.log entry for above monitoring:
01-14-2015 10:36:23.714 +0100 INFO WatchedFile - Will begin reading at offset=72355036 for file='/var/www/our_app/shared/log/production.log'.
logrotate setting:
/var/www/*/shared/log/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
copytruncate
}
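The interaction the question is circling around is between an offset-based reader (the splunkd.log line shows the UF resuming at a byte offset) and logrotate's copytruncate, which empties the file in place. The following is an added, constructed model of that interaction, not Splunk's own code or the poster's: a toy tailer that remembers its offset is run against a simulated copytruncate, once as a naive reader and once with a shrink check (file size below the remembered offset means "restart from 0"). It shows why a reader that lacks that check goes silent after rotation until the file grows past the old offset.

```python
import os
import tempfile

# Constructed stand-in for an offset-based file reader (not Splunk's code):
# it remembers the byte offset it last read up to, like the splunkd.log line
# "Will begin reading at offset=..." shows the UF doing for production.log.
class OffsetTailer:
    def __init__(self, path, detect_truncation):
        self.path = path
        self.offset = 0
        self.detect_truncation = detect_truncation

    def poll(self):
        """Return the new complete lines appended since the last poll."""
        size = os.path.getsize(self.path)
        if size < self.offset:
            # The file shrank: copytruncate has emptied it in place.
            if self.detect_truncation:
                self.offset = 0      # restart from the beginning
            else:
                return []            # naive reader: nothing until size > offset
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        self.offset += len(data)
        return data.decode().splitlines()

def copytruncate(path):
    """Mimic logrotate's copytruncate: copy the file, then truncate it in place."""
    with open(path, "rb") as src, open(path + ".1", "wb") as dst:
        dst.write(src.read())
    with open(path, "r+b") as fh:
        fh.truncate(0)

def simulate(detect_truncation, before=1000, after=4):
    """Write `before` lines, rotate, write `after` lines; return what the tailer sees after rotation."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "production.log")   # constructed sample log
        open(path, "w").close()
        tailer = OffsetTailer(path, detect_truncation)
        with open(path, "a") as fh:
            for i in range(before):
                fh.write(f'Started GET "/" for request {i}\n')
        tailer.poll()            # reader is now positioned at offset == file size
        copytruncate(path)       # weekly rotation with copytruncate
        with open(path, "a") as fh:
            for i in range(after):
                fh.write(f'Started GET "/" for request after-rotate {i}\n')
        return tailer.poll()
```

`simulate(False)` returns nothing for the post-rotation lines, while `simulate(True)` returns all of them; the check to make on a real host is whether the current file size is smaller than the offset recorded in splunkd.log.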