Here is my input.conf:
[monitor:///var/log]
crcSalt =
disabled = false
index = main
From this it should recursively search all logs under /var/log/...
The issue I am seeing is that the splunk user is not able to read apache2, audit, and some other logs. Permissions on all those logs are 0640. Also to note, I have added the splunk user to the groups root, adm and syslog while trying to troubleshoot.
The forwarder should be able to read these files as it's a part of those groups, but at this point I am at a loss.
Any help would be greatly appreciated!
UPDATE 11/3/14:
I know this is a little delayed, but the files are still not being read.
The addition of the "..." did help with recursion (and is a partial answer), but the files are still not being ingested/sent. I have performed some testing and maybe you guys can help me see something I don't see.
Current file permissions are 640 and owned by "root:adm". The Splunk Forwarder is still a part of the root, adm and syslog groups. With these file permissions the logs are not being sent, but if I switch to the splunk user I can read the logs without issue. This tells me that the permissions on the logs should be fine and the UF should be able to send them, correct? But if I change the ownership to "root:root" the logs start being sent.
Any thoughts on this?
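An added check for the situation described above (example code written for this page, not from the original poster and not part of Splunk). It tests two things that a permission-looks-fine-but-read-fails symptom can hinge on on Linux: every directory on the path needs the search (x) bit for the reading user, not just the r bit on the file itself; and a running process keeps the supplementary groups it was started with, so a group added to the account afterwards only applies to the forwarder after it is restarted. The script therefore evaluates readability twice, once with the groups "id" reports for the account and once with the groups the live process actually holds in /proc/PID/status. It assumes GNU coreutils stat and a /proc filesystem; the file path, user name and PID are supplied by the caller (the splunkd process name in the usage comment is an assumption about how the forwarder is found).

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a user (by uid and
# group list) can read a file, walking the directory chain, and compares the
# account's groups with the groups of an already-running process.

# mode_allows MODE OWNER_UID OWNER_GID WANT UID "GIDS"
# MODE is octal as printed by stat (640, 0750, 1777); WANT is r or x.
# Returns 0 if the classic Unix permission check grants WANT to UID.
mode_allows() {
  mode=$1 ouid=$2 ogid=$3 want=$4 uid=$5 gids=$6
  [ "$uid" -eq 0 ] && return 0           # root bypasses DAC for read and search
  pm="000$mode"; pm=${pm#"${pm%???}"}    # keep the last three octal digits: u g o
  if [ "$uid" -eq "$ouid" ]; then
    d=${pm%??}                           # owner class wins even if group would allow
  else
    case " $gids " in
      *" $ogid "*) d=${pm#?}; d=${d%?} ;; # file's group is in the gid list
      *)           d=${pm#??} ;;          # otherwise the "other" class
    esac
  fi
  case $want in r) bit=4 ;; x) bit=1 ;; *) return 2 ;; esac
  [ $((d & bit)) -ne 0 ]
}

# path_readable FILE UID "GIDS": every parent directory must be searchable (x)
# and the file itself readable (r). Prints the first failing component.
path_readable() {
  target=$1 uid=$2 gids=$3
  p=/; dir=$(dirname "$target"); rest=${dir#/}
  while [ -n "$rest" ]; do
    comp=${rest%%/*}; rest=${rest#"$comp"}; rest=${rest#/}
    p=${p%/}/$comp
    st=$(stat -L -c '%a %u %g' "$p") || return 2
    set -- $st
    mode_allows "$1" "$2" "$3" x "$uid" "$gids" ||
      { echo "cannot traverse $p (mode $1, owner $2:$3)" >&2; return 1; }
  done
  st=$(stat -L -c '%a %u %g' "$target") || return 2
  set -- $st
  mode_allows "$1" "$2" "$3" r "$uid" "$gids" ||
    { echo "cannot read $target (mode $1, owner $2:$3)" >&2; return 1; }
}

# Groups a running process actually holds (fixed at exec time), versus what
# "id USER" reports for a fresh login after the account was edited.
proc_uid()    { awk '/^Uid:/ { print $2 }' "/proc/$1/status"; }
proc_groups() { awk '/^Groups:/ { sub(/^Groups:[ \t]*/, ""); print }' "/proc/$1/status"; }

# diagnose FILE USER [PID]
diagnose() {
  file=$1 user=$2 pid=$3
  uid=$(id -u "$user") || return 2
  gids=$(id -G "$user")
  printf 'account %s: uid=%s gids=%s\n' "$user" "$uid" "$gids"
  if path_readable "$file" "$uid" "$gids"; then
    echo "readable with the account's current groups"
  else
    echo "NOT readable with the account's current groups"
  fi
  [ -n "$pid" ] || return 0
  puid=$(proc_uid "$pid") || return 2
  pgids=$(proc_groups "$pid")
  printf 'process %s: uid=%s gids=%s\n' "$pid" "$puid" "$pgids"
  if path_readable "$file" "$puid" "$pgids"; then
    echo "readable by the running process"
  else
    echo "NOT readable by the running process (if groups were added after it started, restart it)"
  fi
}

# Usage (PID lookup is an assumption about the forwarder's process name):
#   sh check_read.sh /var/log/apache2/access.log splunk "$(pgrep -o splunkd)"
if [ $# -ge 2 ]; then diagnose "$@"; fi
```

If the first line reports readable but the second does not, the account is fine and the process is stale; if both fail, the message names the first directory or file whose mode blocks the user.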