How do I send journald logs to Splunk?
journalctl -u servicename
Here the journal logs are "raw" — they are kept in journald's own binary format under /run/log/journal rather than as plain-text log files. Will Splunk read those raw logs?
Current forwarder configuration on bos-server1:
root@bos-server1#/opt/splunkforwarder/etc/apps/linux_auth/default# cat inputs.conf
# Universal Forwarder inputs for this app: two file-tailing (monitor://) inputs,
# both landing in the linux_log index. Key order inside a stanza is not significant.
# Note: nothing here covers /run/log/journal, so journald entries are not collected
# by this configuration as it stands.

# Plain-text syslog output.
[monitor:///var/log/syslog]
index = linux_log
sourcetype = linux_syslog
disabled = false

# Authentication logs: any file under /var/log whose name starts with "auth"
# and ends in ".log".
[monitor:///var/log/auth*.log]
index = linux_log
sourcetype = linux_authlog
disabled = false
Below is the journal log location. Note that this is the runtime journal under /run (volatile; it does not survive a reboot unless persistent storage is configured), and the files are owned by root:systemd-journal with mode 0640 plus an ACL, so whatever account the forwarder runs as must be granted read access to them:
root@bos-server1:/run/log/journal/112824edd9f56398bab569035733662e# pwd
/run/log/journal/112824edd9f56398bab569035733662e
root@bos-rndapp02:/run/log/journal/112824edd9f56398bab569035733662e# ls -al
total 344472
drwxr-s---+ 2 root systemd-journal 220 Jan 21 13:40 .
drwxr-sr-x 3 root systemd-journal 60 Sep 21 08:06 ..
-rw-r-----+ 1 root systemd-journal 41943040 Jan 14 02:57 system@dcf33424670b4269a8a8b1b6b5b86200-000000000043823d-00059bfe728bd765.journal
-rw-r-----+ 1 root systemd-journal 42151936 Jan 15 01:07 system@dcf33424670b4269a8a8b1b6b5b86200-0000000000443355-00059c14f222a797.journal