https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168783#M4978 <P>The Splunk logs from that sever should be in Splunk:</P> <PRE><CODE>index=_internal host=Server1 sourcetype=splunkd </CODE></PRE> <P>You can obviously sift through the results, maybe searching for "error" or "monitor" or "tailing" (don't recall off hand the best search to find these kinds of problems).</P> <P>Did you ever get logs from Path 2 into Splunk? If not, it might be worth posting your inputs on here to see if something may be off there.</P> Thu, 13 Aug 2015 00:57:37 GMT maciep 2015-08-13T00:57:37Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168778#M4973 <P>From a particular Server, we are able to see logs on Splunk from certain locations, but for others, there are no logs. If there is a permission or other such issues while accessing these logs, where would such errors be logged?</P> Wed, 12 Aug 2015 06:09:54 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168778#M4973 withrythm 2015-08-12T06:09:54Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168779#M4974 <P>have you checked your user roles in both servers? you might have different permission for index access and (depending on the search you are doing) you might have different default indexes for search.</P> Wed, 12 Aug 2015 11:13:00 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168779#M4974 diogofgm 2015-08-12T11:13:00Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168780#M4975 <P>To be clear, do you want to see Splunk log (splunkd.log, etc.) or logs forwarded from monitored systems?</P> Wed, 12 Aug 2015 12:26:39 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168780#M4975 richgalloway 2015-08-12T12:26:39Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168781#M4976 <P>It depends. Be as specific as you possibly can and maybe somebody here can help.</P> Wed, 12 Aug 2015 16:45:01 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168781#M4976 woodcock 2015-08-12T16:45:01Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168782#M4977 <P>Below is what is required to be available on SPLUNK:</P> <P>Server 1- logs from Path 1<BR /> Server 1- logs from Path 2</P> <P>The permissions for Path 1 and Path 2 are same. However, I am able to see logs from Path 1 but not from Path 2.</P> <P>My question is, supposedly if there is some issue in Path 2 while Server 1 is trying to access the logs/files on those path; where are such error logs captured. Are these available on SPLUNK GUI anywhere? or on Server 1? or on SPLUNK Servers? and how to access such error logs. </P> <P>Thanks in advance!</P> Thu, 13 Aug 2015 00:37:49 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168782#M4977 withrythm 2015-08-13T00:37:49Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168783#M4978 <P>The Splunk logs from that sever should be in Splunk:</P> <PRE><CODE>index=_internal host=Server1 sourcetype=splunkd </CODE></PRE> <P>You can obviously sift through the results, maybe searching for "error" or "monitor" or "tailing" (don't recall off hand the best search to find these kinds of problems).</P> <P>Did you ever get logs from Path 2 into Splunk? If not, it might be worth posting your inputs on here to see if something may be off there.</P> Thu, 13 Aug 2015 00:57:37 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168783#M4978 maciep 2015-08-13T00:57:37Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168784#M4979 <P>Thanks Maciep for your response. No these are new paths added to the inputs.conf. below are the details from the input file. All of these are directories:</P> <P>[monitor:///opt/app/weblogic/oracle/middleware/user_projects/domains/endeca_server_domain/servers/Managed-2/logs]<BR /> index = ftts<BR /> sourcetype = application_logs<BR /> disabled = 0<BR /> crcSalt = <BR /> followTail = 0</P> <P>[monitor:///opt/app/weblogic/oracle/middleware/logs]<BR /> index = ftts<BR /> sourcetype = application_logs<BR /> disabled = 0<BR /> crcSalt = <BR /> followTail = 0</P> <P>[monitor:///var/opt/app/endecaserver/logs]<BR /> index = ftts<BR /> sourcetype = application_logs<BR /> disabled = 0<BR /> crcSalt = <BR /> followTail = 0</P> <P>[monitor:///var/opt/app/.snapshot/daily*]<BR /> index = ftts<BR /> sourcetype = snapshot_logs<BR /> disabled = 0<BR /> crcSalt = <BR /> followTail = 0</P> <P>[monitor:///home/endeca/oraInventory/logs]<BR /> index = ftts<BR /> sourcetype = application_logs<BR /> disabled = 0<BR /> crcSalt = <BR /> followTail = 0</P> Tue, 29 Sep 2020 06:58:03 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168784#M4979 withrythm 2020-09-29T06:58:03Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168785#M4980 <P>There are so many different reasons why logs might not be appearing, that no, a simple search access would not be the full route to diagnosis. It might supply the answers, if they are the sort of issues logged in the audit logs.</P> <P>But it could simply be that the data is not being logged at all, and that could be down to any or all of misconfigured endpoint forwarder or indexer, SSL faults, broken network, local file permissions (all of which could be absent from the indexer because of the problem itself).</P> Thu, 13 Aug 2015 01:17:22 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168785#M4980 grijhwani 2015-08-13T01:17:22Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168786#M4981 <P>Thanks Grijhwani</P> <P>But since we are receiving logs from the same server from another path shouldnt it rule out SSL, broken network, miconfigured endpoint forwarder/indexer?</P> Thu, 13 Aug 2015 01:31:49 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168786#M4981 withrythm 2015-08-13T01:31:49Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168787#M4982 <P>The forwarder's logs should be on your indexers. You can also find them on the forwarder itself at SPLUNK_HOME/var/log/splunk.</P> Thu, 13 Aug 2015 12:51:14 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168787#M4982 richgalloway 2015-08-13T12:51:14Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168788#M4983 <P>Which of these is not being forwarded?</P> Thu, 13 Aug 2015 12:54:40 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168788#M4983 richgalloway 2015-08-13T12:54:40Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168789#M4984 <P>The main reason that a log is ignored is because of the problem described (and solved) here:</P> <P><A href="http://answers.splunk.com/answers/231959/why-are-files-in-a-monitored-directory-being-skipp.html">http://answers.splunk.com/answers/231959/why-are-files-in-a-monitored-directory-being-skipp.html</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Howlogfilerotationishandled">http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Howlogfilerotationishandled</A></P> <P>The easiest thing to try is to add this to your <CODE>inputs.conf</CODE> stanzas for each input:</P> <PRE><CODE>crcSalt = &lt;SOURCE&gt; </CODE></PRE> <P>Make sure that you copy this <EM>exactly</EM> (do not change capitalization).</P> Thu, 13 Aug 2015 13:11:29 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168789#M4984 woodcock 2015-08-13T13:11:29Z https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168790#M4985 <P>Yep, it would be helpful to know which stanzas you're not getting logs from. Or if you're getting logs from all of the stanzas, but not every log you'd expect with a certain stanza if that makes sense. </P> <P>As mentioned by woodcock, if any of those files have large headers that are the same, then that might explain it as well.</P> Sat, 15 Aug 2015 20:48:36 GMT https://community.splunk.com/t5/Security/As-a-Splunk-front-end-user-would-I-be-able-to-see-why-logs-from/m-p/168790#M4985 maciep 2015-08-15T20:48:36Z