https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/511158#M2819 <P>I found that the Splunk configurations for syslog get the hostname from the log file itself.&nbsp;</P><P>I set /etc/rsyslog.conf to have&nbsp;<STRONG>$PreserveFQDN on</STRONG> and now it is working correctly.</P> Mon, 27 Jul 2020 15:32:36 GMT RoyceTheBiker 2020-07-27T15:32:36Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510895#M2793 <P>I copied the default inputs.conf to local and added some monitor configurations. There are seven monitors setup but only six are reporting. /var/log/messages is not working.</P> <PRE>[monitor:///var/log/messages] disabled = false #index = linuxlog sourcetype = syslog [monitor:///var/log/secure] disabled = 0 sourcetype = linux_secure</PRE> <P>The logs from secure do show up and the other monitors are working as expected.</P> <P>I have tried with ``disabled = 0``, also with and without index and sourcetype.&nbsp;<BR /><BR />All the examples I am finding indicate that this should be working.&nbsp;<BR /><BR /></P> Fri, 24 Jul 2020 22:29:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510895#M2793 RoyceTheBiker 2020-07-24T22:29:20Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510896#M2794 <P>When your UF runs as non root user you must give access rights to needed log files an directories. If you are running also selinux &nbsp;then you must also modify its policy.</P><P>r. Ismo</P> Fri, 24 Jul 2020 20:16:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510896#M2794 isoutamo 2020-07-24T20:16:23Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510901#M2795 <P>Both messages and secure are root:root 600.&nbsp; The UF (splunkd) is being run by root so is also the process-runner.</P> Fri, 24 Jul 2020 20:47:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510901#M2795 RoyceTheBiker 2020-07-24T20:47:21Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510902#M2796 <P>Are you running selinux? Did you find any relevant error from messages or auditd files?</P> Fri, 24 Jul 2020 20:55:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510902#M2796 isoutamo 2020-07-24T20:55:15Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510903#M2797 <P>SE is disabled.&nbsp;<BR />This looks like there are no errors with the config files.</P><P>/var/log/messages<BR />Jul 24 20:20:43 devtools splunk: All installed files intact.<BR />Jul 24 20:20:43 devtools splunk: Done<BR />Jul 24 20:20:43 devtools splunk: All preliminary checks passed.<BR />Jul 24 20:20:43 devtools splunk: Starting splunk server daemon (splunkd)...<BR />Jul 24 20:20:43 devtools splunk: Done</P> Fri, 24 Jul 2020 21:04:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510903#M2797 RoyceTheBiker 2020-07-24T21:04:13Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510904#M2798 <P>The only splunk lines in the audit.log is for when systemd restarts the service.</P> Fri, 24 Jul 2020 21:08:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510904#M2798 RoyceTheBiker 2020-07-24T21:08:43Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510911#M2800 <P>I just found that the /var/log/messages are being sent to the Splunk server, but the hostname is the short name, not the FQDN that I was looking at.</P><P>Under the host=&lt;short name&gt; the only source is /var/log/message.&nbsp;&nbsp;</P><P>I will look to see if there is another spot where the short name is used and forces this.</P> Fri, 24 Jul 2020 22:14:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/510911#M2800 RoyceTheBiker 2020-07-24T22:14:02Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/511158#M2819 <P>I found that the Splunk configurations for syslog get the hostname from the log file itself.&nbsp;</P><P>I set /etc/rsyslog.conf to have&nbsp;<STRONG>$PreserveFQDN on</STRONG> and now it is working correctly.</P> Mon, 27 Jul 2020 15:32:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/511158#M2819 RoyceTheBiker 2020-07-27T15:32:36Z https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/564383#M9780 <P>You could also set the host here:</P><LI-CODE lang="c">[monitor:///var/log/messages] disabled = false host = &lt;FQDN&gt; sourcetype = syslog</LI-CODE> Mon, 23 Aug 2021 15:38:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-are-all-monitors-working-except-var-log-messages/m-p/564383#M9780 ephemeric 2021-08-23T15:38:55Z