topic Re: Monitoring for a log file - nix* in Splunk Dev

Monitoring for a log file - nix*

Crashfry — Tue, 29 Sep 2020 22:23:13 GMT

So I have a specific application log i'm attempting to monitor. The log location is basically this:
/opt/application/app/logs/application.log.

My current inputs.conf file looks like this:
[monitor:///opt/application/app/logs/application]
whitelist=(.log)
disabled = 0
index = application_audit
sourcetype = application_audit

For the life of me, i cannot get this to work at all, i've looked at the permissions and all seem fine. Is there something i'm missing with the monitor or the white list? I currently have a universal forwarder on this device, so it should send out if it's working.

Re: Monitoring for a log file - nix*

whrg — Tue, 11 Dec 2018 16:02:40 GMT

Hello @Crashfry,

I believe the monitor stanza must refer to a directory or a single file. If it refers to a directory then I can include the whitelist filter.

Since you want to monitor only one specific file, try it like this:

[monitor:///opt/application/app/logs/application.log]
disabled = 0
index = application_audit
sourcetype = application_audit

For troubleshooting, search for:

index=_* /opt/application/app

Re: Monitoring for a log file - nix*

skoelpin — Tue, 11 Dec 2018 16:03:53 GMT

Your monitor stanza is wrong. You should include the .log or a * at the end like this

[monitor:///opt/application/app/logs/application.log]
disabled = 0
index = application_audit
sourcetype = application_audit

Don't forget to restart the Splunk service on the forwarder after making the change

Re: Monitoring for a log file - nix*

Crashfry — Tue, 11 Dec 2018 16:10:07 GMT

Alright, so that makes sense, I think where i was questioning myself was the whitelist. So there are other log files in this directory, would I have to be specific in the whitelist?
whitelist=\application.log$

Would I need to do that for being specific of the log i want in the directory?

Re: Monitoring for a log file - nix*

whrg — Tue, 11 Dec 2018 16:41:45 GMT

I edited my original answer because I initially thought you want to monitor /opt/application/app/logs/*.log.
You don't need the whitelist filter to monitor one specific file.

If you want to monitor additional files, either use a monitor stanza for each new file or use the whitelist filter if they have a similar pattern.
Provide the file names so we can help you with that.

Also, as @skoelpin has pointed out, you need to restart Splunk after making changes to configuration files.

Re: Monitoring for a log file - nix*

Crashfry — Tue, 11 Dec 2018 16:54:43 GMT

So that makes perfect sense. Being a single file, there is no need for adding in the whitelist stanza, just simply call out the specific file in the monitoring stanza.

I appreciate the help, i'm going to make those changes here shortly and see if i can the file to show up in Splunk.. i had checked initially how it was setup and see that it's " monitoring for the file " but nothing was coming in.. so i'll see if this makes a difference.

Re: Monitoring for a log file - nix*

Crashfry — Tue, 11 Dec 2018 18:28:52 GMT

@whrg So this is where i still don't understand why the log isn't pulling over to Splunk.. I look at the internal logs for verification the TA downloads onto the server and does everything it needs to do. I see the log for adding watch on path 'opt/application/app/logs/application.log' but nothing is ever sent over to the index for the log in question.. i had created the index and verified it's up but cannot get anything to write from this location.. i don't see anything on the indexers about anything being received.. am missing something?

Re: Monitoring for a log file - nix*

whrg — Tue, 29 Sep 2020 22:20:23 GMT

Do you see any events when you search for:
index=* source="/opt/application/app/logs/application.log" [All Time]?
Is your web user allowed to access that index?
Is application.log not empty? Perhaps you can paste a few lines here.
I assume the splunkd user has read permission on that file since you don't see any errors in the internal logs.
Do this search to see if the file was indexed (i.e. used the license):
index=_internal source="*license_usage.log" type=usage s="/opt/application/app/logs/application.log"