topic Re: Problems with File & Directory Monitoring in Getting Data In

Problems with File & Directory Monitoring

autovhcdev — Thu, 14 Oct 2010 17:00:17 GMT

I've installed Splunk (4.1.5(85165) on windows) and have uploaded some logs without any issues.

I now want to monitor a linux server, but I'm having problems adding the datasource and always get the message:

Encountered the following error while trying to save: In handler 'monitor': Path must be absolute.

I'm using Splunk Web and have set the host field value to the two servers IP address and the full path on server to /var/log (and tried various other combinations).

On the Linux server I've added *.*@192.168.254.100 to syslog.conf.

I've read the manual, but it doesn't really help. and I'm finding a lack of tutorials. Pretty much thinking of abandoning the idea of Splunk now. I'm obviously missing some sort of basic information here. Can anyone help out? Being pointed in the direction of some decent tutorials would be good...

I'm having trouble understand how all this data gets sent to Splunk and how Splunk intercepts/retrieves it.

Re: Problems with File & Directory Monitoring

treinke — Thu, 14 Oct 2010 17:59:14 GMT

For the Syslog, have you verified that the Windows server is not blocking UDP:514 in the firewall? Also, did you add UDP:514 to the Splunk ports input?

Re: Problems with File & Directory Monitoring

autovhcdev — Thu, 14 Oct 2010 18:10:20 GMT

The firewall is not blocking that port, and I've got a Data Input on UDP:514 - I had to restart and now it shows up in the data sources

Re: Problems with File & Directory Monitoring

treinke — Fri, 15 Oct 2010 19:33:45 GMT

When you are getting the error message, are you getting that on the agent on the linux system or are you trying to use an UNC path?

If it is local to the system, what is the path you are trying to enter to get that error (/var/log/)?

What linux flavor and version are you using?