topic Re: New logs not feeding into Splunk in Getting Data In

New logs not feeding into Splunk

andsmith2 — Mon, 30 Oct 2017 12:44:35 GMT

I have a Red Hat server running rsyslog. Everything is logging but 1 log is not feeding into Splunk. The rsyslog.conf file is configured properly and the log is populating under /opt/remote_logs/. Any ideas?

From duplicate post:
I am running a Red Hat server with rsyslog. I have a ldap server pushing logs to rsyslog in a lab environment that is mirrored to the production server. It is logging and feeding into Splunk. When I switch over to the production server, it will not log in rsyslog. The rsyslog.conf is properly configured and I have confirmed the the production ldap server is configured properly too. Any ideas?

Re: New logs not feeding into Splunk

mattymo — Mon, 30 Oct 2017 12:50:34 GMT

Start by confirming your inputs are working by using ./splunk list inputstatus on the forwarder and look for the status of that particular input, or by checking index=_internal source=*splunkd.log tailreader and look for your filename.

If your inputs are correct then the tailreader should have found that file and it will tell you what it has done with it thus far.

Also, you could check index=* source=yourFileName ALLTIME, to ensure you aren't dealing with wacky timestamping.

Re: New logs not feeding into Splunk

richgalloway — Mon, 30 Oct 2017 12:50:55 GMT

Is your universal forwarder configured correctly?

Re: New logs not feeding into Splunk

andsmith2 — Mon, 30 Oct 2017 12:54:14 GMT

Not using a universal forwarder. LDAP is forwarding logs to Splunk rsyslog.

Re: New logs not feeding into Splunk

mattymo — Mon, 30 Oct 2017 12:56:38 GMT

Splunk is a different thing than rsyslog.

rsyslog catches syslog and writes to a file (or does other tricks with it), where a Splunk forwarder then monitors that file....

http://www.georgestarcher.com/splunk-success-with-syslog/

can you clarify your set up?

Re: New logs not feeding into Splunk

andsmith2 — Mon, 30 Oct 2017 13:17:02 GMT

I have a Red Hat server dedicated to Splunk. It is running rsyslog. All of my host that can not use a universal forwarder, send their logs to rsyslog and then get feed in Splunk. Everything is logging and writing to file but only 1 is not view-able on the Search Head.

Re: New logs not feeding into Splunk

mattymo — Mon, 30 Oct 2017 13:47:52 GMT

Ok, have you set up a monitor in splunk to go get that file?

https://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Monitorfilesanddirectories

Re: New logs not feeding into Splunk

andsmith2 — Mon, 30 Oct 2017 14:36:27 GMT

Thank you. I got it working. I forgot the the monitors were in inputs.conf on my deployment server.

Re: New logs not feeding into Splunk

mattymo — Mon, 30 Oct 2017 14:39:31 GMT

nice! be sure to post an answer and accept it so that future splunkers can see what you checked!

Re: New logs not feeding into Splunk

andsmith2 — Mon, 30 Oct 2017 14:45:27 GMT

New sourcetypes on you syslog server need to have the monitor added to your inputs.conf. For example, I added new logging from my netscalers, so I updated my rsyslog.conf on the syslog server. I then had to update my inputs.conf for syslog on my deployment server and add the monitor for this new sourcetype.