https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479473#M82270 <P>So splunk is able to read these files and into directories, yet they are not populating on the splunk server. </P> Thu, 23 Apr 2020 12:06:19 GMT user789 2020-04-23T12:06:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479469#M82266 <P>I have set splunk to ingest the /var/log directory. On this particular host, I go to filter by "source", and only see 2 sources:</P> <UL> <LI>/var/log/messages</LI> <LI>/var/log/maillog</LI> </UL> <P>Why is it not seeing other files and folders? For example, there is /var/log/audit/audit.log.</P> Wed, 22 Apr 2020 16:01:08 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479469#M82266 user789 2020-04-22T16:01:08Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479470#M82267 <P>Does the account running Splunk have read access to the missing files? Often, files in /var/log are secured so only root can read them.</P> Wed, 22 Apr 2020 17:07:09 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479470#M82267 richgalloway 2020-04-22T17:07:09Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479471#M82268 <P>Splunk is running as "sudo", so this should be fine, right? </P> Wed, 22 Apr 2020 17:12:30 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479471#M82268 user789 2020-04-22T17:12:30Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479472#M82269 <P>"fine" as in able to read the files, yes. "fine" as in a good way to run Splunk, no. Running Splunk (or any non-OS process) as root increases your attack surface.</P> Wed, 22 Apr 2020 18:17:02 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479472#M82269 richgalloway 2020-04-22T18:17:02Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479473#M82270 <P>So splunk is able to read these files and into directories, yet they are not populating on the splunk server. </P> Thu, 23 Apr 2020 12:06:19 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479473#M82270 user789 2020-04-23T12:06:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479474#M82271 <P>Search index=_internal to verify the forwarder is sending data to the indexers. Verify you are looking in the right index for the data.</P> Fri, 24 Apr 2020 13:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479474#M82271 richgalloway 2020-04-24T13:36:18Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479475#M82272 <P>I ran the query for index=_internal, and I do not see any of my hosts showing up. </P> Thu, 14 May 2020 20:07:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-ingesting-some-log-files/m-p/479475#M82272 user789 2020-05-14T20:07:44Z