https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529468#M89193 <P>I'm having a hard time getting my stanza setup correctly. I basically want to monitor the maillog directories (maillog + maillog-date) and choose the best appropriate sourcetype</P><P>However the archive maillog directories aren't coming in</P><P>Can someone spin me In the right direction on how to better write this stanza? Please resist the urge to send me a splunk doc link as I've been rummaging through those for a while.. it's not clicking</P><P>&nbsp;</P><P>Can someone please help me in rewriting a better stanza</P><P>[monitor:///var/log]<BR />Whitelist =(maillog$)<BR />disabled = false<BR />sourcetype = maillog<BR />Index = linux</P><P>Currently it's not working where it's pulling in the archive logs. So anything with a date after maillog isn't getting pulled</P><P>I think I tried [monitor:///var/log/maillog*] without the whitelist but it isn't working</P> Sun, 15 Nov 2020 19:42:27 GMT Jarohnimo 2020-11-15T19:42:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529468#M89193 <P>I'm having a hard time getting my stanza setup correctly. I basically want to monitor the maillog directories (maillog + maillog-date) and choose the best appropriate sourcetype</P><P>However the archive maillog directories aren't coming in</P><P>Can someone spin me In the right direction on how to better write this stanza? Please resist the urge to send me a splunk doc link as I've been rummaging through those for a while.. it's not clicking</P><P>&nbsp;</P><P>Can someone please help me in rewriting a better stanza</P><P>[monitor:///var/log]<BR />Whitelist =(maillog$)<BR />disabled = false<BR />sourcetype = maillog<BR />Index = linux</P><P>Currently it's not working where it's pulling in the archive logs. So anything with a date after maillog isn't getting pulled</P><P>I think I tried [monitor:///var/log/maillog*] without the whitelist but it isn't working</P> Sun, 15 Nov 2020 19:42:27 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529468#M89193 Jarohnimo 2020-11-15T19:42:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529470#M89194 Have you check permission of files and directories, so your splunk user can read those or are you running splunk as root (security risk)?<BR />r. Ismo Sun, 15 Nov 2020 20:29:51 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529470#M89194 isoutamo 2020-11-15T20:29:51Z https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529472#M89195 <P>Hi, I do have read permission as other logs are coming in</P><P>&nbsp;</P><P>Could you please tell me if: maillog&nbsp;</P><P>&nbsp;</P><P>Is the correct sourcetype for /var/log/maillog</P><P>&nbsp;</P><P>I saw a few choices but it's unclear what's the best to use. Sendmail_syslog I thought looked promising but there I am guessing again&nbsp;</P> Sun, 15 Nov 2020 21:42:31 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529472#M89195 Jarohnimo 2020-11-15T21:42:31Z https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529474#M89196 <P>Hey there. Check Splunk's _internal index for any nuggets of info on this issue. This is assuming that the internal logs are being forwarded. If not look at the splunkd.log file on the host that has the input configured.</P><P>Splunk btool command may be of use to ensure that this config is even being read or being over ridden somehow. If you are editing the inputs.conf manually make sure that splunkd can read the inputs.conf file.</P><P>Just some things that come to mind...</P> Sat, 21 Nov 2020 19:32:18 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-writing-input-stanza-for-maillog/m-p/529474#M89196 brent_weaver 2020-11-21T19:32:18Z