All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco eStreamer for Splunk: How to configure inputs.conf to release monitor file when no more data is being added?

sjaworski
Communicator
‎11-10-2015 02:00 PM

I am using the Cisco eStreamer for Splunk app to collect Sourcefire logs. What I noticed is that Splunk does not appear to stop monitoring files when data is no longer being added to the log file. The eStreamer client grows the log file to 10MB, then rotates to a new file name. Splunk just adds the new file to its list to monitor and never lets go of the old file. Eventually Splunk is monitoring thousands of files that are no longer collecting data.

estreamer.log.1447173668  estreamer.log.1447175714  estreamer.log.1447177772  estreamer.log.1447179767  estreamer.log.1447181889  estreamer.log.1447184029  estreamer.log.1447186139

[monitor://$SPLUNK_HOME/etc/apps/eStreamer/log]
disabled = 0
source = eStreamer
sourcetype = eStreamer
index = estreamer
crcSalt = <SOURCE>

How do I configure the inputs.conf to release the file after a certain amount of time or size? Or is there a better way?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sjaworski
Communicator
‎11-27-2015 04:59 PM

Here is the solution I came up with.
Since estreamer has to run on Linux, I used logrotate to rotate the files.

Create file estreamer in /etc/logrotate.d/
Add this configuration.

/opt/splunk/etc/apps/eStreamer/log/estreamer.log.* {
        missingok
        rotate 7
        daily
        compress
        postrotate
                /bin/kill -HUP `cat /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pid 2> /dev/null` 2> /dev/null || true
        endscript
}

To force a rotation immediately and troubleshoot any issues, execute logrotate -vf /etc/logrotate.d/estreamer

Next the inputs.conf needs to be adjusted.

Copy the inputs.conf file to the local directory of the eStreamer app if it does not exist.

Edit the inputs.conf file and instruct Splunk to blacklist the gz files created by logrotate.

[monitor://$SPLUNK_HOME/etc/apps/eStreamer/log]
disabled = 0
source = eStreamer
sourcetype = eStreamer
index = estreamer
crcSalt = <SOURCE>
#Add Blacklist not to collect GZ files
blacklist = estreamer.log.\d{10}.\d{1}.gz

Verify Splunk is only monitoring the active estreamer files. Execute, /opt/splunk/bin/splunk list monitor | grep estreamer

[splunky@splkcollector local]# /opt/splunk/bin/splunk list monitor | grep estreamer
                /opt/splunk/etc/apps/eStreamer/log/estreamer.log.1448663187
                /opt/splunk/etc/apps/eStreamer/log/estreamer.log.1448663245

😛

View solution in original post

Reply
Solved! Jump to solution

douglashurd
Builder
‎08-02-2017 04:15 PM

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma
Reply
Solved! Jump to solution
Solution

sjaworski
Communicator
‎11-27-2015 04:59 PM

Here is the solution I came up with.
Since estreamer has to run on Linux, I used logrotate to rotate the files.

Create file estreamer in /etc/logrotate.d/
Add this configuration.

/opt/splunk/etc/apps/eStreamer/log/estreamer.log.* {
        missingok
        rotate 7
        daily
        compress
        postrotate
                /bin/kill -HUP `cat /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pid 2> /dev/null` 2> /dev/null || true
        endscript
}

To force a rotation immediately and troubleshoot any issues, execute logrotate -vf /etc/logrotate.d/estreamer

Next the inputs.conf needs to be adjusted.

Copy the inputs.conf file to the local directory of the eStreamer app if it does not exist.

Edit the inputs.conf file and instruct Splunk to blacklist the gz files created by logrotate.

[monitor://$SPLUNK_HOME/etc/apps/eStreamer/log]
disabled = 0
source = eStreamer
sourcetype = eStreamer
index = estreamer
crcSalt = <SOURCE>
#Add Blacklist not to collect GZ files
blacklist = estreamer.log.\d{10}.\d{1}.gz

Verify Splunk is only monitoring the active estreamer files. Execute, /opt/splunk/bin/splunk list monitor | grep estreamer

[splunky@splkcollector local]# /opt/splunk/bin/splunk list monitor | grep estreamer
                /opt/splunk/etc/apps/eStreamer/log/estreamer.log.1448663187
                /opt/splunk/etc/apps/eStreamer/log/estreamer.log.1448663245

😛

Reply
Solved! Jump to solution

mikaelbje
Motivator
‎10-21-2016 03:22 AM

Hi!

Using your above solution but I end up with lots of copies of logs getting gzipped and suffixed, so it looks like it's gzipping what's already been gzipped and rotated, in a loop. Using the exact config you pasted.

Is your config still working?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-10-2015 08:07 PM

Even if you blacklist the rotated files, the forwarder will STILL have to sort through them and will slow down more and more and more. To avoid this, you need to setup another process to delete files that are very old (say 30 days or more), or move them somewhere. If this cannot be done (all files have to stay where the are, as they are), then you can do something like this:

https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html

Reply
Solved! Jump to solution

sjaworski
Communicator
‎11-27-2015 05:01 PM

Thank you for the direction, the solution I came up with is below.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-10-2015 02:09 PM

Hi sjaworski,

one thing that straight popped into my eyes is crcSalt = This in dangerous on rotated log files, because it could lead to the log file being re-indexed after it has rolled.

You could limit the monitored files by using whitelist and or blacklist or setup the monitor stanza just to watch this one log file 

 [monitor://$SPLUNK_HOME/etc/apps/eStreamer/log/estreamer.log]

See the docs http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Inputsconf for more details.

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

sjaworski
Communicator
‎11-27-2015 05:00 PM

Thank you for the direction, the solution I came up with is below.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top