
File monitoring inputs for Splunk Add-on for Unix and Linux?

AK_Splunk
Explorer


Query 1 --> I have installed the above-mentioned app to monitor the file monitoring inputs from the same. When I enable the default file monitoring inputs I am getting the source and sourcetype as attached in the data. But I do not see many interesting fields for the same source and sourcetype. Please assist me with the exact source and sourcetype along with the list of interesting fields it will extract via field extraction.

Query 2 --> I have installed the above-mentioned app to monitor the file monitoring inputs from the same. When I updated inputs.conf with new file monitoring inputs I am not getting data for the new input. Please let me know why, and how we can work on the same to get the exact data from the new input files.


gcusello
SplunkTrust

Hi @AK_Splunk,

I suppose that you installed the latest version of this Add-On.

Anyway, there are many inputs to enable, reading files and executing scripts, to have many different sources and sourcetypes; why do you say that you don't see many interesting fields?

Which ones did you enable?

As you can see at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About you have, by default: 6 monitored folders and 35 scripted inputs, adding up to 44 different sourcetypes!

About the second question, could you share your updated inputs.conf (which I suppose you did in the app's local folder)?

Did you restart the Forwarder after updating the conf files?

Ciao.

Giuseppe


AK_Splunk
Explorer

The app version installed of this Add-On is 8.7.0.

I have only enabled the 6 default file/folder monitoring inputs in the app and have added 3 more file paths in the same format as the default file monitoring inputs.

I am looking for interesting fields like loglevel, messages, timing, etc.

The sourcetypes of the scripted inputs are shared in the document. I am trying to understand the sourcetype of the file monitoring inputs.

Default inputs.conf stanzas:

[monitor:///Library/Logs]
disabled = 1

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1

[monitor:///var/adm]
whitelist=(\.log|log$|messages)
disabled = 1

[monitor:///etc]
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
disabled = 1

### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history

[monitor:///home/*/.bash_history]
disabled = true
sourcetype = bash_history

Updated inputs.conf stanzas:

[monitor:///var/log/messages]
disabled = 0
index = unix_test_normal

[monitor:///Library/Logs]
disabled = 0
index = unix_test_normal

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 0
index = unix_test_normal

[monitor:///var/adm]
whitelist=(\.log|log$|messages)
disabled = 0
index = unix_test_normal

[monitor:///etc]
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
disabled = 0
index = unix_test_normal

Yes, I have performed a restart.

gcusello
SplunkTrust

Hi @AK_Splunk,

The configurations are correct; which user are you using to run Splunk on the Forwarder?

If not root, check whether this user has permission to read those files.

I suppose that you copied the inputs.conf file into the local folder before updating it; otherwise you lose your updates.

Is this forwarder managed by a Deployment Server? You can check on the DS or in $SPLUNK_HOME/etc/system/local/deploymentclient.conf.

Ciao.

Giuseppe

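As an added example (not code from the Add-on or from anyone in this thread), the following POSIX shell script applies a [monitor://] stanza's whitelist and blacklist the way Splunk does, against the full file path, and then reports which matching files the current user cannot read; run it as the Splunk service user Giuseppe asks about. The /var/log regexes are copied from the default stanza quoted above; the sample directory tree is constructed.

```shell
#!/bin/sh
# Added troubleshooting helper (not part of the Splunk Add-on for Unix and
# Linux). Given a [monitor://<dir>] stanza's directory, whitelist and
# blacklist regexes, list the files the monitor would pick up. Splunk
# matches whitelist/blacklist against the full path, so the regexes are
# applied to "<dir>/<name>" here as well; monitors are recursive by default.

# Print the full paths under $1 that match whitelist $2 and not blacklist $3.
monitor_candidates() {
    dir=$1; whitelist=$2; blacklist=$3
    find "$dir" -type f 2>/dev/null | sort | while IFS= read -r path; do
        printf '%s\n' "$path" | grep -Eq "$whitelist" || continue
        if [ -n "$blacklist" ]; then
            printf '%s\n' "$path" | grep -Eq "$blacklist" && continue
        fi
        printf '%s\n' "$path"
    done
}

# Print the candidates the current user cannot read. Run this as the Splunk
# service user (for example "sudo -u splunk sh check.sh") to see what the
# Forwarder itself would silently fail to open.
unreadable_candidates() {
    monitor_candidates "$1" "$2" "$3" | while IFS= read -r path; do
        [ -r "$path" ] || printf '%s\n' "$path"
    done
}

# Regexes from the Add-on's default [monitor:///var/log] stanza.
VARLOG_WHITELIST='(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)'
VARLOG_BLACKLIST='(lastlog|anaconda\.syslog)'

# Constructed sample tree standing in for /var/log: messages, secure,
# boot.log and cron are selected; lastlog and anaconda.syslog match the
# whitelist but are removed by the blacklist; wtmp matches nothing.
demo() {
    d=$(mktemp -d)
    for f in messages secure lastlog anaconda.syslog boot.log cron wtmp; do
        : > "$d/$f"
    done
    monitor_candidates "$d" "$VARLOG_WHITELIST" "$VARLOG_BLACKLIST"
    unreadable_candidates "$d" "$VARLOG_WHITELIST" "$VARLOG_BLACKLIST"
    rm -rf "$d"
}

demo
```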

AK_Splunk
Explorer

Hi @gcusello

Thanks for your quick response.

The permissions are root itself and have read-only permissions too.
I suspect it is some issue with respect to the app itself.
Even for the default inputs, if I enable them, the data that is coming in does not have good interesting fields like log level.

Can you confirm what all interesting fields we should be getting for default file monitoring inputs?

I am using this app for monitoring /var/log/message OS logs with the expectation that I will have default props that extract more common fields like log_level, service names, etc.

Please assist me on the same.

gcusello
SplunkTrust

Hi @AK_Splunk,

In this Add-On there are, by default, six file monitoring inputs that must be enabled (as you did) by copying inputs.conf from the default folder to the local folder and then changing "disabled=1" to "disabled=0".

Don't modify inputs.conf in the default folder!

I still do not understand what you mean by "all interesting fields we should be getting for default inputs file monitoring?": enabling these six inputs, the Forwarder reads the files in the related folders and sends them to Splunk, where they are parsed and indexed, so all the relevant fields are available to you.

One additional question: did you also install the Linux Add-On on the Indexers?

Add-ons are used on Forwarders for input, on Indexers or Heavy Forwarders (if present) for parsing and merging, and on Search Heads for search-time parsing.

Maybe you don't see the extracted fields because you didn't install the Add-On on the Indexers and Search Heads.

Ciao.

Giuseppe


AK_Splunk
Explorer

Thanks for your input @gcusello
Yes, the components are installed correctly on the SH, IDX and UF respectively.

gcusello
SplunkTrust

Hi @AK_Splunk,

If you have intermediate Heavy Forwarders, you have to install the TA there too, but your issue shouldn't be related to this because fields are extracted at search time, so only the TA installed on the Search Head is relevant.

Anyway, I still do not understand what you mean by "all interesting fields we should be getting for default inputs file monitoring?": enabling the above six inputs, the Forwarder reads the files in the related folders and sends them to Splunk, where they are parsed and indexed, so all the relevant fields are available to you.

Ciao.

Giuseppe
