All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Moving eStreamer logs to different location

gaddams
Explorer
‎06-24-2014 12:25 AM

The current partition where the flow logs from Sourcefire are getting collected is full and I want to change the location. How can I change estreamer.log to different location on my splunk server?

Thanks
Swetha

0 Karma
Reply

cgrady_sf
Path Finder
‎06-24-2014 07:18 AM

You could create a log directory symlink to another mounted volume. That would be my best recommendation.

Reply

omgwut56k
Path Finder
‎08-20-2015 06:19 AM

It's been a while since this post, does the current remove logs? or do I need to find another solution to keep this from filling up our heavy forwarder?

0 Karma
Reply

GlennHofmann
Engager
‎01-27-2017 07:51 AM

Realizing this was posted many moons ago, here is the solution I found for telling eStreamer where to put it's logs. If the app ever gets upgraded, it will be overwritten, but I don't think that is going to happen anytime soon. In the eStreamer/bin directory you can edit client_check.py and change the log_file directive as shown below. Works like a charm. And add the find command to your cron.daily to point to the directory you have moved your logs to and you are good to go. 

# Set the rest of the paths relative to the splunk_path
app_path     = os.path.join(splunk_path, 'etc', 'apps', 'eStreamer')
app_bin_path = os.path.join(app_path, 'bin')
config_file  = os.path.join(app_path, 'local', 'estreamer.conf')
log_file     = ('/var/log/syslog-ng/estreamer/estreamer.log')
pid_file     = os.path.join(app_bin_path, 'estreamer_client.pid')
script_file  = os.path.join(app_bin_path, 'estreamer_client.pl')
0 Karma
Reply

cgrady_sf
Path Finder
‎06-24-2014 07:36 AM

At the moment, they do not get deleted by the app -- a current shortcoming. You can setup a cron job on the Splunk server to remove files older than, for example, 5 days with the following command:

find /path/to/files/* -mtime +5 -exec rm {} \;

Note, you will need to change the path, and I would recommend testing the command prior to placing it into a cron job entry.

Reply

ryanoconnor
Builder
‎01-12-2016 10:36 AM

This method worked for me as well. I used the following which searched for files older than an hour:

find /opt/splunk/etc/apps/eStreamer/log -mmin +59 -type f -exec rm “{}” \;

Like @cgrady_sf stated, you may not want to start out with executing the rm command. You could do something to simply move the files at first. The following will create a directory called "old" and move the files in there.

mkdir /opt/splunk/etc/apps/eStreamer/log/old

find /opt/splunk/etc/apps/eStreamer/log -mmin +59 -type f -exec mv “{}” /opt/splunk/etc/apps/eStreamer/log/old/ \;

0 Karma
Reply

gaddams
Explorer
‎06-24-2014 07:31 AM

Thanks.

What is the retention period of these logs given that they are indexed by splunk indexer and then I don't think we need these log files?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...