I have WebSphere installed on Server A and it is configured with SplunkWAS and enabled as a LightWeightForwarder.
The logs are forwarded to Server B. This is working successfully and the WebSphere index is logging all the WebSphere logs except the application logs, SystemOut.log, SystemErr.log, Native*.log.
On Server A, the WebSphere logs are symbolically linked to a different folder, I was thinking this may be the issue except that the FFDC logs are also sym linked and work fine. Any ideas?
I modified the inputs.conf manually in the SplunkWAS application but this also doesn't work.
INPUTS.conf - first entry not working??? Before I changed it the first two monitors were "opt" and not "logs", else the same. Other two monitors are working...
[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs//...] whitelist = native./.log$|.Server/.log$|System./.log$|http_.*/.log$|/.pid$ crcSalt = disabled = 0 index = websphere
[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs/ffdc/...] sourcetype = WebSphere:ServerExceptionLog crcSalt = disabled = 0 index = websphere
[monitor:///opt/WebSphere6-1/AppServer/profiles/AppSrv01/...] whitelist = javacore.*/.txt$ crcSalt = disabled = 0 index = websphere
Ok so I got it to work....but to make it work I had to change the whitelist, see below for details.
[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs/...] whitelist = SystemOut.log|SystemErr.log|native_stdout.log|native_stderr.log crcSalt = disabled = 0 index = XXXX