Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder with logrotate - events only arrive once a week

mprilop
Explorer
‎01-14-2015 02:05 AM

Hi,
i am having problems troubleshooting missing log entries. The UF seems to be configured correctly (list monitor and splunkd.log indicate everything okay). But only once a week four events reach splunk (it should be several thousand per day). Once per week may point to logrotate which is done weekly (config below) but i could not find any reference to similar problems with current versions of UF and splunk.

Our configuration:
Splunk version 6.1.3 (some enterprise license)

Universal Forwarder

# cat /opt/splunkforwarder/etc/splunk.version 
VERSION=6.1.3
BUILD=220630
PRODUCT=splunk
PLATFORM=Linux-x86_64

monitoring entry:

[monitor:///var/www/*/shared/log/*.log]
disabled = false
sourcetype = rails_app

splunkd.log entry for above monitoring:

01-14-2015 10:36:23.714 +0100 INFO  WatchedFile - Will begin reading at offset=72355036 for file='/var/www/our_app/shared/log/production.log'.

logrotate setting:

/var/www/*/shared/log/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    copytruncate
}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mprilop
Explorer
‎03-03-2015 07:46 AM

Turns out i had insufficient rights to view the resulting logs.

I do not know why i still saw single entries and combined with me being able to see all other logs directed to splunk via syslog it never occurred to me to check my access rights with our hoster.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mprilop
Explorer
‎03-03-2015 07:46 AM

Turns out i had insufficient rights to view the resulting logs.

I do not know why i still saw single entries and combined with me being able to see all other logs directed to splunk via syslog it never occurred to me to check my access rights with our hoster.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-14-2015 04:01 AM

Hi mprilop,

take a look at this answer http://answers.splunk.com/answers/185453/why-copytruncate-logrotate-does-not-play-well-with.html provided by @yannK, it includes some work around as well.

cheers, MuS

Reply
Solved! Jump to solution

mprilop
Explorer
‎01-16-2015 05:18 AM

Thanks for your suggestion. I will try out the workaround and hope it also solves my problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...