Deployment Architecture
Highlighted

Unix App and searching Unix Logs

Engager

So once you have the unix app installed, one of the things it does is monitors /var/log. However you can't seem to search the logs as if you add /var/log as a directory input. And since it is already monitored, you can't add it again. How do you fix this?

Tags (2)
Highlighted

Re: Unix App and searching Unix Logs

Contributor

If a directory is already added (/var/log), there is no need to add it again. Once added means, it monitors ANY files in there. In the search app, it shouldn't be a problem now to search for evens stored in /var/log although the directory has been added by *nix app.

Highlighted

Re: Unix App and searching Unix Logs

SplunkTrust
SplunkTrust

I think the difficulty arises in that the unix app puts the events into index="os".

1) Try adding index="os" to your search. I bet you'll be able to see the events then.

2) Go to Manager > Authentication > Roles, and you can edit some or all of your roles such that index'os' is implicitly included when searches are run. Be careful though - there are two index sections on those pages and they look different but they do very different things.