Getting Data In

Are my inputs.conf stanzas correct to monitor the following directory structures?

edwardrose
Contributor

Hello All

I have a question about the following directory structures we have.

/var/log2/gns/network/<hostname>/named/log_<hostname>_named
/var/log2/gns/network/<hostname>/dhcpd/log_<hostname>_dhcpd
/var/log2/gns/network/<hostname>/messages/log_<hostname>_messages

Now, if I put the following stanzas into my inputs.conf, will I be able to collect data? I think they might be overlapping, causing no data to come in.

[monitor:://var/log2/gns/network/.../*dhcpd]
host_segment = 5
index = bluecat
sourcetype = dns_dhcpd
source = udp514_syslog

[monitor:://var/log2/gns/network/.../*named]
host_segment = 5
index = bluecat
sourcetype = dns_named
source = udp514_syslog

[monitor:://var/log2/gns/network/.../*messages]
host_segment = 5
index = bluecat
sourcetype = dns_messages
source = udp514_syslog

Are my stanzas correct?

-ed


woodcock
Esteemed Legend

Your stanza header syntax is wrong; it should be like this (1 fewer colon and 1 greater slash):

[monitor:///var/log2/gns/network/*/named/*named]

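Added example, not from any of the posts above and not Splunk's own code: a small Python checker that rejects the "monitor::/" header form, expands the * and ... wildcards over a few constructed sample paths that follow the directory layout in the question, and applies host_segment = 5, so you can see which files each stanza would claim and which host it would assign before restarting the forwarder. The wildcard semantics in monitor_glob_to_regex are my reading of the Splunk docs (an assumption), not something verified against splunkd.

```python
import re
from typing import Dict, List

# Constructed sample file paths following the directory layout in the question.
SAMPLE_PATHS = [
    "/var/log2/gns/network/dns01/named/log_dns01_named",
    "/var/log2/gns/network/dns01/dhcpd/log_dns01_dhcpd",
    "/var/log2/gns/network/dns02/messages/log_dns02_messages",
]

# A correct header is "[monitor://" followed by an absolute path, so the path
# itself supplies the third slash. "monitor::/" (two colons) does not parse.
HEADER_RE = re.compile(r"^\[monitor://(/[^\]]*)\]$")


def parse_monitor_header(line: str) -> str:
    """Return the path pattern from a [monitor://<path>] header.

    Raises ValueError for the "monitor::/" misspelling from the question."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad monitor stanza header: {line!r}")
    return m.group(1)


def header_is_valid(line: str) -> bool:
    """True if the stanza header parses, False otherwise."""
    try:
        parse_monitor_header(line)
        return True
    except ValueError:
        return False


def monitor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate Splunk monitor wildcards into a regex.

    Assumed semantics (my reading of the Splunk docs, not code from the page):
    '*' matches within a single path segment, '...' matches zero or more whole
    segments (recursive)."""
    segments = pattern.split("/")
    regex = ""
    for idx, seg in enumerate(segments):
        last = idx == len(segments) - 1
        if seg == "...":
            # zero or more full segments, each ending in '/'; a trailing '...'
            # simply swallows the rest of the path
            regex += ".*" if last else "(?:[^/]+/)*"
            continue
        regex += re.escape(seg).replace(r"\*", "[^/]*")
        if not last:
            regex += "/"
    return re.compile("^" + regex + "$")


def host_from_segment(path: str, host_segment: int) -> str:
    """Apply host_segment: segment 1 is the first component after the leading '/'."""
    parts = path.split("/")
    if host_segment < 1 or host_segment >= len(parts):
        raise ValueError(f"host_segment={host_segment} out of range for {path}")
    return parts[host_segment]


def matched_files(header: str, paths: List[str], host_segment: int) -> Dict[str, str]:
    """Map each path the stanza would pick up to the host it would be assigned."""
    rx = monitor_glob_to_regex(parse_monitor_header(header))
    return {p: host_from_segment(p, host_segment) for p in paths if rx.match(p)}


def overlapping_paths(headers: List[str], paths: List[str]) -> List[str]:
    """Paths claimed by more than one stanza (the overlap the question worried about)."""
    counts: Dict[str, int] = {}
    for h in headers:
        rx = monitor_glob_to_regex(parse_monitor_header(h))
        for p in paths:
            if rx.match(p):
                counts[p] = counts.get(p, 0) + 1
    return [p for p, n in counts.items() if n > 1]


# The question's three patterns with only the header prefix corrected (monitor://).
CORRECTED_ELLIPSIS_HEADERS = [
    "[monitor:///var/log2/gns/network/.../*dhcpd]",
    "[monitor:///var/log2/gns/network/.../*named]",
    "[monitor:///var/log2/gns/network/.../*messages]",
]

if __name__ == "__main__":
    try:
        parse_monitor_header("[monitor:://var/log2/gns/network/.../*dhcpd]")
    except ValueError as e:
        print("rejected:", e)
    for h in CORRECTED_ELLIPSIS_HEADERS:
        print(h, "->", matched_files(h, SAMPLE_PATHS, host_segment=5))
    print("overlap:", overlapping_paths(CORRECTED_ELLIPSIS_HEADERS, SAMPLE_PATHS))
```

With the prefix fixed, each of the three patterns claims exactly one of the sample files and none of them overlap, and segment 5 of every path is the hostname directory, which is what the question's host_segment = 5 relies on.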

jclehmuth
Path Finder

Were you able to find extractions for the BlueCat logs, or did you do them yourself?



somesoni2
Revered Legend

Good catch 🙂


edwardrose
Contributor

Yeah, I keep staring at this stuff and my eyes go crossed, and I am still a noob administrator.


somesoni2
Revered Legend

I would do something like this

[monitor:://var/log2/gns/network/*/dhcpd/*dhcpd]
host_segment = 5
index = bluecat
sourcetype = dns_dhcpd
source = udp514_syslog

[monitor:://var/log2/gns/network/*/named/*named]
host_segment = 5
index = bluecat
sourcetype = dns_named
source = udp514_syslog

[monitor:://var/log2/gns/network/*/messages/*messages]
host_segment = 5
index = bluecat
sourcetype = dns_messages
source = udp514_syslog

edwardrose
Contributor

I tried that, but the logs were not getting ingested. I am not sure what the issue is, as there are no logs saying there is a failure.
