- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Getting Data in from SYSLOG / File Monitor- Am I m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting Data in from SYSLOG / File Monitor- Am I missing something?
Hello
We are running Enterprise 8.2.6 (Windows Server). We use a product called Fastvue Syslog Server on another Windows Server as a central Syslog server.
Fastvue Syslog writes out the syslogs into folders such as:
D:\Logs\Syslog\Logs\switch\x.x.x.x\x.x.x.x-YYYY-MM-DD.log
D:\Logs\Syslog\Logs\esx\x.x.x.x\x.x.x.x-YYYY-MM-DD.log
(where x.x.x.x is the syslog client ip address)
The Syslog Server has the Splunk Universal Forwarder installed as is configured to for output Windows Event Logs.
The inputs.conf file has the following added in addition to the eventlogs:
[monitor://D:\Logs\Syslog\Logs\switch\*]
sourcetype = syslog-switch
disabled = false
[monitor://D:\Logs\Syslog\Logs\esx\*]
sourcetype = syslog-esx
disabled = false
On the Splunk Indexer, we can see event logs from the Windows Server, but we are not seeing any syslog message from the logged files?
Am I missing something?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Globbing rules of monitor inputs can be tricky.
https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#MONITOR:
I'd point the input to the whole directory (without wildcards) and set the whitelist to *.log files. (If you don't have any other files in those directories, you can skip the whitelist altogether.
[monitor://D:\Logs\Syslog\Logs\switch]
sourcetype = syslog-switch
disabled = false
whitelist = .*\.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @dasadmin
it seems you have missed to define the index parameter in inputs.conf where the logs should be written
index = abc
Note:- if it helps karma points are appreciated/if it resolves solution acceptance is appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Thanks for the reply.
I was looking at https://docs.splunk.com/Documentation/Splunk/8.2.6/admin/Inputsconf and under GLOBAL SETTINGS is says:
index = <string> * Sets the index to store events from this input. * Primarily used to specify the index to store events that come in through this input stanza. * Default: main (or whatever you have set as your default index)
So I wasn't sure I needed to add anything? Also when I installed the Universal Forwarder on the Windows Server where the Syslog file are, I added a path to the folder to monitor, and this did not add an index tag either?
However, I'll give it a try and see if adding the index tag works.
Thanks
DAS Admin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @dasadmin
without the index name (the index should exist) it would either direct the events to main index or the default index in your settings it imp to define the index for any input source
thanks
Note:- if it helps karma points are appreciated/if it resolves solution acceptance is appreciated
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
