Getting Data In

How to configure a universal forwarder on a syslog server to monitor logs in this directory structure?

adamblock2
Path Finder

I am interested in configuring a universal forwarder on a syslog server, and have a question regarding how the log data is currently being written.

There are multiple sources which forward log data to the syslog server. Each source is written to a directory structure similar to the following. As the date changes, a new directory is created beneath the logsrc directory.

/logs/logsrc1/2016.05.09
messages
/logs/logsrc1/2016.05.10
messages
/logs/logsrc1/2016.05.11
messages

/logs/logsrc2/2016.05.09
messages
/logs/logsrc2/2016.05.10
messages
/logs/logsrc2/2016.05.11
messages

If each of the log sources is a similar data type, would the following inputs.conf entry correctly forward the data?

[monitor:///logs/]
index=sn_syslog
sourcetype=sn_syslog
recursive=true
0 Karma

mosman_splunk
Splunk Employee
Splunk Employee

you are going to need something like bellow

[monitor:///logs/logsrc*/*.log]
host_segment = 2
sourcetype =locrc
index = test

ignoreOlderThan = 7d

disabled = false

pay attention to line 2 where it take the folder name as host name otherwise it will make everyghing look like it is comming from the syslog server

good luck

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...