How to configure a universal forwarder on a syslog server to monitor logs in this directory structure?

I am interested in configuring a universal forwarder on a syslog server, and have a question regarding how the log data is currently being written.

There are multiple sources which forward log data to the syslog server. Each source is written to a directory structure similar to the following. As the date changes, a new directory is created beneath the logsrc directory.

/logs/logsrc1/2016.05.09/
    messages
/logs/logsrc1/2016.05.10/
    messages
/logs/logsrc1/2016.05.11/
    messages

/logs/logsrc2/2016.05.09/
    messages
/logs/logsrc2/2016.05.10/
    messages
/logs/logsrc2/2016.05.11/
    messages

If each of the log sources is a similar data type, would the following inputs.conf entry correctly forward the data?

[monitor:///logs/]
index=sn_syslog
sourcetype=sn_syslog
recursive=true
Splunk Employee

You are going to need something like below:

# Wildcards in the monitor path: `*` matches within one path segment,
# `...` recurses into subdirectories, so this picks up
# /logs/logsrcN/<date>/messages as new date directories appear.
[monitor:///logs/logsrc*/.../messages]
host_segment = 2
sourcetype = locrc
index = test
# Files whose modification time is older than 7 days are skipped.
ignoreOlderThan = 7d
disabled = false

Pay attention to line 2, where it takes the folder name as the host name; otherwise it will make everything look like it is coming from the syslog server.

good luck

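Before pushing a stanza like the one above to a forwarder, it is worth checking offline which files the monitor path actually matches and which path segment host_segment will turn into the host. The script below is an added example, not code from the thread or from Splunk: it imitates the two inputs.conf behaviours discussed here (path wildcards, where `*` matches within one path segment and `...` recurses through subdirectories, and 1-based host_segment counting) against a constructed copy of the directory layout from the question. The wildcard-to-regex translation is my approximation of Splunk's matching rules, not Splunk's own code.

```python
"""Dry-run a Splunk [monitor://] path and host_segment against a file list.

Added example, not from the original thread. It approximates two inputs.conf
behaviours: monitor-path wildcards (`*` matches within a single path segment,
`...` recurses through any depth of subdirectories) and host_segment, which
takes the N-th path segment (counted from 1) of each matched file as the host.
"""
import re
from typing import Dict, List

# Constructed sample of the directory layout described in the question,
# plus one unrelated file to show what the pattern must NOT pick up.
SAMPLE_FILES = [
    "/logs/logsrc1/2016.05.09/messages",
    "/logs/logsrc1/2016.05.10/messages",
    "/logs/logsrc1/2016.05.11/messages",
    "/logs/logsrc2/2016.05.09/messages",
    "/logs/logsrc2/2016.05.10/messages",
    "/logs/logsrc2/2016.05.11/messages",
    "/logs/other/notes.txt",
]


def monitor_path_to_regex(monitor_path: str) -> "re.Pattern[str]":
    """Translate a monitor path into an anchored regex (my approximation).

    `...` becomes `.*` (crosses directory boundaries), `*` becomes `[^/]*`
    (stays inside one segment), everything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def host_from_segment(path: str, host_segment: int) -> str:
    """Return the host that host_segment = N would assign to `path`.

    Segments are counted from 1 at the first directory, so for
    /logs/logsrc1/2016.05.09/messages segment 1 is 'logs', 2 is 'logsrc1',
    3 is the date directory. host_segment = 2 is what the answer wants.
    """
    segments = [s for s in path.split("/") if s]
    if not 1 <= host_segment <= len(segments):
        raise ValueError(f"host_segment={host_segment} is out of range for {path}")
    return segments[host_segment - 1]


def dry_run(monitor_path: str, host_segment: int,
            files: List[str] = SAMPLE_FILES) -> Dict[str, str]:
    """Map every file the stanza would monitor to the host it would receive."""
    pattern = monitor_path_to_regex(monitor_path)
    return {f: host_from_segment(f, host_segment) for f in files if pattern.match(f)}


if __name__ == "__main__":
    # The corrected stanza path with host_segment = 2: six files, host per source.
    for path, host in dry_run("/logs/logsrc*/.../messages", 2).items():
        print(f"{path} -> host={host}")
    # A path ending in *.log matches nothing here, because the files are
    # named 'messages' and sit one directory level deeper.
    print("matches for /logs/logsrc*/*.log:", dry_run("/logs/logsrc*/*.log", 2))
```

Running it shows the six `messages` files mapped to `logsrc1` or `logsrc2`, and an empty result for a `*.log` pattern, which is the quickest way to catch a stanza that silently monitors nothing.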