Hi @DavidHourani

I add this configuration in the inputs.conf

[monitor:///var/log/mariadb/mariadb.log]
index = logmariadb  
sourcetype = mariadb

And I receive the logs of this configuration so I don't think it can come from permissions, well it would be weird that I can only for one.
But I'm still going to try monitoring another file in /tmp

it's on /var/log/secure.log and the http folder, not on any new subfolder you create with the right permissions 🙂

You're right, I tried replacing with log files from /tmp and it works.

yeah I had the same problem before, you need to either change the permissions on your server logs (which i dont recommend) or apply an ACL as shown here :
https://serverfault.com/questions/258827/what-is-the-most-secure-way-to-allow-a-user-read-access-to-...

Ok thank you

most welcome ! please up-vote and accept if this was helpful !

Yes the indexes have been created on the central splunk instance

There is no problem with the time

In index=_internal there are event from this forwarder which contains this error

"DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected"

With this error I noticed that I had not activated the port 8089 in the firewall but I still don't receive the logs in the indexes

If the internal logs are being forwarded, the issue clearly is not with the forwarding side of things. 2 main options remaining: an issue on the input side, or for some reason the data is indexed, but you can't see it (hence my suggestion to look at all time).

Probably best to first confirm whether the input is working. Should be quite clear in the internal logs whether the input started and whether it picked up any of the files, or whether it is reporting errors / warnings.

I restarted the server to see the internal logs at startup.
I could see in the logs that the forwarder picked the file (for input) enter code here

Tailing Procesor Adding watch on path "path configured in input.conf"

I also noticed that but I don't know if this is an error.

Serverconfig Found no site defined in server.conf

Failed to initialize http_proxy from server.conf      -> same error for https_proxy and no_proxy

But this time to my great surprise I received the logs for mariadb ( configure in inputs.conf this morning)
configuration:

[monitor:///var/log/mariadb/mariadb.log]
index = logmariadb  
sourcetype = mariadb

So the problem may be the configuration of inputs.conf but I don't see where the mistakes could be in this case.

The outputs configuration is

[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://172.16.0.49:9997]
[tcpout:default-autolb-group]
disabled = false
server = 172.16.0.49:9997

To compare with the right configuration there is just the "disabled = false" in addition
Yes it's a new indexer and the opening port 9997 run on the indexer

Are there any errors or messages regarding outputs on the forwarder's splunkd.log? Anything that confirms that it's monitoring the files?

Yes there's this message since yesterday from 4:22 p. m.

INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.16.0.48_8089_172.16.0.48_srv-test-splunk_3079F50F-8312-40B1-B17B-A33BCB6BCEC2

This part "connection_172.16.0.48_8089_172.16.0.48_srv-test-splunk_3079F50F-8312-40B1-B17B-A33BCB6BCEC2" means he's trying to connect to this ip?

There is this message since I opened the firewall port 8089 on the central splunk instance to fix this error

    DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

and the last "different" message there was

 INFO  DC:HandshakeReplyHandler - Handshake done.

So I guess I fixed the mistake with the handshake