Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure a universal forwarder to keep rotated log sizes to 25MB each?

ozbillwang
New Member
‎09-15-2015 06:49 PM

I installed the Splunk universal forwarder (agents) on several clients, running several days.

# pwd
/opt/splunkforwarder/etc
# grep metric log.cfg
# metrics spews a lot of logs, let's not pollute the other files.
appender.metrics=RollingFileAppender
appender.metrics.fileName=${SPLUNK_HOME}/var/log/splunk/metrics.log
appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=5
appender.metrics.layout=PatternLayout
appender.metrics.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.Metrics=INFO,metrics
category.StatusMgr=INFO,metrics

# ls -lctr |grep metric
-rw-------. 1 root root 115789498 Sep 15 17:51 metrics.log.5
-rw-------. 1 root root 110047302 Sep 15 17:51 metrics.log.4
-rw-------. 1 root root 110284563 Sep 15 17:51 metrics.log.3
-rw-------. 1 root root  25926442 Sep 15 17:51 metrics.log.2
-rw-------. 1 root root  82850928 Sep 15 17:51 metrics.log.1
-rw-------. 1 root root  62256009 Sep 16 11:35 metrics.log

Have the setting (max 25MB, and 5 backups), but the rotate log sizes are from 25MB ~ 110MB. Anything wrong and how can I fix it?

I need the rotate log keep the size in 25MB each.

0 Karma
Reply

ddrillic
Ultra Champion
‎02-11-2016 07:02 AM

Looking at the set-up here and it looks good -

-rw-------. 1 splnkfwd splnkfwd 24M Feb 4 07:57 metrics.log.5
-rw-------. 1 splnkfwd splnkfwd 24M Feb 5 18:41 metrics.log.4
-rw-------. 1 splnkfwd splnkfwd 24M Feb 7 05:35 metrics.log.3
-rw-------. 1 splnkfwd splnkfwd 24M Feb 8 16:24 metrics.log.2
-rw-------. 1 splnkfwd splnkfwd 24M Feb 10 03:13 metrics.log.1
-rw-------. 1 splnkfwd splnkfwd 21M Feb 11 08:55 metrics.log
-rw-------. 1 splnkfwd splnkfwd 9.3M Feb 11 08:55 splunkd.log

$ grep metric log.cfg

metrics spews a lot of logs, let's not pollute the other files.

appender.metrics=RollingFileAppender
appender.metrics.fileName=${SPLUNK_HOME}/var/log/splunk/metrics.log
appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=5
appender.metrics.layout=PatternLayout
appender.metrics.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.Metrics=INFO,metrics
category.StatusMgr=INFO,metrics

0 Karma
Reply

koshyk
Super Champion
‎02-11-2016 06:26 AM

We also having the same issue.(Though the default is 25MB files are more than 25MB) Were you able to find the root cause?

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎09-16-2015 09:30 AM

1.They arent running in debug mode are they? 2. Have you upgraded or re-installed the UFs? (log.cfg will be overwritten. Use log-local.cfg instead.)

Reply

ozbillwang
New Member
‎09-16-2015 05:01 PM

Thanks @rroberts. Debug is not enable and no log-local.cfg. 

[splunkforwarder]# pwd
/opt/splunkforwarder

[splunkforwarder]# grep -i debug etc/log.cfg
# This file contains the debugging output controls
# Customers can change debugging levels as needed with output going to

[splunkforwarder]# find . -type f |grep log|grep local
[splunkforwarder]#
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top