Getting Data In

How to create an outputs.conf file for access and error logs?

Explorer

how do I got about creating an outputs.conf file for

/var/log/nginx/access.log
/var/log/nginx/error.log

thanks

0 Karma

Legend

You have to configure inputs.conf with two stanzas like this:

[monitor:///var/log/nginx/access.log]
disabled=0
index=your_index
sourcetype=access

[monitor:///var/log/nginx/error.log]
disabled=0
index=your_index
sourcetype=error

Inputs.conf is localized in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/yourapp/local
for details see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

outputs.conf isn't used to ingest logs, but to address the logs to forward to your indexes (see http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf).

Bye.
Giuseppe

0 Karma

SplunkTrust
SplunkTrust

The only purpose of outputs.conf is to define where the forwarder should send the data to. So if you want the data from the above 2 log files, you will define this in your SPLUNK_HOME/etc/system/local/inputs.conf file then create an outputs.conf file in the same directory and have it point to your indexer(s)

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf

Explorer

where do i define this paths in the output.confs file?

0 Karma

SplunkTrust
SplunkTrust

Your inputs.conf will look like this

[default]
host = YOUR_HOSTNAME

[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = YOUR_SOURCETYPE
index = YOUR_INDEX

Your outputs.conf will look like this

[tcpout]
defaultGroup = xxx.xx.xx.xxx_9997

[tcpout:xxx.xx.xx.xxx_9997]
server = xxx.xx.xx.xxx:9997

[tcpout-server://xxx.xx.xx.xxx:9997]

Where the x' s represent your indexer IP address

This will be under /etc/system/local

0 Karma