I have set up a new server, and I'm trying to get nginx access logs into splunk. This is not working.
These are my config files:
cat inputs.conf
[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = access
[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = error
[default]
host = hostname
outputs.conf
[tcpout-server://hostname:8089]
[deployment-client]
clientName = qpp-nginx
[target-broker:deployment-server]
targetUri = hostname:8089
I am not seeing any errors in the Splunk logs, although the Splunk agent is running.
Splunk btool check reports, but detects no errors.
If I do a search for sourcetype=access.log, nothing comes up, and neither does host="ip address" or host="hostname".
Try btool with debug.
Example:
splunk btool inputs list monitor:///var/log/nginx/error.log --debug
and also try
splunk btool inputs list monitor:///var/log/nginx/error.log --debug | grep
Examples of outputs.conf
The following outputs.conf example contains three stanzas for sending data to Splunk receivers.
Global settings. In this example, there is one setting, to specify a defaultGroup.
Settings for a single target group consisting of two receivers. Here, we specify a load-balanced target group consisting of two receivers.
Settings for one receiver within the target group. In this stanza, you can specify any settings specific to the mysplunk_indexer1 receiver.
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
[tcpout-server://mysplunk_indexer1:9997]
Hello @marcrsplunk,
Change the receiver (tcpout-server) port. 8089 is the splunkd port that is used for inter-Splunk communication, not for receiving.
Check on the Splunk indexer which port is used for the listener:
splunk display listen
If you see "receiving is disable" then you need to enable it with:
splunk enable listen 9997
or using the UI.
Let me know if it works for you.
Good luck!
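A small check for the misconfiguration discussed in this thread, as an added example that is not part of any post above and is not Splunk tooling: it parses an outputs.conf and flags forwarding targets on port 8089 and a missing default target group. The function names are hypothetical; the two sample configs are copied from this page.

```python
import re

MGMT_PORT = "8089"  # splunkd management port, per the answer above

# Both samples are copied from this page: the question's outputs.conf and the quoted example.
POSTED = """[tcpout-server://hostname:8089]
[deployment-client]
clientName = qpp-nginx
[target-broker:deployment-server]
targetUri = hostname:8089
"""
EXAMPLE = """[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
[tcpout-server://mysplunk_indexer1:9997]
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_outputs(text):
    """Return findings for a forwarder outputs.conf; an empty list means none."""
    conf, findings = parse_conf(text), []
    groups = {n.split(":", 1)[1]: b for n, b in conf.items() if n.startswith("tcpout:")}
    default = conf.get("tcpout", {}).get("defaultGroup", "")
    wanted = [g.strip() for g in default.split(",") if g.strip()]
    if not wanted:
        findings.append("[tcpout] sets no defaultGroup")
    for g in wanted:
        if not groups.get(g, {}).get("server"):
            findings.append(f"group {g}: no [tcpout:{g}] stanza with a server list")
    # Only tcpout targets are checked; other stanzas (e.g. targetUri) are ignored.
    targets = {s.strip() for b in groups.values() for s in b.get("server", "").split(",")}
    targets |= {n[len("tcpout-server://"):] for n in conf if n.startswith("tcpout-server://")}
    for target in sorted(t for t in targets if t):
        if target.rpartition(":")[2] == MGMT_PORT:
            findings.append(f"{target}: port {MGMT_PORT} is the management port, not a receiver")
    return findings
```

Calling `check_outputs(POSTED)` returns two findings, while `check_outputs(EXAMPLE)` returns an empty list.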