I have set up a new server, and I'm trying to get nginx access logs into splunk. This is not working.
These are my config files:
[monitor:///var/log/nginx/access.log] disabled = false sourcetype = access [monitor:///var/log/nginx/error.log] disabled = false sourcetype = error [default] host =hostname
[tcpout-server://hostname:8089] [deployment-client] clientName = qpp-nginx [target-broker:deployment-server] targetUri = hostname:8089
I am not seeing any errors in the Splunk logs, although the Splunk agent is running
Splunk btool check reports, but detects no errors
If I do a search for
sourcetype=access.log nothing comes up, neither
host="ip address" or
change the receiver (tcpout-server) port. 8089 is the splunkd port that is used for inter-splunk communication, not for receiving.
check on the splunk indexer which port is used for listener:
splunk display listen
if you see "receiving is disable" then you need to enable it with:
splunk enable listen 9997
or using UI.
Let me know if it works for you.
Examples of outputs.conf
The following outputs.conf example contains three stanzas for sending data to Splunk receivers.
Global settings. In this example, there is one setting, to specify a defaultGroup.
Settings for a single target group consisting of two receivers. Here, we specify a load-balanced target group consisting of two receivers.
Settings for one receiver within the target group. In this stanza, you can specify any settings specific to the mysplunkindexer1 receiver.
try btool with debug:
inputs list monitor:///var/log/nginx/error.log --debug
and also try
inputs list monitor:///var/log/nginx/error.log --debug | grep