I have set up a new server, and I'm trying to get nginx access logs into splunk. This is not working.
These are my config files:
[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = access

[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = error

[default]
host = hostname

[tcpout-server://hostname:8089]

[deployment-client]
clientName = qpp-nginx

[target-broker:deployment-server]
targetUri = hostname:8089

I am not seeing any errors in the Splunk logs, although the Splunk agent is running
Splunk btool check reports, but detects no errors
If I do a search for
sourcetype=access.log nothing comes up, neither
host="ip address" or
Try btool with debug:
inputs list monitor:///var/log/nginx/error.log --debug
and also try
inputs list monitor:///var/log/nginx/error.log --debug | grep
Examples of outputs.conf
The following outputs.conf example contains three stanzas for sending data to Splunk receivers.
Global settings. In this example, there is one setting, to specify a defaultGroup.
Settings for a single target group consisting of two receivers. Here, we specify a load-balanced target group consisting of two receivers.
Settings for one receiver within the target group. In this stanza, you can specify any settings specific to the mysplunk_indexer1 receiver.
Change the receiver (tcpout-server) port. 8089 is the splunkd port that is used for inter-Splunk communication, not for receiving.
Check on the Splunk indexer which port is used for the listener:
splunk display listen
If you see "receiving is disable" then you need to enable it with:
splunk enable listen 9997
or using the UI.
Let me know if it works for you.
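
An added example (not part of the original thread and not Splunk's own tooling): a small Python check for a forwarder's outputs.conf that flags receivers pointing at the management port 8089 described in the answer above. The `my_indexers` group and both sample configs are constructed for illustration; 9997 is the receiving port used in the answer.

```python
import re

MGMT_PORT = 8089  # splunkd management port, per the answer above
# Constructed sample: the asker's stanza plus a hypothetical target group.
SAMPLE_BROKEN = """\
[tcpout]
defaultGroup = my_indexers
[tcpout:my_indexers]
server = hostname:8089
[tcpout-server://hostname:8089]
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("8089", "9997")  # 9997: port from the answer

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for the text of a .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def receivers(stanzas):
    """Yield (stanza, 'host:port') for every receiver the forwarder targets."""
    for name, settings in stanzas.items():
        if name.startswith("tcpout-server://"):
            yield name, name[len("tcpout-server://"):]
        elif name.startswith("tcpout:"):
            for target in filter(None, map(str.strip, settings.get("server", "").split(","))):
                yield name, target

def lint_outputs(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    stanzas, findings = parse_stanzas(text), []
    for stanza, target in receivers(stanzas):
        port = target.rpartition(":")[2]
        if not port.isdigit():
            findings.append(f"[{stanza}] {target}: no port given")
        elif int(port) == MGMT_PORT:
            findings.append(f"[{stanza}] {target}: management port, not a receiving port")
    group = stanzas.get("tcpout", {}).get("defaultGroup")
    if group and f"tcpout:{group}" not in stanzas:
        findings.append(f"[tcpout] defaultGroup {group}: no [tcpout:{group}] stanza")
    return findings
```

Calling `lint_outputs(SAMPLE_BROKEN)` reports both stanzas that target 8089, while `lint_outputs(SAMPLE_FIXED)` returns an empty list.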