Getting Data In

How to ensure logs generated during Universal Forwarder upgrade are not lost or duplicated?

cboillot
Contributor

We are about to upgrade several hundred Universal Forwarders (UF) in our environment. We want to make sure that any logs that were generated during the upgrade of the UF would not be lost or duplicated. I did find info on current_only, however it seems this is only for the Windows Event Log Monitor, and not the MONITOR:.

Is there anything we need to make sure we have in place?

How will the UF know where the old version left off?

I have tried to look this up, but with all the posts just named Universal Forwarder, I could have overlooked if this has been asked before.

0 Karma
1 Solution

gjanders
SplunkTrust

What you are referring to is inbuilt Splunk functionality, as per Monitor files and directories

When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.

Effectively Splunk keeps a checkpoint of where it got to in a file in the fishbucket (an internal filestore within the forwarder), so unless you're wiping out the Splunk installation directory an upgrade will not cause any issues, as the files will not be deleted by upgrades.

You do have some controls around determining if the file has been seen before in the inputs.conf, in particular refer to initCrcLength. You only need to adjust this if you see issues in the splunkd.log from the forwarder; by default this functionality should just work!

View solution in original post


cboillot
Contributor

Thank you! This is what I thought, but was asked to get verification.

0 Karma

gjanders
SplunkTrust

Not a problem, you can send feedback to the documentation team if it is not clear enough, they are usually happy to take feedback...

0 Karma