I want to monitor log files and some custom files from /tmp/log_folder on a linux server.
On the Linux box, the desired logs are scripted to /tmp/log_folder/ and this folder will be monitored by the UF.
There is a script that runs every hour and clears out any file older than 1 day.
So far, I installed a UF on the server.
Besides creating an inputs app (inputs.conf) on the UF and adding the monitoring stanza
[monitor///tmp/log_folder/*]
index=special_logs
sourcetype = log_sourcetype
ignoreOlderThan = 1d
Do I need to add anything else?
Thank you

To monitor log files under a folder, execute the command (or create inputs.conf):
./splunk add monitor /tmp/log_folder/
To forward logs to the Splunk indexer (outputs.conf):
./splunk add forward-server <splunk-indexer>:<port>
Restart Splunk services on the forwarder and search for the logs.
The /tmp/ folder can't be natively monitored by Splunk, as the splunkd process does not have permission to access your files in /tmp/.
You'd either need to have the files in /tmp generated by splunkd, or give the splunkd process owner extra permissions to access the /tmp files.
You also have to create a file called outputs.conf:
[tcpout]
defaultGroup = default_group
[tcpout:default_group]
server = indexer_ipaddress:port
Also make sure port 9997 is open in the indexer settings.

Your monitor stanza is missing a ':'.
It should be [monitor:///tmp/log_folder/*]
Also, don't forget to grant the user running Splunk read and execute permission on /tmp/log_folder/.
cheers, MuS
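An added pre-flight script (not from this thread, and not Splunk's own tooling) that checks for the two pitfalls raised above: the missing colon in the monitor stanza, and a defaultGroup that does not exactly match its [tcpout:...] stanza, plus read/execute access to the monitored folder. The check_* function names, the 192.0.2.10 indexer address and the sample config text are my own constructions; config is passed in as a string so the script runs without a Splunk install.

```shell
#!/bin/sh
# Pre-flight checks for the UF inputs.conf / outputs.conf pieces discussed
# in this thread (added example). Function names and samples are constructed.

# check_monitor_stanza CONF: succeed only if CONF has a stanza in the correct
# "[monitor://<path>]" form; "[monitor///...]" (no colon) fails here.
check_monitor_stanza() {
    printf '%s\n' "$1" | grep -Eq '^\[monitor://.+\]$'
}

# check_tcpout_group CONF: the group named by defaultGroup must have an exactly
# matching "[tcpout:<group>]" stanza (a stray space breaks the match) and a
# server line of the form host:port.
check_tcpout_group() {
    group=$(printf '%s\n' "$1" \
        | sed -n 's/^defaultGroup[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$group" ] || return 1
    printf '%s\n' "$1" | grep -Fxq "[tcpout:$group]" || return 1
    printf '%s\n' "$1" | grep -Eq '^server[[:space:]]*=[[:space:]]*[^[:space:]]+:[0-9]+'
}

# check_dir_access DIR: run as the Splunk service account; it needs read and
# execute (traverse) permission on the monitored folder.
check_dir_access() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Constructed samples: the two mistakes raised in the thread and their fixes.
BAD_INPUTS='[monitor///tmp/log_folder/*]
index=special_logs'
GOOD_INPUTS='[monitor:///tmp/log_folder/*]
index = special_logs
sourcetype = log_sourcetype
ignoreOlderThan = 1d'
BAD_OUTPUTS='[tcpout]
defaultGroup = default group
[tcpout:default group ]
server = 192.0.2.10:9997'
GOOD_OUTPUTS='[tcpout]
defaultGroup = default_group
[tcpout:default_group]
server = 192.0.2.10:9997'

# report LABEL CMD...: print PASS/FAIL for one check without aborting the run.
report() { label=$1; shift; if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi; }
report "monitor stanza (bad sample)"  check_monitor_stanza "$BAD_INPUTS"
report "monitor stanza (good sample)" check_monitor_stanza "$GOOD_INPUTS"
report "tcpout group (bad sample)"    check_tcpout_group "$BAD_OUTPUTS"
report "tcpout group (good sample)"   check_tcpout_group "$GOOD_OUTPUTS"
```

Run it as the user that splunkd runs as and pass the real folder to check_dir_access to confirm the permission fix MuS describes.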
Thank you for noting the error and advising about the permissions.
I like the simplicity of this way to get the inputs and outputs created.
The outputs.conf should point to your indexers, and the special_logs index should exist.
Bingo! Once you configure outputs.conf and restart the splunkd service on the UF, logs will start flowing into Splunk.
Thank you for the reply and instructions.
Thank you for reminding me to create the outputs app (outputs.conf), which I am actually hopping through an HF first. The HF is configured to send to the indexers.
