Hi folks,
I have a host that is sending different logs to Splunk; this host sends various logs successfully except for the syslog-ng logs.
Here you have an example of the inputs config (there are 3 inputs in this way not being received by Splunk):
[monitor:///store/data/log/cisco_ise]
disabled = false
host = xxxxxxxxxx
index = syslog
sourcetype = cisco:ise
Does anyone have an idea of steps I can follow to troubleshoot this?
Thanks in advance,
I'm guessing it's a permission issue with your syslog-ng directory. I would check that the user running Splunk has the proper permissions to ingest the logs. I would compare the permissions of the files that work to the syslog-ng files.
If the host is having problems reading certain logs or sending them to the indexers then there should be messages to that effect in splunkd.log.
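Both suggestions above can be checked offline with a small script. This is an added example for this thread, not Splunk's own code or anything posted by the people above; the splunk user's uid/gids, the sample file ownership and the splunkd.log lines are all constructed to mirror the question's stanza.

```python
"""Offline checker for a Splunk [monitor://] input that is not being ingested.
It applies the two suggestions in the thread: (1) decide whether the user
running splunkd could read each file under the monitored path from its
owner/group/mode bits, and (2) pull the WARN/ERROR splunkd.log lines that
mention that path. All sample data below is constructed."""
import re
import stat

STANZA_RE = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]")

def monitor_path(stanza_header):
    """Return the filesystem path from a [monitor://...] stanza header."""
    m = STANZA_RE.match(stanza_header.strip())
    return m.group("path") if m else None

def readable_by(mode, uid, gid, user_uid, user_gids):
    """True if a user with user_uid / user_gids can read a file with the
    given st_mode, st_uid and st_gid (root always can). Parent directories
    also need the execute bit to be traversed; check those separately."""
    if user_uid == 0:
        return True
    if uid == user_uid:
        return bool(mode & stat.S_IRUSR)
    if gid in user_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def splunkd_lines_for(path, log_lines):
    """Return WARN/ERROR splunkd.log lines that mention the monitored path."""
    return [l for l in log_lines if path in l and re.search(r"\b(WARN|ERROR)\b", l)]

# Constructed sample files as (st_mode, st_uid, st_gid); the syslog-ng file
# is root:root 0640, the working file is world-readable.
SAMPLE_FILES = {
    "/store/data/log/cisco_ise/ise.log": (0o640, 0, 0),
    "/store/data/log/other/app.log":     (0o644, 0, 0),
}
# Constructed splunkd.log lines, not real Splunk output.
SAMPLE_SPLUNKD_LOG = [
    "INFO  TailingProcessor - Adding watch on path: /store/data/log/cisco_ise.",
    "WARN  FileInputTracker - Insufficient permissions to read file='/store/data/log/cisco_ise/ise.log'.",
    "INFO  TailingProcessor - Adding watch on path: /store/data/log/other.",
]

def report(user_uid=1001, user_gids=(1001,)):
    """Map each sample file to whether the (assumed) splunk user can read it."""
    return {p: readable_by(m, u, g, user_uid, user_gids) for p, (m, u, g) in SAMPLE_FILES.items()}
```

On a real host, replace the constructed samples with `os.stat()` results for the files under the monitored path, the splunk user's `pwd`/`grp` entries, and the contents of `$SPLUNK_HOME/var/log/splunk/splunkd.log`.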