Need help ingesting /var/log/mail.log.1

rene_splunk · ‎02-27-2024

I have a number of log-rotated files for mail.log in the /var/log folder on a unix system. The /var/log/mail.log file gets ingested just fine, so I know permissions aren't an issue. However, I'd like to also ingest the older data that was log-rotated, but for the purpose of ingesting, those files were untarred again, so I have mail.log.1 to mail.log.4

I have tried numerous stanzas and regexes in the whitelist, but none lead to the older data getting ingested.

The one I currently have in place is:

[monitor:///var/log/]
index = postfix
sourcetype = postfix_syslog
whitelist = (mail\.log$|mail\.log\.\d+)

Thanks for any suggestions in advance.

rene_splunk · ‎02-27-2024

Thanks Giuseppe,

I don't see any historical data in my index as yet, this is what's in the splunkd.log file

gcusello · ‎02-27-2024

Hi @rene_splunk,

please try this:

[monitor:///var/log/mail.log*]
index = postfix
sourcetype = postfix_syslog

Ciao.

Giuseppe

Need help ingesting /var/log/mail.log.1

inputs.conf

universal forwarder

whitelist

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Need help ingesting /var/log/mail.log.1

inputs.conf

universal forwarder

whitelist

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem