I have a Red Hat server running rsyslog. Everything is logging but 1 log is not feeding into Splunk. The rsyslog.conf file is configured properly and the log is populating under /opt/remote_logs/. Any ideas?
From duplicate post:
I am running a Red Hat server with rsyslog. I have an LDAP server pushing logs to rsyslog in a lab environment that is mirrored to the production server. It is logging and feeding into Splunk. When I switch over to the production server, it will not log in rsyslog. The rsyslog.conf is properly configured and I have confirmed that the production LDAP server is configured properly too. Any ideas?
New sourcetypes on your syslog server need to have the monitor added to your inputs.conf. For example, I added new logging from my NetScalers, so I updated my rsyslog.conf on the syslog server. I then had to update my inputs.conf for syslog on my deployment server and add the monitor for this new sourcetype.
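As an added example (not from this thread or from Splunk), the following script checks an rsyslog output directory against an inputs.conf and reports the per-source directories that no [monitor://] stanza covers, which is exactly the gap described above. The directory layout, stanza contents, sourcetype names and index are constructed for the demo; adjust them to your deployment server's inputs.conf.

```sh
#!/bin/sh
# Find rsyslog output directories that have no [monitor://...] stanza in a
# Splunk inputs.conf. All paths and sourcetypes below are constructed samples.

# List the paths declared in [monitor://...] stanzas of the given inputs.conf.
monitor_paths() {
  sed -n 's|^\[monitor://\([^]]*\)\].*$|\1|p' "$1"
}

# Exit 0 if path $1 is a monitor path itself or lies beneath one declared in
# inputs.conf $2. Stanza paths may use shell-style wildcards (unquoted $m).
is_monitored() {
  monitor_paths "$2" | {
    while IFS= read -r m; do
      case "$1" in $m|$m/*) exit 0 ;; esac
    done
    exit 1
  }
}

# Print each immediate subdirectory of the rsyslog output dir ($1) that no
# stanza in inputs.conf ($2) covers (one per line).
unmonitored_dirs() {
  for d in "$1"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue
    is_monitored "$d" "$2" || echo "$d"
  done
}

# Demo on a constructed layout: rsyslog writes one directory per source, but
# inputs.conf only has a stanza for the netscaler directory, not the ldap one.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/logs/netscaler" "$demo_root/logs/ldap"
cat > "$demo_root/inputs.conf" <<EOF
[monitor://$demo_root/logs/netscaler]
sourcetype = netscaler_syslog
index = main
EOF
for d in $(unmonitored_dirs "$demo_root/logs" "$demo_root/inputs.conf"); do
  echo "no monitor stanza covers $d; suggested stanza to add:"
  printf '[monitor://%s]\nsourcetype = %s_syslog\nindex = main\n' "$d" "${d##*/}"
done
rm -rf "$demo_root"
```

Run it with the real paths on the syslog server (or the deployment server's copy of inputs.conf) to see which rsyslog destinations Splunk has never been told to read.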
Is your universal forwarder configured correctly?
Not using a universal forwarder. LDAP is forwarding logs to Splunk rsyslog.
Splunk is a different thing than rsyslog.
rsyslog catches syslog and writes to a file (or does other tricks with it), where a Splunk forwarder then monitors that file....
http://www.georgestarcher.com/splunk-success-with-syslog/
can you clarify your set up?
I have a Red Hat server dedicated to Splunk. It is running rsyslog. All of my hosts that cannot use a universal forwarder send their logs to rsyslog and then get fed into Splunk. Everything is logging and writing to file, but only one is not viewable on the search head.
OK, have you set up a monitor in Splunk to go get that file?
https://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Monitorfilesanddirectories
Thank you. I got it working. I forgot that the monitors were in inputs.conf on my deployment server.
Nice! Be sure to post an answer and accept it so that future Splunkers can see what you checked!
Start by confirming your inputs are working by using ./splunk list inputstatus on the forwarder and looking for the status of that particular input, or by checking index=_internal source=*splunkd.log tailreader and looking for your filename.
If your inputs are correct then the tailreader should have found that file and it will tell you what it has done with it thus far.
Also, you could check index=* source=yourFileName over All Time, to ensure you aren't dealing with wacky timestamping.