I have a Red Hat server running rsyslog. Everything is logging but 1 log is not feeding into Splunk. The rsyslog.conf file is configured properly and the log is populating under /opt/remote_logs/. Any ideas?
From duplicate post:
I am running a Red Hat server with rsyslog. I have an LDAP server pushing logs to rsyslog in a lab environment that is mirrored to the production server. It is logging and feeding into Splunk. When I switch over to the production server, it will not log in rsyslog. The rsyslog.conf is properly configured and I have confirmed that the production LDAP server is configured properly too. Any ideas?
Start by confirming your inputs are working by using
./splunk list inputstatus on the forwarder and look for the status of that particular input, or by checking
index=_internal source=*splunkd.log tailreader and look for your filename.
If your inputs are correct then the tailreader should have found that file and it will tell you what it has done with it thus far.
Also, you could check
index=* source=yourFileName ALLTIME, to ensure you aren't dealing with wacky timestamping.
Splunk is a different thing than rsyslog.
rsyslog catches syslog and writes to a file (or does other tricks with it), where a Splunk forwarder then monitors that file....
can you clarify your set up?
I have a Red Hat server dedicated to Splunk. It is running rsyslog. All of my hosts that cannot use a universal forwarder send their logs to rsyslog and then get fed into Splunk. Everything is logging and writing to file, but only one is not viewable on the Search Head.
New sourcetypes on your syslog server need to have the monitor added to your inputs.conf. For example, I added new logging from my NetScalers, so I updated my rsyslog.conf on the syslog server. I then had to update my inputs.conf for syslog on my deployment server and add the monitor for this new sourcetype.
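The two answers above both come down to the same check: is the file rsyslog is writing under /opt/remote_logs/ actually covered by a [monitor://...] stanza in the forwarder's inputs.conf, and is it not excluded by a blacklist? The script below is an added example, not code from the thread or from Splunk; it parses a constructed inputs.conf (the stanza paths, sourcetypes, index and blacklist in it are made-up samples) and reports which stanza, if any, would pick up a given path. It assumes Splunk's monitor wildcard semantics (a `*` matches within one path segment, `...` recurses across directories, and whitelist/blacklist are regexes tested against the full path); the host and file names it tests are also constructed.

```python
"""Check whether a log file under the rsyslog output tree is covered by a
[monitor://...] stanza in a Splunk forwarder's inputs.conf.

Added example for this thread, not Splunk's own code.  Assumes Splunk's
monitor wildcard rules: '*' matches inside one path segment, '...' recurses
across directories, whitelist/blacklist are regexes applied to the full path.
"""
import re
from configparser import ConfigParser
from typing import Dict, List, Optional

# Constructed inputs.conf: an existing syslog monitor and a recursive
# monitor for secure logs.  A new NetScaler path that was added only to
# rsyslog.conf has no stanza here, which is the situation in the thread.
SAMPLE_INPUTS_CONF = """
[monitor:///opt/remote_logs/*/syslog.log]
sourcetype = syslog
host_segment = 3
index = main

[monitor:///opt/remote_logs/.../secure*]
sourcetype = linux_secure
blacklist = \\.gz$
"""


def _wildcard_to_regex(spec: str) -> "re.Pattern":
    """Translate a Splunk monitor path into an anchored regex."""
    out = []
    i = 0
    while i < len(spec):
        if spec.startswith("...", i):
            out.append(".*")        # '...' recurses across directories
            i += 3
        elif spec[i] == "*":
            out.append("[^/]*")     # '*' stays within one path segment
            i += 1
        else:
            out.append(re.escape(spec[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_monitors(text: str) -> List[Dict[str, str]]:
    """Return every [monitor://...] stanza as a dict of its settings plus 'path'."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(text)
    monitors = []
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue
        opts = dict(parser.items(section))
        opts["path"] = section[len("monitor://"):]
        monitors.append(opts)
    return monitors


def matching_stanza(path: str, monitors: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """First stanza whose path wildcard accepts `path` and whose whitelist/
    blacklist do not reject it; None means the forwarder will never read it."""
    for m in monitors:
        if not _wildcard_to_regex(m["path"]).match(path):
            continue
        if "whitelist" in m and not re.search(m["whitelist"], path):
            continue
        if "blacklist" in m and re.search(m["blacklist"], path):
            continue
        return m
    return None


def explain(path: str, conf_text: str = SAMPLE_INPUTS_CONF) -> str:
    """One-line verdict for a path, suitable for checking each rsyslog output file."""
    m = matching_stanza(path, parse_monitors(conf_text))
    if m is None:
        return f"NOT MONITORED: {path} matches no [monitor://] stanza; add one to inputs.conf"
    return f"monitored by [monitor://{m['path']}] as sourcetype={m.get('sourcetype', '(default)')}"


if __name__ == "__main__":
    for p in ("/opt/remote_logs/ldap01/syslog.log",          # constructed paths
              "/opt/remote_logs/dmz/ldap02/secure.log",
              "/opt/remote_logs/dmz/ldap02/secure.log.gz",
              "/opt/remote_logs/netscaler01/ns.log"):
        print(explain(p))
```

Point it at the real inputs.conf (or the merged view from `splunk btool inputs list --debug`, which shows which app each stanza comes from) and the exact path rsyslog is writing; a NOT MONITORED result is the case from the last answer, and a path that matches by wildcard but is then blacklisted is the other common reason a single file never reaches the search head even though everything beside it does.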