Few problems here:
By default, there is no index called audit_index.
But more importantly, the way splunk handles the audit file is.. black magic. The events are put directly into the indexing queue, and also written out the file. We never read the data from the file into the index. In order to make this work, we have a rule that arranges for the audit.log data to be null routed when tailed.
Options:
Few problems here:
By default, there is no index called audit_index.
But more importantly, the way splunk handles the audit file is.. black magic. The events are put directly into the indexing queue, and also written out the file. We never read the data from the file into the index. In order to make this work, we have a rule that arranges for the audit.log data to be null routed when tailed.
Options:
Symbolic link is able to read the file, which is pointing to same file. But why not the same file directly, any reason for so?
The reason is to avoid having that data in the index twice. The mechanism is as already stated. Please do not adjust the mechanism, it will make you sad.
Got you. Sorry to bother much but I am not understanding one point here.
Just curious to know file which we are not able to monitor from an another instance of splunk, can be monitored through symbolic link which is pointing to the same file. It will be really helpful for me, if you can let me know a bit more deeply.
Thanks a lot in advance.
Thank you.