Currently, I have a postgres system hosted on Red Hat Linux. I have the Universal Forwarder installed on this postgres system. I am configuring the inputs.conf file as below under /opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf
[monitor:///var/lib/pgsql/data/log]
disabled=0
crcSalt = <SOURCE>
index = pgsql
On Postgres, below are the log files under /var/lib/pgsql/data/log
postgresql-Fri.log postgresql-Mon.log postgres-Sat.log postgres-Tue.log
Issue here: I am not able to see the logs coming into the above index (pgsql); instead they are coming into the main index.
Note: I have to use crcSalt = <SOURCE> due to how Splunk reads the file based on 256 bytes of characters; otherwise I would not be able to see the logs in any index.
@PickleRick, thanks for replying. When I said crcSalt has something to do with the index, my question was only that, using the above configs in the inputs.conf file, data is not coming to the nominated index in Splunk.
I used crcSalt as someone from the Splunk community mentioned to use it; prior to using crcSalt, logs were not coming in at all due to a file length or file bytes issue (how the Splunk UF processes the file names).
I tried all your mentioned options but it did not work; it is still coming to the main index.
Splunk documentation is very light on such issues. I ran
splunk btool inputs list monitor --debug
I could not see what the issue is or how to identify the misconfiguration while running
splunk btool inputs list monitor --debug
Thanks
Splunk docs are actually relatively good, but you need to have a bit of understanding of what's going on underneath.
The btool command I gave you should show you the effective configuration your UF should see (as combined from all config files on your UF according to their priorities).
So in that output you should look for the stanza [monitor:///var/lib/pgsql/data/log] and see what the effective settings are. You'll also see which files the settings come from.
That's one thing. But if the effective settings are pretty much OK and say "index=pgsql" but the events still end up in the "main" index, there must be something going on further down the pipeline - on your indexers (or HFs if you have any in the way).
Are you sure the events are going into the "main" index and we're not talking about the situation that they're not ingested at all?
As I said before - crcSalt is very rarely the right option for you. Usually you should rather increase the initCrcLength parameter value. Anyway, if your postgres logs are defined typically, events should contain timestamps, so your files should get (re)monitored even after rolling over because the CRC would differ. So are you sure that it's not a case of the files not being monitored at all? Do you get any other logs from that forwarder? Does the
splunk list monitor
command show the postgres logs?
What is the status of those log files if you do
splunk list inputstatus
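To make the btool step concrete, here is an added Python example (not Splunk's code and not from anyone in this thread) that merges constructed inputs.conf layers in the precedence order a forwarder uses (system/local over app/local over app/default over system/default, assuming a single app) and reports the file each effective setting comes from, the way `btool --debug` does. The file paths and contents are constructed samples, and the system/local stanza is a made-up override included to show how `index = pgsql` in the app's local file can end up resolving to main.

```python
"""Emulate `splunk btool inputs list --debug` for one stanza: merge inputs.conf
layers in precedence order and record the file each effective setting came from."""
import configparser

# Lowest to highest precedence in the global (forwarder) context, assuming a
# single app. Paths and contents are constructed samples, not read from disk.
LAYERS = [
    ("/opt/splunk/etc/system/default/inputs.conf",
     "[default]\nindex = main\nhost = pg01\n"),
    ("/opt/splunk/etc/apps/SplunkForwarder/default/inputs.conf", ""),
    ("/opt/splunk/etc/apps/SplunkForwarder/local/inputs.conf",
     "[monitor:///var/lib/pgsql/data/log]\n"
     "disabled = 0\ncrcSalt = <SOURCE>\nindex = pgsql\n"),
    # A stray stanza in system/local silently wins over the app's local file.
    ("/opt/splunk/etc/system/local/inputs.conf",
     "[monitor:///var/lib/pgsql/data/log]\nindex = main\n"),
]
PG_STANZA = "monitor:///var/lib/pgsql/data/log"

def merge_layers(layers):
    """Return {stanza: {key: (value, source_path)}}; later layers override."""
    merged = {}
    for path, text in layers:
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__none__")
        cp.optionxform = str  # keep key case (crcSalt, initCrcLength)
        cp.read_string(text)
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault(stanza, {})[key] = (value, path)
    return merged

def effective_setting(merged, stanza, key):
    """Stanza value first, then [default] (assumption: a stanza-specific key
    beats [default] whatever layer each came from)."""
    for name in (stanza, "default"):
        if key in merged.get(name, {}):
            return merged[name][key]
    return (None, None)

def report(merged, stanza, keys=("index", "disabled", "crcSalt", "host")):
    """btool-style lines showing which file supplied each effective setting."""
    lines = []
    for key in keys:
        value, src = effective_setting(merged, stanza, key)
        lines.append(f"{src}  {key} = {value}")
    return lines
```

Compare the lines `report(merge_layers(LAYERS), PG_STANZA)` returns with what the real `btool --debug` prints for the stanza: in this constructed setup `index` resolves to main from system/local even though the app's local file says pgsql.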
1. crcSalt has nothing to do with destination index.
2. Check your config with btool
splunk btool inputs list monitor --debug
3. You did restart your UF?
4. crcSalt is very rarely a good choice. Usually it's better to just raise the initCrcLength parameter
5. Please use preformatted style or code block when pasting conf excerpts.