
Powershell Input Log File "splunk-powershell.ps1.log" gets very large and never rolls


As part of the new Powershell modular input, Splunk will execute Powershell scripts through its own built-in controls and functions.

This ultimately will call "splunk-powershell.exe", which in turn will call three .ps1 scripts, all located in the SplunkUniversalForwarder/bin directory. Inside a script called "splunk-powershell.ps1", it outlines the logging levels and location.

This will output a log file into SplunkUniversalForwarder/var/log/splunk/splunk-powershell.ps1.log as part of that script.

Because this logging looks to all be controlled in these files and I see nothing in this script that states any kind of "logging maintenance" or rotation, what is happening is my log file has gotten rather large. 1.8GB large, to be exact.

Is there any way to manage this file through log.cfg (and its associated other cfg files) under the /etc directory? Or am I going to need to modify the splunk-powershell.ps1 file itself (Really not ideal at all)? Or is there something else I should look at to fix this?

Obviously I have underlying scripting issues that are causing the log file to fill up rather quickly (that 1.8GB was all generated between Aug 2 and today). But the underlying issue here is that we have essentially a mechanism to generate a run-away log file that could have catastrophic effects on the system this is loaded on.

Just for reference, here are the portions inside "splunk-powershell.ps1" that have to do with logging:

Line 7-13:
# Enable logging here. Look for log in %SPLUNK_HOME%\var\log\splunk\splunk-powershell.ps1.log
$logError = $True
$logWarn = $True
$logInfo = $True
$logDebug = $False

Line 178-180:
# logger signature: createLogger <destination> ErrorOn WarnOn InfoOn DebugOn
$g_logger = createLogger ($splunkHome+'\var\log\splunk\splunk-powershell.ps1.log') $logError $logWarn $logInfo $logDebug
logInfo "start splunk-powerhsell.ps1"

Various lines have similar calls to:
        logDebug("Enter disposer") $logger

Nothing in this file itself seems to handle closing access to this file (as long as this script is trying to run, it is going to lock the file), and nothing seems to handle rotation and general housekeeping of this log.

Splunk Employee

On a Unix machine, I would just use logrotate. It looks like people have written this functionality in a PowerShell script:

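An added example of what the logrotate-style approach looks like for this particular log (not code from the Splunk script or from either poster): a size-based rotation with a retention count, intended to run from a scheduled task. It assumes a default SplunkUniversalForwarder install path, a 100 MB threshold and five retained copies; because the running splunk-powershell.ps1 holds the file open, the script defers rather than forcing a rotation when the rename fails.

```powershell
# Added example, not part of splunk-powershell.ps1 or the original post.
# Path, size threshold and retention count are assumed values; adjust for your host.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [int]$MaxSizeMB = 100,
    [int]$Keep = 5
)

$logDir  = Join-Path $SplunkHome 'var\log\splunk'
$logFile = Join-Path $logDir 'splunk-powershell.ps1.log'

if (-not (Test-Path -LiteralPath $logFile)) { return }

$item = Get-Item -LiteralPath $logFile
if ($item.Length -lt ($MaxSizeMB * 1MB)) { return }   # below threshold, nothing to do

# Rotate by renaming the live file with a timestamp. While splunk-powershell.ps1 has the
# file open (the lock described in the question) the rename fails; in that case report it
# and let the next scheduled run retry rather than truncating the file in place.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$newName = "splunk-powershell.ps1.log.$stamp"
try {
    Rename-Item -LiteralPath $logFile -NewName $newName -ErrorAction Stop
} catch {
    Write-Warning "Rotation deferred, log is in use: $($_.Exception.Message)"
    return
}

# Retention: delete all but the newest $Keep rotated copies so the directory cannot
# grow without bound either.
Get-ChildItem -LiteralPath $logDir -Filter 'splunk-powershell.ps1.log.*' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Force
```

Schedule it to run periodically (for example every few minutes via Task Scheduler); if the rename keeps failing because the script never releases the file, the warning in the task history is the signal that rotation needs to happen at a point where the input is restarted.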


What version of Splunk? Just want to make sure you are working with the built-in input as opposed to the older PowerShell input app from Splunkbase.
