Hi, I am trying to monitor some files in /var/log on Ubuntu. There are 4 files (auth.log, auth.log.1, auth.log.2.gz, auth.log.3.gz).
When I tried the code below it worked:
[monitor:///var/log/auth.log]
sourcetype = authlog
index = test
disabled = 0
But this does not work:
[monitor:///var/log/auth.log.1]
sourcetype = authlog
index = test
disabled = 0
Why is that so? Is there anything wrong with it?
Ayn is right. In the end I had to write a script to index all the different auth.log files instead of using monitor.
You have been given advice as to why that might be a bad idea. If you are absolutely sure that this is what you want... good luck.
It could be a permissions issue, check splunkd.log. Make sure that the account running splunkd has read access to /var/auth/auth.log.
The .log.n and .log.n.gz files are just rotated versions of the auth.log, so if you don't need to index the old events, you can just stick with monitoring auth.log. When the current auth.log rotates to auth.log.1, you have already indexed all those events, so you do not need to monitor the rotated files explicitly.
EDIT: typo/bad thinking.
/Kristian
No, you don't need to do that - there are ways to make Splunk index them anyway, but very often this is NOT what you want, because it will make Splunk read the same data multiple times and I don't see why you would want that.
If the auth.log.1, auth.log.2, auth.log.3 etc files are just rotated files that have already been indexed, Splunk won't index them a second time. Might that be what's happening in your case?
Hi gpradeepkuma... thanks for the reply. I have tried that but it does not seem to work. It only monitors auth.log for some reason. Maybe Splunk does not allow monitoring those files?
You can use auth.log* to monitor all the versions and use the blacklist attribute to ignore the gz ones:
blacklist = (\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)
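The following is an added illustration (not code from the thread or from Splunk) of the two points made above: the wildcard-plus-blacklist selection in this answer, and Kristian's point that a rotated auth.log.1 is not read a second time. It models Splunk's file-identity check as a CRC over the first 256 bytes of a file (Splunk's default initCrcLength) recorded in a fishbucket-style table; the log lines, the temporary directory and the `Fishbucket` class are constructed for the example and are assumptions about Splunk's behaviour rather than its actual implementation.

```python
"""Model of wildcard file selection and rotated-file de-duplication.

Added example, not Splunk's own code.  Constructs a temporary /var/log-like
directory, rotates auth.log the way logrotate does, and shows which files a
[monitor:///var/log/auth.log*] stanza with the blacklist above would read and
how much of each is new data.
"""
import os
import re
import tempfile
import zlib

# The same pattern the answer above suggests for the blacklist attribute.
BLACKLIST = re.compile(r"\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$")

# Assumption: Splunk's default initCrcLength of 256 bytes is in effect.
INIT_CRC_LENGTH = 256

# Constructed sample log lines; "Jan 1" vs "Jan 2" makes the first 256 bytes differ.
OLD_LINES = b"".join(
    b"Jan 1 00:00:%02d host sshd[1]: Accepted publickey for alice\n" % i for i in range(20))
NEW_LINES = b"".join(
    b"Jan 2 00:00:%02d host sshd[1]: Failed password for root\n" % i for i in range(20))


def select_files(names):
    """Names a monitor stanza on auth.log* picks up once the blacklist drops archives."""
    return [n for n in sorted(names) if n.startswith("auth.log") and not BLACKLIST.search(n)]


def initial_crc(data):
    """Fingerprint of the leading INIT_CRC_LENGTH bytes, the identity Splunk keys on."""
    return zlib.crc32(data[:INIT_CRC_LENGTH]) & 0xFFFFFFFF


class Fishbucket:
    """Minimal stand-in for Splunk's fishbucket: initial CRC -> bytes already indexed."""

    def __init__(self):
        self.seen = {}

    def ingest(self, path):
        """Return the number of new bytes this pass would index from `path`."""
        with open(path, "rb") as fh:
            data = fh.read()
        crc = initial_crc(data)
        already = self.seen.get(crc, 0)
        new_bytes = max(len(data) - already, 0)
        if new_bytes:
            self.seen[crc] = len(data)
        return new_bytes


def simulate_rotation():
    """Index auth.log, rotate it, then re-scan with the wildcard stanza."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cur = os.path.join(d, "auth.log")
        with open(cur, "wb") as fh:
            fh.write(OLD_LINES)
        fb = Fishbucket()
        results["first_pass"] = fb.ingest(cur)  # everything is new on the first read

        # logrotate: auth.log -> auth.log.1, a fresh auth.log, older copies gzipped.
        os.rename(cur, os.path.join(d, "auth.log.1"))
        with open(cur, "wb") as fh:
            fh.write(NEW_LINES)
        with open(os.path.join(d, "auth.log.2.gz"), "wb") as fh:
            fh.write(b"\x1f\x8b")  # constructed placeholder; excluded by the blacklist

        chosen = select_files(os.listdir(d))
        results["monitored"] = chosen
        for name in chosen:
            results[name] = fb.ingest(os.path.join(d, name))
    return results


if __name__ == "__main__":
    print(simulate_rotation())
```

In the simulation auth.log.1 contributes zero new bytes because its leading bytes were already fingerprinted when it was still auth.log, which is why monitoring the rotated copies explicitly buys nothing. The same identity check is also the caveat: two distinct files whose first 256 bytes are identical (for example logs that start with the same banner) would be mistaken for one file, and the documented Splunk knob for that case is crcSalt = <SOURCE> on the monitor stanza.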
Hi, thanks for the reply. Is there any way to monitor all the different versions of auth.log?
Ooops. I thought I saw a semicolon, and something in my thinking process short-circuited. Colon is supposed to be there, definitely...
Edited answer to include some more clever guessing...
The colon is ok, no?