We have a syslog server with universal forwarder (UF) installed on it and my inputs.conf states /opt/splunk/syslogs/cisco/acs// and my logrotate.d has syslog-ng that states /opt/splunk/syslogs///*/syslog. Due to the logrotate daily cron job there are directories created with date text and .gz in the same directory and Splunk forwarder is reading them and resending it to indexers. How do i stop this?
Modify your inputs.conf monitor the actual log files in that path. If the logs end in .log, wild card the .log extension. You can also blacklist the .gz files etc...
do a blacklist on gz files in your inputs.conf
[monitor:///var/log/xyz/] disabled = false ignoreOlderThan = 7d recursive = true index = my_index blacklist = (\.tgz|\.gz)$
Thanks, I am using this now in my inputs.conf [monitor:///opt/splunk/syslogs/cisco/acs//syslog] instead of //* , lets c if this works if this does not then i will try your suggestion of blacklisting.
after adding syslog to the end of my inputs stanza i.e. /opt/splunk/syslogs/cisco/acs/*/syslog it is now not reading the .gz files and only reads the directory syslog anything else that is there like date+syslog directory.gz it is not reading that i confirmed it from ./splunk list monitor command.