Splunk is ingesting archived data from our syslog ...

hrithiktej · ‎10-23-2017

We have a syslog server with universal forwarder (UF) installed on it and my inputs.conf states /opt/splunk/syslogs/cisco/acs// and my logrotate.d has syslog-ng that states /opt/splunk/syslogs///*/syslog. Due to the logrotate daily cron job there are directories created with date text and .gz in the same directory and Splunk forwarder is reading them and resending it to indexers. How do i stop this?

hrithiktej · ‎10-23-2017

after adding syslog to the end of my inputs stanza i.e. /opt/splunk/syslogs/cisco/acs/*/syslog it is now not reading the .gz files and only reads the directory syslog anything else that is there like date+syslog directory.gz it is not reading that i confirmed it from ./splunk list monitor command.

koshyk · ‎10-23-2017

hi,
do a blacklist on gz files in your inputs.conf

eg

[monitor:///var/log/xyz/]
disabled = false
ignoreOlderThan = 7d
recursive = true
index = my_index
blacklist = (\.tgz|\.gz)$

hrithiktej · ‎10-23-2017

Thanks, I am using this now in my inputs.conf [monitor:///opt/splunk/syslogs/cisco/acs//syslog] instead of //* , lets c if this works if this does not then i will try your suggestion of blacklisting.

enicholson_splu · ‎10-23-2017

Modify your inputs.conf monitor the actual log files in that path. If the logs end in .log, wild card the .log extension. You can also blacklist the .gz files etc...

Splunk is ingesting archived data from our syslog servers. How do I stop this?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation