Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog File Monitor - Issues with multiple monitor paths

fairje
Communicator
‎08-20-2015 11:38 AM

For some reason the inputs.conf is not liking how I am giving it two monitor paths with wildcards in the same set of subdirectories and it is causing issues.

Inputs:

    [monitor:///opt/log/192.168.1.(37|38|39|40)*/Juniper.log]
    disabled = 0
    host_segment = 3
    index = ssl_vpn
    sourcetype = juniper_sa_log
    [monitor:///opt/log/LoadBalancer0(2|3|4)*/*.log]
    disabled = 0
    host_segment = 3
    index = f5
    sourcetype = f5:bigip:syslog

Note I have tried multiple variations of either using whitelists, not using whitelists, some wildcards mixed with options or just straight wildcards and yet I get some conflict in the splunk list monitor

Monitored Directories:
        /opt/log/LoadBalancer0(2|3|4)*/*.log
                /opt/log/192.168.1.37
                /opt/log/192.168.1.37/Juniper.log
                /opt/log/192.168.1.38
                /opt/log/192.168.1.38/Juniper.log
                /opt/log/192.168.1.39
                /opt/log/192.168.1.39/Juniper.log
                /opt/log/192.168.1.40
                /opt/log/192.168.1.40/Juniper.log
                /opt/log/LoadBalancer02
                /opt/log/LoadBalancer02/bigpipe.log
                /opt/log/LoadBalancer02/crond.log
                /opt/log/LoadBalancer02/gtmd.log
                /opt/log/LoadBalancer02/httpd(pam_audit).log
                /opt/log/LoadBalancer02/httpd.log
                /opt/log/LoadBalancer02/logger.log
                /opt/log/LoadBalancer02/mcpd.log
                /opt/log/LoadBalancer02/syslog-ng.log
                /opt/log/LoadBalancer03
                /opt/log/LoadBalancer03/bigpipe.log
                /opt/log/LoadBalancer03/crond.log
                /opt/log/LoadBalancer03/gtmd.log
                /opt/log/LoadBalancer03/httpd.log
                /opt/log/LoadBalancer03/logger.log
                /opt/log/LoadBalancer03/mcpd.log
                /opt/log/LoadBalancer03/mprov.log
                /opt/log/LoadBalancer03/ntpd.log
                /opt/log/LoadBalancer03/restorecond.log
                /opt/log/LoadBalancer03/snmpd.log
                /opt/log/LoadBalancer03/syslog-ng.log
                /opt/log/LoadBalancer03/usermod.log
                /opt/log/LoadBalancer04
                /opt/log/LoadBalancer04/bigpipe.log
                /opt/log/LoadBalancer04/crond.log
                /opt/log/LoadBalancer04/f5mku.log
                /opt/log/LoadBalancer04/gtmd.log
                /opt/log/LoadBalancer04/httpd(pam_audit).log
                /opt/log/LoadBalancer04/httpd.log
                /opt/log/LoadBalancer04/logger.log
                /opt/log/LoadBalancer04/mcpd.log
                /opt/log/LoadBalancer04/snmpd.log
                /opt/log/LoadBalancer04/syslog-ng.log
Monitored Files:
        $SPLUNK_HOME/etc/splunk.version
        /Library/Logs
        /opt/log/192.168.1.(37|38|39|40)*/Juniper.log
        /root/.bash_history
        /var/adm

So you can see the one monitor path is taking precidence over the other one and blindly applying both to it. But it is taking the filtering accurately across the two because there are other folders under /opt/log which are not showing up. Any ideas?

Tags (2)
0 Karma
Reply

tskinnerivsec
Contributor
‎08-20-2015 12:34 PM

I'm pretty sure this is because a file monitor is a regex, and your override is happening because you are using * as a wild card at the end of the same directory level. The 1st file monitor that matches will take precedence. Try defining your file monitors like:

[monitor:///opt/log/192.168.1.(37|38|39|40)/Juniper.log] and
[monitor:///opt/log/LoadBalancer0(2|3|4)/*.log]

Reply

fairje
Communicator
‎08-20-2015 01:44 PM

According to: http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Specifyinputpathswithwildcards

It needs to have a wildcard of some kind in that section of the stanza in order to activate the usage of regex. I have tried this (before I went and actually read the linked document) and it didn't work, unfortunately.

Why, oh why, can't they just use full on regex in this field instead of making it so complicated -_-

0 Karma
Reply

tskinnerivsec
Contributor
‎08-20-2015 03:49 PM

looks like in this case, you'll just have to use a wildcard earlier in your statement. Will it still work if you use:

[monitor:///opt/log/192.168.*.(37|38|39|40)/Juniper.log]

I have consistently run into issues with tailing wildcards when configuring multiple file monitors to act recursively from a higher point in the directory tree.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
Top