Under what situation would one monitor a rolled lo...

the_wolverine · ‎11-05-2012

I've heard that Splunk recommends monitoring of rolled log files (eg. file.log.1, file.log.2, etc) under certain situations. What are those situations?

I would think that monitoring of file.log would be sufficient.

yannK · ‎11-05-2012

It is all about the last events recorded before the log rotated. If this is too quick, the tailing processor may have read them.
So the recommended behavior (when not using crcSalt) is to monitor the first rotated files.

Otherwise, the behavior will depend of the OS and of the type of rotation.

By example on linux logrotate a log file usually move to the new version (file.log -> file.log.1), so Splunk will keep monitoring the handle on the file and get the last events.
If the file is copied and the original deleted, then the events will not be read from the new file.

kristian_kolb · ‎11-06-2012

I'd assume that file.log.1 does not get updated - so a single pass through that file should find any events that were written just before the file was rotated. Thus there would be no real need to monitor .2 or .3 etc

the_wolverine · ‎11-06-2012

How does one determine if log rotate is too quick?
So Splunk does not recommend monitoring file.log.2, file.log.3, etc?
What is the recommended syntax for monitor input in this case?

Under what situation would one monitor a rolled log file?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...