Hello,
I am trying to bring a client's syslog data into Splunk using a universal forwarder (UF) on a syslog server. I am getting Splunk internal logs, and I am getting Linux logs off the box.
The permissions seem to be set correctly and I am not seeing any errors in the Splunk internal logs.
Any ideas of where I can go from here?
My input stanza looks like the following:
[monitor:///var/log/client_name]
recursive = true
crcSalt =
queue = parsingQueue
sourcetype = netscreen:firewall
host_segment = 4
disabled = 0
Thanks,
JG
Hi jgorman_THG,
It would be a good practice to collect these syslogs and write them into directories that are accessible by the splunk user. syslog-ng has a lot of features that let you collect/filter and write the messages into the appropriate directories you want. This makes it easier to configure the inputs on the UF and to parse the logs for metadata such as the host field.
Hey JG!
/var/log is usually owned by root or by admin groups. You likely just need to chown the log file, or have the splunk user added to the adm group, etc. Make sure the sysadmin configures logrotate to keep the new perms too!
You can confirm by checking the status of any input with the super handy command ./splunk list inputstatus on the UF. I believe 6.3+ forwarders support the command, so as long as it's a newish UF, it will tell you exactly what's up!
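Both answers point at the same root cause: the UF account cannot traverse or read what the monitor stanza asks for, and the forwarder logs nothing loud about it. The script below is an added example, not from this thread or from Splunk; it is meant to be run as the forwarder's account (the user name "splunk" and the path /var/log/client_name are assumptions taken from the question) and it lists every directory the account cannot enter and every file it cannot read under a monitored path, which is the same set of opens a `[monitor://...]` stanza with `recursive = true` would attempt.

```shell
#!/bin/sh
# Added example (not from the thread): run this AS the account the universal
# forwarder runs under, e.g.
#   sudo -u splunk sh check_monitor.sh /var/log/client_name
# The user name and path are assumptions for illustration.

# Print one line per problem under $1: parent directories the account cannot
# traverse (x bit), directories it cannot list/enter, and regular files it
# cannot read. Output is empty when the forwarder would be able to read
# everything the monitor stanza covers.
check_monitor_path() {
  target="$1"

  # Every component on the way down must be searchable, or the files below
  # are unreachable even when they are world-readable.
  parent="$target"
  while [ -n "$parent" ] && [ "$parent" != "/" ]; do
    [ -x "$parent" ] || echo "NO-TRAVERSE $parent"
    parent=$(dirname "$parent")
  done

  # Directories below the target need r+x to be listed and entered;
  # files need r so the forwarder can open and tail them.
  find "$target" -print 2>/dev/null | while IFS= read -r entry; do
    if [ -d "$entry" ]; then
      { [ -r "$entry" ] && [ -x "$entry" ]; } || echo "NO-LIST $entry"
    elif [ -f "$entry" ]; then
      [ -r "$entry" ] || echo "NO-READ $entry"
    fi
  done
}

# Convenience wrapper: succeed (exit 0) only when no problems were found.
monitor_path_ok() {
  [ -z "$(check_monitor_path "$1")" ]
}

# Stand-alone use: report and exit non-zero when anything is unreadable.
# (Only runs when a path argument is given.)
if [ $# -gt 0 ]; then
  check_monitor_path "$1"
  if monitor_path_ok "$1"; then
    echo "OK: $1 is fully readable by $(id -un)"
  else
    exit 1
  fi
fi
```

Each NO-READ line is a file that a chown, a group membership change (for example adding the splunk user to the group that owns the logs) or a logrotate `create` directive with a group-readable mode will need to fix; the NO-TRAVERSE lines are the ones people miss, because a file can be readable while a directory above it is not. After fixing permissions, `./splunk list inputstatus` on the UF, as the second answer suggests, shows whether the forwarder now sees the files.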