Where is the data for my monitor file var/log/zimb...

vumanhtai · ‎01-02-2018

I set up a monitor zimbra.log file, but I find it is missing the data pushed to the Splunk server compared to the actual file it has.
How do I have to deal with this problem?

ShaneNewman · ‎01-11-2018

If I had to guess, I would say that you probably have the Splunk TA for linux installed, which monitors /var/log... This is a crap monitor stanza and is most likely causing a conflict with your monitor stanza. Add a blacklist to that /var/log monitor stanza for zimbra logs.

ShaneNewman · ‎01-11-2018

If my theory is correct, you can search the os index for source=/var/log/zimbra.log and you will see data, unless you changed the name of the index from os to something else.

risgupta · ‎01-02-2018

Could you please help with Splunkd.log files for the Zimbra mail server where splunk is installed.

mayurr98 · ‎01-02-2018

try putting crcSalt = abc in inputs.conf

Where is the data for my monitor file var/log/zimbra.log file?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Where is the data for my monitor file var/log/zimbra.log file?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant