- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why am I unable to monitor Apache logs with my cur...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to monitor some Apache logs and I can't seem to get the statement correct.
I'm trying to monitor "access_log.*" , "error_log.*" , access_log, error_log, and the gzs to go with them.
[monitor:///var/log/httpd]
whitelist=(\_log*$|\.log$|\_log*\.gz$)
blacklist= (mod\_jk\.log$|\.gz|catalina\.out$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
Can someone point out my error?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was a blacklist in another app that was finding its' way into this stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was a blacklist in another app that was finding its' way into this stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would try like this
[monitor:///var/log/httpd]
whitelist=(_log*$|\.log$|_log*\.gz$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
Updated
[monitor:///var/log/httpd]
whitelist=(access_log|error_log)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No joy.
[monitor:///var/log/httpd]
_rcvbuf = 1572864
dedicatedIoThreads = 2
disabled = 0
enableSSL = 1
host = myhost
ignoreOlderThan = 14d
index = unix
maxSockets = 0
maxThreads = 0
port = 8088
recursive = true
sourcetype = access_combined
useDeploymentServer = 0
whitelist = (_log*$|\.log$|_log*\.gz$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure to restart your forwarder (the whitelist isnot updated in btool output)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still no joy. I've opened a ticket w/ Splunk and will hopefully post a fix in this thread.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't work.
pwd
/var/log/httpd
-rw-r----- 1 root root 3122398 Feb 12 14:48 access_log.abcd
I have many files.abcd with different extensions.
/opt/splunkforwarder/bin/splunk list monitor
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log
/var/log/clamav
/var/log/httpd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give the updated one a try.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
