Getting Data In

Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

Contributor

I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Windows server) and then deployed a stanza for inputs.conf and outputs.conf files.

I can't figure out why the logs are not sent to the indexers:

[monitor://E:\ProxyLogs/\Server1-GW-SG\SG_main*]
disabled=false
source = file.bluecoat
sourcetype=bluecoat:proxysg:access:file
index=proxy

[monitor://E:\ProxyLogs/\Server2-GW-SG\*]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy
0 Karma
1 Solution

Esteemed Legend

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.

View solution in original post

0 Karma

Esteemed Legend

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.

View solution in original post

0 Karma