Why are Blue Coat logs not being forwarded to indexers from FTP servers with my current universal forwarder inputs.conf configuration?

Contributor

I have FTP servers where all the proxies are sending logs. I installed the Universal Forwarder on this server (Windows server) and then deployed a stanza for inputs.conf and outputs.conf files.

I can't figure out why the logs are not sent to the indexers:

[monitor://E:\ProxyLogs/\Server1-GW-SG\SG_main*]
disabled=false
source = file.bluecoat
sourcetype=bluecoat:proxysg:access:file
index=proxy

[monitor://E:\ProxyLogs/\Server2-GW-SG\*]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy

Esteemed Legend

You should be getting an error when you start splunk on your forwarder because you have a syntax error. It should be telling you that source = file.bluecoat is garbage. Remove that and you should be fine.
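
Added example (not part of the original answer): a PowerShell check, run on the forwarder, of how the stanzas from the question are parsed and whether the files under E:\ProxyLogs are actually being monitored and sent. The install path is an assumed default and the `SG_main*` filter is taken from the first stanza.

```powershell
# Assumption: default Universal Forwarder install path; change if SPLUNK_HOME differs.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# 1. Validate the .conf files; invalid keys or stanzas are reported here,
#    the same class of problem that shows up at forwarder startup.
& $Splunk btool check

# 2. Show the merged monitor stanzas and which file each setting comes from,
#    to confirm the deployed inputs.conf is the one in effect.
& $Splunk btool inputs list monitor --debug

# 3. Confirm the log files exist where the stanzas point. The forwarder's
#    service account also needs read access to them.
Get-ChildItem -Path 'E:\ProxyLogs' -Recurse -Filter 'SG_main*' -ErrorAction Continue |
    Select-Object FullName, Length, LastWriteTime

# 4. List what the forwarder is really watching (prompts for forwarder credentials).
& $Splunk list monitor

# 5. Check that the indexers from outputs.conf are active, not just configured.
& $Splunk list forward-server

# 6. Pull recent file-monitoring and output messages from splunkd.log.
$Log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Get-Content -Path $Log -Tail 5000 |
    Select-String -Pattern 'TailingProcessor|TailReader|WatchedFile|TcpOutputProc' |
    Select-String -Pattern 'ProxyLogs|WARN|ERROR' |
    Select-Object -Last 40
```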
