Getting Data In

Why are syslog files not being deleted?

n37w0rk
Explorer

Hello everyone,

I have the syslog files from my Cisco Callmanager stored on my Ubuntu 22.04 host using rsyslog in the path /home/splunk/syslog/. I have set up a corresponding input in my Splunk Enterprise:

[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole

The syslogs are being ingested into the database, but the files are not being deleted.

[Screenshot attached: Bildschirmfoto 2023-06-07 um 12.48.55.png]

Does anyone have an idea of what I might have done wrong?


n37w0rk
Explorer

Hello Giuseppe,

thank you for your response. I had already tested that and now I have switched it back to BATCH and manually deleted all syslog files. After a system restart, the syslog files are being incremented again and not deleted.

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk ,

Check the rsyslog configuration: does it always write to the same file, or does it use a filename with date and time?

Ciao.

Giuseppe


n37w0rk
Explorer

Hello Giuseppe,

a new file is being created for each syslog event. Attached is my rsyslog configuration. I have been considering changing $FileOwner and $FileGroup to "splunk."


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")


### Entry by n37w0rk
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="50514")

$template remote-incoming-logs,"/home/splunk/syslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk,

I don't see the date and time in the file name; maybe the new file is being rebuilt. Try adding date and time to the file name.

ciao.

Giuseppe


gcusello
SplunkTrust

Hi @n37w0rk,

if you're speaking of the files in "/home/splunk/syslog", you're using a monitor input, which reads files but doesn't delete them after reading.

If you want them deleted, you have to use batch instead of monitor in this stanza too.

ciao.

Giuseppe

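The batch/sinkhole deletion Giuseppe recommends is only safe on files rsyslog has finished writing: rsyslog keeps its output files open, so if a batch input deletes the file that the template above is still appending to, the later events go into the unlinked inode and are lost. The following POSIX shell script is an added example (not code from the thread, and not Splunk or rsyslog code): the first function reproduces that failure mode with a stand-in writer and collector, and the second lists only the rotated files a batch input could safely consume. The directory layout and the file names (cucm.log, 2023-06-06.log, 2023-06-07.log) are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a batch/sinkhole input must only see files the writer
# has already closed. Writer = rsyslog stand-in, collector = Splunk batch
# stand-in. Paths and names are constructed for the demo.
set -eu

# simulate_sinkhole_on_open_file DIR
# The writer opens DIR/cucm.log once and keeps the descriptor. The collector
# reads the file and deletes it. Returns 0 when the event written after the
# delete is lost, i.e. no file in DIR carries it afterwards.
simulate_sinkhole_on_open_file() {
    dir="$1"
    log="$dir/cucm.log"
    exec 3>>"$log"                  # writer opens once and keeps fd 3 open
    printf 'event-1\n' >&3
    cat "$log" >/dev/null           # collector reads the file ...
    rm -f "$log"                    # ... and "sinkholes" it
    printf 'event-2\n' >&3          # writer appends to the unlinked inode
    exec 3>&-                       # writer closes; the inode is freed
    [ ! -e "$log" ]                 # event-2 never reached a file in DIR
}

# list_ingestable DIR ACTIVE
# Print the *.log files in DIR except ACTIVE, the file the writer is still
# appending to. With a date in the rsyslog template, earlier days' files are
# closed and safe for a batch/sinkhole input; the current one is not.
list_ingestable() {
    dir="$1"
    active="$2"
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue            # glob matched nothing
        [ "${f##*/}" = "$active" ] && continue
        printf '%s\n' "$f"
    done
}

# Stand-alone run: build a scratch directory and show both behaviours.
tmp=$(mktemp -d)
simulate_sinkhole_on_open_file "$tmp" && echo "event-2 was lost, as expected"
touch "$tmp/2023-06-06.log" "$tmp/2023-06-07.log"
echo "safe to sinkhole:"
list_ingestable "$tmp" 2023-06-07.log
rm -rf "$tmp"
```

Two practical consequences for the setup in this thread. First, switching the syslog stanza to [batch:///home/splunk/syslog/*] with move_policy = sinkhole should be combined with a template that rotates by time (for example a %$year%-%$month%-%$day% component in the file name, which is an assumption about how one would write it, not something from the thread) so that the batch input only ever removes closed files. Second, on Linux, deleting a file requires write permission on its directory, not ownership of the file; with $DirCreateMode 0755 and $FileOwner syslog as posted, a Splunk process running as the splunk user cannot unlink anything rsyslog created, however the files themselves are owned.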