Getting Data In

Why are syslog files not being deleted?

n37w0rk
Explorer

Hello everyone,

I have the syslog files from my Cisco CallManager stored on my Ubuntu 22.04 host using rsyslog in the path /home/splunk/syslog/. I have set up a corresponding input in my Splunk Enterprise:

[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole

The syslogs are being ingested into the database, but the files are not being deleted.


Does anyone have an idea of what I might have done wrong?


n37w0rk
Explorer

Hello Giuseppe,

thank you for your response. I had already tested that and now I have switched it back to BATCH and manually deleted all syslog files. After a system restart, the syslog files are being incremented again and not deleted.

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk ,

Check the rsyslog configuration: does it always write to the same file, or does it use a filename with date and time?

Ciao.

Giuseppe


n37w0rk
Explorer

Hello Giuseppe,

a new file is being created for each syslog event. Attached is my rsyslog configuration. I have been considering changing $FileOwner and $FileGroup to "splunk".

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")


### Entry by n37w0rk
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="50514")

$template remote-incoming-logs,"/home/splunk/syslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk,

I don't see the date and time in the file name; maybe the new file is rebuilt. Try adding date and time to the file name.

ciao.

Giuseppe


gcusello
SplunkTrust

Hi @n37w0rk,

if you're speaking of the files in "/home/splunk/syslog", you're using the monitor input, which reads files but doesn't delete them after reading.

If you want them deleted, you have to use batch instead of monitor in this stanza too.

ciao.

Giuseppe

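To make the point of this answer checkable, here is an added example (not from the thread or from Splunk) that parses the inputs.conf posted in the question and flags the stanza type mismatch: `move_policy = sinkhole` only has an effect under a `batch://` stanza and is silently ignored under `monitor://`. Note that batch deletes by unlinking the file, so the user Splunk runs as also needs write permission on the containing directory, which rsyslog here creates as the syslog user.

```python
import configparser
import re

# The inputs.conf stanzas from the question above, embedded so the check runs offline.
SAMPLE_INPUTS_CONF = """\
[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole
"""

STANZA_RE = re.compile(r"^(monitor|batch)://(.+)$")


def parse_inputs(text):
    """Parse inputs.conf text into a list of (kind, path, settings) tuples."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. crcSalt
    parser.read_string(text)
    stanzas = []
    for name in parser.sections():
        match = STANZA_RE.match(name)
        if match:
            stanzas.append((match.group(1), match.group(2), dict(parser[name])))
    return stanzas


def lint_inputs(text):
    """Return one finding per stanza whose settings cannot delete files as intended."""
    findings = []
    for kind, path, settings in parse_inputs(text):
        policy = settings.get("move_policy")
        if kind == "monitor" and policy:
            # monitor never deletes; move_policy here is dead configuration
            findings.append(f"{path}: move_policy is ignored by monitor; use batch://")
        elif kind == "batch" and policy != "sinkhole":
            findings.append(f"{path}: batch without move_policy = sinkhole")
    return findings
```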