Hello everyone,
I have the syslog files from my Cisco CallManager stored on my Ubuntu 22.04 host using rsyslog, in the path /home/splunk/syslog/. I have set up a corresponding input in my Splunk Enterprise:
[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false
[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false
[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole
The syslogs are being ingested into the database, but the files are not being deleted.
Does anyone have an idea of what I might have done wrong?
Hello Giuseppe,
thank you for your response. I had already tested that and now I have switched it back to BATCH and manually deleted all syslog files. After a system restart, the syslog files are being incremented again and not deleted.
Krgds Björn
Hi @n37w0rk ,
Check the rsyslog configuration: does it always write to the same file, or does it use a filename with date and time?
Ciao.
Giuseppe
Hello Giuseppe,
a new file is being created for each syslog event. Attached is my rsyslog configuration. I have been considering changing $FileOwner and $FileGroup to "splunk."
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
### Entry by n37w0rk
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="50514")
# one file per source host and program name; new events are appended to it
$template remote-incoming-logs,"/home/splunk/syslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
krgds Björn
Hi @n37w0rk,
I don't see the date and time in the file name; maybe the new file is rebuilt. Try adding date and time to the file name.
ciao.
Giuseppe
Hi @n37w0rk,
if you're speaking of the files in "/home/splunk/syslog", you're using the monitor command, which reads files but doesn't delete them after reading.
If you want to delete them, you have to use batch instead of monitor in this stanza as well.
ciao.
Giuseppe
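A small check for the mistake discussed in this thread, added here as an example and not part of the original posts or of Splunk itself: it parses an inputs.conf in the stanza format shown above with a minimal hand-written parser (no Splunk libraries) and reports any `[monitor://...]` stanza that carries `move_policy = sinkhole`, which Splunk ignores for monitor inputs, and any `[batch://...]` stanza that lacks it. The sample configuration is the one posted in the question.

```python
"""Lint a Splunk inputs.conf for monitor/batch deletion mismatches.

Splunk honours move_policy = sinkhole only on [batch://...] stanzas; on a
[monitor://...] stanza the setting is silently ignored and the files stay on
disk after ingestion. This is an added example with a minimal stanza parser,
not Splunk's own configuration code.
"""
import re

# Sample inputs.conf, constructed from the stanzas posted in the question.
SAMPLE_INPUTS_CONF = """\
[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole
"""

# Matches stanza headers of the form [monitor://path] or [batch://path].
STANZA_RE = re.compile(r"^\[(monitor|batch)://(.+)\]$")


def parse_stanzas(text):
    """Return a list of {'kind', 'path', 'settings'} dicts, one per stanza."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = {"kind": match.group(1), "path": match.group(2), "settings": {}}
            stanzas.append(current)
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["settings"][key.strip()] = value.strip()
    return stanzas


def lint_inputs(text):
    """Return a list of finding strings; an empty list means no mismatch found."""
    findings = []
    for stanza in parse_stanzas(text):
        policy = stanza["settings"].get("move_policy")
        if stanza["kind"] == "monitor" and policy is not None:
            findings.append(
                f"[monitor://{stanza['path']}] sets move_policy = {policy}, which is "
                f"ignored for monitor inputs: files are read but never deleted. "
                f"Use [batch://{stanza['path']}] with move_policy = sinkhole instead."
            )
        elif stanza["kind"] == "batch" and policy != "sinkhole":
            findings.append(
                f"[batch://{stanza['path']}] lacks move_policy = sinkhole; "
                f"batch inputs require it."
            )
    return findings


if __name__ == "__main__":
    for finding in lint_inputs(SAMPLE_INPUTS_CONF):
        print(finding)
```

Run against the posted configuration it reports exactly one finding, the syslog monitor stanza. Note that batch reads a file once and then deletes it, so it is only suitable for files that are complete when Splunk picks them up; with the rsyslog template above the file is still being appended to, which is why a filename carrying the date and time, as suggested in the thread, pairs naturally with switching the stanza to batch.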