Getting Data In

Why are syslog files not being deleted?

n37w0rk
Explorer

Hello everyone,

I have the syslog files from my Cisco CallManager stored on my Ubuntu 22.04 system using rsyslog, in the path /home/splunk/syslog/. I have set up the corresponding inputs in my Splunk Enterprise:

[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole

The syslogs are being ingested into the database, but the files are not being deleted.

[Screenshot attachment: Bildschirmfoto 2023-06-07 um 12.48.55.png]

Does anyone have an idea of what I might have done wrong?


n37w0rk
Explorer

Hello Giuseppe,

thank you for your response. I had already tested that and now I have switched it back to BATCH and manually deleted all syslog files. After a system restart, the syslog files are being incremented again and not deleted.

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk ,

Check the rsyslog configuration: does it always write to the same file, or does it use a filename with date and time?

Ciao.

Giuseppe


n37w0rk
Explorer

Hello Giuseppe,

a new file is being created for each syslog event. Attached is my rsyslog configuration. I have been considering changing $FileOwner and $FileGroup to "splunk."


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")


### Entry by n37w0rk
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="50514")

$template remote-incoming-logs,"/home/splunk/syslog/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

Krgds Björn


gcusello
SplunkTrust

Hi @n37w0rk,

I don't see the date and time in the file name; maybe the new file is rebuilt. Try adding date and time to the file name.

ciao.

Giuseppe


gcusello
SplunkTrust

Hi @n37w0rk,

if you're speaking of the files in "/home/splunk/syslog", you're using the monitor command that reads files but doesn't delete them after reading.

If you want the files deleted, you have to use batch instead of monitor in this stanza too.

ciao.

Giuseppe

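The answer above turns on one detail of the posted inputs.conf: move_policy = sinkhole only takes effect on a batch stanza, and the syslog stanza is a monitor stanza, so Splunk reads the files and leaves them in place. As an added example (not code from the thread, from Splunk, or from the poster), here is a small Python linter that parses inputs.conf stanzas, flags a monitor stanza that carries move_policy, and emits the same stanza rewritten as a batch input. The sample configuration embedded in the script is the question's three stanzas reproduced as constructed input; the stanza parser and the rule table are assumptions of this example, not a Splunk API.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the three stanzas posted in the question, reproduced inline.
SAMPLE_INPUTS_CONF = """\
[batch:///home/splunk/cdr/cdr_*]
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cdr
disabled = false

[batch:///home/splunk/cdr/cmr_*]
crcSalt = <SOURCE>
index = cisco_cdr
move_policy = sinkhole
sourcetype = cucm_cmr
disabled = false

[monitor:///home/splunk/syslog/*]
disabled = false
index = cisco_syslog
sourcetype = cucm_syslog
move_policy = sinkhole
"""

# Settings that are only honored under one input scheme (assumed rule table).
# move_policy belongs to batch inputs; on a monitor stanza it changes nothing.
SCHEME_ONLY_SETTINGS = {"move_policy": "batch"}


@dataclass
class Stanza:
    scheme: str                                   # "monitor" or "batch"
    path: str                                     # everything after "scheme://"
    settings: dict[str, str] = field(default_factory=dict)

    def header(self) -> str:
        return f"[{self.scheme}://{self.path}]"


def parse_inputs_conf(text: str) -> list[Stanza]:
    """Parse [scheme://path] stanzas and their key = value lines."""
    stanzas: list[Stanza] = []
    current: Stanza | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            scheme, sep, path = line[1:-1].partition("://")
            if not sep:
                raise ValueError(f"stanza without a scheme: {line}")
            current = Stanza(scheme=scheme, path=path)
            stanzas.append(current)
            continue
        if current is None:
            raise ValueError(f"setting outside any stanza: {line}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {line}")
        current.settings[key.strip()] = value.strip()
    return stanzas


def lint(stanzas: list[Stanza]) -> list[str]:
    """Return one finding per setting that the stanza's scheme does not honor."""
    findings: list[str] = []
    for s in stanzas:
        for key, wanted in SCHEME_ONLY_SETTINGS.items():
            if key in s.settings and s.scheme != wanted:
                findings.append(
                    f"{s.header()}: {key} = {s.settings[key]} is not honored by "
                    f"{s.scheme} inputs, so files are read but never deleted; "
                    f"use [{wanted}://{s.path}] if deletion is intended"
                )
    return findings


def switch_scheme(stanzas: list[Stanza]) -> list[Stanza]:
    """Return copies in which each flagged stanza uses the scheme its setting needs."""
    fixed: list[Stanza] = []
    for s in stanzas:
        scheme = s.scheme
        for key, wanted in SCHEME_ONLY_SETTINGS.items():
            if key in s.settings:
                scheme = wanted
        fixed.append(Stanza(scheme, s.path, dict(s.settings)))
    return fixed


def render(stanzas: list[Stanza]) -> str:
    """Serialise stanzas back into inputs.conf text."""
    blocks = []
    for s in stanzas:
        lines = [s.header()] + [f"{k} = {v}" for k, v in s.settings.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for finding in lint(parsed):
        print("WARNING:", finding)
    print(render(switch_scheme(parsed)))
```

Run it as-is and it reports the monitor stanza, then prints the three stanzas with the syslog one rewritten as [batch:///home/splunk/syslog/*]. Two caveats before applying such a rewrite: a batch sinkhole deletes every file it ingests, so the directory must be a dedicated drop location that holds nothing else, and it should only receive files that rsyslog has finished writing, which is why the suggestion earlier in the thread to put date and time in the rsyslog file name matters.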