Getting Data In

Why can't my UF send data from /var/log/messages?

dmpopof
Engager

Question: why is /var/log/messages not forwarded to index?

My deployment:

UF: version 7.1.2 RHEL 6.10
/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf

[monitor:///var/log]
disabled = false
index = linuxlog
sourcetype = syslog

etc/apps/_server_app_linux-server/local/app.conf

# Autogenerated file
[install]
state = enabled

splunk list monitor

Monitored Directories:
...
/var/log
...
                /var/log/messages
                /var/log/messages-20180805
                /var/log/messages-20180812
                /var/log/messages-20180819
                /var/log/messages-20180826

ll /var/log/messages
-rw-r-----+ 1 root root 1160093 Aug 30 12:07 /var/log/messages
-rw------- 1 root root 653 Aug 5 02:37 /var/log/messages-20180805
-rw------- 1 root root 580 Aug 12 02:05 /var/log/messages-20180812
-rw------- 1 root root 19310 Aug 19 02:42 /var/log/messages-20180819

-rw------- 1 root root 728770 Aug 26 02:05 /var/log/messages-20180826

Deployment server version 7.1.2 CentOS 7.5.1804

Search head version 7.1.2 CentOS 7.5.1804
search: index="linuxlog" source="/var/log/messa*"
where is no "/var/log/messages" in sources!
alt text

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi dmpopof,
I don't know why you don't have logs from messages file, but I suggest to modify you inputs.conf file in

 [monitor:///var/log/messages]
 disabled = false
 index = linuxlog
 sourcetype = syslog

In this way you're sure to have only the last logs and not the oldest.
if you want also the oldest (but I see that you already have) you could use

 [monitor:///var/log/messages*]

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...