Why can't my UF send data from /var/log/messages?

dmpopof · ‎08-31-2018

Question: why is /var/log/messages not forwarded to index?

My deployment:

UF: version 7.1.2 RHEL 6.10
/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf

[monitor:///var/log]
disabled = false
index = linuxlog
sourcetype = syslog

etc/apps/_server_app_linux-server/local/app.conf

# Autogenerated file
[install]
state = enabled

splunk list monitor

Monitored Directories:
...
/var/log
...
                /var/log/messages
                /var/log/messages-20180805
                /var/log/messages-20180812
                /var/log/messages-20180819
                /var/log/messages-20180826

ll /var/log/messages
-rw-r-----+ 1 root root 1160093 Aug 30 12:07 /var/log/messages
-rw------- 1 root root 653 Aug 5 02:37 /var/log/messages-20180805
-rw------- 1 root root 580 Aug 12 02:05 /var/log/messages-20180812
-rw------- 1 root root 19310 Aug 19 02:42 /var/log/messages-20180819

-rw------- 1 root root 728770 Aug 26 02:05 /var/log/messages-20180826

Deployment server version 7.1.2 CentOS 7.5.1804

Search head version 7.1.2 CentOS 7.5.1804
search: index="linuxlog" source="/var/log/messa*"
where is no "/var/log/messages" in sources!

gcusello · ‎08-31-2018

Hi dmpopof,
I don't know why you don't have logs from messages file, but I suggest to modify you inputs.conf file in

 [monitor:///var/log/messages]
 disabled = false
 index = linuxlog
 sourcetype = syslog

In this way you're sure to have only the last logs and not the oldest.
if you want also the oldest (but I see that you already have) you could use

 [monitor:///var/log/messages*]

Bye.
Giuseppe