Getting Data In

Why is there log file data from some linux boxes and some are not sending data?

AK_Splunk
Explorer

I am getting log file data from some Linux boxes, and some are not sending data. I am unable to find the reason why.
Please assist me with this.

Input stanza

[monitor:///var/log]
disabled = 0
index = unix_data

[monitor:///var/adm]
disabled = 0
index = unix_data

[monitor:///etc]
disabled = 0
index = unix_data

RHEL 6.9      -> not working
RHEL 7.4      -> not working

SLES 11       -> working

HP-UX 11.31   -> not working
HP-UX 11.31   -> not working
Solaris 10    -> working

richgalloway
SplunkTrust

Half of those files are not readable by Splunk (unless it's running as root - please don't be running as root).

What do the logs say?

---
If this reply helps you, Karma would be appreciated.

AK_Splunk
Explorer

Permissions on the working server:
-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 282038 Mar 22 17:35 cron
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw------- 1 root root 725824 Mar 22 17:37 tallylog
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw------- 1 root root 624826 Mar 22 17:38 secure

There is no specific splunkd.log error.

AK_Splunk
Explorer

I am taking the RHEL 6.9 server first for troubleshooting. It is sending other types of data to the IDX, and that data is searchable too.

Permissions for some of the files on the RHEL 6.9 server (taking one server at a time to troubleshoot):

-rw-rw-r--. 1 root utmp 735360 Mar 22 15:31 wtmp
-rw-r--r--. 1 root root 391913741032 Mar 22 15:31 lastlog
-rw-------. 1 root root 565772 Mar 22 15:32 cron
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-------. 1 root root 7331937 Mar 22 15:32 secure
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log

richgalloway
SplunkTrust

Confirm each forwarder's internal logs are being sent to Splunk. If they aren't, then the forwarder is unable to connect to the indexer(s) and that must be corrected.

Verify Splunk has read access to the files on each box.  Check splunkd.log for messages that might explain why the files are not being sent.

---
If this reply helps you, Karma would be appreciated.
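As an added example (not code from the thread), a small POSIX sh script that applies the read-access check above to the `ls -l` lines posted in this thread: it evaluates the classic mode bits for a non-root account (assumed here to be named splunk, the user the forwarder runs as) and reports which files that account cannot read. The listing in the script is constructed from the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides from an `ls -l` line whether
# a non-root account (assumed: "splunk", the user splunkd runs as) can read the
# file. Only classic mode bits are evaluated; a trailing '.' or '+' (SELinux
# label / ACL) is ignored, so an ACL could still grant access reported as missing.

# can_read_mode MODE OWNER GROUP USER "GROUP1 GROUP2 ..."  -> exit 0 if readable
can_read_mode() {
  mode=$1; owner=$2; group=$3; user=$4; groups=$5
  [ "$user" = "root" ] && return 0          # root bypasses mode bits
  if [ "$user" = "$owner" ]; then
    pos=2                                   # owner read bit
  else
    pos=8                                   # "other" read bit
    for g in $groups; do
      [ "$g" = "$group" ] && pos=5          # group read bit if user is a member
    done
  fi
  [ "$(printf '%s' "$mode" | cut -c"$pos")" = "r" ]
}

# check_listing USER "GROUPS" < ls-l-output  -> one verdict line per file
check_listing() {
  user=$1; groups=$2
  while read -r mode links owner group size mon day time name; do
    [ -z "$name" ] && continue
    if can_read_mode "$mode" "$owner" "$group" "$user" "$groups"; then
      echo "readable   $name"
    else
      echo "UNREADABLE $name"
    fi
  done
}

# count_unreadable USER "GROUPS" < ls-l-output -> number of files USER cannot read
count_unreadable() {
  check_listing "$1" "$2" | grep -c '^UNREADABLE' || true   # grep -c exits 1 on 0
}

# Constructed from the listings posted above (working SLES box, then RHEL 6.9).
SAMPLE_LISTING='-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log'

printf '%s\n' "$SAMPLE_LISTING" | check_listing splunk splunk
```

On the box itself, the equivalent live check with GNU find is `sudo -u splunk find /var/log -type f ! -readable`, assuming the forwarder runs as the splunk user.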