I am getting log file data from some Linux boxes, but some are not sending data. I am unable to find the reason why.
Please assist me with this.
Input stanza
[monitor:///var/log]
disabled = 0
index = unix_data
[monitor:///var/adm]
disabled = 0
index = unix_data
[monitor:///etc]
disabled = 0
index = unix_data
RHEL 6.9: not working
RHEL 7.4: not working
SLES 11: working
HP-UX 11.31: not working
HP-UX 11.31: not working
Solaris 10: working
Half of those files are not readable by Splunk (unless it's running as root - please don't be running as root).
What do the logs say?
Permissions on a working server:
-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 282038 Mar 22 17:35 cron
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw------- 1 root root 725824 Mar 22 17:37 tallylog
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw------- 1 root root 624826 Mar 22 17:38 secure
There is no specific splunkd.log error.
I am taking the RHEL 6.9 server first for troubleshooting. It is sending other types of data to IDX, and that data is searchable too.
Permissions for some of the files on the RHEL 6.9 server (taking one server at a time to troubleshoot):
-rw-rw-r--. 1 root utmp 735360 Mar 22 15:31 wtmp
-rw-r--r--. 1 root root 391913741032 Mar 22 15:31 lastlog
-rw-------. 1 root root 565772 Mar 22 15:32 cron
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-------. 1 root root 7331937 Mar 22 15:32 secure
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log
Confirm each forwarder's internal logs are being sent to Splunk. If they aren't then the forwarder is unable to connect to the indexer(s) and that must be corrected.
Verify Splunk has read access to the files on each box. Check splunkd.log for messages that might explain why the files are not being sent.
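The "verify Splunk has read access" step can be scripted. The following is an added example, not code from this thread or from Splunk: it reads the monitored paths out of an inputs.conf and predicts, from the mode bits and ownership, which files a hypothetical non-root service account named "splunk" could not read (the 0600 root:root files in both listings above would show up here). It assumes GNU stat on Linux; ACLs and SELinux contexts (the trailing "." in the RHEL 6.9 listing) are not modelled and can also deny access.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Predicts from mode
# bits whether a service account could read each file under the monitored
# paths, so "verify Splunk has read access" can be scripted before digging
# through splunkd.log. Assumes GNU stat -c (Linux) and a hypothetical account
# named "splunk". ACLs and SELinux contexts (the trailing "." in the RHEL
# listing) can still deny access and are not modelled here.

in_list() { needle=$1; shift; for x in "$@"; do [ "$x" = "$needle" ] && return 0; done; return 1; }

# mode_readable_by USER "GROUP ..." OCTAL_MODE OWNER GROUP -> exit 0 if readable.
# Unix consults exactly one class (owner, else group, else other), so a
# 0600 root:root file like "secure" is unreadable to any non-root account.
mode_readable_by() {
    user=$1; groups=$2; mode=$3; owner=$4; group=$5
    mode=${mode#"${mode%???}"}                  # keep the last three octal digits
    u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
    if [ "$user" = "$owner" ]; then bits=$u
    elif in_list "$group" $groups; then bits=$g
    else bits=$o; fi
    [ $((bits & 4)) -ne 0 ]
}

# monitor_paths INPUTS_CONF -> the path from every [monitor://...] stanza.
monitor_paths() { sed -n 's|^\[monitor://\(.*\)\]$|\1|p' "$1"; }

# report_unreadable USER "GROUP ..." INPUTS_CONF -> one line per file USER cannot read.
report_unreadable() {
    svc=$1; grp=$2
    monitor_paths "$3" | while read -r dir; do
        find "$dir" -type f 2>/dev/null | while read -r f; do
            set -- $(stat -c '%a %U %G' "$f")   # mode owner group
            mode_readable_by "$svc" "$grp" "$1" "$2" "$3" ||
                printf 'unreadable by %s: %s (%s %s:%s)\n' "$svc" "$f" "$1" "$2" "$3"
        done
    done
}

# demo: a constructed tree with the thread's permissions (0600 secure, 0644 lastlog).
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/log"
    printf '[monitor://%s/log]\ndisabled = 0\nindex = unix_data\n' "$tmp" > "$tmp/inputs.conf"
    : > "$tmp/log/secure";  chmod 600 "$tmp/log/secure"
    : > "$tmp/log/lastlog"; chmod 644 "$tmp/log/lastlog"
    report_unreadable splunk splunk "$tmp/inputs.conf"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_inputs.sh demo` to see the constructed case, or call `report_unreadable splunk "splunk adm" /opt/splunkforwarder/etc/system/local/inputs.conf` with the forwarder's real account and its supplementary groups.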