Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is there log file data from some linux boxes and some are not sending data?

AK_Splunk
Explorer
‎03-22-2023 04:01 AM

I am getting log file data from some linux boxes and some are not sending data. Unable to find the reason why?
Please assist me on the same 

Input stanza

[monitor:///var/log]
disabled = 0
index = unix_data

[monitor:///var/adm]
disabled = 0
index = unix_data

[monitor:///etc]
disabled = 0
index = unix_data


RHEL 6.9----------------->not Working
RHEL 7.4----------------->not Working

SLES 11-------------->Working

HP-UX 11.31--------->not Working 
HP-UX 11.31---------->not Working 
Solaris10--------------->Working 



Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-22-2023 08:22 AM

Half of those files are not readable by Splunk (unless it's running as root - please don't be running as root).

What do the logs say?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AK_Splunk
Explorer
‎03-22-2023 09:42 AM

permission for working server
-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 282038 Mar 22 17:35 cron
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw------- 1 root root 725824 Mar 22 17:37 tallylog
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw------- 1 root root 624826 Mar 22 17:38 secure



there is no specific splunkd.log error

0 Karma
Reply

AK_Splunk
Explorer
‎03-22-2023 07:35 AM

I am getting RHEL 6.9 server first for troubleshooting it is sending other type of the data to IDX and the data is searchable too.

permissions for some of the files is the server RHEL 6.9 taking one server at a time to troubleshoot

-rw-rw-r--. 1 root utmp 735360 Mar 22 15:31 wtmp
-rw-r--r--. 1 root root 391913741032 Mar 22 15:31 lastlog
-rw-------. 1 root root 565772 Mar 22 15:32 cron
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-------. 1 root root 7331937 Mar 22 15:32 secure
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-22-2023 05:43 AM

Confirm each forwarder's internal logs are being sent to Splunk.  If they aren't then the forwarder is unable to connect to the indexer(s) and that must be corrected.

Verify Splunk has read access to the files on each box.  Check splunkd.log for messages that might explain why the files are not being sent.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...