Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is there log file data from some linux boxes and some are not sending data?

AK_Splunk
Explorer
‎03-22-2023 04:01 AM

I am getting log file data from some linux boxes and some are not sending data. Unable to find the reason why?
Please assist me on the same 

Input stanza

[monitor:///var/log]
disabled = 0
index = unix_data

[monitor:///var/adm]
disabled = 0
index = unix_data

[monitor:///etc]
disabled = 0
index = unix_data


RHEL 6.9----------------->not Working
RHEL 7.4----------------->not Working

SLES 11-------------->Working

HP-UX 11.31--------->not Working 
HP-UX 11.31---------->not Working 
Solaris10--------------->Working 



Labels (5)
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-22-2023 08:22 AM

Half of those files are not readable by Splunk (unless it's running as root - please don't be running as root).

What do the logs say?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AK_Splunk
Explorer
‎03-22-2023 09:42 AM

permission for working server
-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 282038 Mar 22 17:35 cron
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw------- 1 root root 725824 Mar 22 17:37 tallylog
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw------- 1 root root 624826 Mar 22 17:38 secure



there is no specific splunkd.log error

0 Karma
Reply

AK_Splunk
Explorer
‎03-22-2023 07:35 AM

I am getting RHEL 6.9 server first for troubleshooting it is sending other type of the data to IDX and the data is searchable too.

permissions for some of the files is the server RHEL 6.9 taking one server at a time to troubleshoot

-rw-rw-r--. 1 root utmp 735360 Mar 22 15:31 wtmp
-rw-r--r--. 1 root root 391913741032 Mar 22 15:31 lastlog
-rw-------. 1 root root 565772 Mar 22 15:32 cron
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-------. 1 root root 7331937 Mar 22 15:32 secure
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-22-2023 05:43 AM

Confirm each forwarder's internal logs are being sent to Splunk.  If they aren't then the forwarder is unable to connect to the indexer(s) and that must be corrected.

Verify Splunk has read access to the files on each box.  Check splunkd.log for messages that might explain why the files are not being sent.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top