Why is there log file data from some linux boxes and some are not sending data?

AK_Splunk
Explorer

I am getting log file data from some Linux boxes, and some are not sending data. I am unable to find the reason why.
Please assist me on the same.

Input stanza

[monitor:///var/log]
disabled = 0
index = unix_data

[monitor:///var/adm]
disabled = 0
index = unix_data

[monitor:///etc]
disabled = 0
index = unix_data


RHEL 6.9 ------> not working
RHEL 7.4 ------> not working

SLES 11 -------> working

HP-UX 11.31 ---> not working
HP-UX 11.31 ---> not working
Solaris 10 ----> working




richgalloway
SplunkTrust

Half of those files are not readable by Splunk (unless it's running as root - please don't be running as root).

What do the logs say?

---
If this reply helps you, Karma would be appreciated.

AK_Splunk
Explorer

Permissions on the working server:
-rw------- 1 root utmp 1031424 Mar 22 17:06 btmp
-rw------- 1 root root 282038 Mar 22 17:35 cron
-rw------- 1 root root 4591461 Mar 22 17:37 messages
-rw------- 1 root root 725824 Mar 22 17:37 tallylog
-rw-rw-r-- 1 root utmp 1989120 Mar 22 17:37 wtmp
-rw-r--r-- 1 root root 3311572 Mar 22 17:37 lastlog
-rw------- 1 root root 624826 Mar 22 17:38 secure



There is no specific splunkd.log error.


AK_Splunk
Explorer

I am getting to the RHEL 6.9 server first for troubleshooting; it is sending other types of data to the IDX, and that data is searchable too.

Permissions for some of the files on the RHEL 6.9 server (taking one server at a time to troubleshoot):

-rw-rw-r--. 1 root utmp 735360 Mar 22 15:31 wtmp
-rw-r--r--. 1 root root 391913741032 Mar 22 15:31 lastlog
-rw-------. 1 root root 565772 Mar 22 15:32 cron
-rw-------. 1 root root 1147467 Mar 22 15:32 messages
-rw-------. 1 root root 7331937 Mar 22 15:32 secure
-rw-r--r--. 1 root root 419275 Mar 22 15:32 numad.log


richgalloway
SplunkTrust

Confirm each forwarder's internal logs are being sent to Splunk. If they aren't, then the forwarder is unable to connect to the indexer(s) and that must be corrected.

Verify Splunk has read access to the files on each box.  Check splunkd.log for messages that might explain why the files are not being sent.

---
If this reply helps you, Karma would be appreciated.
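A way to carry out the check both of richgalloway's replies ask for (can the account splunkd runs as actually read what each [monitor://...] stanza points at), as an added example that is not from this thread or from Splunk: a POSIX shell function that walks a monitored path and prints the files a given account cannot read according to the mode bits, applying the same owner/group/other precedence the kernel applies. The account name `splunk` and the paths in the usage line are assumptions; run it as root so `find` can traverse directories the account cannot enter. It judges only the classic mode bits, so SELinux labels (the trailing `.` in the RHEL listing above) and POSIX ACLs are not evaluated, and a file it reports as readable may still be blocked by those.

```sh
#!/bin/sh
# Added example, not code from the thread or from Splunk.
# Lists files under DIR that account USER cannot read, judged by the classic
# mode bits with the kernel's precedence: if USER owns the file only the owner
# bits count; else if one of USER's groups owns it only the group bits count;
# else the "other" bits decide. SELinux labels and POSIX ACLs are not checked.
# Run as root so that find can traverse directories the account cannot enter.
#
# Usage: unreadable_by_user DIR USER
unreadable_by_user() {
    dir=$1
    user=$2
    grps=$(id -Gn "$user" 2>/dev/null) || {
        echo "unknown account: $user" >&2
        return 2
    }
    # Build the find sub-expression "-group g1 -o -group g2 ..." from the
    # account's primary and supplementary groups.
    set --
    for g in $grps; do
        if [ $# -eq 0 ]; then
            set -- -group "$g"
        else
            set -- "$@" -o -group "$g"
        fi
    done
    # Print every regular file that fails all three readability branches.
    find "$dir" -type f ! \( \
        \( -user "$user" -perm -400 \) -o \
        \( ! -user "$user" \( "$@" \) -perm -040 \) -o \
        \( ! -user "$user" ! \( "$@" \) -perm -004 \) \
    \) | sort
}

# Stand-alone use (account name and path are assumed), e.g.:
#   sh check_readable.sh /var/log splunk
if [ $# -ge 2 ]; then
    unreadable_by_user "$1" "$2"
fi
```

Run it once per monitored path on a working and a non-working host and compare the output; every file it lists for the forwarder's account is one the forwarder will silently skip, and fixing that with a group grant or a read-only ACL is the alternative to running the forwarder as root.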