UPDATE: This appears to be a bug specifically related to 4.0.10. The following is a workaround in system/local/inputs.conf:
[monitor:///home/ops/splunk/var/log/splunk]
disabled=true
It looks like the entry in system/default is clobbering the more granular entries in SplunkLightForwarder/default. The output of splunk list monitor seems to be broken as well.
I'd like to index the splunkd.log for remote troubleshooting but I can't get my light forwarders to forward the log. Here's the btool output (with unrelated stuff removed):
[root@neil bin]# ./splunk cmd btool --debug inputs list
system     [default]
system     _rcvbuf = 1572864
system     host = myforwarder
system     index = default
system     [monitor:///home/ops/splunk/var/log/splunk]
system     _rcvbuf = 1572864
system     host = myforwarder
system     index = _internal
SplunkLigh [monitor:///home/ops/splunk/var/log/splunk/splunkd.log]
SplunkLigh _TCP_ROUTING = *
system     _rcvbuf = 1572864
system     host = myforwarder
maint      index = _internal
maint      sourcetype = splunkd
atti-linux [monitor:///var/log]
system     _rcvbuf = 1572864
atti-linux _whitelist = (auth$|cron$|kern$|lpr$|maillog$|user$|local$)
system     host = myforwarder
system     index = default
system     [splunktcp]
system     _rcvbuf = 1572864
system     host = myforwarder
system     index = default
system     route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue
I tried changing the index, no dice. From what I can tell, the /var/log/splunk entry clobbers the more specific one which says to include the entire var/log/splunk directory. When I run "splunk list monitor" it prints out the entire var/log/splunk dir except splunkd.log!
[root@neil-search etc]# ../bin/splunk list monitor
Monitored Directories:
    $SPLUNK_HOME/var/log/splunk
        /home/ops/splunk/var/log/splunk/audit.log
        /home/ops/splunk/var/log/splunk/btool.log
        /home/ops/splunk/var/log/splunk/metrics.log.1
        /home/ops/splunk/var/log/splunk/metrics.log.2
        /home/ops/splunk/var/log/splunk/metrics.log.3
        /home/ops/splunk/var/log/splunk/metrics.log.4
        /home/ops/splunk/var/log/splunk/migration.log.2010-03-23.00-14-09
        /home/ops/splunk/var/log/splunk/migration.log.2010-03-23.17-02-12
        /home/ops/splunk/var/log/splunk/migration.log.2010-03-26.18-58-16
        /home/ops/splunk/var/log/splunk/searchhistory.log
        /home/ops/splunk/var/log/splunk/splunkd_access.log
        /home/ops/splunk/var/log/splunk/splunkd_stderr.log
        /home/ops/splunk/var/log/splunk/splunkd_stdout.log
        /home/ops/splunk/var/log/splunk/splunklogger.log
 
For clarification, this applies to Lightweight Forwarder. The default expected behavior (LWF forwards its internal logs as default) is not working in version 4.0.x. The workaround is to create a monitor input for the Splunk logs directory and whitelist specific files in the $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/inputs.conf:
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
_whitelist = (splunkd|metrics|license_audit)\.log$
Note: This is working without additional configuration in version 4.1.
 
Oreoshake, your reasoning is correct. The reason the SplunkLightForwarder/defaults are not working is because they are overridden by system/defaults. Thus, the desired configuration needs to be moved to a local/inputs.conf.
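
One way to spot this kind of overlap before a forwarder silently stops sending splunkd.log, as an added example that is not part of the original thread or Splunk's own tooling: the Python below parses btool --debug lines in the "source, then stanza or key" layout quoted in the question and reports every monitor stanza whose path sits inside another monitor's path. The function names and the trimmed sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample: trimmed from the btool --debug output quoted in the question.
SAMPLE = """\
system     [default]
system     host = myforwarder
system     [monitor:///home/ops/splunk/var/log/splunk]
system     index = _internal
SplunkLigh [monitor:///home/ops/splunk/var/log/splunk/splunkd.log]
SplunkLigh _TCP_ROUTING = *
maint      sourcetype = splunkd
atti-linux [monitor:///var/log]
atti-linux _whitelist = (auth$|cron$)
system     [splunktcp]
"""

# First column is the source (app or "system"), then a [monitor://<path>] header.
STANZA = re.compile(r"^(\S+)\s+\[monitor://(.+)\]\s*$")


def monitor_stanzas(btool_text):
    """Return [(source, path)] for every [monitor://...] stanza header."""
    found = []
    for line in btool_text.splitlines():
        m = STANZA.match(line)
        if m:
            found.append((m.group(1), m.group(2).rstrip("/")))
    return found


def overlapping_monitors(btool_text):
    """Pair each monitor stanza with any other monitor whose path contains it."""
    stanzas = monitor_stanzas(btool_text)
    hits = []
    for broad_from, broad in stanzas:
        for narrow_from, narrow in stanzas:
            # Compare on a path boundary so /var/log does not match /var/logs.
            if narrow.startswith(broad + "/"):
                hits.append({"broad": broad, "broad_from": broad_from,
                             "narrow": narrow, "narrow_from": narrow_from})
    return hits


if __name__ == "__main__":
    for h in overlapping_monitors(SAMPLE):
        print(f"{h['narrow']} ({h['narrow_from']}) is inside "
              f"{h['broad']} ({h['broad_from']})")
```

Any pair it reports is a candidate for the clobbering described above and is worth confirming with splunk list monitor on the forwarder.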
 
As mentioned, this could be a bug. It would be useful if you can post the version you are encountering this behavior in so we can pinpoint whether you are encountering a bug.
 
