Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

monitoring all auth.log file

darksky21
Path Finder
‎09-29-2013 08:26 AM

Hi i would like to monitor all auth.log file in my ubuntu system but there are many auth.log file (e.g. auth.log, auth.log.1, auth.log.2.gz, auth.log.3.gz). How do i get splunk to monitor all of them? Currently am only able to monitor auth.log file only

Tags (3)
0 Karma
Reply

aktambe
New Member
‎02-16-2018 12:23 AM

Hi,

I to have the same issue. we are monitoring the RSA key file from some host and we are getting logs from all the source excluding one source. the folder where auth.log file are fetched is present on that host but splunk cant fetch the logs. the configuration of all the host are same and the permission to the auth.log dir is also same for all the servers. still not getting log.

Please help here!

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-29-2013 10:18 AM

monitor the file and it's rotated versions.

[monitor:///var/log/auth.log*]

Reply

gfuente
Motivator
‎09-30-2013 02:56 AM

Hello

Maybe it's a permissions issue or they all have the same header and Splunk, by defaults, think that already has indexed that file. You could try to add this to your inputs.conf file:

crcSALT = < SOURCE >

**Remove the blanks before and after SOURCE, and you dont need to put here your real source file, just the string SOURCE

Regards

0 Karma
Reply

darksky21
Path Finder
‎09-29-2013 06:26 PM

Hi there. i tried it but it only monitor auth.log and not the other auth.log file.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!