Getting Data In

simple wildcard monitoring not working

clearslide_cwon
New Member

I have a really simple wildcard matching for monitoring, but I can't get it to work. Here is the setup:

/opt/splunkforwarder/etc/system/local/inputs.conf

[monitor:///var/log/tomcat/localhost_access_log.*.txt]

I restarted Splunk, but it doesn't monitor any files in that directory.

BUT, if I put the following and copy the log (txt) files to /tmp, it sees them:

[monitor:///tmp/localhost_access_log*.txt]

Is there any restriction, or is it because of the wildcard I have? It seems pretty basic to me.

0 Karma

renjith_nair
Legend

Check if your splunk user is able to read the /var/log directory. The logs should be complaining about this if permission is denied.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

clearslide_cwon
New Member

Ya. The splunk user is able to read the directory/cd in, BUT it doesn't have access to read every file in that dir. Could that be the issue?


-bash-4.2$ id
uid=9100(splunk) gid=9100(splunk) groups=9100(splunk) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ls /var/log
anaconda boot.log btmp-20151201 cloud-init.log cron cron-20151214 cron-20151227 dmesg maillog maillog-20151214 maillog-20151227 messages-20151206 messages-20151220 newrelic ppp samba secure-20151206 secure-20151220 spooler spooler-20151214 spooler-20151227 tomcat wtmp
audit btmp chrony cloud-init-output.log cron-20151206 cron-20151220 cs lastlog maillog-20151206 maillog-20151220 messages messages-20151214 messages-20151227 ntpstats sa secure secure-20151214 secure-20151227 spooler-20151206 spooler-20151220 tallylog tuned yum.log
-bash-4.2$ ls -ld /var/log
drwxr-xr-x. 13 root root 4096 Dec 27 03:41 /var/log

I have changed the perms on the tomcat dir to be accessible by splunk as well:

-bash-4.2$ ls -ld /var/log/tomcat
drwxrwxr-x. 2 tomcat root 8192 Dec 28 00:00 /var/log/tomcat

0 Karma
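The two things worth separating here are "does the wildcard match anything" and "can the forwarder's user open what it matches". The script below is an added example, not code from the thread or from Splunk: it expands a [monitor://...] path the way Splunk does (`*` within one path segment, `...` across directory levels), lists the regular files it matches, and reports, for a given uid and group set, whether the parent directory is searchable and each file readable. It decides from the mode bits rather than os.access(), so it gives the same answer whether you run it as root or as the forwarder user. The function names, the use of the stanza and the splunk account from this thread as defaults, and the mode-bit-only check (no POSIX ACLs, no SELinux) are my choices.

```python
"""Check whether a Splunk [monitor://...] path matches anything and whether a given
(non-root) user can actually read what it matches, judged from mode bits alone.
Added example for the thread above; not Splunk's code."""
import glob
import grp
import os
import pwd
import stat
import sys


def parse_monitor_stanza(line):
    """Return the path from an inputs.conf stanza header such as
    '[monitor:///var/log/tomcat/localhost_access_log.*.txt]'; a bare path is returned as-is."""
    s = line.strip()
    if s.startswith("[monitor://") and s.endswith("]"):
        return s[len("[monitor://"):-1]
    return s


def splunk_path_to_glob(monitor_path):
    """Splunk's '...' matches any number of directory levels and '*' matches within one
    path segment; Python's glob spells those '**' (with recursive=True) and '*'."""
    return monitor_path.replace("...", "**")


def _allowed(st, uid, gids, usr_bit, grp_bit, oth_bit):
    # Decide from the mode bits only: os.access() answers 'yes' to everything when the
    # checker itself runs as root, which is not what the unprivileged forwarder user sees.
    if st.st_uid == uid:
        return bool(st.st_mode & usr_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & grp_bit)
    return bool(st.st_mode & oth_bit)


def can_read(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def check_monitor_path(monitor_path, uid, gids):
    """Return [(path, [problems...]), ...] for every regular file the pattern matches.
    An empty problem list means the user could open that file; an empty result means the
    wildcard matched nothing, which is a pattern problem rather than a permission one."""
    results = []
    for path in sorted(glob.glob(splunk_path_to_glob(monitor_path), recursive=True)):
        if not os.path.isfile(path):
            continue
        parent = os.path.dirname(path) or "."
        problems = []
        pst = os.stat(parent)
        if not can_search(pst, uid, gids):
            problems.append(f"no search (x) permission on {parent} "
                            f"(mode {stat.S_IMODE(pst.st_mode):o}, owner {pst.st_uid}:{pst.st_gid})")
        fst = os.stat(path)
        if not can_read(fst, uid, gids):
            problems.append(f"no read permission on file "
                            f"(mode {stat.S_IMODE(fst.st_mode):o}, owner {fst.st_uid}:{fst.st_gid})")
        results.append((path, problems))
    return results


def resolve_user(name):
    """uid and the full set of gids (primary plus supplementary) for a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # Defaults are the stanza and account from the thread; override on the command line:
    #   python3 check_monitor.py '[monitor:///var/log/tomcat/localhost_access_log.*.txt]' splunk
    stanza = sys.argv[1] if len(sys.argv) > 1 else "[monitor:///var/log/tomcat/localhost_access_log.*.txt]"
    user = sys.argv[2] if len(sys.argv) > 2 else "splunk"
    try:
        uid, gids = resolve_user(user)
    except KeyError:
        sys.exit(f"no such user: {user}")
    found = check_monitor_path(parse_monitor_stanza(stanza), uid, gids)
    if not found:
        print("pattern matched no regular files: check the wildcard, not the permissions")
    for path, problems in found:
        print(f"{path}: {'OK' if not problems else '; '.join(problems)}")
```

In the situation described in this thread (directory now 775 but the splunk user only in group 9100, files owned by tomcat) the script would list every localhost_access_log.*.txt file and flag the ones whose mode denies read to "other". It ignores POSIX ACLs and SELinux labels, so if it reports OK and the forwarder still reads nothing, the next place to look is $SPLUNK_HOME/var/log/splunk/splunkd.log, as the reply above suggests.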