I have a really simple wildcard matching for monitoring, but I can't get it to work. Here is the setup:
i restarted splunk, but it doesn't monitor any files in that directory.
BUT, if I put the following and copy the log (txt) files to
/tmp, it sees them:
Is there any restriction, or because the wildcard I have? It seems pretty basic to me.
ya. splunk user is able to read the directory/cd in, BUT it doesnt have access to read every file in that dir. could that be the issue?
uid=9100(splunk) gid=9100(splunk) groups=9100(splunk) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ls /var/log
anaconda boot.log btmp-20151201 cloud-init.log cron cron-20151214 cron-20151227 dmesg maillog maillog-20151214 maillog-20151227 messages-20151206 messages-20151220 newrelic ppp samba secure-20151206 secure-20151220 spooler spooler-20151214 spooler-20151227 tomcat wtmp
audit btmp chrony cloud-init-output.log cron-20151206 cron-20151220 cs lastlog maillog-20151206 maillog-20151220 messages messages-20151214 messages-20151227 ntpstats sa secure secure-20151214 secure-20151227 spooler-20151206 spooler-20151220 tallylog tuned yum.log
-bash-4.2$ ls -ld /var/log
drwxr-xr-x. 13 root root 4096 Dec 27 03:41 /var/log
-bash-4.2$ ls -ld /var/log/tomcat
drwxrwxr-x. 2 tomcat root 8192 Dec 28 00:00 /var/log/tomcat