Monitoring Splunk

Errors when monitoring core log in symlink

greich
Communicator

We are using 6.5.2 Enterprise.
On new search heads, the core logs have been moved to a symlink:
ls -l /opt/splunk/var/log/
drwx------. 2 splunk splunk 4096 Apr 17 17:50 introspection
lrwxrwxrwx. 1 splunk splunk 15 Mar 20 11:46 splunk -> /var/log/splunk

This results in reported errors:
04-28-2017 07:36:37.346 +0000 ERROR FilesystemChangeWatcher - Error setting up inotify on "/opt/splunk/var/log/splunk": Not a directory
but the logs seem to be indexed normally.

Can I safely assume that these should be WARN, or am I going to have issues down the line (log rotation, upgrades, whatever)?

0 Karma

esalesapns2
Communicator

I'm having the same issue. I think it's an ERROR, because we're not getting logs from the sub-directories below the symlink. We changed the path to the hard path to work around this.

0 Karma
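An added example, not from either poster: a small POSIX sh helper that scans an inputs.conf for [monitor://...] stanzas whose path goes through a symlink (like /opt/splunk/var/log/splunk above) and prints the resolved physical path to use instead, which is the "hard path" workaround described in the reply. It assumes readlink -f is available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Example (not Splunk's own tooling): find monitor stanzas whose configured
# path is, or passes through, a symlink, and show the physical path to use.
# Assumes readlink -f (GNU coreutils / BusyBox).

# Print the path from a "[monitor://<path>]" stanza header; print nothing for
# any other line.
stanza_path() {
    printf '%s\n' "$1" | sed -n 's#^\[monitor://\(.*\)]$#\1#p'
}

# Canonicalise a path (follows every symlink component). Prints nothing and
# fails if the path cannot be resolved, e.g. its parent directory is missing.
resolve_path() {
    readlink -f -- "$1"
}

# Report every monitor stanza in the inputs.conf given as $1 whose configured
# path differs from its resolved form, one line per stanza:
#   <configured path> -> <resolved path>
# Stanzas on paths that are already physical, or that cannot be resolved on
# this host, are skipped.
find_symlinked_monitors() {
    while IFS= read -r line; do
        p=$(stanza_path "$line")
        [ -n "$p" ] || continue
        r=$(resolve_path "$p") || continue
        if [ -n "$r" ] && [ "$r" != "$p" ]; then
            printf '%s -> %s\n' "$p" "$r"
        fi
    done < "$1"
}

# Usage: sh check_monitors.sh /opt/splunk/etc/system/local/inputs.conf
if [ $# -gt 0 ]; then
    find_symlinked_monitors "$1"
fi
```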