I am not receiving /var/log/messages from a Linux server. I have written the stanza to monitor /var/log/messages in inputs.conf. Although I am receiving /var/log/audit.log and /var/log/secure.log, and I have given the splunk user read permission on the /var/log directory, and message logs are being generated continuously on the remote side, I am still not receiving the message logs.
disabled = 0
index = linux
blacklist = .*csv$
ignoreOlderThan = 1d
I am receiving logs by host name; on some servers messages.log is not received, although /var/log/audit.log and /var/log/secure.log are received.
But on some servers I face an issue like this: if the host name is, for example, "test.ab.co.in", then when searching with host=test.ab.co.in I receive /var/log/audit.log and /var/log/secure.log but not the messages log. But when searching host=test, I do receive the messages log.
Hi @Pavankumar,
1) Can you run the command ./splunk list inputstatus and check the status for /var/log/messages?
2) Is there any error in Splunkd.log?
go to /opt/splunkforwarder/var/log/splunk
cat splunkd.log | grep -i error (check for any errors)
3) Did you restart the forwarder after deploying the config? And did you check that the permissions are the same for /var/log/secure and /var/log/messages?
Is the server Red Hat or Ubuntu?
Can you check whether there is any extension after messages, like messages.log?
Is there any error in splunkd.log?
If everything is right can you remove the blacklist and ignoreOlderThan from the stanza and restart the forwarder and check again.
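As an added example (not part of this thread and not Splunk's own tooling), the checks in the reply above can be scripted so they are run the same way on every forwarder: is the file readable by the service user, is it newer than the ignoreOlderThan window, does the blacklist regex accidentally match it, do its permissions match a file that is known to be ingested, and does splunkd.log contain ERROR or WARN lines about it. The function names, the real-run paths in the comments and the sample splunkd.log lines in demo() are assumptions; run the script as the forwarder's user (for example `sudo -u splunk sh check_monitor.sh`) so the readability test reflects that user's permissions rather than root's.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for one [monitor://...] input.

# 0 if $1 is a regular file the current user can read, else 1.
check_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# 0 if $1 was modified within the last $2 days. With ignoreOlderThan = 1d the
# forwarder silently skips a file whose mtime is older than that.
check_fresh() {
    [ -n "$(find "$1" -mtime -"$2" 2>/dev/null)" ]
}

# 0 if path $1 matches the blacklist regex $2 (the inputs.conf blacklist is a
# regular expression tested against the full path of each file found).
matches_blacklist() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# 0 if the two files have the same mode string (e.g. -rw-r-----), portable via ls.
same_mode() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "$(ls -ld -- "$2" | cut -c1-10)" ]
}

# Count ERROR/WARN lines in splunkd.log $1 that mention path $2.
count_errors() {
    grep -i -e ERROR -e WARN -- "$1" | grep -Fc -- "$2"
}

# Print a short report for one monitored file.
# $1 = monitored path, $2 = ignoreOlderThan in days, $3 = blacklist regex,
# $4 = a file that is known to be ingested (permission reference), $5 = splunkd.log
run_checks() {
    f=$1
    check_readable "$f"         && echo "ok   readable:  $f" || echo "FAIL readable:  $f"
    check_fresh "$f" "$2"       && echo "ok   fresh:     $f" || echo "FAIL fresh:     $f (older than ${2}d)"
    matches_blacklist "$f" "$3" && echo "FAIL blacklist: $f matches '$3'" || echo "ok   blacklist: $f"
    same_mode "$f" "$4"         && echo "ok   mode:      same as $4" || echo "FAIL mode:      differs from $4"
    n=$(count_errors "$5" "$f") || true
    echo "info ERROR/WARN lines in $5 mentioning $f: $n"
}

# Offline demo on constructed files (not real system logs); the splunkd.log lines
# are made up for the demo and only loosely modelled on the forwarder's log format.
demo() {
    d=$(mktemp -d)
    printf 'Jan  2 10:00:00 host kernel: constructed sample line\n' > "$d/messages"
    printf 'Jan  2 10:00:00 host sshd: constructed sample line\n' > "$d/secure"
    chmod 640 "$d/messages" "$d/secure"
    printf '%s\n' \
      "01-02-2024 10:00:00.000 +0000 INFO  TailingProcessor - Adding watch on path: $d/messages" \
      "01-02-2024 10:00:01.000 +0000 ERROR TailingProcessor - Insufficient permissions to read file='$d/messages'" \
      > "$d/splunkd.log"
    run_checks "$d/messages" 1 '.*csv$' "$d/secure" "$d/splunkd.log"
    rm -rf "$d"
}

# Real run on a forwarder (assumed paths; the log directory is the one named in the reply):
# run_checks /var/log/messages 1 '.*csv$' /var/log/secure /opt/splunkforwarder/var/log/splunk/splunkd.log
```

A FAIL on the readability line while the same command succeeds as root is the classic sign of a permissions gap between the two files; a FAIL on the fresh line means the ignoreOlderThan setting, not the monitor path, is what is hiding the file.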