Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I not receiving /var/log/messages from the Linux Server

Pavankumar
Loves-to-Learn Lots
‎03-14-2021 05:01 AM

 

I am not receiving the /var/log/messages from linux server.  I have written the stanza to monitored the var/log/massages in inputs.conf , Although receiving the var/log/audit.log and /var/log/secure.log, also given the read permission to splunk user for var/log directory .  And  mesage logs are generating continuously  at the remote side but still not receiving message logs. 

[monitor:///var/log/messages]
disabled = 0
index = linux
blacklist = .*csv$
ignoreOlderThan = 1d

Labels (1)
Labels
0 Karma
Reply

Pavankumar
Loves-to-Learn Lots
‎03-31-2021 10:36 PM

I have receiving log through host name in some servers messages.log not receiving  Although receiving the var/log/audit.log and /var/log/secure.log

but in some server facing issue like  if the host name is for example "test.ab.co.in " when checking log though  host= test.ab.co.in then received var/log/audit.log and /var/log/secure.log.  Not receiving  Messages log .  But when searching  host=test  then I can receiving Messages log..

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-01-2021 09:55 AM

Hi

what you will get with commands hostname and uname -a ?

you could add host = <your hostname> to inputs.conf if needed.

r. Ismo

0 Karma
Reply

Vardhan
Contributor
‎03-25-2021 03:01 AM

Hi @Pavankumar ,

1)Can you run the command ./splunk list inputstatus and check the status for /var/log/messages

2) Is there any error in Splunkd.log?

go to /opt/splunkforwarder/var/log/splunk

cat splunkd.log | grep -i error     (check for any errors)

3)Did u restarted the forwarder after deploying the config? And did u check the permissions are the same for /var/log/secure and /var/log/messages?

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-25-2021 03:59 AM

If you are running UF as splunk user you should check that this user has read access to this (and other needed logs). Quite often those needs to grant separately.

0 Karma
Reply

Vardhan
Contributor
‎03-14-2021 05:40 AM

Hi,

Is the server is red hat or Ubuntu?

Can you check is there any extension after messages like mesages.log?

Is there any error in splunkd.log?

If everything is right can you remove the blacklist and ignoreOlderThan from the stanza and restart the forwarder and check again. 

0 Karma
Reply

Pavankumar
Loves-to-Learn Lots
‎03-24-2021 10:48 PM

I am facing this issue on Linux machine (red hat and centos )

there any  no extension after messages

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...
Top