Monitoring Splunk

I not receiving /var/log/messages from the Linux Server

Pavankumar
Loves-to-Learn

 

I am not receiving the /var/log/messages from linux server.  I have written the stanza to monitored the var/log/massages in inputs.conf , Although receiving the var/log/audit.log and /var/log/secure.log, also given the read permission to splunk user for var/log directory .  And  mesage logs are generating continuously  at the remote side but still not receiving message logs. 

[monitor:///var/log/messages]
disabled = 0
index = linux
blacklist = .*csv$
ignoreOlderThan = 1d

Labels (1)
0 Karma

Pavankumar
Loves-to-Learn

I have receiving log through host name in some servers messages.log not receiving  Although receiving the var/log/audit.log and /var/log/secure.log

but in some server facing issue like  if the host name is for example "test.ab.co.in " when checking log though  host= test.ab.co.in then received var/log/audit.log and /var/log/secure.log.  Not receiving  Messages log .  But when searching  host=test  then I can receiving Messages log..

0 Karma

soutamo
SplunkTrust
SplunkTrust

Hi

what you will get with commands hostname and uname -a ?

you could add host = <your hostname> to inputs.conf if needed.

r. Ismo

0 Karma

Vardhan
Path Finder

Hi @Pavankumar ,

1)Can you run the command ./splunk list inputstatus and check the status for /var/log/messages

2) Is there any error in Splunkd.log?

go to /opt/splunkforwarder/var/log/splunk

cat splunkd.log | grep -i error     (check for any errors)

3)Did u restarted the forwarder after deploying the config? And did u check the permissions are the same for /var/log/secure and /var/log/messages?

 

0 Karma

soutamo
SplunkTrust
SplunkTrust

If you are running UF as splunk user you should check that this user has read access to this (and other needed logs). Quite often those needs to grant separately.

0 Karma

Vardhan
Path Finder

Hi,

Is the server is red hat or Ubuntu?

Can you check is there any extension after messages like mesages.log?

Is there any error in splunkd.log?

If everything is right can you remove the blacklist and ignoreOlderThan from the stanza and restart the forwarder and check again. 

0 Karma

Pavankumar
Loves-to-Learn

I am facing this issue on Linux machine (red hat and centos )

there any  no extension after messages

0 Karma