I am new to Splunk and working on getting logs from macOS clients (10.10-10.13). Forwarding is working but one of the logs I am trying to monitor is /var/log/jamf.log and it is having trouble with dates. Example of the types of entries in this log:
Sat Jul 5 11:01:17 <username> jamf[14239]: Checking for policies triggered by "every15"...
For some reason the JAMF log doesn't include the year in its date stamps. The last time July 5th fell on a Saturday was 2014, and this log was forwarded right around 11:01:17 on July 5th 2018.
Even weirder is that I just noticed it is now showing me events from 7/7/18 (the current date is 7/5/18). Screenshot below shows that.
What is happening?
@3rgNEtFF I think you need to define event breaking and timestamp recognition correctly. Could you please let us know what you have in your props.conf? Have you already defined something for event breaking and timestamp recognition?
Also, is there any part of the log/file which has the year logged? Can your log be changed to have the year logged along with the existing timestamp? Finally, it seems like all events are getting mashed together as a single event and breaking after the default limit of 257 lines. So you need to tell us (and the Splunk config) the pattern for event breaking and the timestamp.
Ingest one sample log file and, in preview mode, play around with the event break and timestamp settings to ensure that both happen accurately; otherwise you will have a data discrepancy, and data once inserted incorrectly stays there. Preview mode and sample testing should always be performed for these two basic and most important prerequisites, identifying event line breaking and timestamp recognition, before opening the floodgates.
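The two settings the answer asks about, event breaking and year-less timestamp handling, can be exercised outside Splunk before touching props.conf. The script below is an added example, not code from the question, the answer, Splunk or Jamf: it runs a LINE_BREAKER-style regex over a constructed jamf.log excerpt (hostname, PIDs, messages and the indented "Script result" continuation lines are made up, modeled on the one line quoted in the question) and then attaches a year to each timestamp two ways. One way trusts the weekday and walks back to the most recent year in which "Jul 5" was a Saturday, which lands on 2014 exactly as the question observed; whether that is what Splunk did internally is an assumption, the point is that it is the only reading of "Sat Jul 5" that makes the weekday true. The other way uses the ingest year and only steps back a year when the date would be in the future, which is the behaviour you actually want for a log with no year field.

```python
import re
from datetime import date, datetime

# Constructed sample, modeled on the jamf.log line quoted in the question (host,
# PIDs and messages are made up). Note: weekday present, year absent, and the
# indented "Script result" lines have no timestamp of their own.
SAMPLE = (
    'Sat Jul 5 11:01:17 mac01 jamf[14239]: Checking for policies triggered by "every15"...\n'
    'Sat Jul 5 11:01:18 mac01 jamf[14239]: No policies were found for the "every15" trigger.\n'
    'Sat Jul 5 11:16:17 mac01 jamf[14301]: Checking for policies triggered by "every15"...\n'
    '    Script result: first line\n'
    '    Script result: second line\n'
    'Sat Jul 5 11:31:17 mac01 jamf[14355]: Checking for policies triggered by "every15"...\n'
)

# The ingest date the question describes (log forwarded on 5 July 2018).
QUESTION_INGEST_DATE = date(2018, 7, 5)

# An event starts only where a line begins with "Www Mmm d[d] HH:MM:SS ". Indented
# continuation lines therefore stay attached to the preceding event instead of
# becoming events of their own (or dragging everything into one giant event).
EVENT_START = re.compile(r'(?m)^(?=[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )')
TS = re.compile(r'^(?P<wday>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) '
                r'(?P<time>\d{2}:\d{2}:\d{2}) ')
MONTHS = dict(zip('Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), range(1, 13)))
WEEKDAYS = ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']   # date.weekday() order


def break_events(text):
    """Split raw text into events at timestamp boundaries, keeping continuation lines."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].rstrip('\n') for s, e in zip(starts, ends)]


def year_by_weekday(mon, day, wday, ref_year):
    """Most recent year (walking back from ref_year) in which mon/day fell on wday.
    This is the inference that sends a 'Sat Jul 5' event back to 2014."""
    for y in range(ref_year, ref_year - 28, -1):
        try:
            if WEEKDAYS[date(y, mon, day).weekday()] == wday:
                return y
        except ValueError:          # 29 Feb in a non-leap year
            continue
    return None


def parse_timestamp(event, ingest_date, trust_weekday=False):
    """Attach a year to a year-less jamf.log timestamp.

    trust_weekday=True reproduces the weekday-matching inference; the default
    uses the ingest year, stepping back one year if the date would otherwise be
    in the future relative to ingest (what a January rollover looks like)."""
    m = TS.match(event)
    if not m:
        return None
    mon, day = MONTHS[m['mon']], int(m['day'])
    if trust_weekday:
        year = year_by_weekday(mon, day, m['wday'], ingest_date.year)
    else:
        year = ingest_date.year
        try:
            if date(year, mon, day) > ingest_date:
                year -= 1
        except ValueError:          # 29 Feb seen in a non-leap ingest year
            year -= 1
    return datetime.strptime(f'{year}-{mon:02d}-{day:02d} {m["time"]}', '%Y-%m-%d %H:%M:%S')


if __name__ == '__main__':
    for ev in break_events(SAMPLE):
        by_wday = parse_timestamp(ev, QUESTION_INGEST_DATE, trust_weekday=True)
        by_ingest = parse_timestamp(ev, QUESTION_INGEST_DATE)
        print(f'weekday-inferred={by_wday:%Y-%m-%d %H:%M:%S}  '
              f'ingest-year={by_ingest:%Y-%m-%d %H:%M:%S}  {ev.splitlines()[0][:40]}')
```

Once the regex splits the sample into four events (not six, and not one), the same pattern can be carried into props.conf; the settings I would start from for this line format, all of which still need to be checked in the preview the answer describes, are SHOULD_LINEMERGE = false, LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ), TIME_PREFIX = ^, TIME_FORMAT = %a %b %d %H:%M:%S and MAX_TIMESTAMP_LOOKAHEAD = 24. Whether Splunk's strptime accepts the space-padded day that syslog-style stamps use is something to confirm on your own sample rather than assume.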
Do you retain the logs for more than a year in the same location?