Hello,
Trying to monitor the below path from the host that has the UF installed:
C:\Program Files (x86)\dir1\log\name_CRT_[DDMMYYYY].log
I have inserted the below stanza but I have not received any logs:
[monitor://C:\Program Files (x86)\dir1\log\name_CRT_[DDMMYYYY].log
sourcetype = mylog:auditlog
disabled = 0
index=test
Any help, please?
Hi @hazem.,
Is this [DDMMYYYY] just a placeholder for an actual date in this example, or is this the literal string being monitored in the monitor stanza and also the literal text in the filename?
I ask that because if what you wanna do is to monitor C:\Program Files (x86)\dir1\log\name_CRT_<any date>.log then you can use * at that part, like:
C:\Program Files (x86)\dir1\log\name_CRT_*.log
This way the monitor stanza will know what to do.
Anyways, always make sure that in order for the forwarder to properly monitor something, that file must have the right read permissions to be read. Usually some applications under Program Files may be locked to administrators, and that may cause the SplunkForwarder service not to have the right permission to read the particular log.
A good indication for that is to check the _internal index for logs related to that and see if they are logging Access Denied somewhere.
The below search may give you a heads-up on hits. Restart the Splunk forwarder and keep an eye on that log for the last 5 min range or something, as the forwarder will evaluate the monitors at startup and you'll find it easier.
index=_internal host=<my_forwarder_host> "C:\\Program Files (x86)\\dir1\\log\\"
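
One way to run the permission check described in the answer directly on the forwarder host, as an added example that is not part of the original posts. It assumes the wildcard path from the answer and the SplunkForwarder service name mentioned there, and should be run from an elevated PowerShell prompt.

```powershell
# Added example: values below come from the thread; adjust to your host.
$pattern = 'C:\Program Files (x86)\dir1\log\name_CRT_*.log'  # wildcard path from the answer
$svcName = 'SplunkForwarder'                                 # service named in the answer

# 1. Which account does the forwarder service run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { Write-Warning "Service '$svcName' not found on this host."; return }
Write-Output "Forwarder runs as: $($svc.StartName)"
# Note: 'LocalSystem' appears in ACLs as 'NT AUTHORITY\SYSTEM'.

# 2. Does the wildcard match any file at all?
$files = Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue
if (-not $files) { Write-Warning "No files match $pattern"; return }

# 3. For each matched file, list who is allowed or denied read access.
$read = [System.Security.AccessControl.FileSystemRights]::Read
foreach ($f in $files) {
    Write-Output "`n$($f.FullName)"
    (Get-Acl -LiteralPath $f.FullName).Access |
        Where-Object { ($_.FileSystemRights -band $read) -eq $read } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
# Compare the identities listed with the service account from step 1
# (directly or through group membership). A 'Deny' row for that account,
# or no matching 'Allow' row, is consistent with Access Denied messages
# in the forwarder's _internal logs.
```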