Splunk Dev

Monitoring for a log file - nix*

Crashfry
Path Finder

So I have a specific application log I'm attempting to monitor. The log location is basically this:
/opt/application/app/logs/application.log.

My current inputs.conf file looks like this:
[monitor:///opt/application/app/logs/application]
whitelist=(.log)
disabled = 0
index = application_audit
sourcetype = application_audit

For the life of me, I cannot get this to work at all; I've looked at the permissions and all seem fine. Is there something I'm missing with the monitor or the whitelist? I currently have a universal forwarder on this device, so it should send out if it's working.

1 Solution

whrg
Motivator

Hello @Crashfry,

I believe the monitor stanza must refer to a directory or a single file. If it refers to a directory then I can include the whitelist filter.

Since you want to monitor only one specific file, try it like this:

[monitor:///opt/application/app/logs/application.log]
disabled = 0
index = application_audit
sourcetype = application_audit

For troubleshooting, search for:

index=_* /opt/application/app


skoelpin
SplunkTrust

Your monitor stanza is wrong. You should include the .log or a * at the end, like this:

[monitor:///opt/application/app/logs/application.log]
disabled = 0
index = application_audit
sourcetype = application_audit

Don't forget to restart the Splunk service on the forwarder after making the change.


Crashfry
Path Finder

Alright, so that makes sense. I think where I was questioning myself was the whitelist. So there are other log files in this directory; would I have to be specific in the whitelist?
whitelist=\application.log$

Would I need to do that to be specific about the log I want in the directory?


whrg
Motivator

I edited my original answer because I initially thought you want to monitor /opt/application/app/logs/*.log.
You don't need the whitelist filter to monitor one specific file.

If you want to monitor additional files, either use a monitor stanza for each new file or use the whitelist filter if they have a similar pattern.
Provide the file names so we can help you with that.

Also, as @skoelpin has pointed out, you need to restart Splunk after making changes to configuration files.

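As an added illustration (not code from the thread or from Splunk), the following Python simulation walks through the monitor semantics the answers describe: a stanza path that names a file picks up that file only, a path that names a directory is walked and the whitelist regex is searched against each file's full path, and a path that exists as neither yields nothing. The directory tree and the file names other than application.log are constructed for the example.

```python
import os
import re
import tempfile

STANZA_RE = re.compile(r"^\[monitor://(?P<path>.+)\]$")

def parse_stanza(stanza_text):
    """Parse one inputs.conf monitor stanza into (path, settings dict)."""
    lines = [ln.strip() for ln in stanza_text.strip().splitlines() if ln.strip()]
    m = STANZA_RE.match(lines[0])
    if not m:
        raise ValueError("not a monitor stanza: %s" % lines[0])
    settings = {}
    for ln in lines[1:]:
        key, _, value = ln.partition("=")
        settings[key.strip()] = value.strip()
    return m.group("path"), settings

def resolve_monitor(path, whitelist=None):
    """Simulate which files a monitor stanza picks up: a file is taken as-is,
    a directory is walked and whitelist (a regex) is searched against each
    full path, and a path that is neither matches nothing."""
    if os.path.isfile(path):
        return [path]
    if not os.path.isdir(path):
        return []
    wl = re.compile(whitelist) if whitelist else None
    picked = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if wl is None or wl.search(full):
                picked.append(full)
    return sorted(picked)

def build_sample_tree():
    """Constructed sample tree (a temp dir, not the poster's host)."""
    base = tempfile.mkdtemp()
    logs = os.path.join(base, "opt", "application", "app", "logs")
    os.makedirs(logs)
    for name in ("application.log", "other.log", "notes.txt"):
        with open(os.path.join(logs, name), "w") as fh:
            fh.write("sample line\n")
    return base

def check_stanza(stanza_text, base):
    """Apply a stanza under the sample tree root; return matched paths."""
    path, settings = parse_stanza(stanza_text)
    full = os.path.join(base, path.lstrip("/"))
    return [f[len(base):] for f in resolve_monitor(full, settings.get("whitelist"))]
```

Note that the original whitelist `(.log)` is also looser than it looks: the unescaped dot matches the `/` before `logs`, so every file under that directory matches, not just `.log` files.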

Crashfry
Path Finder

@whrg So this is where I still don't understand why the log isn't pulling over to Splunk. I look at the internal logs for verification; the TA downloads onto the server and does everything it needs to do. I see the log for adding a watch on path 'opt/application/app/logs/application.log' but nothing is ever sent over to the index for the log in question. I had created the index and verified it's up but cannot get anything to write from this location. I don't see anything on the indexers about anything being received. Am I missing something?


whrg
Motivator

Do you see any events when you search for:
index=* source="/opt/application/app/logs/application.log" [All Time]?
Is your web user allowed to access that index?
Is application.log not empty? Perhaps you can paste a few lines here.
I assume the splunkd user has read permission on that file since you don't see any errors in the internal logs.
Do this search to see if the file was indexed (i.e. used the license):
index=_internal source="*license_usage.log" type=usage s="/opt/application/app/logs/application.log"


Crashfry
Path Finder

So that makes perfect sense. Being a single file, there is no need for adding in the whitelist stanza; just call out the specific file in the monitoring stanza.

I appreciate the help. I'm going to make those changes here shortly and see if I can get the file to show up in Splunk. I had checked initially how it was set up and saw that it's "monitoring for the file", but nothing was coming in, so I'll see if this makes a difference.
