Splunk Enterprise

How do you collect Linux logs from files such as access.log.YY-DD-MM?

w_raza
Explorer

Hi,

I've deployed splunklight-7.2.1 and I am using universal log forwarder to forward logs from a Linux server to my Splunk server.

I'm stuck in a situation where I have to get logs from a particular file for which a new file gets created daily to store the logs. For example, today's logs will be stored in ../access_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01, and so on. Can anyone please guide me on what I should configure in my inputs.conf file to get these logs?

Thanks in advance

0 Karma
1 Solution

vliggio
Communicator

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files one level up from the Splunk root, or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that Splunk is literally interpreting the ../ but not showing the actual root it's using.)

You're always better off with an explicit path as the start (i.e., [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion from the root, though, wouldn't be a very good idea, because then Splunk will have to traverse the whole file system looking for access_log files.

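The distinction vliggio draws above (three dots recurse, a star matches within one path segment, and ../ is taken literally) is easy to misread when all you have is the stanza header. The following Python script is an added illustration and is not part of this thread or of Splunk's own code: it parses a small, constructed inputs.conf containing the three monitor paths discussed here, translates each path into a regular expression following the documented wildcard rules (it is an assumption of this example that `...` also matches zero intermediate directories and that `*` never crosses a `/`), and shows which files from a constructed directory listing each stanza would pick up. The sourcetype, index and blacklist values are placeholders chosen for the example; the `blacklist` key is a real monitor-stanza setting used here to keep compressed rotations out of the input.

```python
import re

# Constructed inputs.conf text. The three monitor paths are the ones from the
# thread; sourcetype/index/blacklist values are placeholders for this example.
INPUTS_CONF = r"""[monitor:///var/log/access_log.*]
sourcetype = access_combined
index = web
blacklist = \.gz$

[monitor:///var/log/.../access_log.*]
sourcetype = access_combined
index = web

[monitor://../access_log.*]
sourcetype = access_combined
"""

# Constructed listing of files that might exist on the forwarder host.
SAMPLE_FILES = [
    "/var/log/access_log.2018-12-31",
    "/var/log/access_log.2019-01-01",
    "/var/log/access_log.2018-12-30.gz",
    "/var/log/httpd/access_log.2019-01-01",
    "/var/log/httpd/archive/access_log.2018-11-15",
    "/var/log/access_log",            # no date suffix: never matches access_log.*
    "/var/log/error_log.2019-01-01",  # different file family
]

STANZA_HEADER = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]$")


def parse_monitor_stanzas(conf):
    """Parse [monitor://<path>] stanzas into (path, {key: value}) pairs."""
    stanzas = []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_HEADER.match(line)
        if m:
            current = (m.group("path"), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def monitor_to_regex(path):
    """Translate a monitor path into an anchored regex.

    Wildcard rules modelled here (assumed to mirror Splunk's documented behaviour):
      '...' -> any number of directory levels, including zero
      '*'   -> anything within a single path segment (never a '/')
      anything else, including '..', is a literal character.
    """
    parts = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif path[i] == "/":
            parts.append("/")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    pattern = "".join(parts)
    # "/.../" should also accept a bare "/" (zero intermediate directories).
    pattern = pattern.replace("/.*/", "/(?:.*/)?")
    return re.compile("^" + pattern + "$")


def files_for_stanza(path, settings, files):
    """Return the files a stanza would monitor, honouring its blacklist regex."""
    rx = monitor_to_regex(path)
    blacklist = re.compile(settings["blacklist"]) if "blacklist" in settings else None
    return [f for f in files if rx.match(f) and not (blacklist and blacklist.search(f))]


def resolve(conf, files):
    """Map every monitor path in the config to the files it would pick up."""
    return {path: files_for_stanza(path, settings, files)
            for path, settings in parse_monitor_stanzas(conf)}


if __name__ == "__main__":
    for path, matched in resolve(INPUTS_CONF, SAMPLE_FILES).items():
        print(f"[monitor://{path}]")
        for f in matched or ["(nothing matched)"]:
            print("   ", f)
```

Running it shows the explicit stanza picking up only the two plain daily files, the recursive stanza also reaching into httpd/ and httpd/archive/ (and the .gz file, since that stanza has no blacklist), and the ../ stanza matching nothing at all, because the two dots are a literal relative path component rather than a wildcard.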

richgalloway
SplunkTrust

Valid points. My answer was based on the OP's info, but explicit file paths are best.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

w_raza
Explorer

Hi vliggio,

Thanks for your response and explaining in detail, that helped.

0 Karma

richgalloway
SplunkTrust

It depends on what else is in the same directory that you don't want to monitor, but start with [monitor://../access_log.*].

---
If this reply helps you, an upvote would be appreciated.

w_raza
Explorer

Hi Rich,

Thanks for your quick response, that really helped and it worked.

0 Karma