Splunk Search

By any chance can we change the log rotation format?


Hi Splunkers,

Ideally what happens is we set a threshold for the log file and set some retention,
so files get created like:
audit.log
audit.log.1
audit.log.2
audit.log.3
audit.log.4

After reaching the threshold, what happens is audit.log.4 gets removed, audit.log.3 becomes audit.log.4, and similarly audit.log.2 becomes audit.log.3.

What I expect is that not only the last log file, i.e. audit.log.4, should be removed, but all the already-read files, that is audit.log.1, 2, 3 and 4, should be removed and new files should be created.

I want this because we are forwarding the logs to QRadar, and this is creating duplication at QRadar, as one file is ingested into QRadar 4 times, with the same content under different names.

TIA,


Hi @sarvesh_11,

Are you talking about the system log rotation or Splunk log rotation?
You can configure both:
- For logs under /var/log you need to check your logrotate configuration.
- For logs under $SPLUNK_HOME/var/log/splunk/ you can configure rotation using the following file: $SPLUNK_HOME/etc/log-local.cfg

Details here:
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#The_lo...

In any case, you should only be forwarding one of those files to QRadar, as it's "log rotation", so naturally the files will rotate and each will grab the content of the previous file.

You could also consider forwarding directly from Splunk to QRadar as a third-party TCP receiver: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#TCP_...

And the best solution would be to let the QRadar guys worry about their problems and you enjoy your problem free life with Splunk 😉

Cheers,
David

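As an added illustration of the point above (example code written for this page, not code from the thread and not Splunk's or logrotate's implementation): the script below simulates the numbered rotation the question describes in a temporary directory and runs two readers over it. The "naive" reader ingests every audit.log* file in full on each poll, which is what produces the 4x duplicates at the receiver; the rotation-aware reader identifies a file by a fingerprint of its first line and remembers how many bytes it has consumed under that identity, so a file that has merely been renamed by rotation is not read again. The names rotate, naive_collect, RotationAwareTailer and simulate are hypothetical, the first-line fingerprint is a simplification of the header-checksum approach real tailers use, and the audit-style log lines are constructed here.

```python
"""Rotation-aware tailing vs. glob-and-read, simulated in a temp directory.

Added example, not Splunk's or logrotate's own code. rotate() mimics the
numbered scheme from the question (audit.log -> .1 -> .2 -> .3 -> .4, with
.4 dropped). naive_collect() is what a collector that reads every
audit.log* file on each poll does; RotationAwareTailer identifies a file by
a fingerprint of its first line, so a file that is merely renamed is not
read again. Sample log lines are constructed here.
"""
import hashlib
import os
import tempfile

KEEP = 4  # matches the audit.log.1 .. audit.log.4 the question shows


def rotate(dirpath, name="audit.log", keep=KEEP):
    """Numbered rotation: drop .keep, shift .N to .N+1, move base to .1, recreate base."""
    oldest = os.path.join(dirpath, f"{name}.{keep}")
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):
        src = os.path.join(dirpath, f"{name}.{n}")
        if os.path.exists(src):
            os.replace(src, os.path.join(dirpath, f"{name}.{n + 1}"))
    base = os.path.join(dirpath, name)
    if os.path.exists(base):
        os.replace(base, os.path.join(dirpath, f"{name}.1"))
    open(base, "w").close()  # fresh, empty active log


def rotated_files(dirpath, name="audit.log"):
    """audit.log plus every audit.log.N, in sorted directory order."""
    return [os.path.join(dirpath, fn) for fn in sorted(os.listdir(dirpath))
            if fn == name or fn.startswith(name + ".")]


def naive_collect(dirpath):
    """Read every audit.log* file in full on each poll (this is what duplicates)."""
    out = []
    for path in rotated_files(dirpath):
        with open(path) as fh:
            out.extend(line.rstrip("\n") for line in fh)
    return out


class RotationAwareTailer:
    """Track consumed bytes per file identity, where identity survives a rename."""

    def __init__(self, dirpath):
        self.dirpath = dirpath
        self.offsets = {}  # fingerprint -> bytes already read

    @staticmethod
    def fingerprint(path):
        # Hash of the first complete line. A rename keeps the content, so the
        # rotated copy maps to the same key. A file with no newline yet is
        # skipped, because hashing a partial header would change as it grows.
        # Caveat: logs whose first line is identical across files (a fixed
        # banner) would collide; a real tailer salts the hash with the path.
        with open(path, "rb") as fh:
            first = fh.readline()
        return hashlib.sha256(first).hexdigest() if first.endswith(b"\n") else None

    def poll(self):
        """Return only lines not yet consumed, across all audit.log* files."""
        new, live = [], set()
        for path in rotated_files(self.dirpath):
            fp = self.fingerprint(path)
            if fp is None:
                continue
            live.add(fp)
            with open(path, "rb") as fh:
                fh.seek(self.offsets.get(fp, 0))
                chunk = fh.read()
                self.offsets[fp] = fh.tell()
            new.extend(chunk.decode().splitlines())
        # forget files that rotation has deleted so the state does not grow forever
        self.offsets = {fp: off for fp, off in self.offsets.items() if fp in live}
        return new


def simulate(rounds=5, lines_per_round=3):
    """Append, poll both readers, rotate; return the line counts each reader produced."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "audit.log"), "w").close()
        tailer = RotationAwareTailer(d)
        written, naive_seen, tailer_seen = [], [], []
        for r in range(rounds):
            # constructed audit-style lines, unique so duplicates are detectable
            batch = [f"type=USER_LOGIN seq={r * lines_per_round + i} res=success"
                     for i in range(lines_per_round)]
            with open(os.path.join(d, "audit.log"), "a") as fh:
                fh.write("".join(line + "\n" for line in batch))
            written.extend(batch)
            naive_seen.extend(naive_collect(d))
            tailer_seen.extend(tailer.poll())
            rotate(d)
        return {
            "written": len(written),
            "naive": len(naive_seen),
            "tailer": len(tailer_seen),
            "tailer_in_order": tailer_seen == written,
        }


if __name__ == "__main__":
    print(simulate())
```

With five rounds of three lines, the naive reader returns 45 lines for 15 written (the first batch alone is seen five times, once in audit.log and once in each of audit.log.1 through .4), while the tailer returns exactly the 15 written lines in order. The fix is therefore on the collector side, as the answer says: point it at audit.log only, or at a reader that tracks consumed content across renames, rather than changing the rotation scheme.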


Hello @sarvesh_11,

If I understand you correctly, you have a Linux system (which one?) and want to avoid log duplicates on QRadar by changing the log rotation.

Your log rotation is fine; this is the default Linux setting, which doesn't need to be changed without reason.

Do you use the Splunk forwarder or syslog for this?
