Splunk Search

By any chance can we change the log rotation format?

sarvesh_11
Communicator

Hi Splunkers,

Ideally what happens is we set a threshold for the log file and set some retention.
So files get created like:
audit.log
audit.log.1
audit.log.2
audit.log.3
audit.log.4

After reaching the threshold, what happens is audit.log.4 gets off, and audit.log.3 becomes audit.log.4; similarly, audit.log.2 becomes audit.log.3.

What I expect is, not only the last log file, i.e. audit.log.4, should get off, but all the read files, that is audit.log.1,2,3,4, should get off and all the new files should get created.

This I want, because we are forwarding the logs to QRadar, and this is creating duplication at QRadar, as one file is ingested into QRadar 4 times, with the same content but a different name.

TIA,

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @sarvesh_11,

Are you talking about the system log rotation or Splunk log rotation?
You can configure both:
- For logs under /var/log you need to check your logrotate configuration.
- For logs under $SPLUNK_HOME/var/log/splunk/ you can configure rotation using the following file: $SPLUNK_HOME/etc/log-local.cfg

Details here:
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#The_lo...

In any case, you should only be forwarding one of those files to QRadar, as it's "log rotation", so naturally the files will rotate and each will grab the content of the previous file.

You could also consider forwarding directly from Splunk to QRadar as a third-party TCP receiver: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#TCP_...

And the best solution would be to let the QRadar guys worry about their problems and you enjoy your problem-free life with Splunk 😉

Cheers,
David
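
As an added example (not part of the thread), the two universal-forwarder configuration files that implement the advice above: monitor only the live audit.log, so the rotated audit.log.1 to audit.log.4 copies are never re-read, and route that one input uncooked to QRadar as a third-party TCP receiver. The /var/log/audit path, the sourcetype, the group names, hostnames and ports are assumptions.

```ini
# --- inputs.conf (on the forwarder) ---
# Monitor the directory but whitelist only the live file. The regex is
# matched against the full path, so audit.log.1 .. audit.log.4 never match
# and a rotated copy is never picked up as a "new" file with old content.
# Path and sourcetype are assumptions for this example.
[monitor:///var/log/audit]
whitelist = /audit\.log$
sourcetype = linux_audit
# Send this input only to the QRadar output group defined below, not to
# the default Splunk indexer group.
_TCP_ROUTING = qradar_raw

# --- outputs.conf (on the forwarder) ---
[tcpout]
defaultGroup = splunk_indexers

# Assumed indexer address; everything without _TCP_ROUTING goes here.
[tcpout:splunk_indexers]
server = idx1.example.com:9997

# Third-party receiver (assumed address). QRadar does not understand the
# Splunk cooked protocol, so raw data must be sent.
[tcpout:qradar_raw]
server = qradar.example.com:514
sendCookedData = false
```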

PavelP
Motivator

Hello @sarvesh_11,

If I understand you correctly, you have a Linux system (which one?) and want to avoid log duplicates on QRadar by changing the log rotation.

Your log rotation is fine; this is the default Linux setting that doesn't need to be changed without reason.

Do you use the Splunk forwarder or syslog for this?

0 Karma