Splunk Search

By any chance can we change the log rotation format?

sarvesh_11
Communicator

Hi Splunkers,

Ideally what happens is we set a threshold for the log file and set some retention,
so files get created like:
audit.log
audit.log.1
audit.log.2
audit.log.3
audit.log.4

After reaching the threshold, what happens is audit.log.4 gets dropped, audit.log.3 becomes audit.log.4, and similarly audit.log.2 becomes audit.log.3.

What I expect is that not only the last log file, i.e. audit.log.4, should get dropped, but all the read files, that is audit.log.1, 2, 3, 4, should get dropped and all new files should get created.

I want this because we are forwarding the logs to QRadar, and this is creating duplication at QRadar, as one file is ingested into QRadar 4 times, with the same content under different names.

TIA,


DavidHourani
Super Champion

Hi @sarvesh_11,

Are you talking about the system log rotation or Splunk log rotation?
You can configure both:
- For logs under /var/log you need to check your logrotate configuration.
- For logs under $SPLUNK_HOME/var/log/splunk/ you can configure rotation using the following file: $SPLUNK_HOME/etc/log-local.cfg

Details here:
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#The_lo...

In any case, you should only be forwarding one of those files to QRadar: it's "log rotation", so naturally the files will rotate and each will take over the content of the previous file.

You could also consider forwarding directly from Splunk to QRadar as a third-party TCP receiver: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#TCP_...

And the best solution would be to let the QRadar guys worry about their problems and you enjoy your problem free life with Splunk 😉

Cheers,
David

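To make the "only forward one of those files" point concrete, here is an added simulation (my own example, not code from the thread, from Splunk or from QRadar). It reproduces the numbered rotation described in the question and runs two model collectors over the rotated set: collector A tracks files by path and re-forwards any file whose content changed, which is what produces the four-fold duplication the asker sees; collector B tracks files by a checksum of their first 256 bytes plus a byte offset, the idea behind Splunk's own file tracking (tunable with `initCrcLength` and `crcSalt` in inputs.conf), so a renamed copy is recognised as already read. The audit event lines, the directory layout and both collector implementations are constructed for this demonstration; the thread does not say how QRadar's file collector tracks files.

```shell
#!/bin/sh
# Added example, not from the thread: simulate numbered log rotation and
# compare two collector strategies over the rotated set. All paths, event
# lines and the collector logic are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/audit.log"
KEEP=4                         # audit.log.1 .. audit.log.4, as in the question

STATE_PATH="$WORK/state_path"  # "checksum path" per file, path-keyed collector
STATE_CRC="$WORK/state_crc"    # "crc offset" per file, content-keyed collector
SENT_PATH="$WORK/sent_path"    # everything each collector forwarded
SENT_CRC="$WORK/sent_crc"
: > "$STATE_PATH"; : > "$STATE_CRC"; : > "$SENT_PATH"; : > "$SENT_CRC"

# rotate_numbered FILE KEEP: the shift described in the question. The oldest
# copy is overwritten, every other copy moves up one number, and a fresh,
# empty FILE is created. mv keeps the content of each copy intact.
rotate_numbered() {
    file=$1; n=$2
    while [ "$n" -gt 1 ]; do
        prev=$((n - 1))
        if [ -f "$file.$prev" ]; then mv "$file.$prev" "$file.$n"; fi
        n=$prev
    done
    if [ -f "$file" ]; then mv "$file" "$file.1"; fi
    : > "$file"
}

# Collector A: keyed by path. Any file whose content checksum differs from
# the last poll is re-sent in full. After a rotation every audit.log.N holds
# different content than before, so every copy is forwarded again.
collect_by_path() {
    for f in "$LOG" "$LOG".[0-9]*; do
        [ -f "$f" ] || continue
        sum=$(cksum < "$f" | awk '{print $1}')
        prev=$(awk -v p="$f" '$2 == p {print $1}' "$STATE_PATH")
        if [ "$sum" != "$prev" ]; then
            cat "$f" >> "$SENT_PATH"
            { awk -v p="$f" '$2 != p' "$STATE_PATH"; echo "$sum $f"; } > "$STATE_PATH.tmp"
            mv "$STATE_PATH.tmp" "$STATE_PATH"
        fi
    done
}

# Collector B: keyed by a checksum of the first 256 bytes plus a byte offset
# (the idea behind Splunk's initial-CRC file tracking). A renamed file keeps
# its leading bytes, so it is recognised and only bytes past the offset go out.
collect_by_crc() {
    for f in "$LOG" "$LOG".[0-9]*; do
        [ -f "$f" ] || continue
        key=$(head -c 256 "$f" | cksum | awk '{print $1}')
        size=$(wc -c < "$f" | tr -d ' ')
        offset=$(awk -v k="$key" '$1 == k {print $2}' "$STATE_CRC")
        offset=${offset:-0}
        if [ "$size" -gt "$offset" ]; then
            tail -c +$((offset + 1)) "$f" >> "$SENT_CRC"
            { awk -v k="$key" '$1 != k' "$STATE_CRC"; echo "$key $size"; } > "$STATE_CRC.tmp"
            mv "$STATE_CRC.tmp" "$STATE_CRC"
        fi
    done
}

# run_simulation ROUNDS: each round appends three constructed audit events,
# lets both collectors poll, then rotates, matching the question's scenario.
run_simulation() {
    i=1
    while [ "$i" -le "$1" ]; do
        j=1
        while [ "$j" -le 3 ]; do
            echo "round=$i event=$j user=alice action=login result=success" >> "$LOG"
            j=$((j + 1))
        done
        collect_by_path
        collect_by_crc
        rotate_numbered "$LOG" "$KEEP"
        i=$((i + 1))
    done
}

lines_in()      { wc -l < "$1" | tr -d ' '; }
unique_in()     { sort -u "$1" | wc -l | tr -d ' '; }
sent_by_path()  { lines_in "$SENT_PATH"; }
sent_by_crc()   { lines_in "$SENT_CRC"; }
unique_events() { unique_in "$SENT_PATH"; }

run_simulation 5
echo "path-keyed collector forwarded $(sent_by_path) lines for $(unique_events) distinct events"
echo "crc-keyed  collector forwarded $(sent_by_crc) lines for $(unique_in "$SENT_CRC") distinct events"
```

With five rounds of three events and four numbered copies kept, collector A forwards 45 lines for 15 distinct events (each event goes out once per name it ever had), while collector B forwards exactly 15. The fix on the producing side is the one David gives: point the collector at `audit.log` alone (in Splunk terms, a `[monitor:///var/log/audit/audit.log]` stanza rather than a glob over `audit.log*`), and leave the number of numbered copies to logrotate's `rotate` directive. Changing the rotation scheme itself would not remove the duplication; it only changes how many copies exist to be re-read.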

PavelP
Motivator

Hello @sarvesh_11,

If I understand you correctly, you have a Linux system (which one?) and want to avoid log duplicates on QRadar by changing the log rotation.

Your log rotation is fine; this is the default Linux setting, which doesn't need to be changed without reason.

Do you use the Splunk forwarder or syslog for this?
