I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.
That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.
I've seen the same thing as both Lowell and johntobin. We recently upgraded from 6.0.2 to 6.1.3, and wound up with a number of files I had to chown to the splunk user.
Additionally, we have run into a permissions issue when it starts up:
WARN FilesystemChangeWatcher - error reading directory "/path/to/syslogs": Permission denied
The splunk user is part of a group which has read only access to these files. Unfortunately, with the new init script setup and the SPLUNK_OS_USER (which is set properly in /opt/splunkforwarder/etc/splunk-launch.conf) this fails to start up.
Workarounds seem to be as previously stated:
1) su to the splunk user and start it with /opt/splunkforwarder/bin/splunk start
2) Revert to the old init script.
Either of these works.
Just wanted to point out this had not been fixed yet as of 6.1.3.
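A preflight check for the permission failure described in this post, added here as an example and not Splunk's own tooling: it reads SPLUNK_OS_USER from splunk-launch.conf and reports which monitored directories that account cannot list, before the init script is relied on to start the forwarder. It assumes GNU coreutils (stat -c, id -Gn); the paths shown are placeholders.

```shell
#!/bin/sh
# Added preflight check (not Splunk's own tooling): confirm the account named by
# SPLUNK_OS_USER in splunk-launch.conf can list each directory the forwarder monitors.
# Assumes GNU coreutils stat (-c) and id -Gn. Paths below are placeholders.

# Print the SPLUNK_OS_USER value from a splunk-launch.conf (last assignment wins).
splunk_os_user() {
  sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# True if user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
  for g in $(id -Gn "$1" 2>/dev/null); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# True if user $1 has read and execute (traverse) permission on directory $2, judged
# from the owner/group/other mode bits. Root's bypass of those bits is ignored on
# purpose: the daemon, not root, has to read the tree once privileges are dropped.
user_can_read_dir() {
  u=$1 dir=$2
  out=$(stat -c '%a %U %G' "$dir") || return 2
  set -- $out
  mode=$1 owner=$2 group=$3
  mode=${mode#"${mode%???}"}            # keep the low three octal digits
  if [ "$u" = "$owner" ]; then
    bits=${mode%??}
  elif user_in_group "$u" "$group"; then
    t=${mode%?}; bits=${t#?}
  else
    bits=${mode#??}
  fi
  [ $(( bits & 5 )) -eq 5 ]               # r (4) and x (1) both set
}

# Report, per monitored directory, whether the service account can read it.
# Returns 1 if any directory would trigger the FilesystemChangeWatcher warning.
check_monitored_dirs() {
  conf=$1; shift
  u=$(splunk_os_user "$conf")
  [ -n "$u" ] || { echo "SPLUNK_OS_USER not set in $conf"; return 2; }
  rc=0
  for d in "$@"; do
    if user_can_read_dir "$u" "$d"; then echo "OK      $u can read $d"
    else echo "DENIED  $u cannot read $d"; rc=1; fi
  done
  return $rc
}

# Usage (placeholder paths):
#   check_monitored_dirs /opt/splunkforwarder/etc/splunk-launch.conf /path/to/syslogs
[ $# -ge 2 ] && check_monitored_dirs "$@"
```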