
Not all WebSphere logs are being indexed

Steve_W
New Member

I have WebSphere installed on Server A and it is configured with SplunkWAS and enabled as a LightWeightForwarder.

The logs are forwarded to Server B. This is working successfully and the WebSphere index is logging all the WebSphere logs except the application logs, SystemOut.log, SystemErr.log, Native*.log.

On Server A, the WebSphere logs are symbolically linked to a different folder. I was thinking this may be the issue, except that the FFDC logs are also symlinked and work fine. Any ideas?

I modified the inputs.conf manually in the SplunkWAS application but this also doesn't work.

INPUTS.conf - first entry not working??? Before I changed it the first two monitors were "opt" and not "logs", else the same. Other two monitors are working...

[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs//...]
whitelist = native./.log$|.Server/.log$|System./.log$|http_.*/.log$|/.pid$
crcSalt =
disabled = 0
index = websphere

[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs/ffdc/...]
sourcetype = WebSphere:ServerExceptionLog
crcSalt =
disabled = 0
index = websphere

[monitor:///opt/WebSphere6-1/AppServer/profiles/AppSrv01/...]
whitelist = javacore.*/.txt$
crcSalt =
disabled = 0
index = websphere

0 Karma

Steve_W
New Member

OK, so I got it to work... but to make it work I had to change the whitelist; see below for details.

[monitor:///logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs/...]
whitelist = SystemOut.log|SystemErr.log|native_stdout.log|native_stderr.log
crcSalt =
disabled = 0
index = XXXX

0 Karma
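An added example, not code from the thread or from the SplunkWAS app: a Python check that runs the two whitelists exactly as they are shown in the posts above against constructed file paths, to see which files each monitor stanza would select before relying on it for log coverage. Python's `re` stands in for Splunk's regex engine here; the `server1` directory, the sample paths and the `TIGHTENED` pattern are assumptions.

```python
import re

# Whitelists exactly as they appear in the two posts above.
FIRST_POST = r"native./.log$|.Server/.log$|System./.log$|http_.*/.log$|/.pid$"
WORKING = r"SystemOut.log|SystemErr.log|native_stdout.log|native_stderr.log"
# Hypothetical tightened form (not from the thread): escaped dots, end anchor.
TIGHTENED = r"(SystemOut|SystemErr|native_std(out|err))\.log$"

BASE = "/logs/WebSphere6-1/AppServer/profiles/AppSrv01/logs"
# Constructed sample paths; "server1" is an assumed server directory name.
SAMPLE_PATHS = [
    f"{BASE}/server1/SystemOut.log",
    f"{BASE}/server1/SystemErr.log",
    f"{BASE}/server1/native_stdout.log",
    f"{BASE}/server1/native_stderr.log",
    f"{BASE}/server1/SystemOut.log.gz",
    f"{BASE}/server1/startServer.log",
]


def selected(whitelist, paths):
    """Return the paths a monitor whitelist would select.

    A monitor whitelist is an unanchored regex applied to the full file
    path, so re.search (not re.match) models it.
    """
    rx = re.compile(whitelist)
    return [p for p in paths if rx.search(p)]


def report(paths=SAMPLE_PATHS):
    """Map each whitelist name to the file names it selects."""
    whitelists = {
        "first_post": FIRST_POST,
        "working": WORKING,
        "tightened": TIGHTENED,
    }
    return {
        name: [p.rsplit("/", 1)[1] for p in selected(rx, paths)]
        for name, rx in whitelists.items()
    }


if __name__ == "__main__":
    for name, files in report().items():
        print(f"{name:10} -> {files or 'nothing selected'}")
```

The whitelist from the first post, as printed on this page, requires a literal `/` inside each file name and so selects none of the sample files, while the working one is unanchored and also picks up `SystemOut.log.gz`.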