
Why heavy forwarder with DB Connect is sending logs with source type dbmon:spool, not sm_access?

justin_deutsch
Explorer

Hi,

I'm having some problems with DB Connect installed on a Heavy Forwarder. The logs appear to be shipped to the indexer, but they are being shipped with a source type of dbmon:spool, not sm_access as defined in the configuration. Other log files being shipped through the forwarder (i.e. not originating from the forwarder itself) are being received correctly. The inputs.conf configuration is below.

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://server_db/very_long_title-Test]
host = server2
index = tst_index_name
interval = 2 * * * *
output.format = kv
output.timestamp = 0
sourcetype = sm_access
table = smaccesslog4
tail.rising.column = db_TIMESTAMP

NB: The inputs.conf has been modified a little to remove sensitive information.

I am getting an error in the serverclass.conf, when I go to the Forwarder Management page on the forwarder. I can't see any errors in the file, but I've only just started playing with Splunk so I could very well be missing something.

[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

stateOnClient = enabled

restartSplunkWeb = False
restartSplunkd = False

continueMatching = true
endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$serverClassName$:$appName$

Has anyone got any ideas on what might be going on?

Thanks,


mchang_splunk
Splunk Employee

Hi Justin,

DB Connect stores dbmon-tail and dbmon-dump events in files named *.dbmonevt, which are indexed by the batch stanza in the dbx inputs.conf.
The metadata such as host and sourcetype is stored in the first line of each *.dbmonevt file, which needs props.conf to parse it into the right sourcetype, host, etc.

The root cause of this issue should be that props.conf is not being applied properly.
Please check whether it's really configured as a heavy forwarder or as a lightweight forwarder.

If it's a lightweight forwarder, you may be able to fix this issue by installing the DB Connect app on the indexer so that it can parse *.dbmonevt.

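To make the accepted answer concrete, here is an added illustrative model (not code from Splunk, DB Connect, or either poster) of why the events arrive as dbmon:spool. The batch input assigns its own sourcetype to the whole spool file; only a parsing stage that reads the file's metadata header (what props.conf does on a heavy forwarder or indexer with the dbx app installed) rewrites sourcetype, host and index from that header. The header layout and the sample events below are constructed assumptions for demonstration, not DB Connect's real *.dbmonevt format.

```python
"""Model of the spool-file pipeline from the answer above.

Assumption (not DB Connect's actual format): the first line of a spool
file holds key=value metadata, and every following line is one event.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample spool file with one metadata header line and two events.
SAMPLE_DBMONEVT = """host=server2 sourcetype=sm_access index=tst_index_name
ts=2022-11-01T10:00:00 user=alice action=login status=200
ts=2022-11-01T10:00:05 user=bob action=login status=401
"""

# What the [batch://...] stanza assigns when nothing else rewrites it.
BATCH_DEFAULTS: Dict[str, str] = {
    "sourcetype": "dbmon:spool",
    "host": "hf01",          # constructed forwarder hostname
    "index": "main",
}


@dataclass
class Event:
    raw: str
    sourcetype: str
    host: str
    index: str


def parse_header(line: str) -> Dict[str, str]:
    """Extract the metadata fields we care about from the header line."""
    meta: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key in ("host", "sourcetype", "index"):
            meta[key] = value
    return meta


def ingest(spool_text: str, parsing_stage_available: bool) -> List[Event]:
    """Turn a spool file into events.

    parsing_stage_available=True models a heavy forwarder/indexer with the
    dbx props.conf in place: the header is consumed and its metadata wins.
    False models a lightweight forwarder: the file is forwarded as-is and
    every line, header included, keeps the batch stanza's metadata.
    """
    lines = spool_text.splitlines()
    if not lines:
        return []
    meta = dict(BATCH_DEFAULTS)
    if parsing_stage_available:
        meta.update(parse_header(lines[0]))
        body = lines[1:]
    else:
        body = lines
    return [Event(raw=line, **meta) for line in body if line.strip()]


def observed_sourcetypes(spool_text: str, parsing_stage_available: bool) -> List[str]:
    """Distinct sourcetypes a search would see for this file."""
    return sorted({e.sourcetype for e in ingest(spool_text, parsing_stage_available)})


def diagnose(spool_text: str, parsing_stage_available: bool) -> str:
    """Reproduce the reasoning in the answer: if the batch sourcetype leaks
    through, the metadata header was never parsed."""
    seen = observed_sourcetypes(spool_text, parsing_stage_available)
    if seen == [BATCH_DEFAULTS["sourcetype"]]:
        return "header not parsed: check forwarder type / props.conf on the parsing tier"
    return "header parsed: sourcetype " + ", ".join(seen)


if __name__ == "__main__":
    for has_parser in (True, False):
        print(f"parsing stage available={has_parser}: "
              f"{observed_sourcetypes(SAMPLE_DBMONEVT, has_parser)} -> "
              f"{diagnose(SAMPLE_DBMONEVT, has_parser)}")
```

Running the script shows the two outcomes side by side: with the parsing stage the events carry sm_access, host server2 and index tst_index_name from the header; without it every line, including the header, is indexed as dbmon:spool, which is exactly the symptom in the question.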

