Deployment Architecture

Why heavy forwarder with DB Connect is sending logs with source type dbmon:spool, not sm_access?

justin_deutsch
Explorer

Hi,

I'm having some problems with DB Connect installed on a Heavy Forwarder. The logs appear to be shipped to the indexer, but they are being shipped with a source type of dbmon:spool not sm_access as defined in the configuration. Other log files being shipped through (i.e. not from the forwarder itself) the forwarder are being received correctly. The inputs.conf configuration is below.

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://server_db/very_long_title-Test]
host = server2
index = tst_index_name
interval = 2 * * * *
output.format = kv
output.timestamp = 0
sourcetype = sm_access
table = smaccesslog4
tail.rising.column = db_TIMESTAMP

NB: The inputs.conf has been modified a little to remove sensitive information.

I am getting an error in the serverclass.conf, when I go to the Forwarder Management page on the forwarder. I can't see any errors in the file, but I've only just started playing with Splunk so I could very well be missing something.

[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

stateOnClient = enabled

restartSplunkWeb = False
restartSplunkd = False

continueMatching = true
endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$senter code hereerverClassName$:$appName$

Has anyone got any ideas on what might be going on?

Thanks,

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...