Getting Data in from SYSLOG / File Monitor- Am I missing something?

dasadmin
Explorer

Hello

We are running Enterprise 8.2.6 (Windows Server).  We use a product called Fastvue Syslog Server on another Windows Server as a central Syslog server.  

Fastvue Syslog writes out the syslogs into folders such as:

D:\Logs\Syslog\Logs\switch\x.x.x.x\x.x.x.x-YYYY-MM-DD.log
D:\Logs\Syslog\Logs\esx\x.x.x.x\x.x.x.x-YYYY-MM-DD.log

(where x.x.x.x is the syslog client ip address)

The Syslog Server has the Splunk Universal Forwarder installed and is configured to output Windows Event Logs.

The inputs.conf file has the following added in addition to the eventlogs:

[monitor://D:\Logs\Syslog\Logs\switch\*]
sourcetype = syslog-switch
disabled = false

[monitor://D:\Logs\Syslog\Logs\esx\*]
sourcetype = syslog-esx
disabled = false

On the Splunk Indexer, we can see event logs from the Windows Server, but we are not seeing any syslog messages from the logged files?

Am I missing something?

Thanks in advance.

PickleRick
SplunkTrust

Globbing rules of monitor inputs can be tricky.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#MONITOR:

I'd point the input to the whole directory (without wildcards) and set the whitelist to *.log files. (If you don't have any other files in those directories, you can skip the whitelist altogether.)

[monitor://D:\Logs\Syslog\Logs\switch]
sourcetype = syslog-switch
disabled = false
whitelist = .*\.log

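A small check of the whitelist part of the stanza above, added here as an example and not code from the thread or from Splunk: it shows that `whitelist` takes a regular expression rather than a shell glob, and that an unanchored pattern like `.*\.log` also catches rotated `.log.gz` files, while `\.log$` does not. The file names and client IPs are constructed, and the whitelist is assumed to be an unanchored search against the full path.

```python
import os
import re

# Constructed sample of the file names Fastvue Syslog writes, in the
# layout described in the question (the client IPs are made up).
SAMPLE_FILES = [
    r"D:\Logs\Syslog\Logs\switch\10.0.0.5\10.0.0.5-2024-12-01.log",
    r"D:\Logs\Syslog\Logs\switch\10.0.0.6\10.0.0.6-2024-12-01.log",
    r"D:\Logs\Syslog\Logs\switch\10.0.0.6\10.0.0.6-2024-12-01.log.gz",
    r"D:\Logs\Syslog\Logs\switch\.fastvue-state",
]


def is_valid_whitelist(whitelist):
    """True if the string compiles as a regex. A shell glob such as
    '*.log' does not, because the leading '*' has nothing to repeat."""
    try:
        re.compile(whitelist)
        return True
    except re.error:
        return False


def whitelist_matches(whitelist, paths):
    """Apply an inputs.conf-style whitelist: a regex searched against
    the full path of each candidate file (assumed unanchored)."""
    rx = re.compile(whitelist)
    return [p for p in paths if rx.search(p)]


def walk_monitor_dir(root):
    """List every file beneath a directory recursively, giving the
    full path that the whitelist would be tested against."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return found


if __name__ == "__main__":
    print(is_valid_whitelist("*.log"))                  # glob, not a regex
    print(whitelist_matches(r".*\.log", SAMPLE_FILES))  # includes .log.gz
    print(whitelist_matches(r"\.log$", SAMPLE_FILES))   # only live .log files
```

Run `walk_monitor_dir(r"D:\Logs\Syslog\Logs\switch")` on the forwarder host and feed the result to `whitelist_matches` to see which real files a given pattern selects.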
venky1544
Builder

Hi @dasadmin

It seems you have missed defining the index parameter in inputs.conf, where the logs should be written:

index = abc 


Note:- if it helps karma points are appreciated/if it resolves solution acceptance is appreciated 

dasadmin
Explorer

Hello

Thanks for the reply.

I was looking at https://docs.splunk.com/Documentation/Splunk/8.2.6/admin/Inputsconf and under GLOBAL SETTINGS it says:

index = <string>
* Sets the index to store events from this input.
* Primarily used to specify the index to store events that come in through
  this input stanza.
* Default: main (or whatever you have set as your default index)

So I wasn't sure I needed to add anything? Also, when I installed the Universal Forwarder on the Windows Server where the Syslog files are, I added a path to the folder to monitor, and this did not add an index tag either?

However, I'll give it a try and see if adding the index tag works.

Thanks

DAS Admin

venky1544
Builder

Hi @dasadmin

Without the index name (the index should exist) it would direct the events either to the main index or to the default index in your settings. It is important to define the index for any input source.

thanks
