Getting Data In

Where is the data for my monitor file var/log/zimbra.log file?

vumanhtai
Path Finder

I set up a monitor zimbra.log file, but I find it is missing the data pushed to the Splunk server compared to the actual file it has.
How do I have to deal with this problem?

0 Karma

ShaneNewman
Motivator

If I had to guess, I would say that you probably have the Splunk TA for linux installed, which monitors /var/log... This is a crap monitor stanza and is most likely causing a conflict with your monitor stanza. Add a blacklist to that /var/log monitor stanza for zimbra logs.

0 Karma

ShaneNewman
Motivator

If my theory is correct, you can search the os index for source=/var/log/zimbra.log and you will see data, unless you changed the name of the index from os to something else.

0 Karma

risgupta
Path Finder

Could you please help with Splunkd.log files for the Zimbra mail server where splunk is installed.

0 Karma

mayurr98
Super Champion

try putting crcSalt = abc in inputs.conf

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...