Forums: SplunkAdministration: Unable to index files




I am running Splunk 4.0.6 with a demo enterprise license and am having problems adding several syslog-generated files into Splunk.

I use syslog to store remote syslog streams from routers on our network.

I am trying to monitor all of these files:
-rw-r----- 1 root root 2522 2009-11-12 07:53 network-comwaves-cm-rtr-200911.log
-rw-r----- 1 root root 198699 2009-11-12 10:53 network-comwaves-i35-rtr-200911.log
-rw-r----- 1 root root 178 2009-11-11 01:33 network-volznet-140th-rtr-200911.log
-rw-r----- 1 root root 2972 2009-11-12 08:58 network-volznet-lh-rtr-200911.log
-rw-r----- 1 root root 489128 2009-11-12 10:53 VolzFirewall-200911.log
xeon1:/var/log/network #

I have created all of the data input files entries in the web interface:
Full path on server                                 | Set host       | Source type | Index     | Number of files | App
/var/log/network/network-comwaves-cm-rtr-*          | Constant Value | Automatic   | default   |                 | search
/var/log/network/network-comwaves-i35-rtr-*         | Constant Value | Automatic   | default   |                 | search
/var/log/network/network-volznet-140th-rtr-*        | Constant Value | Automatic   | default   |                 | search
/var/log/network/network\-comwaves\-i35\-rtr\-*     | Constant Value | Automatic   | default   |                 | search
$SPLUNK_HOME/etc/apps/sample_app/logs               | Constant Value | sendmail    | sample    | 2               | sample_app
$SPLUNK_HOME/var/log/splunk                         | Constant Value | Automatic   | _internal | 18              | system
/var/log/mail                                       | Constant Value | Automatic   | default   |                 | search
/var/log/messages                                   | Constant Value | Automatic   | default   |                 | search
/var/log/network/network-volznet-lh-rtr-*           | Constant Value | Automatic   | default   |                 | search
/var/log/network/VolzFirewall-*                     | Constant Value | Automatic   | default   | 1               | search

However, only the syslog messages, mail and VolzFirewall entries are working. I have tried on one entry ("i35-rtr") to use \- thinking the "-" might be a special character that needs to be escaped, but that did not help either.

Any directions to see what I'm doing wrong as to why these files aren't being indexed?

I see these are only readable by root and the root group, so Splunk does have to run as root. You can run "./splunk list monitor" on the command line to see if they are being monitored.

Oh, and finally, have you enabled the Unix app? If so, it's sending your logs into a non-default index, which you could see by querying "index=*". I thought they had stopped doing that to the /var/log files, but I see in my 4.0.5 that it's still doing that.
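As an added example (not from the thread), a small POSIX shell check that reads an `ls -l` listing like the one posted above and reports which files a given non-root account, such as the one splunkd runs as, could not read. The account name `splunk`, its group list, and the world-readable `messages` line are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: given an `ls -l` listing,
# work out which files a particular account could not read. Files that are
# 0640 root:root, as in the posted listing, cannot be read by a non-root
# splunkd unless that account is in the owning group.

# can_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# Prints "yes" or "no". root is assumed to read everything.
can_read() {
  mode=$1; owner=$2; group=$3; user=$4; membership=$5
  if [ "$user" = root ]; then echo yes; return 0; fi
  if [ "$user" = "$owner" ]; then
    bit=$(printf '%s' "$mode" | cut -c2)          # owner read bit
  elif printf ' %s ' "$membership" | grep -q " $group "; then
    bit=$(printf '%s' "$mode" | cut -c5)          # group read bit
  else
    bit=$(printf '%s' "$mode" | cut -c8)          # other read bit
  fi
  if [ "$bit" = r ]; then echo yes; else echo no; fi
}

# unreadable_files USER "GROUPS" < listing
# Reads `ls -l` lines on stdin and prints the names the account cannot read.
unreadable_files() {
  user=$1; membership=$2
  while read -r mode links owner group size d t name; do
    [ -n "$name" ] || continue                    # skip "total N" and blanks
    if [ "$(can_read "$mode" "$owner" "$group" "$user" "$membership")" = no ]; then
      echo "$name"
    fi
  done
}

# Constructed listing: two lines taken from the post, plus a world-readable
# "messages" line so the check has a readable case to pass.
LISTING='-rw-r----- 1 root root 2522 2009-11-12 07:53 network-comwaves-cm-rtr-200911.log
-rw-r----- 1 root root 489128 2009-11-12 10:53 VolzFirewall-200911.log
-rw-r--r-- 1 root root 1200 2009-11-12 10:53 messages'

# Hypothetical splunkd account "splunk" whose only group is "splunk".
printf '%s\n' "$LISTING" | unreadable_files splunk splunk
```

Pipe the real `ls -l /var/log/network` output into `unreadable_files` with the user and groups from `id`, or fix the reported files' group ownership or mode instead of running Splunk as root.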
