Hi. At Splunk's recommendation, I have a centralized syslog server (using rsyslog) that writes to /logs/hostname/year/month/day/file.log
This works fine.
However, I cannot get the Universal Forwarder to send the events to the Splunk Indexer. I added my stanza to /opt/splunkforwarder/etc/system/local/inputs.conf. When that didn't work, I created an app and put the stanza into /opt/splunkforwarder/etc/apps/syslog/local/inputs.conf
Didn't work.
Here is my stanza:
[monitor:///logs/*]
disabled = false
host_segment = 2
index = main
sourcetype = syslog
That looks straightforward to me.
I checked the Splunk logs on the Indexer and there's no sign that it's ever receiving these events.
In the UF logs I see that it has added a watch to /logs:
INFO TailingProcessor - Parsing configuration stanza: monitor:///logs/*.
INFO TailingProcessor - Adding watch on path: /logs.
I have verified that the port is open between the UF and the Indexer.
Indexer is running 7.2.4 and UF is running 7.1.2.
Am I missing something?
Thank you in advance!
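One thing worth checking against the stanza above is what host value `host_segment = 2` actually yields for files under /logs/hostname/year/month/day/file.log, since a forwarder that matches the path but derives an unexpected host (or no host) is easy to miss when hunting for events on the indexer. The script below is an added example, not code from the original question or from Splunk: it reads a constructed copy of the poster's stanza, applies Splunk's documented host_segment rule (the Nth path segment, 1-based, counting from the first component after the root slash) to some constructed sample paths, and flags the edge case of a file sitting directly under /logs, where segment 2 would be the file name itself. The wildcard matching in `monitor_matches` is a simplified emulation (an assumption) of Splunk's behaviour, not the TailingProcessor's own matcher.

```python
"""Emulate Splunk's host_segment host derivation for a monitor stanza.

Added example, not part of the original post. The stanza and sample paths
below are constructed inputs; the matching logic is a simplified emulation
(assumption) of Splunk's TailingProcessor, written to show which host value
the forwarder would assign to each file.
"""
import configparser
import fnmatch
from typing import Dict, List, Optional

# Constructed copy of the stanza from the question.
INPUTS_CONF = """
[monitor:///logs/*]
disabled = false
host_segment = 2
index = main
sourcetype = syslog
"""

# Constructed sample paths in the layout the rsyslog template writes.
SAMPLE_PATHS = [
    "/logs/web01/2019/02/14/messages.log",
    "/logs/db02/2019/02/14/auth.log",
    "/logs/orphan.log",  # a file dropped directly under /logs
]


def parse_monitor_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {monitored_path: settings} for every [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    stanzas = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            stanzas[section[len("monitor://"):]] = dict(cp[section])
    return stanzas


def host_from_segment(path: str, host_segment: int) -> Optional[str]:
    """Apply the host_segment rule: segment N of the path, 1-based, counting
    from the first component after the root '/'.

    Returns None when the path has no segment N, or when segment N is the
    file name itself (this script's own choice, to make that case visible)."""
    parts = path.strip("/").split("/")
    if host_segment < 1 or host_segment > len(parts) - 1:
        return None
    return parts[host_segment - 1]


def monitor_matches(monitor_path: str, file_path: str) -> bool:
    """Simplified emulation (assumption): each wildcard in the stanza path
    matches one path segment, and anything below a matched directory is
    included because Splunk monitors directories recursively."""
    pattern_parts = monitor_path.strip("/").split("/")
    file_parts = file_path.strip("/").split("/")
    if len(file_parts) < len(pattern_parts):
        return False
    return all(fnmatch.fnmatchcase(f, p)
               for f, p in zip(file_parts, pattern_parts))


def derive_hosts(inputs_conf: str, paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each sample path to the host the stanza would assign, or None."""
    result: Dict[str, Optional[str]] = {}
    for monitor_path, settings in parse_monitor_stanzas(inputs_conf).items():
        if settings.get("disabled", "false").strip().lower() == "true":
            continue
        seg = int(settings.get("host_segment", "0"))
        for p in paths:
            if monitor_matches(monitor_path, p):
                result[p] = host_from_segment(p, seg) if seg else None
    return result


if __name__ == "__main__":
    for path, host in derive_hosts(INPUTS_CONF, SAMPLE_PATHS).items():
        print(f"{path} -> host={host}")
```

For the two paths in the expected layout this yields `web01` and `db02`, confirming that `host_segment = 2` is the right value for /logs/hostname/...; the stray /logs/orphan.log case comes back with no usable host, which is the kind of file worth looking for if events seem to vanish on the indexer side.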