Hello Everyone,
We are trying to monitor log files on a server using the Splunk universal forwarder. The logs directory (say /logs/app3/Oct2015) is being monitored by Splunk forwarder.
**/opt/splunkforwarder/etc/system/local/inputs.conf :**
_Reference_: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Monitorfilesanddirectorieswithinputs.conf
```ini
[monitor:///logs/app3/Oct2015/]
sourcetype = access_common
ignoreOlderThan = 7d
recurse = true
_TCP_ROUTING = toLogAggregator
blacklist = /opt/splunkforwarder/...

[blacklist:/opt/splunkforwarder/...]
```
This is my output configuration:
**/opt/splunkforwarder/etc/system/local/outputs.conf :**
_Reference_: http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Configureforwarderswithoutputs.conf
```ini
[tcpout]
defaultGroup = toBeIgnored

# This target group will redirect events to Log aggregator listening on TCP socket.
[tcpout:toLogAggregator]
server = 10.20.176.207:9997
sendCookedData = false

[tcpout:toBeIgnored]
```
When I run the Splunk Universal Forwarder (v6.3), I am successfully able to monitor my logs directory, but Splunk is also sending me its own logs. I added a blacklist stanza to stop Splunk from monitoring and sending me its own logs, but no luck. My aggregator server is continuously receiving Splunk logs mixed with logs I am monitoring.
I added a TCP output group to drain events by default and explicitly marked my monitored directory to route logs using a different TCP group, but that also didn't work. Still getting bombarded with Splunk logs.
Does anyone know how to tell the Splunk forwarder not to monitor itself, but only the directory I have requested?
regards,
-Vipul;
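An added worked example, not part of the post above and not Splunk's own code. The forwarder's own logs are picked up by separate `[monitor://$SPLUNK_HOME/var/log/splunk...]` stanzas in `etc/system/default/inputs.conf`, and a `blacklist` regex inside a `[monitor://...]` stanza only filters files under that stanza's own path, so it cannot switch off a different stanza. Because `etc/system/local` overrides `etc/system/default` attribute by attribute within a stanza, the fix is to repeat the internal-log stanza names in the local `inputs.conf` with `disabled = true`. The script below models that layering and the `_TCP_ROUTING` / `defaultGroup` selection, then compares the routing for the configuration as posted with the routing after the fix. The `DEFAULT_INPUTS` text is a constructed approximation of the shipped defaults; in particular it assumes the `metrics.log` and `splunkd.log` stanzas carry `_TCP_ROUTING = *`, which would explain why a custom default group alone does not keep them away from `toLogAggregator`. The poster's truncated `blacklist` lines are left out.

```python
"""
Model of how a Splunk universal forwarder layers inputs.conf files and picks
a tcpout group per monitor input (added illustration, not Splunk code).
Rules modelled: local overrides default per attribute; a stanza whose
effective "disabled" is true is dropped; _TCP_ROUTING (or the [tcpout]
defaultGroup when unset) selects the group, and "*" means every group.
"""

# Constructed approximation of etc/system/default/inputs.conf for the
# forwarder's own logs.  Assumption: metrics.log and splunkd.log are shipped
# with _TCP_ROUTING = *, so they reach every tcpout group regardless of
# defaultGroup.
DEFAULT_INPUTS = """
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
index = _internal
_TCP_ROUTING = *
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = _internal
_TCP_ROUTING = *
"""

# The local stanza from the post (truncated blacklist lines omitted).
LOCAL_INPUTS_AS_POSTED = """
[monitor:///logs/app3/Oct2015/]
sourcetype = access_common
ignoreOlderThan = 7d
recurse = true
_TCP_ROUTING = toLogAggregator
"""

# Proposed fix for etc/system/local/inputs.conf: name the default stanzas
# and disable them; the local attribute wins over the default one.
LOCAL_INPUTS_FIXED = LOCAL_INPUTS_AS_POSTED + """
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
disabled = true
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true
"""

# outputs.conf as posted; the server-less toBeIgnored group is kept only to
# reproduce the routing described in the post.
OUTPUTS = """
[tcpout]
defaultGroup = toBeIgnored
[tcpout:toLogAggregator]
server = 10.20.176.207:9997
sendCookedData = false
[tcpout:toBeIgnored]
"""


def parse_conf(text):
    """Parse Splunk .conf syntax into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge parsed files from lowest to highest precedence (default, then local)."""
    effective = {}
    for layer in layers:
        for stanza, attrs in layer.items():
            effective.setdefault(stanza, {}).update(attrs)
    return effective


def enabled_monitors(inputs):
    """Monitor stanzas whose effective 'disabled' value is not true/1."""
    return {name: attrs for name, attrs in inputs.items()
            if name.startswith("monitor://")
            and attrs.get("disabled", "false").lower() not in ("true", "1")}


def routing_table(inputs, outputs):
    """Map each tcpout group to the enabled monitor stanzas that feed it."""
    default_group = outputs.get("tcpout", {}).get("defaultGroup", "")
    groups = [name.split(":", 1)[1] for name in outputs if name.startswith("tcpout:")]
    table = {group: [] for group in groups}
    for name, attrs in enabled_monitors(inputs).items():
        routing = attrs.get("_TCP_ROUTING", default_group)
        targets = groups if routing == "*" else [g.strip() for g in routing.split(",")]
        for group in targets:
            if group in table:
                table[group].append(name)
    return table


def effective_routing(local_inputs_text):
    """Routing table for the shipped defaults layered under a local inputs.conf."""
    inputs = merge_layers(parse_conf(DEFAULT_INPUTS), parse_conf(local_inputs_text))
    return routing_table(inputs, parse_conf(OUTPUTS))


if __name__ == "__main__":
    for label, local in (("as posted", LOCAL_INPUTS_AS_POSTED), ("with fix", LOCAL_INPUTS_FIXED)):
        print(f"== {label} ==")
        for group, sources in effective_routing(local).items():
            print(f"{group}: {sources or '(nothing)'}")
```

On a real forwarder, confirm the merged result with `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which prints every effective stanza together with the file it came from. Two caveats: disabling these inputs also removes the forwarder's `splunkd.log` and `metrics.log` from the `_internal` index on the receiving side, which is where forwarder health and troubleshooting data normally land, so keep that trade-off in mind; and `outputs.conf` also documents `forwardedindex.<n>.whitelist` / `blacklist` filters under `[tcpout]` as an index-based alternative, but those operate on parsed events, so check the `outputs.conf` spec for your version before relying on them with `sendCookedData = false`.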