Hi,
I encountered a problem today with several universal forwarders, and it never happened before we updated to version 6.5.0. Also, we didn't change our logrotate configuration.
My problem:
After the logrotate of the file /var/log/messages, the forwarder doesn't see new events in the file.
Habitually, when log rotation happens, I have these messages in the file splunkd.log:
11-13-2016 03:10:15.104 +0100 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/var/log/messages'.
11-13-2016 03:10:15.104 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/var/log/messages'.
On 11-20-2016, I don't have any log message for this file.
We've checked the file headers (256 first bytes) and they are necessarily different because the log date is there.
After restarting the splunkforwarder, the file is indexed correctly again.
The configuration of the inputs:
[monitor:///var/log/messages*]
sourcetype = syslog
I have no idea what happened on this forwarder, or how I could go about solving it.
Do you have any idea?
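The two splunkd.log lines quoted in the post ("Checksum for seekptr didn't match" and "Will begin reading at offset=0") describe a head-fingerprint scheme: the monitor remembers a checksum of the first 256 bytes of each file plus the offset it has already consumed, and a changed head means a different file now carries the name. The script below is an added example, not the Splunk forwarder's code; it is a simplified model of that scheme (the 256-byte head length is taken from the post, the sample syslog lines, temp directory and the rename-and-create rotation are constructed here). It shows the normal rotation case the poster expects, and the one case the scheme cannot see: a rotated file whose first 256 bytes happen to match the old one.

```python
# Added example (not the Splunk forwarder's code): a simplified model of how a
# file monitor keeps a seek pointer per file and fingerprints the file's head
# (the first HEAD_LEN bytes) to tell "same file, more data" from "rotated file".
import os
import tempfile
import zlib

HEAD_LEN = 256  # assumption: the 256-byte header the post refers to


def head_crc(path):
    """CRC32 of the first HEAD_LEN bytes; the file's fingerprint."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read(HEAD_LEN)) & 0xFFFFFFFF


class Tracker:
    """Per-file state: head fingerprint plus the offset already consumed."""

    def __init__(self, path):
        self.path = path
        self.crc = None        # unknown until the file holds HEAD_LEN bytes
        self.offset = 0
        self.seen = False
        self.events = []       # decision trail, one entry per poll

    def poll(self):
        """Read whatever is new since the last poll and return it as lines."""
        size = os.path.getsize(self.path)
        crc = head_crc(self.path) if size >= HEAD_LEN else None
        if not self.seen:
            decision = "new file, reading from offset=0"
            self.offset = 0
        elif self.crc is not None and crc is not None and crc != self.crc:
            # the head changed under us: a different file now has this name
            decision = "checksum mismatch, re-read entire file"
            self.offset = 0
        elif size < self.offset:
            # copytruncate-style rotation: same name, content cut back
            decision = "file shrank, re-read entire file"
            self.offset = 0
            self.crc = None
        else:
            decision = "continue at offset=%d" % self.offset
        self.seen = True
        if crc is not None:
            self.crc = crc
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        self.offset += len(data)
        self.events.append(decision)
        return data.decode().splitlines()


def _syslog_lines(day, base_pid):
    # constructed sample events, 75 bytes each including the newline
    return ["%s 03:00:%02d host1 sshd[%d]: Accepted publickey for ops from 10.0.0.%d"
            % (day, i, base_pid + i, i) for i in range(5)]


def simulate_rotation(same_head):
    """Write a log, poll it, rotate it the way logrotate does by default
    (rename the old file aside, create a new one), write to the new file,
    poll again. Returns (decision trail, lines from poll 1, lines from poll 2).

    same_head=False: the new file starts with different text (new date), so
    its fingerprint differs and the tracker restarts at offset 0.
    same_head=True: the new file happens to begin with the same 300 bytes as
    the old one (its first four lines), so the fingerprint matches, the old
    offset is kept, and the first genuinely new line is silently skipped.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages")   # stands in for /var/log/messages
    old = _syslog_lines("Nov 13", 1000)
    new = _syslog_lines("Nov 20", 2000)
    with open(path, "w") as f:
        f.write("\n".join(old) + "\n")
    tracker = Tracker(path)
    first = tracker.poll()
    os.rename(path, path + ".1")                  # logrotate moves the old file
    content = (old[:4] + new) if same_head else new
    with open(path, "w") as f:                    # and a fresh file takes its place
        f.write("\n".join(content) + "\n")
    second = tracker.poll()
    return tracker.events, first, second


if __name__ == "__main__":
    for same_head in (False, True):
        events, _, second = simulate_rotation(same_head)
        print("same_head=%s -> %s; %d lines read after rotation"
              % (same_head, events[1], len(second)))
```

The model does not explain why the poster's forwarder logged nothing at all on 11-20 (that needs the forwarder's own diagnostics), but it shows what a healthy rotation looks like in terms of the two log lines quoted above, and that a head fingerprint alone is blind to a rotated file with an identical head; Splunk's inputs.conf covers that case with crcSalt (and initCrcLength to widen the fingerprint).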