Hello All,
We have a Splunk server set up for monitoring our Cisco WSA server using the *"Cisco Web Security Advanced Reporting"* add-on, which is currently the only source sending files to this Splunk server.
The Splunk server has been filled to capacity and the partition where we store its logs is at 100%. So it seems like log rotation was never set up.
I read the info at this link below, but I now have a few questions regarding it.
----> [http://docs.splunk.com/Documentation/Splunk/4.1.7/Admin/Howlogfilerotationishandled][1]
Since Splunk does not have a built-in log rotation method, I assume we use the native Linux file rotation method on the server (syslog-ng, I believe?). Is that correct?

```
# splunk --version
Splunk 6.2.2 (build 255606)
#
# syslog-ng --version
syslog-ng 2.0.9
# cat /etc/*release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3
```
I also read that you can either blacklist the compressed file format output by the log rotation, or move the files to a new directory, to prevent duplicate data from being produced.

```
blacklist = \.(gz|bz2|z|zip)$
```

What config file do I add the blacklist configuration option to?
Also, what should I configure syslog-ng to for the log rotation? Is there a recommended configuration for this?
Thanks in Advance,
Matt
[1]: http://docs.splunk.com/Documentation/Splunk/4.1.7/Admin/Howlogfilerotationishandled