Hello
I have some directories that I need to monitor. Using updated inputs for the TA_nix app, I am adding syslog/linux:audit data in specific paths. It mostly works as expected BUT I had a few outliers.
Here's the basic directory structure:
/var/log is standard BUT the messages coming from other hosts go to the path
/var/log/remote
In this path are the 2 types of logs, syslog and linux:audit, as well as .bz2 files, which we never want indexed from any path.
/var/log/remote/202/02//messages/
/var/log/remote/202/02//audisp/
Within each of these is an archive directory as well; it contains files being written to and .bz2 files, which we never want indexed from any path.
/var/log/remote/202/02//messages/archive/
/var/log/remote/202/02//audisp/archive/
So the inputs I created look like this:

# local logs on the forwarder itself
[monitor:///var/log]
whitelist = (\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist = (lastlog|anaconda\.syslog|\.bz2$|audisp|_audisp\.log|audisp\.log-)
index = nix_os
disabled = 0

# remote syslog (messages) files under the per-site tree
[monitor:///var/log/remote/*]
whitelist = (messages|_messages\.log|_messages\.log-)
blacklist = (\.bz2$|audisp|_audisp\.log|audisp\.log-)
index = nix_os
sourcetype = syslog
disabled = 0
recursive = true

# remote audisp (linux:audit) files under the per-site tree
[monitor:///var/log/remote/*]
whitelist = (audisp|_audisp\.log|audisp\.log-)
blacklist = (\.bz2$|messages|_messages\.log)
index = nix_os
sourcetype = linux:audit
disabled = 0
recursive = true
What I have found is that there are files with the sourcetype set to the filename, whereas it should be either syslog or linux:audit. Since the path is:
/var/log/remote/2020/02/corp/messages/archive/hostname.domain.com_messages.log-20200206
got the sourcetype set to the file name:
hostname.domain.com_messages.log-20200206
Also these did not index:
/var/log/remote/2020/02/corp2/audisp/archive/:
_messages_audisp.log-20200204
_messages_audisp.log-20200205
_messages_audisp.log-20200206
Can anyone tell me:
1. Why did the messages file
hostname1234.domain.com_messages.log-20200206
get the sourcetype set to the file name (some are set to "too-small" as well)
sourcetype=hostname1234.domain.com_messages or sourcetype=hostname1234.domain.com_messages-too_small
2. Why didn't the /audisp directory and the corresponding files index? For example:
/var/log/remote/2020/02/corp2/audisp/archive/_messages_audisp.log-20200204
Thanks for your assistance
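As an added example (not from the poster), the script below applies Splunk's monitor filtering rule, where whitelist and blacklist are each tested against the full file path and a blacklist match takes precedence, to paths shaped like the ones in the post, first with the linux:audit stanza's regexes exactly as posted and then with a corrected pair. The sample paths and the "fixed" regexes are my own assumptions about the intended layout.

```python
import re

# Constructed sample paths following the directory layout described in the post.
SAMPLE_PATHS = [
    "/var/log/remote/2020/02/corp/messages/archive/hostname.domain.com_messages.log-20200206",
    "/var/log/remote/2020/02/corp2/audisp/archive/_messages_audisp.log-20200204",
    "/var/log/remote/2020/02/corp2/audisp/archive/_messages_audisp.log-20200204.bz2",
]

# Regexes exactly as posted in the linux:audit stanza. Note that \a is the BEL
# control character in PCRE and in Python's re, so the third whitelist
# alternative can never match a real file name.
POSTED_WHITELIST = r"(audisp|\_audisp.log|\audisp.log\-)"
POSTED_BLACKLIST = r"(\.bz2$|messages|\_messages\.log)"

# Corrected regexes (assumed intent): escape the dot, drop the stray \a, and
# blacklist the messages *directory* rather than the substring "messages",
# which also occurs inside the audisp file names (_messages_audisp.log-...).
FIXED_WHITELIST = r"(/audisp/|_audisp\.log)"
FIXED_BLACKLIST = r"(\.bz2$|/messages/)"


def monitor_decision(path, whitelist, blacklist):
    """Mimic Splunk's [monitor://] filtering: both regexes are tested against
    the full path, and a blacklist match wins over a whitelist match."""
    if blacklist and re.search(blacklist, path):
        return "blacklisted"
    if whitelist and not re.search(whitelist, path):
        return "not-whitelisted"
    return "indexed"


def decisions(whitelist, blacklist, paths=SAMPLE_PATHS):
    """Return {file name: decision} for each sample path."""
    return {p.rsplit("/", 1)[1]: monitor_decision(p, whitelist, blacklist)
            for p in paths}


def bel_alternative_matches(name):
    """True only if the posted \\audisp.log\\- alternative matches; it never does."""
    return re.search(r"\audisp.log\-", name) is not None


if __name__ == "__main__":
    for label, wl, bl in (("posted", POSTED_WHITELIST, POSTED_BLACKLIST),
                          ("fixed", FIXED_WHITELIST, FIXED_BLACKLIST)):
        print(label)
        for name, verdict in decisions(wl, bl).items():
            print(f"  {verdict:16} {name}")
```

With the posted regexes every audisp archive file is blacklisted by the bare `messages` alternative, which matches the `_messages_audisp` prefix of the file name itself.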