Splunk works only for sourcetype "squid", my logs currently are "Access-11", how do I change that?
I don't have an inputs.conf in my /opt/splunk/etc/apps/Splunkforsquid/local directory.
Anyone know why?
Thank you very much!!!!!
After a restart of Splunk it works now.
First of all, thanks for your help!!
I made the inputs.conf now, but I still see "no results".
Do I need to restart anything?
That's your squid configuration, not your Splunk configuration.
I take it you haven't added the Squid logs as an input in Splunk. As a start, putting this in an inputs.conf (for instance in /opt/splunk/etc/apps/SplunkforSquid/local) should get you going:
[monitor:///var/log/squid]
disabled = false
sourcetype = squid
Where do I see this?
This is what I see in my squid.conf:
access_log /var/log/squid/access.log squid
What sourcetype do you have for your Squid logs? You need to set this sourcetype to "squid", or at least create a sourcetype alias so that a search for 'sourcetype="squid"' will give results from the Squid logs.
But what do I have to adjust?
I think I am not really understanding it.
When I go to the splunkforsquid page it shows "no results found".
My log files are in /var/log/squid/ and are called access.log and access.log.2.gz, 3 and so on, up to access.log.5.gz.
Can you please help me?
I would really like to get this working, because the web proxy report for ClearOS does not have a lot of information.
There should be no inputs.conf in your local directory. In fact Splunk for Squid doesn't have its own inputs.conf at all. Rather it assumes that there is already an input setup with sourcetype "squid" and uses this sourcetype to find the Squid logs.
The easiest way to fix the problem is to change the sourcetype, as ageld explains in the answer above.
One drawback with just changing the sourcetype is that it won't affect already indexed data, so data that is already indexed will still not be viewable in the Splunk for Squid app. To remediate this, you can rename the "Access-11" sourcetype to "squid" at search time.
In props.conf:
[Access-11]
rename = squid
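The two answers above describe two ways for the app's search for sourcetype="squid" to return Squid events: tag the data at input time (the inputs.conf stanza) or rename the existing sourcetype at search time (the props.conf stanza). The following added example, which is not from the thread or from the Splunk for Squid app, parses inputs.conf and props.conf text and reports which of the two applies; the sample stanzas and the default log path are constructed assumptions.

```python
import configparser
from typing import Dict


def _parse(conf_text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-style; keep key case (e.g. followTail) and ignore '%' interpolation
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "t", "yes", "y", "on")


def squid_sourcetype_check(inputs_text: str, props_text: str,
                           log_path: str = "/var/log/squid/access.log") -> Dict[str, object]:
    """Report how (if at all) events from log_path end up under sourcetype="squid"."""
    result: Dict[str, object] = {"input_sourcetype_ok": False, "renamed_from": []}
    inputs = _parse(inputs_text)
    for section in inputs.sections():
        if not section.startswith("monitor://"):
            continue
        path = section[len("monitor://"):].rstrip("/")
        # the monitor stanza must cover the file (exact match or a parent directory)
        covers = log_path == path or log_path.startswith(path + "/")
        enabled = not _is_true(inputs.get(section, "disabled", fallback="0"))
        if covers and enabled and inputs.get(section, "sourcetype", fallback="") == "squid":
            result["input_sourcetype_ok"] = True
    props = _parse(props_text)
    # search-time rename: a [OldSourcetype] stanza with "rename = squid"
    result["renamed_from"] = sorted(
        s for s in props.sections() if props.get(s, "rename", fallback="") == "squid")
    return result


# Constructed sample configs mirroring the stanzas quoted in the answers
INPUTS_OK = """
[monitor:///var/log/squid]
disabled = false
sourcetype = squid
"""
INPUTS_WRONG = """
[monitor:///var/log/squid/access.log]
sourcetype = Access-11
"""
PROPS_RENAME = """
[Access-11]
rename = squid
"""

if __name__ == "__main__":
    print(squid_sourcetype_check(INPUTS_OK, ""))               # tagged correctly at input time
    print(squid_sourcetype_check(INPUTS_WRONG, PROPS_RENAME))  # relies on the search-time rename
```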
How did you define the data input for this log? Is Splunk reading a local Squid log file? If that is the case, modify the file inputs.conf under the <splunk_directory>/etc/apps/<Splunk_for_squid>/local directory:
[monitor:///var/log/<squidlogfilename>]
disabled = false
# followTail = 0 indexes the existing contents of the file, not only lines appended after the input is added
followTail = 0
sourcetype = squid