Question: why is /var/log/messages not forwarded to the index?
UF: version 7.1.2, RHEL 6.10
/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf
[monitor:///var/log]
disabled = false
index = linuxlog
sourcetype = syslog
etc/apps/_server_app_linux-server/local/app.conf
# Autogenerated file
[install]
state = enabled
splunk list monitor
Monitored Directories:
...
/var/log
...
/var/log/messages
/var/log/messages-20180805
/var/log/messages-20180812
/var/log/messages-20180819
/var/log/messages-20180826
ll /var/log/messages
-rw-r-----+ 1 root root 1160093 Aug 30 12:07 /var/log/messages
-rw------- 1 root root 653 Aug 5 02:37 /var/log/messages-20180805
-rw------- 1 root root 580 Aug 12 02:05 /var/log/messages-20180812
-rw------- 1 root root 19310 Aug 19 02:42 /var/log/messages-20180819
Search head version 7.1.2 CentOS 7.5.1804
search: index="linuxlog" source="/var/log/messa*"
There is no "/var/log/messages" in sources!
Hi dmpopof,
I don't know why you don't have logs from the messages file, but I suggest modifying your inputs.conf file to:
[monitor:///var/log/messages]
disabled = false
index = linuxlog
sourcetype = syslog
This way you're sure to have only the latest logs and not the oldest.
If you also want the oldest (but I see that you already have them), you could use
[monitor:///var/log/messages*]
Bye.
Giuseppe
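Given the permission bits in the question's `ll` output (`-rw-r-----+` on /var/log/messages, `-rw-------` on the rotated copies), a check worth running on the forwarder host is whether the account splunkd runs as can actually read each file the monitor stanza matches. This is an added example, not code from either post; it assumes the forwarder user is `splunk` (the question does not say which account runs the UF) and that `sudo` is available.

```sh
#!/bin/sh
# Added example: list the files a [monitor://PATH] stanza path would match and
# test readability as the forwarder's user. Log paths are assumed to contain no
# spaces (true for /var/log/messages*).

# Print the regular files matched by a monitor path; PATTERN may end in '*'
# (e.g. /var/log/messages*), which the shell expands like Splunk's wildcard.
monitor_files() {
    pattern=$1
    for f in $pattern; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Return 0 if USER can read every file matched by PATTERN, 1 otherwise.
# Uses sudo -u only when USER differs from the current account, so the
# function can also be run directly from the forwarder's own shell.
check_readable() {
    user=$1; pattern=$2; rc=0
    if [ "$user" = "$(id -un)" ]; then as_user=""; else as_user="sudo -u $user"; fi
    for f in $pattern; do
        [ -f "$f" ] || continue
        if $as_user test -r "$f"; then
            printf 'readable   %s\n' "$f"
        else
            printf 'UNREADABLE %s\n' "$f"; rc=1
        fi
    done
    return $rc
}

# Usage on the forwarder host (assumed user "splunk"; adjust to the account
# shown for splunkd in `ps -ef`):
#   check_readable splunk '/var/log/messages*'
```

A file reported UNREADABLE will appear in `splunk list monitor` (the path is matched) yet never produce events; compare the ACL shown by `getfacl` for the `+` entry against the forwarder's account.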