With the default configuration collectorforlinux forwards logs from
/var/log folder, including syslog files, and journald logs.
When you need to configure forwarding from a custom location you can add additional sections in
# Input syslog(.\d+)? files [input.files::mylogs] # disable host level logs disabled = false # root location of log files path = /opt/myapp/logs # glob pattern glob = *.log # regex matching pattern (use it instead of glob pattern if you need more complicated filtering) # match = # limit search only on one level recursive = false # files are read using polling schema, when reach the EOF how often to check if files got updated pollingInterval = 250ms # how often o look for the new files under logs path walkingInterval = 5s # include verbose fields in events (file offset) verboseFields = false # override type (source type) type = linux_host_logs # specify Splunk index index = # regexp to specify the beginning of the event line eventPattern = # regexp field extraction extraction = # timestamp field (if field extraction is used) timestampField = # format for timestamp # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006` timestampFormat = Jan 2 15:04:05 # Adjust date, if month/day aren't set in format timestampSetMonth = false timestampSetDay = false # timestamp location (if not defined by format) timestampLocation = Local # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded) samplingPercent = -1 # sampling key for hash based sampling (should be regexp with the named match pattern `key`) samplingKey = # set output (splunk or devnull, default is [general]defaultOutput) output = # configure default thruput per second for for each container log # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded # from the single container to 128Kb per second. thruputPerSecond = # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events # older than 7 days tooOldEvents = # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future tooNewEvents =
Will be added in the future
- Start monitoring your linux environments in under 10 minutes.
- Automatically forward host logs and forwards system stats.
- Test our solution with the embedded 30 days evaluation license.
- Collector configuration reference.
- Configuration for logs forwarding for custom locations.
Configurations for Splunk HTTP Event Collector
- Configure multiple HTTP Event Collector endpoints for Load Balancing and Fail-overs.
- Secure HTTP Event Collector endpoint.
- Configure the Proxy for HTTP Event Collector endpoint.
- Release History
- FAQ and the common questions
- License agreement