https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325416#M38945 <P>Have a look at Splunk TA-nix: <A href="https://splunkbase.splunk.com/app/833/">https://splunkbase.splunk.com/app/833/</A></P> <P>This also includes a sample inputs.conf file if I recall correctly. That should give some inspiration (although likely needs tuning for the specific files as they exist on your linux box(es). That should also point you at what sourcetype to use.</P> <P>But (assuming you have a splunk forwarder installed on the linux box(es)) basically you just need to create some file monitor inputs, see <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf">inputs.conf reference documentation</A> for syntax.</P> Wed, 24 Jan 2018 09:00:58 GMT FrankVl 2018-01-24T09:00:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325415#M38944 <P>Hello All,</P> <P>I'm new to linux. I have experience using the deployment server and creating my own apps in Splunk to receive information sent to the index of my choice. I have a new requirement to fetch some linux data where I'm not too familiar and would like some assistance on the basic syntax for the deployment apps. Can someone please provide syntax examples for the deployment apps for the logs specified below so I can familiarize myself.</P> <P>var/log/messages</P> <P>var/log/secure</P> <P>var/log/boot.log</P> <P>var/log/yum.log</P> <P>var/log/audit/(all files)</P> <P>var/log/sa/(all files)</P> <P>var/log/firewalld</P> <P>I have the tomcat app however that setup process seems to be different and doesn't support deployment apps. </P> <P>Please let me know if there are other apps I can use to make this process easier or if creating my own apps are best. Thank you!</P> Tue, 23 Jan 2018 21:38:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325415#M38944 Jarohnimo 2018-01-23T21:38:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325416#M38945 <P>Have a look at Splunk TA-nix: <A href="https://splunkbase.splunk.com/app/833/">https://splunkbase.splunk.com/app/833/</A></P> <P>This also includes a sample inputs.conf file if I recall correctly. That should give some inspiration (although likely needs tuning for the specific files as they exist on your linux box(es). That should also point you at what sourcetype to use.</P> <P>But (assuming you have a splunk forwarder installed on the linux box(es)) basically you just need to create some file monitor inputs, see <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf">inputs.conf reference documentation</A> for syntax.</P> Wed, 24 Jan 2018 09:00:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325416#M38945 FrankVl 2018-01-24T09:00:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325417#M38946 <P>Hello @Jarohnimo ,</P> <P>Below are a few links which will help you understand how to setup the inputs.conf file for you app to get data for Linux log messages into your splunk enterprise.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Updating/Exampleaddaninputtoforwarders">https://docs.splunk.com/Documentation/Splunk/7.2.3/Updating/Exampleaddaninputtoforwarders</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&amp;utm_medium=in-answer&amp;utm_term=inputs.conf&amp;utm_campaign=refdoc">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&amp;utm_medium=in-answer&amp;utm_term=inputs.conf&amp;utm_campaign=refdoc</A></P> <P><A href="https://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment">https://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment</A></P> <P>Hope this helps.</P> <P>Thanks,<BR /> Sapan</P> Wed, 30 Jan 2019 05:19:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/I-need-assistance-on-inputs-conf-syntax-for-Linux-log-ingestion/m-p/325417#M38946 sapanda 2019-01-30T05:19:21Z