https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609243#M13614 <P>Thank you for responding.&nbsp; The release notes of the TA says it needs to be put on a forwarder.&nbsp; But DS is a full Splunk Ent install.&nbsp; Should we still install in the DS then ?&nbsp; Alternatively, would configuring the local inputs.conf of the /opt/splunk/etc/system/local directory on DS by adding monitor stanzas also work ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1660280598345.png" style="width: 651px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21008i87C47C64FA344CF6/image-dimensions/651x254?v=v2" width="651" height="254" role="button" title="neerajs_81_0-1660280598345.png" alt="neerajs_81_0-1660280598345.png" /></span></P><P>&nbsp;</P> Fri, 12 Aug 2022 05:16:46 GMT neerajs_81 2022-08-12T05:16:46Z https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609185#M13607 <P>Hi All,&nbsp; &nbsp;Splunk 101 question .&nbsp;<BR /><BR />What are our options if we want to forward OS level logs ( For example: ssh user login/logout activity)&nbsp; from a Deployment Server to our indexer.&nbsp; &nbsp;As a DS is a full Splunk Enterprise instance, it is not recommended to put UF on the same host.&nbsp; &nbsp; Where do i need to configure to tell it to monitor the OS syslog file also ? Is it /etc/system/local/inputs.conf&nbsp; ?&nbsp; If yes, how to maintain this inputs.conf copy for&nbsp; updates&nbsp; as i assume we cannot push updates to this file from the same host itself .&nbsp; Any best practices here ?<BR /><BR />My DS is currently sending _audit, _introspection logs to the Idx ; which contain info about Splunk platform and not OS.<BR />Hope i am clear.&nbsp; &nbsp;Thank you<BR /><BR /></P> Thu, 11 Aug 2022 14:48:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609185#M13607 neerajs_81 2022-08-11T14:48:47Z https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609217#M13611 <P>It sounds like what you want is the Splunk Add-on for Unix and Linux:&nbsp;<A href="https://splunkbase.splunk.com/app/833/" target="_blank">https://splunkbase.splunk.com/app/833/</A></P><P>The technical add-on (TA) will need to be installed on the DS and configured with your custom inputs.conf for the TA.</P> Thu, 11 Aug 2022 20:26:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609217#M13611 m_pham 2022-08-11T20:26:36Z https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609243#M13614 <P>Thank you for responding.&nbsp; The release notes of the TA says it needs to be put on a forwarder.&nbsp; But DS is a full Splunk Ent install.&nbsp; Should we still install in the DS then ?&nbsp; Alternatively, would configuring the local inputs.conf of the /opt/splunk/etc/system/local directory on DS by adding monitor stanzas also work ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1660280598345.png" style="width: 651px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21008i87C47C64FA344CF6/image-dimensions/651x254?v=v2" width="651" height="254" role="button" title="neerajs_81_0-1660280598345.png" alt="neerajs_81_0-1660280598345.png" /></span></P><P>&nbsp;</P> Fri, 12 Aug 2022 05:16:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609243#M13614 neerajs_81 2022-08-12T05:16:46Z https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609342#M13627 <P>Splunk Enterprise server can forward data:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Aboutforwardingandreceivingdata#:~:text=You%20can%20forward%20data%20from,forwarding%20is%20called%20a%20forwarder.&amp;text=A%20Splunk%20instance%20that%20receives,forwarders%20is%20called%20a%20receiver" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Aboutforwardingandreceivingdata#:~:text=You%20can%20forward%20data%20from,forwarding%20is%20called%20a%20forwarder.&amp;text=A%20Splunk%20instance%20that%20receives,forwarders%20is%20called%20a%20receiver</A>.</P><P>&nbsp;</P><P>Best practice is for your custom inputs is in a separate addon - example: <FONT face="courier new,courier">/opt/splunk/etc/apps/my_custom_app/local/inputs.conf</FONT></P><P>You should watch this to learn the basics of Splunk Administration:&nbsp;<A href="https://www.youtube.com/watch?v=O_w7rSWlHJs" target="_blank">https://www.youtube.com/watch?v=O_w7rSWlHJs</A></P> Fri, 12 Aug 2022 16:08:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/What-are-some-options-for-Forwarding-OS-logs-from-a-Full-Splunk/m-p/609342#M13627 m_pham 2022-08-12T16:08:59Z