https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/614096#M13986 <P>Hi, thanks for your Reply!</P><P>Everything worked, thank you!</P><P>I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.</P><P>&nbsp;</P><P>Greetings!</P> Thu, 22 Sep 2022 11:22:13 GMT Codyy_Fast 2022-09-22T11:22:13Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/612755#M13870 <P>Hello all,</P> <P>I am new to Splunk and need a little help.</P> <P>I have the following configuration:</P> <P>Splunk Indexer Server.<BR />Splunk Deployment Server.</P> <P>I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.</P> <P>After installation, the clients report correctly to the Deployment Server. I have created two server classes.<BR />One for Windows and one for Linux.</P> <P>Server class Linux:</P> <P>App "fwd_to_receiver" = the Splunk indexer server is specified here.<BR />App "Linmess" = inputs.conf (here is defined what should be monitored)</P> <P>My question now:</P> <P>I would like to monitor the /var/log/lastlog file.<BR />But this does not work with inputs.conf.</P> <P>I have now installed a Splunk Add-on for Unix and linux.<BR />How can I set this up so that my deployment server distributes a central configuration where the "Lastlog" file is monitored correctly and also the source type fits. Do I need to install the add-on on the indexer and on the deployment server?</P> <P>Many thanks in advance!</P> <P>best regards<BR />Codyy_Fast</P> Mon, 12 Sep 2022 15:10:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/612755#M13870 Codyy_Fast 2022-09-12T15:10:04Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/612819#M13878 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249382">@Codyy_Fast</a>,</P><P>You need to install&nbsp;<SPAN>Splunk Add-on for Unix and linux on your indexers and clients.</SPAN></P><P><SPAN>For your clients you should enable lastlog input using below inputs.conf</SPAN></P><LI-CODE lang="markup">$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf [script://./bin/lastlog.sh] index = your_index sourcetype = lastlog source = lastlog interval = 300 disabled = 0</LI-CODE> Tue, 13 Sep 2022 04:53:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/612819#M13878 scelikok 2022-09-13T04:53:47Z https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/614096#M13986 <P>Hi, thanks for your Reply!</P><P>Everything worked, thank you!</P><P>I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.</P><P>&nbsp;</P><P>Greetings!</P> Thu, 22 Sep 2022 11:22:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Deployment-Server-Linux-Sererclass-Monitoring-Lastlog-Do-I-need/m-p/614096#M13986 Codyy_Fast 2022-09-22T11:22:13Z