topic Re: Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed? in Deployment Architecture

Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

anshuman19 — Tue, 09 Jan 2018 05:52:24 GMT

I have splunk enterprise installed in window and I want to access the log of Linux machine which have UF installed but the input and output.conf is not touched so to access the log do we have to edit the input or output file of windows?

Re: Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

gcusello — Tue, 09 Jan 2018 12:57:22 GMT

Hi anshuman19,
To receive logs from a Forwarder see https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/WhatSplunkcanmonitor

Anyway you need, on forwarder, to edit:

outputs.conf to address the correct indexer to send data,
inputs.conf to find the logs to index.

On Indexer you have only to enable logs receiving [Settings - Forwarding and Receiving -- Configure Receiving].

In this way, in your Windows Splunk server you can see the Linux logs.

To ingest logs, I suggest to use a Technical Add-On that you can find in apps.splunk.com.

Bye.
Giuseppe

Re: Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

mayurr98 — Tue, 09 Jan 2018 16:12:03 GMT

hey @anshuman19

1) You do not need to edit inputs or outputs of windows
2) you need to configure UF which is on linux
http://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/Configuretheuniversalforwarder
3) You need to enable configure receiving on windows splunk indexer. Settings>Forwarding and Receiving>Configure Receiving>9997
4) You need to edit splunkforwarder/etc/system/local/inputs.conf to forward data to splunk windows machine.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectorieswithinputs.conf

Search for you data in splunk :)ENJOY Splunking

I hope this helps you!

Re: Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

anshuman19 — Thu, 11 Jan 2018 05:32:46 GMT

Hi Giuseppe
I Have no clue about Technical Add-On but I downloaded and placed in my forwarder directory, can you tell me what next I have to do to ingest logs

Re: Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

gcusello — Thu, 11 Jan 2018 12:00:52 GMT

Hi anshuman19,
you have to:

download TA from splunkbase,
open inputs.conf and enable stanzas you want (disabled=false),
copy TA in forwarder's $SPLUNK_HOME\etc\apps,
restart Splunk on Forwarder.

Anyway read TA's instructions.

Bye.
Giuseppe