topic Re: Forwarding with linux host to splunk in Deployment Architecture

Forwarding with linux host to splunk

ryamry — Sat, 12 Feb 2011 05:10:17 GMT

Hi all- I have a free splunk server setup which is gathering all my syslog data from switches, etc.

Im moving on to get our OS's to forward their log data to splunk. Everything I talked of here is on linux, intalled using the RPM.

I set up the splunk server to receive on port 9997.

After installing it, I followed the docs and ran the following on the remote host:

cd /opt/splunk/etc

mv splunk-forwarder.license splunk.license

cd /opt/splunk/bin

./splunk start

./splunk enable app SplunkLightForwarder

./splunk restart

./splunk add forward-server :9997

./splunk restart

However I dont have anything showing on the splunk server for that host. This is a server where lots gets dumped to /var/log/messages so there should be something showing in the splunk server for it. Im pretty green on splunk right now and am probably missing something easy but cant find it - Ive searched lots before posting. Id appreciate any help.

Thanks!

Re: Forwarding with linux host to splunk

Ron_Naken — Sat, 12 Feb 2011 06:43:38 GMT

If those are all your steps, it doesn't look like you configured your forwarder to collect any data, so it may not have anything to forward. I recommend configuring your forwarder as a full Splunk, initially, until you can confirm that it is collecting data. Once the data is right, use Manager-->Forwarding/Receiving to configure forwarding. You can even convert to a Lightweight Forwarder (LWF) in the UI.

Here are some additional notes that you might find helpful, in terms of getting some valuable data from a Linux host and configuring forwarding: http://answers.splunk.com/questions/11579/splunk-for-nix/11581#11581

If you need to convert your LWF back into a full Splunk to get it configured, stop Splunk and restore your free demo license. You can use the following command to turn a LWF into a full Splunk:

splunk disable app SplunkLightForwarder

HTH
ron

Re: Forwarding with linux host to splunk

ryamry — Mon, 14 Feb 2011 23:38:33 GMT

I dont want all the info that is taken with the *nix app. All I want to be forwarded is the log data. Is there a simple command I can run from the cli to do this?

Re: Forwarding with linux host to splunk

ryamry — Tue, 15 Feb 2011 01:00:30 GMT

nevermind. I figured out how to do it with just syslog.

Enable this and adopt IP to send log messages to a log server.

destination logserver { udp("10.1.1.1" port(514)); };
log { source(src); destination(logserver); };

Thanks anyways.

Re: Forwarding with linux host to splunk

triptrops — Thu, 15 Sep 2011 01:59:02 GMT

Hi ryamry

I am also stucked on the same situation as yours. Can you advise me on what you did?
I am not also seeing the host on the splunk server.

here is what my setup went:

1) install full splunk on server1. Installed *nix app and verified that it is collecting data.

2) install full splunk on server2. Installed *nix app and verified that it is collecting data.

3) configure receiving on splunk server1 to port 9997.

4) Enabled forwarding on server2.

**cd /opt/splunk/bin
./splunk start
./splunk enable app SplunkLightForwarder
./splunk restart
./splunk add forward-server :9997
./splunk restart**

5) Opened splunk server1 web but did not see server2.

Please advise, I appreciate your help thank you.