https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64158#M2194 <P>Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote">http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote</A></P> <P>OR </P> <P>Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP">http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP">http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP</A></P> <P>OR </P> <P>Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.</P> <P>/K</P> Fri, 14 Jun 2013 10:11:04 GMT kristian_kolb 2013-06-14T10:11:04Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64157#M2193 <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal">http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal</A><BR /><BR /> I can't understand that.<BR /> How to Splunk monitor log from remote linux log?<BR /> Universal Forwarder have been installed in the remote linux.<BR /> What I should do then?</P> Fri, 14 Jun 2013 09:52:51 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64157#M2193 xuanyun 2013-06-14T09:52:51Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64158#M2194 <P>Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote">http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote</A></P> <P>OR </P> <P>Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP">http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP">http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP</A></P> <P>OR </P> <P>Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.</P> <P>/K</P> Fri, 14 Jun 2013 10:11:04 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64158#M2194 kristian_kolb 2013-06-14T10:11:04Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64159#M2195 <P>Point the universal forwarder to monitor the logs you're interested in, and set the Splunk instance it should forward to (<CODE>splunk add forward-server &lt;yoursplunkserver&gt;</CODE>)</P> Fri, 14 Jun 2013 10:11:21 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-remote-linux-log-into-splunk/m-p/64159#M2195 Ayn 2013-06-14T10:11:21Z