https://community.splunk.com/t5/Getting-Data-In/What-are-best-practices-for-logging-to-splunk/m-p/703650#M116368 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273779">@shanemhartley</a>&nbsp;,</P><P>ingestion in Splunk is usually done using a Technical Add-On , in your case the Splunk_TA_nix (<A href="https://splunkbase.splunk.com/app/833" target="_blank">https://splunkbase.splunk.com/app/833</A>).</P><P>You have to install this add-on on the Universal Forwarder enabling the input stanzas you need.</P><P>If you want to store these logs in a defined index (instead of main), you have also to add to each enabled input stanza the option:</P><LI-CODE lang="markup">index = &lt;your_index&gt;</LI-CODE><P>Then you have to install this add-on also on your Search Head or your Stand Alone Splunk Server.</P><P>In this way you have the logs correctly parsed and usable.</P><P>For more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain</A>&nbsp;and there are also more videos.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 06 Nov 2024 07:48:23 GMT gcusello 2024-11-06T07:48:23Z https://community.splunk.com/t5/Getting-Data-In/What-are-best-practices-for-logging-to-splunk/m-p/703618#M116362 <P>We have logs that are written to</P><P><STRONG>/var/log </STRONG></P><P><STRONG>/var/log/audit</STRONG></P><P>&nbsp;</P><P>We need to keep these for <STRONG>365 days</STRONG>, and want to ensure that we are following <STRONG>best practices</STRONG>, is there a set of configuration settings we can follow to ensure we're following best practices?</P><P><STRONG>Ultimately, we want to ensure we have log retention, and that /var/log is not a cluttered mess.&nbsp;</STRONG></P><P>&nbsp;</P><P>Thank you!</P> Tue, 05 Nov 2024 18:14:22 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-best-practices-for-logging-to-splunk/m-p/703618#M116362 shanemhartley 2024-11-05T18:14:22Z https://community.splunk.com/t5/Getting-Data-In/What-are-best-practices-for-logging-to-splunk/m-p/703650#M116368 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273779">@shanemhartley</a>&nbsp;,</P><P>ingestion in Splunk is usually done using a Technical Add-On , in your case the Splunk_TA_nix (<A href="https://splunkbase.splunk.com/app/833" target="_blank">https://splunkbase.splunk.com/app/833</A>).</P><P>You have to install this add-on on the Universal Forwarder enabling the input stanzas you need.</P><P>If you want to store these logs in a defined index (instead of main), you have also to add to each enabled input stanza the option:</P><LI-CODE lang="markup">index = &lt;your_index&gt;</LI-CODE><P>Then you have to install this add-on also on your Search Head or your Stand Alone Splunk Server.</P><P>In this way you have the logs correctly parsed and usable.</P><P>For more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Getstartedwithgettingdatain</A>&nbsp;and there are also more videos.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 06 Nov 2024 07:48:23 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-best-practices-for-logging-to-splunk/m-p/703650#M116368 gcusello 2024-11-06T07:48:23Z