topic Re: How to get data from Remote Server? in Getting Data In

How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 13:49:42 GMT

Hi All,

I am new to Splunk.

We have central server where different types of logs are generated.

How can I register or give reference of that Remote Server's URL in Splunk?
(i.e. :/server/logs/)

I want to register server url in Splunk so each time it fetches the updated indexed log details.

Thanks.

Re: How to get data from Remote Server?

Ayn — Mon, 01 Oct 2012 13:57:12 GMT

You'll need to post more details on the remote server. How are the logs on it accessed? Through CIFS, HTTP, FTP, ...

Re: How to get data from Remote Server?

sdaniels — Mon, 01 Oct 2012 14:00:14 GMT

You'll need a forwarder installed on that server so that the logs can get sent to Splunk to be indexed and searched centrally.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:01:50 GMT

Right now if we want to check logs, we do ssh from linux terminal or through FTP.

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:03:39 GMT

I have installed forwarder.

Re: How to get data from Remote Server?

Ayn — Mon, 01 Oct 2012 14:04:23 GMT

OK. Where? What part of the setup are you struggling with?

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:06:21 GMT

while installing it ask for host detail two times with default port numbers, just to know where I can give my server details.

Re: How to get data from Remote Server?

sdaniels — Mon, 01 Oct 2012 14:07:33 GMT

Are you set up for forwarding and receiving according to the docs?

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:14:03 GMT

I have look into configuration files. Also I need to refer above links to check with my setup.

Re: How to get data from Remote Server?

sdaniels — Mon, 01 Oct 2012 14:19:17 GMT

Please post your configuration file settings for forwarding and receiving and maybe that will let us help you on this issue.

Look in /etc/system/local/inputs.conf

On the forwarder look in /etc/system/local/outputs.conf

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:28:54 GMT

Just checking configuration and installation, After installing the forwarder on my machine, I can see, before only Splunk folder was there and now another folder SplunkForwarder is created. So there are two setup folders now, is this expected? Or I am missing something?

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 14:35:22 GMT

inputs.conf:

[default]
host = localhost (My Workstation)

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

outputs.conf:

[tcpout]
defaultGroup = ..._9997

[tcpout:..._9997]
server = ...:9997

[tcpout-server://...:9997]

Re: How to get data from Remote Server?

sdaniels — Mon, 01 Oct 2012 14:56:23 GMT

Go in the UI to Manager -> Forwarding and receiving and make sure you've got an entry there.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver#Set_up_receiving

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 15:04:33 GMT

I can see the entries. Now How can I make it work?

Re: How to get data from Remote Server?

sdaniels — Mon, 01 Oct 2012 15:35:40 GMT

I don't know about your outputs.conf settings. I would try something standard like you see in the outputs.conf example in our docs. This will send to server IP 10.10.1.155 on port 9997 which you have set up to recieve.

[tcpout:groupname]
server=10.10.1.155:9997

You can look here $SPLUNK_HOME/var/log/splunk for the splunkd log to see issues as well that might help.

Re: How to get data from Remote Server?

pratiksurti — Mon, 01 Oct 2012 17:53:28 GMT

I will work on it once I go back.

Re: How to get data from Remote Server?

bmacias84 — Mon, 28 Sep 2020 12:32:50 GMT

If you don't want to use a forwarder you can use a scripted input to reterive the logs via ssh. If you don't want to read the entire log you might have to use a little logic, tail, grep to only read new lines. The easiest way is to use the UF on your remote servers.

inputs.conf



#*nix

[script://./bin/sshscript.sh ./bin/catfiles.sh]

disabled = false

index = main

sourcetype = somelogtype

interval = 0 0 * * *



#sshscript.sh

#nix

#!/bin/bash

ssh root\@remoteServer 'bash -s' < $1

done



#catfiles.sh

#*nix

#!/bin/bash

for file in /var/log/; do fcontent=\$(cat $file) printf '\%s' "\${file}\n"${fcont}";done

For more info check my other post:

Can you set certain time forwarding occurs