https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248385#M47843 <P>@koshyk It would be great is you could find an answer here and try it out. If you do find an answer please select the answer you like.</P> Thu, 03 Nov 2016 18:27:55 GMT hartfoml 2016-11-03T18:27:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248378#M47836 <P>I have a Splunk indexer cluster that is using a service account (non-root) to start Splunk. How do I get the OS logs, like /var/log/messages, /var/log/secure etc... into the cluster indexes? I know that I could stream this to a syslog server and grab it there, but is there an easier way? </P> <P>Any thoughts are welcome!</P> Fri, 14 Oct 2016 18:01:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248378#M47836 brent_weaver 2016-10-14T18:01:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248379#M47837 <P>The OS logs that you want to collect is from splunk cluster server only OR all other linux servers in your company?</P> Fri, 14 Oct 2016 18:16:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248379#M47837 somesoni2 2016-10-14T18:16:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248380#M47838 <P>three ways that I know of.</P> <P>1) chmod -r 777 the log directory<BR /> 2) add the splunk user to the wheel or root group<BR /> 3) chown -R root:SplunkGroup /var/log/</P> <P>Hope this helps? Don't know there may be a more restrictive way to do this?</P> Fri, 14 Oct 2016 18:40:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248380#M47838 hartfoml 2016-10-14T18:40:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248381#M47839 <P>We faced the same issue. Assuming "splunk" have read access to the OS logs, what we have done is using Splunk_TA_nix. Put into the "local" of this app, with what files you want to collect by adding the paragraph and putting disable = false (Most of things are already part of TA_nix)</P> <P>For different layers, enable Splunk_TA_nix in below fashion.<BR /> - For Splunk Forwarders push using deployment-server. It goes into $SPLUNK_HOME/etc/apps of forwarders.<BR /> - Copy and restart Splunk_TA_nix into $SPLUNK_HOME/etc/apps for deployment-server,<BR /> - Copy and restart Splunk_TA_nix into $SPLUNK_HOME/etc/apps for cluster master,<BR /> - For clustered Search Heads, package into $SPLUNK_HOME/shcluster/etc/apps and push to Search Members. In search members, it will be merged into "default", but works.<BR /> - For clustered Indexers, copy Splunk_TA_nix using cluster master via master-apps. This goes into "slave-apps" of Indexer slaves and works perfectly.</P> <P>If you enable Splunk_TA_nix, then you can start colllecting every information about your Splunk Infrastructure/OS</P> Tue, 29 Sep 2020 11:23:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248381#M47839 koshyk 2020-09-29T11:23:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248382#M47840 <P>I want to collect OS logs from only the spunk servers themselves, not the forwarders. The forwarders is easy as the univfwd runs as admin on all platforms, its the spunk servers I am concerned about. <BR /> Changing the log dir permissions won't work (I do not believe) because when logrotate runs it will create the files with orig permissions. </P> <P>I think my best bet is going to be to stream the logs to a remote syslog server!?!?</P> Sat, 15 Oct 2016 21:19:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248382#M47840 brent_weaver 2016-10-15T21:19:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248383#M47841 <P>My colleague Matt Uebel gave a talk at .conf that covers this topic. His materials are in his git repo at <A href="https://github.com/MattUebel/splunk_UF_hardening">https://github.com/MattUebel/splunk_UF_hardening</A></P> Sun, 16 Oct 2016 13:41:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248383#M47841 starcher 2016-10-16T13:41:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248384#M47842 <P>@starcher thanks for the link to github. I went to this talk and I agree with Matt. In slide #13 he basicly put in what I had said above. Matt said</P> <P><CODE>Create a “log reading” group and add the spunk user to it, or simply change group ownership to splunk</CODE></P> <P><CODE>groupadd syslog</CODE><BR /> <CODE>chown -R :syslog /var/log</CODE><BR /> <CODE>chmod -R g+s /var/log</CODE><BR /> <CODE>usermod -a -G syslog splunk</CODE></P> Thu, 03 Nov 2016 18:23:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248384#M47842 hartfoml 2016-11-03T18:23:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248385#M47843 <P>@koshyk It would be great is you could find an answer here and try it out. If you do find an answer please select the answer you like.</P> Thu, 03 Nov 2016 18:27:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Linux-OS-logs-off-a-Splunk-server-where-Splunk-is/m-p/248385#M47843 hartfoml 2016-11-03T18:27:55Z