topic Monitor logs on a Unix Server from Windows Machine in Getting Data In

Monitor logs on a Unix Server from Windows Machine

jerry_john — Thu, 19 Aug 2010 02:47:15 GMT

I installed Splunk on my Windows XP machine and I'm trying to setup the "Source" to "Monitor a file or directory" which is on a Unix box. How do I accomplish this or does Splunk have to be installed on the Unix box? When trying to put the full path I get an error that says "Encountered the following error while trying to save: In handler 'monitor': Path must be absolute"

Re: Monitor logs on a Unix Server from Windows Machine

muebel — Thu, 19 Aug 2010 02:49:59 GMT

Installing Splunk on the Unix box is probably the best bet. I believe you would be able to use syslog to forward various events in some method, but it would probably be less work just to set up the Unix box as a Splunk forwarder.

Re: Monitor logs on a Unix Server from Windows Machine

southeringtonp — Thu, 02 Sep 2010 04:16:04 GMT

There are quite a few ways to do this.

Installing a Splunk Light Forwarder on the Unix box is the cleanest answer in many respects.

Another option would be configure syslogd on the unix machine to forward events to a remote server, and then either install a syslog daemon such as Kiwi Syslog or have Splunk listen on the syslog port. If Splunk listens directly, you will lose events that occur while Splunk is not running.

This isn't good for things like web server logs that are written directly to files, but works well for data sent via syslog.

A third approach is to retrieve the files locally via ftp (or preferably SSH-based file copy), to a path that Splunk is indexing. If using scp/sftp, then you can generate a private key to allow authentication without a password. You can schedule the retrieval either as a separate Windows Task Scheduler job, or set up a scripted input in Splunk.