topic Re: How does Splunk get logs from Linux or Windows servers? in Getting Data In

How does Splunk get logs from Linux or Windows servers?

cyberportnoc — Mon, 06 Nov 2017 02:48:02 GMT

i am a beginner

how do splunk get log from linux server or window server?

do (Active) splunk actively get log from linux server or window server or (Passive) linux server or window server send log to splunk actively ?

if splunk actively get log from linux server or window server , where can i configure this server list in splunk?
if linux server or window server send log to splunk that get log passively, what is the command and format do i need to send this log

can i send window server log with python script using udp to send to splunk like send to syslog of linux ?
what is the ip address and port i need to send

Re: How does Splunk get logs from Linux or Windows servers?

esix_splunk — Mon, 06 Nov 2017 07:03:18 GMT

I think you should read docs on how to Get Data into Splunk, here is a great starting point : http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/WhatSplunkcanmonitor .

In a nutshell, there is an agent (Universal Forwarder) that you deploy. On this agent, you tell it what to collect and where to send it.

Re: How does Splunk get logs from Linux or Windows servers?

cyberportnoc — Mon, 06 Nov 2017 07:09:52 GMT

i find previous peer's guideline, he use add data -> upload, it upload a zip file and then choose server
but what is this zip file, what do it zip?

Re: How does Splunk get logs from Linux or Windows servers?

esix_splunk — Mon, 06 Nov 2017 07:12:35 GMT

That would be a zip file from a server, and it contains log files. If you dont know what ZIP, or archive files are, you should spend sometime on your favorite search engine to understand archive files.

Re: How does Splunk get logs from Linux or Windows servers?

gcusello — Mon, 06 Nov 2017 07:55:31 GMT

Hi cyberportnoc,
as suggested by esix, see http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor.

The easiest way is to install a Universal forwarder on you server to monitor and deploy on each one two Technical Add-Ons (TAs):

for Windows servers https://splunkbase.splunk.com/app/742/
for Linux servers https://splunkbase.splunk.com/app/833/

In these TAs you can find all the scripts and monitoring stanzas to monitor all your servers.
The only activity you have to do is choose what do you need (wineventogs, processes, installed softwares, perfmon, etc...) and enable the related stanzas of inputs.conf changing disabled=1 in disabled=0 in the requested stanzas.

I have only two recommendations:
- analyze your requests before start your activity because you could have too logs and exceed your license;
- if you have to configure a production environment with many servers use a Deployment Server to deploy TAs in your monitored servers ( http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver ).

Bye.
Giuseppe