https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469398#M8246 <P>@chaga You should write your inputs.conf and outputs.conf </P> <P>sample inputs.conf</P> <P>[monitor:///filepath to monitor]<BR /> index = <BR /> sourcetype = <BR /> host = yourhostname</P> <P>sample outputs.conf </P> <P>Run this command to create outputs.conf /opt/splunkforwarder/bin/splunk add forward-server :port <BR /> then restart - /opt/splunkforwarder/bin/splunk restart</P> Fri, 30 Aug 2019 10:44:43 GMT sandyIscream 2019-08-30T10:44:43Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469397#M8245 <P>I can't understand that.<BR /> How to Splunk monitor log from remote linux log?<BR /> Universal Forwarder have been installed in the remote linux.<BR /> What I should do then?</P> Fri, 30 Aug 2019 09:40:14 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469397#M8245 chaga 2019-08-30T09:40:14Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469398#M8246 <P>@chaga You should write your inputs.conf and outputs.conf </P> <P>sample inputs.conf</P> <P>[monitor:///filepath to monitor]<BR /> index = <BR /> sourcetype = <BR /> host = yourhostname</P> <P>sample outputs.conf </P> <P>Run this command to create outputs.conf /opt/splunkforwarder/bin/splunk add forward-server :port <BR /> then restart - /opt/splunkforwarder/bin/splunk restart</P> Fri, 30 Aug 2019 10:44:43 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469398#M8246 sandyIscream 2019-08-30T10:44:43Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469399#M8247 <P>@sandyIscream i have added input and output.conf as below <BR /> [tcpout]<BR /> server = splunkserver:9997</P> <P>[tcpout:default-autolb-group]<BR /> disabled = false<BR /> server = splunkserver:9997</P> <P>[tcpout-server://splunkforwardserver:9997]</P> <P>inputs.conf</P> <P>[default]<BR /> [monitor:///var/log/messages]<BR /> index = main<BR /> sourcetype = access_common<BR /> host = splunkforwaderserver</P> Fri, 30 Aug 2019 11:11:52 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469399#M8247 chaga 2019-08-30T11:11:52Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469400#M8248 <P>Make sure the splunk user, or whatever account is running splunk, has access to read /var/log/messages. </P> <P>Also, just a note, the /var/log/messages file sourcetype is normally linux_messages_syslog:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes</A></P> Wed, 30 Sep 2020 01:57:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469400#M8248 solarboyz1 2020-09-30T01:57:59Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469401#M8249 <P>Did your data started coming to your splunk instance ? @chaga </P> <P>If not then let me know where exactly your are facing the issue. </P> Tue, 03 Sep 2019 02:13:36 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469401#M8249 sandyIscream 2019-09-03T02:13:36Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469402#M8250 <P>Unfortunately, the data didnot came up. i have the following in my configuration. </P> <P>i have added input and output.conf as below<BR /> [tcpout]<BR /> server = splunkserver:9997</P> <P>[tcpout:default-autolb-group]<BR /> disabled = false<BR /> server = splunkserver:9997</P> <P>[tcpout-server://splunkforwardserver:9997]</P> <P>inputs.conf</P> <P>[default]<BR /> [monitor:///var/log/messages]<BR /> index = main<BR /> sourcetype = access_common<BR /> host = splunkforwaderserver</P> Tue, 03 Sep 2019 07:04:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469402#M8250 chaga 2019-09-03T07:04:51Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469403#M8251 <P>Should we configure indexer also?</P> Tue, 03 Sep 2019 13:03:08 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-remote-host-logs/m-p/469403#M8251 chaga 2019-09-03T13:03:08Z