topic Re: What is the best way to transfer logs to splunk for monitoring? in Reporting

What is the best way to transfer logs to splunk for monitoring?

royimad — Mon, 18 Mar 2013 08:18:01 GMT

My Use case:
1- I have a log file X ( a log generated from a web applications - errors.log ) that exist on a server A
2- Splunk is installed on server B
In order to monitor this logs, one solution 1 is to send the file X to splunk server B and then used the monitor options in inputs.conf file.

I was wondering if an alternative solution 2 could work in order to monitor this log. I need to know if i can use splunk universal forwarder to monitor the log on another machine but i don't know the step yet.

Another solution 3 i'm thinking of is to sent the logs to splunk server by email but i don't actually know if that could work.

Please i need to know if someone have faced this situation before? and what solution is preferable and what are the steps?

Re: What is the best way to transfer logs to splunk for monitoring?

Ayn — Mon, 18 Mar 2013 08:30:08 GMT

Well that's exactly what the Universal Forwarder is for - reading logs on one system and forwarding them to a Splunk instance on another system.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Introducingtheuniversalforwarder

Re: What is the best way to transfer logs to splunk for monitoring?

sbrant_splunk — Mon, 18 Mar 2013 08:32:12 GMT

The best option is to install a universal forwarder on the server, where the logs are generated. The forwarder can send the logs to the indexer (your primary Splunk server).

Re: What is the best way to transfer logs to splunk for monitoring?

royimad — Mon, 18 Mar 2013 08:35:08 GMT

Thanks, for your answer. should i install a splunk instance on where universal forwarder exist? could i use an open ports for that reason?- Can i perform 2 step forwards ?
Machine A with universal forwarder --> Machine B with universal forwarder --> Machine C with Splunk Instance.

Re: What is the best way to transfer logs to splunk for monitoring?

royimad — Mon, 18 Mar 2013 08:36:04 GMT

Re: What is the best way to transfer logs to splunk for monitoring?

Ayn — Mon, 18 Mar 2013 09:21:21 GMT

Not sure what you're after. What do you mean by "use an open port"? What is step 2? Where did machine C come from?

I recommend that you read through the docs on the Universal Forwarder so you understand what it does and how you can use it. It sounds to me like you're overcomplicating things because you haven't read up on the available options.

Re: What is the best way to transfer logs to splunk for monitoring?

royimad — Mon, 18 Mar 2013 09:30:41 GMT

My situation is this,on an online production Machine A servers their is errors logs that exist. I need to be able to monitor those logs using the universal forwarder but one of my requirement rules is do not open another port on the server for the splunk forwarder and i need to know if i can use existing opened port. The opened port is for Machine B so i need to know if i can use 2 steps forwards.