How to set up a central syslog server and Splunk forwarders without forwarding duplicate data?

Explorer

All our many Unix servers are already set up to send syslog data to a central syslog server for archival. I have a Splunk forwarder installed on the central syslog server sending /var/log to Splunk. Now we are installing the Splunk forwarder on all the Unix servers and using the Splunk Add-on for Unix and Linux to send data into Splunk, which includes everything in /var/log. How do I configure things so as to not have duplicate entries (one from a server and one from the central syslog server) ending up in Splunk?

0 Karma

Legend

You will need to blacklist any input that you don't want the forwarder to send from the Unix servers.
The Splunk Add-on for Unix and Linux can be configured to select only the data that you want by editing inputs.conf in etc/apps/Splunk_TA_nix/local.

This will disable the input:

[monitor:///var/log]
disabled = 1

BTW, all inputs are disabled by default in the add-on. So you should only turn on the inputs that you want before you deploy the add-on to all the forwarders.

If you want to turn on the input, but only forward a subset of the files, use the whitelist/blacklist to select the files. Again, this belongs in etc/apps/Splunk_TA_nix/local/inputs.conf. Following is an example where the forwarder will monitor /var/log:

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index=os
disabled = 0

HTH

0 Karma
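The following is an added example, not code from the original post or from the Splunk Add-on for Unix and Linux. It is a small offline sanity check that reads the answer's two stanzas (the disabled one and the whitelist/blacklist one) and reports which files under /var/log a forwarder would actually pick up, so a whitelist/blacklist can be tried against a directory listing before the add-on is pushed to every host. The matching rules it models are Splunk's documented ones: the regexes are searched against the full file path, a whitelist (if present) must match, and a blacklist match always wins. The `/var/log/remote/` tree, where the central syslog server is assumed to archive the other hosts' logs, and the extra blacklist term that excludes it from the central server's forwarder are assumptions, as is the constructed file listing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MonitorStanza:
    """One [monitor://<path>] stanza with the keys this check cares about."""
    path: str
    whitelist: Optional[str] = None   # regex searched against the full path
    blacklist: Optional[str] = None   # regex; a match here wins over the whitelist
    disabled: bool = False
    index: str = "default"


def parse_inputs_conf(text: str) -> List[MonitorStanza]:
    """Minimal reader for the inputs.conf subset used here: [stanza] and key = value."""
    stanzas: List[MonitorStanza] = []
    current: Optional[MonitorStanza] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None                      # non-monitor stanzas are ignored
            if name.startswith("monitor://"):
                current = MonitorStanza(path=name[len("monitor://"):])
                stanzas.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "whitelist":
            current.whitelist = value
        elif key == "blacklist":
            current.blacklist = value
        elif key == "disabled":
            current.disabled = value.lower() in ("1", "true")
        elif key == "index":
            current.index = value
    return stanzas


def forwarded_files(conf_text: str, files: List[str]) -> Dict[str, str]:
    """Map each file the forwarder would monitor to the index it is sent to."""
    result: Dict[str, str] = {}
    for stanza in parse_inputs_conf(conf_text):
        if stanza.disabled:
            continue
        root = stanza.path.rstrip("/")
        wl = re.compile(stanza.whitelist) if stanza.whitelist else None
        bl = re.compile(stanza.blacklist) if stanza.blacklist else None
        for path in files:
            if path != root and not path.startswith(root + "/"):
                continue                        # outside this monitor's tree
            if wl and not wl.search(path):
                continue                        # whitelist present but not matched
            if bl and bl.search(path):
                continue                        # blacklist beats whitelist
            result[path] = stanza.index
    return result


# The answer's "turn it off" stanza and its whitelist/blacklist stanza, verbatim.
DISABLED_CONF = "[monitor:///var/log]\ndisabled = 1\n"
PER_HOST_CONF = r"""
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index=os
disabled = 0
"""

# Hypothetical variant for the central syslog server: same whitelist, but the
# (assumed) tree where remote hosts' logs are archived is blacklisted, so those
# lines reach Splunk only once, from each host's own forwarder.
CENTRAL_SERVER_CONF = r"""
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog|^/var/log/remote/)
index=os
disabled = 0
"""

# Constructed listing of /var/log on the central syslog server (not real data).
SAMPLE_FILES = [
    "/var/log/messages", "/var/log/secure", "/var/log/cron", "/var/log/lastlog",
    "/var/log/wtmp", "/var/log/anaconda.syslog", "/var/log/httpd/access_log",
    "/var/log/remote/web01/messages", "/var/log/remote/web01/secure",
]

if __name__ == "__main__":
    for label, conf in (("per-host stanza", PER_HOST_CONF),
                        ("central-server variant", CENTRAL_SERVER_CONF)):
        picked = forwarded_files(conf, SAMPLE_FILES)
        print(f"{label}: {len(picked)} files")
        for path in sorted(picked):
            print(f"  {path} -> index={picked[path]}")
```

Running it shows that the per-host stanza, deployed unchanged to the central syslog server, would also monitor the archived copies under `/var/log/remote/`, which is exactly the duplication the question describes; the variant with the extra blacklist term keeps only the server's own logs. It also shows `lastlog` being matched by `log$` in the whitelist and then dropped by the blacklist, which is why the add-on's stanza carries both.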