Any way to fetch logs via ssh

hatim · ‎12-13-2011

I have a splunk server and ssh access to a server with read-only access to logs. I can ssh from the machine on which I have splunk server.

Is there a way with which I can fetch the logs and index them (and do further processing). It will be a hurdle to install splunk forwarder on the machine which has the logs (it's in production and hence under tight control)

joerogersLMB · ‎10-02-2013

I had the same dilemma with a remote server, and sshfs worked well.

I mounted the remote /var/log directory to a local server running splunkforwarder. Added into inputs.conf, restarted and boom: remote logs ingesting.

Here's the basic steps for SSHFS for debian based OS, as tested on Linux Mint 15

sudo apt-get install sshfs 
sudo modprobe fuse 
sudo adduser fuse 
sudo chown root:fuse /dev/fuse 
mkdir ~/remoteserv 
sshfs -o allow_other username@ipaddress:/var/log ~/remoteserv

to unmount:
fusermount -u ~/remoteserv

[I'll leave auto-mounting in /etc/fstab as a google exercise.]

Add into etc/system/local/inputs.conf

[monitor:///pathto/remoteserv_dir/]
disabled = false
host = remoteserv_hostname
index = optional_index_name
sourcetype = syslog

And restart your Splunk forwarder.

Ayn · ‎12-13-2011

Three possible approaches come to mind:

Create a SSH tunnel and send Splunk forwarder traffic through that.
Use a FUSE SSH filesystem like SSHFS to mount the remote filesystem over SSH, then read the logs from there.
Create your own scripts that scp the logs from the remote host on a regular basis. You will need to set up SSH keys and agents to make the scripts work without explicitly needing to enter credentials interactively every time the script runs.

Any way to fetch logs via ssh

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms