Deployment Architecture

How do you get all Splunk cluster servers internal Linux log files indexed?

evets
New Member

We have a requirement to forward all the log files from /var/log internal linux OS on the Splunk Enterprise cluster to a security app the same as all the other linux servers in the system, this includes the Search Heads, Indexers, Distribution and Master Node. Installing a universal forwarder is apparently not recommended.

What would be the best way to implement this?

Tags (2)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @evets,

You can implement same monitoring stanza on Splunk Enterprise servers which you are running on UF to monitor all Linux servers, if you have dedicated app on UF to monitor /var/log/ then you can implement same app on Splunk Enterprise Server.

View solution in original post

evets
New Member

Thanks for your swift replies guys, I will see it it can be pushed out via the deployment server.

0 Karma

tom_frotscher
Builder

Hi,

why is it not recommended to use Universal Forwarders?

From my point of view you should use Universal Forwarders. Every instance which already have Splunk installed (SH, Indexers,...) can also act as a forwarder, just add the configuration in the outputs.conf.

Alternativly, you could use something like syslog, send all data to a syslog server and collect them from there with a Universal Forwarder.

Greetings

Tom

harsmarvania57
SplunkTrust
SplunkTrust

Hi @evets,

You can implement same monitoring stanza on Splunk Enterprise servers which you are running on UF to monitor all Linux servers, if you have dedicated app on UF to monitor /var/log/ then you can implement same app on Splunk Enterprise Server.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...