Solved: Re: How to get remote linux log into splunk

xuanyun · ‎06-14-2013

http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal

I can't understand that.
How to Splunk monitor log from remote linux log?
Universal Forwarder have been installed in the remote linux.
What I should do then?

kristian_kolb · ‎06-14-2013

Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf

http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote

OR

Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.

http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP

OR

Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.

/K

View solution in original post

Ayn · ‎06-14-2013

Point the universal forwarder to monitor the logs you're interested in, and set the Splunk instance it should forward to (splunk add forward-server <yoursplunkserver>)

kristian_kolb · ‎06-14-2013

Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf

http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote

OR

Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.

http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP

OR

Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.

/K

How to get remote linux log into splunk

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!