Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to get remote linux log into splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
http://docs.splunk.com/Documentation/Splunk/latest/Data/Unixlogslocal
I can't understand that.
How to Splunk monitor log from remote linux log?
Universal Forwarder have been installed in the remote linux.
What I should do then?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf
http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote
OR
Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP
OR
Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Point the universal forwarder to monitor the logs you're interested in, and set the Splunk instance it should forward to (splunk add forward-server <yoursplunkserver>)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Either by using a forwarder (which you seem to have), configuring inputs.conf and outputs.conf
http://docs.splunk.com/Documentation/Splunk/latest/Data/FilesDirsremote
OR
Configure syslog to send the logs to your indexer. You need to configure your Splunk indexer to also listen on a TCP/UDP port.
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP
http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP
OR
Store the logs on a network share that can be mounted by the indexer. From the splunk indexer perspective, this is pretty much like indexing local files.
/K
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
