Deployment Architecture

How to have a Linux box forward start-up and user information to Splunk?

zblum
Engager

I am trying to set up my Linux VM to forward all VM starts/stops/restarts along with user login logs to a Splunk web server for monitoring. The Splunk instance is hosted on the VM. How would I set up a log forwarder to go between the two of them, so I can see all major actions happening on the VM inside Splunk? Thanks.

0 Karma

solarboyz1
Builder

To clarify, you are talking about collecting the system and authentication logs from a Linux VM.
You can do this in a couple of ways.

Here's a method that should be easy:

  1. On the Linux VM, configure rsyslog or syslog-ng to write the events you are interested in to a log file.
     By default, these events might already be going to /var/log/secure (authentication) and /var/log/messages (system).

  2. Install the Splunk UF on the VM, and configure inputs to monitor the logs you configured. Set sourcetype to syslog.

  3. Configure the UF to send events to your Splunk instance.

If you also want to get information from the VMware level, you will need to install the Splunk app for VMware. That app takes some setup to integrate with your VMware architecture.

0 Karma

zblum
Engager

Correct. I am trying to collect the system and auth logs from a Linux VM (hosted on a Hyper-V server), and push them for monitoring to Splunk.

0 Karma

FrankVl
Ultra Champion

If the Splunk instance you're trying to send to is on that same VM (as I understand from your question), you can skip the UF install and just configure the inputs directly on the existing Splunk instance. Make sure to also install the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833/) to get field extractions etc.

0 Karma
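The three steps in solarboyz1's answer, and FrankVl's variant where Splunk itself runs on the VM, as an added worked example that is not part of either reply. It generates the inputs.conf and outputs.conf stanzas the steps describe and writes them under a Splunk install directory. The install path, the indexer host name, the receiving port 9997 and the `splunk` service account are assumptions, not values from the thread; `sourcetype = syslog` follows the answer. The ACL helper exists because /var/log/secure is normally readable by root only, so an unprivileged forwarder would silently monitor nothing from it.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the UF (or full-instance) config
# the answers describe. Assumed values: install path, indexer host, port 9997.
set -eu

# Step 2 of solarboyz1's answer: inputs.conf stanzas monitoring the two files
# rsyslog already writes on a default RHEL-style system. Sourcetype follows the
# answer's "set sourcetype to syslog"; the index name is an assumption.
inputs_conf() {
    sourcetype="${1:-syslog}"
    index="${2:-main}"
    for f in /var/log/secure /var/log/messages; do
        printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = false\n\n' \
            "$f" "$sourcetype" "$index"
    done
}

# Step 3: outputs.conf pointing the UF at the indexer's receiving port.
# The indexer must have `splunk enable listen <port>` run once; 9997 is the
# conventional choice and an assumption here.
outputs_conf() {
    host="$1"
    port="${2:-9997}"
    printf '[tcpout]\ndefaultGroup = primary\n\n[tcpout:primary]\nserver = %s:%s\n' \
        "$host" "$port"
}

# Write the files under $SPLUNK_HOME/etc/system/local. Leave the indexer host
# empty for FrankVl's case (Splunk itself on the VM): only inputs.conf is
# needed, because a full instance indexes its own inputs and must not forward them.
install_configs() {
    splunk_home="$1"
    indexer="${2:-}"
    local_dir="$splunk_home/etc/system/local"
    mkdir -p "$local_dir"
    inputs_conf syslog main > "$local_dir/inputs.conf"
    if [ -n "$indexer" ]; then
        outputs_conf "$indexer" 9997 > "$local_dir/outputs.conf"
    fi
}

# /var/log/secure is root-only (0600) on most distributions, and the UF runs as
# an unprivileged user when installed that way. Rather than running the UF as
# root, print the commands that grant a read-only ACL to its service account
# (user name is a hypothetical default).
acl_fix_commands() {
    user="${1:-splunk}"
    printf 'setfacl -m u:%s:r /var/log/secure\nsetfacl -m u:%s:r /var/log/messages\n' \
        "$user" "$user"
}

# Stand-alone use for a UF forwarding to a separate indexer (placeholder host):
#   install_configs /opt/splunkforwarder indexer.example.internal
#   acl_fix_commands splunk | sudo sh
#   /opt/splunkforwarder/bin/splunk restart
# For FrankVl's single-VM case, against the full instance:
#   install_configs /opt/splunk
```

After writing the files, restart the instance and confirm with `splunk list monitor` that both paths show up; if the UF log reports a permission error on /var/log/secure, the ACL step was skipped.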

solarboyz1
Builder

Then the steps above should work.

0 Karma