Re: AWS logs push to on-premise splunk with univer...

sid1987 · ‎04-08-2020

Hi Everyone,

I am new to splunk configuration. So looking for guidance and step by step configuration.

I need to configure primarily aws CloudWatch log groups (ec2 instances /var/log/messages and tomcat logs, vpc logs) and cloud trails to an on-premise splunk server.

I am looking for a solution where I am planing to create a server as universal forwarder which collects all these logs and pushes to the splunk server (port 9997).

Can a universal forwarder collects all the logs mentioned above and send it to splunk, that’s first step.

I am assuming I might have to get aws add on installed on splunk server. How do I configure log stream in splunk with or without aws add on. I would step by step guide as I am new go splunk.

Thanks in advance.

richgalloway · ‎04-08-2020

Perhaps https://www.splunk.com/en_us/blog/cloud/how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html or https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs will help you.

---
If this reply helps you, Karma would be appreciated.

sid1987 · ‎04-08-2020

Thanks @richgalloway for the prompt response. I have been through both the links earlier. We won’t be using lambda for now. For the other one aws cloud watch config is the part of universal forwarder? What should be the input and output.conf files? Also how do I add source in splunk server? Is it the way it is in lambda method blog?

richgalloway · ‎04-08-2020

I'm not familiar enough with the app to answer.

---
If this reply helps you, Karma would be appreciated.

AWS logs push to on-premise splunk with universal forwarder

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM