Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

AWS logs push to on-premise splunk with universal forwarder

sid1987
New Member
‎04-08-2020 07:55 AM

Hi Everyone,

I am new to splunk configuration. So looking for guidance and step by step configuration.

I need to configure primarily aws CloudWatch log groups (ec2 instances /var/log/messages and tomcat logs, vpc logs) and cloud trails to an on-premise splunk server.

I am looking for a solution where I am planing to create a server as universal forwarder which collects all these logs and pushes to the splunk server (port 9997).

Can a universal forwarder collects all the logs mentioned above and send it to splunk, that’s first step.

I am assuming I might have to get aws add on installed on splunk server. How do I configure log stream in splunk with or without aws add on. I would step by step guide as I am new go splunk.

Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2020 08:18 AM

Perhaps https://www.splunk.com/en_us/blog/cloud/how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html or https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs will help you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sid1987
New Member
‎04-08-2020 08:27 AM

Thanks @richgalloway for the prompt response. I have been through both the links earlier. We won’t be using lambda for now. For the other one aws cloud watch config is the part of universal forwarder? What should be the input and output.conf files? Also how do I add source in splunk server? Is it the way it is in lambda method blog?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2020 09:01 AM

I'm not familiar enough with the app to answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...