Brand new to using the Universal Forwarder, and Splunk in general.
Question:
When using the forwarder/monitor, the logs on the forwarding server are still kept locally, correct? They aren't removed/modified in any way?
Hi.
If you have a splunk forwarder using a monitor input or a modular input to read local log files, it will just read them and forward them to splunk indexers. It does not delete the local logs.
The only exception is if you are using a "batch" inputs stanza with the move_policy = sinkhole, then splunk will read the file and delete it once finished (so you do not want to use that for dynamic files, only static files). This is the mechanism used in the splunk "spooler" inputs. (if you drop a file in the $SPLUNK/var/spool/splunk folder)
Remarks:
- keep in mind that your OS or application generating your log may have their own rotation/archive/deletion rules.
- Splunk internal logs (like $SPLUNK_HOME/var/log/splunk/*.log) do have their own rotation mechanism. So you may still find the recent ones locally, while a copy was ingested in splunk index=_internal.
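Since the only destructive case is a `batch://` stanza with `move_policy = sinkhole`, an audit of inputs.conf tells you which paths a forwarder will delete from. The following is an added example, not code from the thread or from Splunk: it parses a constructed inputs.conf sample (hypothetical paths) and reports which inputs keep the files and which delete them, with the assumed spool directory `/opt/splunk/var/spool/splunk` treated as the expected sinkhole location.

```python
"""Audit a Splunk inputs.conf for stanzas that delete the files they read.

monitor:// inputs read and forward only; a batch:// input with
move_policy = sinkhole removes each file once it has been ingested.
"""
import configparser

# Constructed sample inputs.conf (paths are hypothetical, for demonstration).
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/app/app.log]
sourcetype = app_log
index = main

[batch:///opt/splunk/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch:///var/log/app/archive]
move_policy = sinkhole
sourcetype = app_archive

[batch:///var/log/app/static]
sourcetype = app_static
"""


def classify_inputs(conf_text):
    """Map each file input path to 'keeps', 'deletes' or 'review'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if section.startswith("monitor://"):
            # monitor inputs never remove or alter the source file
            result[section[len("monitor://"):]] = "keeps"
        elif section.startswith("batch://"):
            policy = parser.get(section, "move_policy", fallback="")
            if policy.strip().lower() == "sinkhole":
                result[section[len("batch://"):]] = "deletes"
            else:
                # Splunk documents move_policy = sinkhole as required for
                # batch inputs, so a stanza without it needs a closer look.
                result[section[len("batch://"):]] = "review"
    return result


def sinkholes_outside_spool(conf_text, spool_dir="/opt/splunk/var/spool/splunk"):
    """Paths the forwarder will delete from that are not the spool folder."""
    return [path for path, verdict in classify_inputs(conf_text).items()
            if verdict == "deletes" and not path.startswith(spool_dir)]
```

Run `sinkholes_outside_spool` against each forwarder's effective inputs.conf (for example the output of `splunk btool inputs list`) before pointing other monitoring tools at the same files.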
Hi @mellqui,
If your trouble is for eventual modifications of the read log files, I can confirm that there isn't any modification of the local log files.
If instead your trouble is that there could be a modification of the logs before arriving to Splunk, it's possible, as I describe below; it isn't possible to modify data after Splunk indexing, or better, if someone modifies indexed data this is highlighted by an Integrity Check failure.
By default, logs on forwarders can be filtered (only Windows event logs) but not modified.
It's possible to modify data on Indexers before indexing, e.g. to mask credit card numbers.
Then, after indexing, it isn't possible to modify data.
In other words, analyzing the indexing process:
In a few words, if you control the process and the configurations, it's possible to modify Splunk data only if you want.
Ciao.
Giuseppe
Hey @gcusello,
I'm more or less looking to see if the local log files are removed/transferred from the server when they are forwarded. We have other monitoring tools that use these logs.
Thanks for your reply.
Hi @mellqui,
good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma points are appreciated by all the Contributors 😉