I have a linux web server (Ubuntu 10.04 x64) that I would like to forward apache log data from. I have installed the universal forwarder. How do I configure it to forward log data to my splunk server?
If this is well documented, I apologize. I'm having difficulty finding this info.
Minimally, in /opt/splunkforwarder/etc/system/local
[monitor:///path/yo/your/access_log] sourcetype = access_log
On the receiving end, you'll need to activate a corresponding receiving port under Management -> Forwrding/Receiving. (In this case, and by default, 9997.)
You can use a wild card, and that's better than a separate monitor stanza for each file. If you need something more sophisticated, you can add either a whitelist or a blacklist to the spec.
There is a new manual called "Getting Data In." Start here (http://www.splunk.com/base/Documentation/latest/Data/Configureyourinputs#Edit_inputs.conf) in the manual for help with inputs.conf