I'm working in an environment where we have the universal forwarder (5.0.5 - old I know) installed on all our systems to collect custom application logs that we can't get via remote syslog.
I have a situation where I need the "Splunk" version of python 2.7 available to an app used by the forwarder (OSSEC). I've been able to recreate the 2.7 install by compiling python 2.7, installing it under /opt/splunk/, and then copying over the ~/site-packages/* files from one of my indexers. But, I have one remaining problem where the forwarder still keeps calling the system version of python.
Is there a way to define the path to python, or otherwise tell the universal forwarder to look for python under /opt/splunk/bin/ vs /usr/bin ?
[if there's already a doc on this I'd gladly appreciate a link!!]
Thanks!
Wow. I have to give serious thanks to Chris G and Gkanapathy for working with me on this.
I just had a major realization - (and facepalm event) - where I realized I was doing something stupid 😃
I don't need the ossec app installed on my systems with the universal forwarder, I only need it on my search heads.
What I need on my universal forwarders is an update to the Splunk_TA_NIX/local/inputs.conf file to add:
############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts
[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log
[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
and then it will catch the changes to the system.
Thanks to both of you for helping me!
--John
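As an added check (not part of John's post or the Splunk_TA_NIX app), this Python snippet parses the monitor stanzas above and reports, for each enabled stanza, how many files the path glob matches and how many of them are readable by the account running it, which is the usual reason a universal forwarder silently indexes nothing from /var/ossec/logs. The demo() function builds a constructed directory tree under a temporary root instead of touching the real /var/ossec; pass root="/" to check a live host.

```python
import configparser
import glob
import os
import tempfile

# Constructed sample: the three stanzas from the answer above.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts
[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log
[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
"""

def parse_monitor_stanzas(text):
    """Return (path, sourcetype, enabled) for every [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanzas = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        path = section[len("monitor://"):]
        enabled = cp.get(section, "disabled", fallback="0").strip() not in ("1", "true")
        stanzas.append((path, cp.get(section, "sourcetype", fallback=None), enabled))
    return stanzas

def check_monitor_paths(stanzas, root="/"):
    """Expand each enabled path under root; count matching and readable files."""
    report = {}
    for path, sourcetype, enabled in stanzas:
        if not enabled:
            continue
        matches = sorted(glob.glob(os.path.join(root, path.lstrip("/"))))
        readable = [m for m in matches if os.access(m, os.R_OK)]
        report[sourcetype] = (len(matches), len(readable))
    return report

def demo():
    """Constructed tree with two of the three logs; active-responses.log is absent."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/ossec/logs/alerts"))
    for rel in ("var/ossec/logs/alerts/alerts.log", "var/ossec/logs/ossec.log"):
        open(os.path.join(root, rel), "w").close()
    return check_monitor_paths(parse_monitor_stanzas(SAMPLE_INPUTS_CONF), root)
```

A stanza reporting matches greater than zero but zero readable files means the forwarder's user lacks read permission on the OSSEC log, not that the stanza is wrong.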
You should probably just set the $PATH before you start Splunk up to make sure your python is there before the system one. Suggestions to install the LWF or heavy forwarder because they come with python are probably a bad idea, since you're looking to use a specific version with your own packages, not the version that happens to come with Splunk and includes the Splunk packages (and which you may not want to update). Part of the reason the UF exists is so you can use whatever version you like.
I like the idea of setting the PATH - can I do that in the ~/etc/splunk-launch.conf file or is it just setting the path in the /etc/init.d/splunk startup file?
Ah, thanks, maybe I misread the question...I thought that riodutchie specifically wanted the version of Python that Splunk Enterprise does include.
The light forwarder includes Python, you might consider that. See Types of forwarders in the Forwarding Data manual.
Would it be possible to change that one host to a full Splunk (heavy forwarder) instance? Admittedly, I haven't had much luck trying to tweak the included Python, or to provide a replacement for it as you describe.
Possibly, it'd be a change across the board but then, so is adding an additional install of python 😃 I think I need to investigate the differences between the universal and heavy forwarders.
