Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Define python binary for universal forwarder 5.0.5?

riodutchie
Explorer
‎10-23-2014 09:48 AM

I'm working in an environment where we have the universal forwarder (5.0.5 - old I know) installed on all our systems to collect custom application logs that we can't get via remote syslog.

I have a situation where I need the "Splunk" version of python 2.7 available to an app used by the forwarder (OSSEC). I've been able to recreate the 2.7 install by compiling python 2.7, installing it under /opt/splunk/, and then copying over the ~/site-packages/* files from one of my indexers. But, I have one remaining problem where the forwarder still keeps calling the system version of python.

Is there a way to define the path to python, or otherwise tell the universal forwarder to look for python under /opt/splunk/bin/ vs /usr/bin ?

[if there's already a doc on this I'd gladly appreciate a link!!]

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

riodutchie
Explorer
‎10-23-2014 12:06 PM

Wow. I have to give serious thanks to Chris G and Gkanapathy for working with me on this.

I just had a major realization - (and facepalm event) - where I realized I was doing something stupid 😃

I don't need the ossec app installed on my systems with the universal forwarder, I only need it on my search heads.
What I need on my universal forwarders is an update to the Splunk_TA_NIX/local/inputs.conf file to add:

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*] 
disabled = 0 
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log] 
disabled = 0 
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log] 
disabled = 0 
sourcetype = ossec_ar

an then it will catch the changes to the system.

Thanks to both of you for helping me!

--John

View solution in original post

Reply
Solved! Jump to solution
Solution

riodutchie
Explorer
‎10-23-2014 12:06 PM

Wow. I have to give serious thanks to Chris G and Gkanapathy for working with me on this.

I just had a major realization - (and facepalm event) - where I realized I was doing something stupid 😃

I don't need the ossec app installed on my systems with the universal forwarder, I only need it on my search heads.
What I need on my universal forwarders is an update to the Splunk_TA_NIX/local/inputs.conf file to add:

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*] 
disabled = 0 
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log] 
disabled = 0 
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log] 
disabled = 0 
sourcetype = ossec_ar

an then it will catch the changes to the system.

Thanks to both of you for helping me!

--John

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-23-2014 11:29 AM

You should probably just set the $PATH before you start Splunk up to make sure your python is there before the system one. Suggestions to install the LWF or heavy forwarder because they come with python are probably a bad idea, since you're looking to use a specific version with your own packages, not the version that happens to come with Splunk and includes the Splunk packages (and which you may not want to update). Part of the reason the UF exists is so you can use whatever version you like.

Reply
Solved! Jump to solution

riodutchie
Explorer
‎10-23-2014 11:49 AM

I like the idea of setting the PATH - can I do that in the ~/etc/splunk-launch.conf file or is it just setting the path in the /etc/init.d/splunk startup file?

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-23-2014 11:32 AM

Ah, thanks, maybe I misread the question...I thought that riodutchie specifically wanted the version of Python that Splunk Enterprise does include.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-23-2014 11:20 AM

The light forwarder includes Python, you might consider that. See Types of forwarders in the Forwarding Data manual.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎10-23-2014 10:15 AM

Would it be possible to change that one host to a full Splunk (heavy forwarder) instance? Admittedly, I haven't had much luck trying to tweak the included Python, or to provide a replacement for it as you describe.

0 Karma
Reply
Solved! Jump to solution

riodutchie
Explorer
‎10-23-2014 10:22 AM

Possibly, it'd be a change across the board but then, so is adding an additional install of python 😃 I think I need to investigate the differences between the universal and heavy forwarders.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...