Getting Data In

Define python binary for universal forwarder 5.0.5?

riodutchie
Explorer

I'm working in an environment where we have the universal forwarder (5.0.5 - old I know) installed on all our systems to collect custom application logs that we can't get via remote syslog.

I have a situation where I need the "Splunk" version of python 2.7 available to an app used by the forwarder (OSSEC). I've been able to recreate the 2.7 install by compiling python 2.7, installing it under /opt/splunk/, and then copying over the ~/site-packages/* files from one of my indexers. But, I have one remaining problem where the forwarder still keeps calling the system version of python.

Is there a way to define the path to python, or otherwise tell the universal forwarder to look for python under /opt/splunk/bin/ vs /usr/bin ?

[if there's already a doc on this I'd gladly appreciate a link!!]

Thanks!

0 Karma
1 Solution

riodutchie
Explorer

Wow. I have to give serious thanks to Chris G and Gkanapathy for working with me on this.

I just had a major realization - (and facepalm event) - where I realized I was doing something stupid 😃

I don't need the ossec app installed on my systems with the universal forwarder, I only need it on my search heads.
What I need on my universal forwarders is an update to the Splunk_TA_NIX/local/inputs.conf file to add:

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar

and then it will catch the changes to the system.

Thanks to both of you for helping me!

--John
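The stanzas above go in local/ precisely because Splunk merges a local/inputs.conf over the app's default/inputs.conf key by key within each stanza, so a `disabled = 0` in local/ flips on a stanza that default/ ships switched off, while keys you do not restate (such as sourcetype) are inherited. The script below is an added example, not code from the thread or from Splunk_TA_nix: it builds two constructed inputs.conf files in a temp directory (stand-ins for default/ and local/), applies a simplified model of that precedence, and prints the monitor paths that would actually be active. The authoritative check on a real forwarder is `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which also accounts for the other layers (system/local, app ordering) this model leaves out.

```shell
#!/bin/sh
# Added example, not from the thread: a simplified model of how Splunk
# layers default/inputs.conf under local/inputs.conf (local wins key by
# key within a stanza), applied to constructed OSSEC monitor stanzas.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEF="$WORK/default-inputs.conf"   # constructed stand-in for Splunk_TA_nix/default/inputs.conf
LOC="$WORK/local-inputs.conf"     # constructed stand-in for Splunk_TA_nix/local/inputs.conf

cat > "$DEF" <<'EOF'
# shipped defaults (constructed): stanzas exist but are switched off
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 1
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 1
sourcetype = ossec_log
EOF

cat > "$LOC" <<'EOF'
# local overrides (constructed): enable one shipped stanza, add a new one
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0

[monitor:///var/ossec/logs/active-responses.log] 
disabled = 0 
sourcetype = ossec_ar
EOF

# effective_monitors FILE...: read the files in precedence order (lowest
# first), merge keys per stanza so later files override earlier ones, and
# print "path sourcetype" for every [monitor://...] stanza that ends up
# enabled. Comments, blank lines and trailing whitespace are ignored.
effective_monitors() {
    awk '
      /^[ \t]*#/ { next }
      /^[ \t]*$/ { next }
      /^\[/ { s = $0; sub(/[ \t]+$/, "", s); next }
      {
        i = index($0, "="); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (!(s in seen)) { seen[s] = 1; order[++n] = s }
        val[s, k] = v                      # later file wins for the same key
      }
      END {
        for (j = 1; j <= n; j++) {
          s = order[j]
          if (s !~ /^\[monitor:\/\//) continue
          if (val[s, "disabled"] == "1" || val[s, "disabled"] == "true") continue
          p = s; sub(/^\[monitor:\/\//, "", p); sub(/\]$/, "", p)
          st = ((s, "sourcetype") in val) ? val[s, "sourcetype"] : "(auto)"
          printf "%s %s\n", p, st
        }
      }
    ' "$@"
}

# Demonstration when run directly: only the alerts stanza (enabled by
# local, sourcetype inherited from default) and the local-only
# active-responses stanza survive; ossec.log stays disabled.
effective_monitors "$DEF" "$LOC"
```

Running it with only the default file prints nothing, which is the situation the forwarder was in before local/inputs.conf was added.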


gkanapathy
Splunk Employee

You should probably just set the $PATH before you start Splunk up to make sure your python is there before the system one. Suggestions to install the LWF or heavy forwarder because they come with python are probably a bad idea, since you're looking to use a specific version with your own packages, not the version that happens to come with Splunk and includes the Splunk packages (and which you may not want to update). Part of the reason the UF exists is so you can use whatever version you like.
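The reason the forwarder "keeps calling the system version" is plain PATH order: whatever script the forwarder launches resolves `python` the same way any shell does, first match wins, and /usr/bin is ahead of /opt/splunk/bin. The script below is an added example, not code from the thread: it builds two stub `python` binaries under a throwaway directory (constructed stand-ins for /usr/bin/python and /opt/splunk/bin/python), shows which one resolves under each PATH order, and wraps a command the way an init-script change would before `splunk start`. It also adds the check a practitioner wants before prepending anything to a daemon's PATH: a directory that other users can write to, placed ahead of /usr/bin for a process running as root, lets any local user plant their own `python` and have the forwarder run it.

```shell
#!/bin/sh
# Added example, not from the thread. Two stub "python" binaries stand in
# for /usr/bin/python (system) and /opt/splunk/bin/python (the rebuilt
# 2.7); everything lives under a temp directory so this runs anywhere.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SYSBIN="$WORK/usr/bin"          # stands in for /usr/bin
SPLBIN="$WORK/opt/splunk/bin"   # stands in for /opt/splunk/bin
BADBIN="$WORK/shared/bin"       # a world-writable directory, for the check below
mkdir -p "$SYSBIN" "$SPLBIN" "$BADBIN"
printf '#!/bin/sh\necho system-python\n' > "$SYSBIN/python"
printf '#!/bin/sh\necho splunk-python\n' > "$SPLBIN/python"
chmod 755 "$SYSBIN/python" "$SPLBIN/python" "$SYSBIN" "$SPLBIN"
chmod 777 "$BADBIN"

# first_python_on PATHVALUE: the "python" a script started with that PATH
# resolves to, or "none". This is the lookup the forwarder's scripts
# inherit, so it shows why /usr/bin keeps winning.
first_python_on() {
    _found=$( PATH=$1; export PATH; command -v python 2>/dev/null ) || true
    printf '%s\n' "${_found:-none}"
}

# dir_world_writable DIR: true if anyone can drop a binary into DIR.
# Prepending such a directory to the PATH of a root daemon turns PATH
# precedence into a local privilege escalation.
dir_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# run_with_path DIR CMD...: what an init-script wrapper does before
# "splunk start": refuse an unsafe DIR, put it first in PATH, then exec.
run_with_path() {
    _dir=$1; shift
    if dir_world_writable "$_dir"; then
        echo "refusing to prepend world-writable $_dir to PATH" >&2
        return 1
    fi
    ( PATH="$_dir:$PATH"; export PATH; exec "$@" )
}

# Demonstration when run directly.
echo "default order : $(first_python_on "$SYSBIN:$SPLBIN")"   # system copy wins
echo "splunk first  : $(first_python_on "$SPLBIN:$SYSBIN")"   # rebuilt copy wins
run_with_path "$SPLBIN" python                                # prints splunk-python
```

In a real init script the equivalent is `PATH=/opt/splunk/bin:$PATH; export PATH` before the line that starts Splunk, and the directory check is `find /opt/splunk/bin -prune -perm -0002` returning nothing, with the directory and its python owned by root.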

riodutchie
Explorer

I like the idea of setting the PATH - can I do that in the ~/etc/splunk-launch.conf file or is it just setting the path in the /etc/init.d/splunk startup file?

0 Karma

ChrisG
Splunk Employee

Ah, thanks, maybe I misread the question...I thought that riodutchie specifically wanted the version of Python that Splunk Enterprise does include.

0 Karma

ChrisG
Splunk Employee

The light forwarder includes Python; you might consider that. See Types of forwarders in the Forwarding Data manual.

sowings
Splunk Employee

Would it be possible to change that one host to a full Splunk (heavy forwarder) instance? Admittedly, I haven't had much luck trying to tweak the included Python, or to provide a replacement for it as you describe.

0 Karma

riodutchie
Explorer

Possibly, it'd be a change across the board but then, so is adding an additional install of python 😃 I think I need to investigate the differences between the universal and heavy forwarders.

0 Karma