Forwarding a Log File and Monitor Any Updates to t...

ericmoss · ‎02-02-2011

I have a Linux server and a Windows server. My Windows server is the receiver and my Linux server is a forwarder. There is a specific log file that contains the logs I want to forward to Windows server. How do I do that?

The most important thing I would like to do is monitor that log file for any logs that get written to it. I do not want to keep uploading and forwarding that file as it grows to my Windows server. So any log that gets generated, I want to forward that to the Windows server rather than the whole file.

Any help is greatly appreciated. Thanks.

ericmoss · ‎02-03-2011

I added [monitor:///var/log/logmessages] to the inputs.conf file. logmessages is the file where my logs are written to. Will this work?

Lowell · ‎02-02-2011

Looks like you are looking for basic Splunk forwarding and receiving functionality. I suggest you start with the following from the docs:

http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving

BTW, splunk forwards the whole file the first time a new file is found (or when it's first setup as a monitor input), then after that only newly added log events are forwarded. Splunk doesn't keep re-copying the same file over and over again; if that's what you are asking about.

Forwarding a Log File and Monitor Any Updates to that Log File

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation