Re: Forwarding a Log File and Monitor Any Updates ...

ericmoss · ‎02-02-2011

I have a Linux server and a Windows server. My Windows server is the receiver and my Linux server is a forwarder. There is a specific log file that contains the logs I want to forward to Windows server. How do I do that?

The most important thing I would like to do is monitor that log file for any logs that get written to it. I do not want to keep uploading and forwarding that file as it grows to my Windows server. So any log that gets generated, I want to forward that to the Windows server rather than the whole file.

Any help is greatly appreciated. Thanks.

ericmoss · ‎02-03-2011

I added [monitor:///var/log/logmessages] to the inputs.conf file. logmessages is the file where my logs are written to. Will this work?

Lowell · ‎02-02-2011

Looks like you are looking for basic Splunk forwarding and receiving functionality. I suggest you start with the following from the docs:

http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving

BTW, splunk forwards the whole file the first time a new file is found (or when it's first setup as a monitor input), then after that only newly added log events are forwarded. Splunk doesn't keep re-copying the same file over and over again; if that's what you are asking about.

Forwarding a Log File and Monitor Any Updates to that Log File

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms