Getting Data In

How does Splunk get logs from Linux or Windows servers?

cyberportnoc
Explorer

I am a beginner.

How does Splunk get logs from a Linux server or Windows server?

Does Splunk actively get logs from the Linux server or Windows server (active), or does the Linux server or Windows server actively send logs to Splunk (passive)?

If Splunk actively gets logs from the Linux server or Windows server, where can I configure this server list in Splunk?
If the Linux server or Windows server sends logs to Splunk, which gets the logs passively, what command and format do I need to send these logs?

Can I send Windows server logs with a Python script using UDP to Splunk, like sending to syslog on Linux?
What IP address and port do I need to send to?

gcusello
SplunkTrust

Hi cyberportnoc,
as suggested by esix, see http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor.

The easiest way is to install a Universal Forwarder on your servers to monitor and deploy on each one two Technical Add-Ons (TAs):

In these TAs you can find all the scripts and monitoring stanzas to monitor all your servers.
The only activity you have to do is choose what you need (wineventlogs, processes, installed software, perfmon, etc.) and enable the related stanzas of inputs.conf, changing disabled=1 to disabled=0 in the requested stanzas.

I have only two recommendations:
- analyze your requests before starting your activity, because you could have too many logs and exceed your license;
- if you have to configure a production environment with many servers, use a Deployment Server to deploy TAs to your monitored servers ( http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver ).

Bye.
Giuseppe
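
The inputs.conf edit described in the answer above, as an added example that is not part of the thread or of Splunk's own TAs: a small Python script that changes disabled = 1 to disabled = 0 only in the stanzas you name, keeps every other line verbatim, and then lists which stanzas a forwarder would actually collect. The sample inputs.conf and its stanza names are constructed for the example; the real stanza names come from the TA you deploy.

```python
import re

# Constructed sample inputs.conf in the style of a Splunk TA: every stanza ships
# with disabled = 1 and the administrator enables only the ones that are needed.
SAMPLE_INPUTS_CONF = """\
# constructed sample; real stanza names come from the TA you deploy
[WinEventLog://Security]
disabled = 1
[WinEventLog://Application]
disabled = 1
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
DISABLED_RE = re.compile(r"^(\s*disabled\s*=\s*)(\S+)(.*)$")


def enable_stanzas(conf_text, wanted):
    """Return (new_text, changed): disabled = 1 becomes disabled = 0 only inside
    the stanzas named in `wanted`; all other lines are copied through unchanged."""
    wanted, current, changed, out = set(wanted), None, [], []
    for raw in conf_text.splitlines(keepends=True):
        line = raw.rstrip("\r\n")
        ending = raw[len(line):]          # keep the original line ending
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)          # entered a new stanza
        elif current in wanted:
            d = DISABLED_RE.match(line)
            if d and d.group(2) == "1":
                line = f"{d.group(1)}0{d.group(3)}"
                changed.append(current)
        out.append(line + ending)
    return "".join(out), changed


def enabled_stanzas(conf_text):
    """List stanzas a forwarder will collect: disabled = 0/false, or no disabled
    line at all (Splunk's default is enabled). Review this before deploying,
    since every enabled input adds to the volume counted against your license."""
    state, current = {}, None
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            state[current] = None         # no disabled line seen yet
        elif current is not None:
            d = DISABLED_RE.match(line)
            if d:
                state[current] = d.group(2).lower()
    return [name for name, v in state.items() if v in (None, "0", "false")]
```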

esix_splunk
Splunk Employee

I think you should read the docs on how to get data into Splunk; here is a great starting point: http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/WhatSplunkcanmonitor .

In a nutshell, there is an agent (Universal Forwarder) that you deploy. On this agent, you tell it what to collect and where to send it.

cyberportnoc
Explorer

I found a previous peer's guideline; he used Add Data -> Upload, which uploads a zip file and then chooses the server.
But what is this zip file? What does it zip?

esix_splunk
Splunk Employee

That would be a zip file from a server, and it contains log files. If you don't know what ZIP or archive files are, you should spend some time on your favorite search engine to understand archive files.
