Getting Data In

How to configure the forwarder to monitor logs on a different machine that does not have Splunk installed?

Explorer

Hi,

I have installed Splunk Enterprise Server and forwarder on two different Windows machines.

I would like to configure my forwarder to monitor the logs on a Linux machine without installing the forwarder on that machine. Is that allowed in Splunk? Could you please direct me to the right documentation on this?

Ex:
Windows Machine A - Splunk Enterprise Server
Windows Machine B - Forwarder installed and mapped to Machine A
Linux Machine C - Actual Server that needs to be monitored in Splunk

Thanks

1 Solution

Legend

The Splunk forwarder needs to be able to see the log files from the filesystem. So if you can mount the Linux filesystem so that it can be read from Windows Machine B, then it might work okay. The account that is running the forwarder on Windows Machine B may need elevated domain privileges to access the files from Linux Machine C. Performance might not be great, as you are reaching across the network to monitor files.

If that doesn't work, then you might be forced to follow the Splunk Best Practice: install a forwarder on Linux Machine C.
Also, the forwarder on any machine should run with the fewest privileges possible. On Linux Machine C, the forwarder could run as any user that has sufficient privileges to read the log files. root should not be used and no domain privileges will be needed by the forwarder on Linux Machine C.

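Worked configuration for both routes described in the answer above. This is an added example, not configuration from the original post or from Splunk's own documentation; the share name `\\machine-c\varlog`, the index `linux_os`, and the `splunk` service account are assumed names.

```ini
# --- Option 1: Windows Machine B reads Linux Machine C's logs over a mounted share ---
# $SPLUNK_HOME\etc\system\local\inputs.conf on Windows Machine B.
# Assumes Machine C exports /var/log read-only as the SMB share \\machine-c\varlog
# (hypothetical name) and that the forwarder's service account has read access to it.
[monitor://\\machine-c\varlog]
disabled = false
index = linux_os
sourcetype = syslog
recursive = true
# Without this, events are stamped with Machine B's hostname instead of Machine C's.
host = machine-c

# --- Option 2 (the best practice): a universal forwarder installed on Linux Machine C ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on Machine C.
[monitor:///var/log]
disabled = false
index = linux_os
sourcetype = syslog
# Skip rotated archives so only live log files are read.
blacklist = \.(gz|bz2)$

# $SPLUNK_HOME/etc/splunk-launch.conf on Machine C.
# Run splunkd as an unprivileged local account (assumed name "splunk") that only
# belongs to the group owning the files under /var/log (typically "adm"); not root,
# and no domain privileges are needed for this.
SPLUNK_OS_USER=splunk
```

Check Option 1 by opening the share interactively as the forwarder's service account before enabling the input; in Option 2, `su -s /bin/sh splunk -c 'ls /var/log'` is enough to confirm the account can read the files.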

Ultra Champion

A similar discussion at How to get remote linux log into splunk

It says -

[screenshot of the linked discussion; image not preserved]

