Getting Data In

How to get data from Remote Server?

pratiksurti
Explorer

Hi All,

I am new to Splunk.

We have central server where different types of logs are generated.

How can I register or give reference of that Remote Server's URL in Splunk?
(i.e. :/server/logs/)

I want to register server url in Splunk so each time it fetches the updated indexed log details.

Thanks.

bmacias84
Champion

If you don't want to use a forwarder you can use a scripted input to retrieve the logs via ssh. If you don't want to read the entire log you might have to use a little logic, tail, grep to only read new lines. The easiest way is to use the UF on your remote servers.

inputs.conf


#*nix
[script://./bin/sshscript.sh ./bin/catfiles.sh]
disabled = false
index = main
sourcetype = somelogtype
interval = 0 0 * * *


#sshscript.sh
#*nix
#!/bin/bash
# Feed the local script named in $1 to a remote shell over ssh; whatever it
# writes to stdout is what Splunk indexes. Key-based auth for the ssh user
# lets the scheduled run happen unattended.
ssh root@remoteServer 'bash -s' < "$1"


#catfiles.sh
#*nix
#!/bin/bash
# Emit each regular file under /var/log, prefixed by its path
for file in /var/log/*; do
  [ -f "$file" ] || continue
  printf '%s\n%s\n' "$file" "$(cat "$file")"
done

For more info check my other post:

Can you set certain time forwarding occurs

0 Karma
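A worked version of the "only read new lines" idea from the answer above, added here as an example and not code from the thread: the script keeps a per-file byte offset under a state directory (the directory path, script name and inputs.conf stanza are assumptions) and prints only what was appended since the previous run, starting over when the file has shrunk, which is how rotation or truncation looks to the next scheduled run.

```shell
#!/bin/bash
# Added example, not code from the thread: a scripted-input helper that emits only
# the bytes appended to a log since the previous run. It remembers an offset per
# file under STATE_DIR (an assumed path) and re-reads from the start when a file
# shrinks, i.e. after rotation or truncation.

STATE_DIR="${STATE_DIR:-/var/tmp/splunk-tail-state}"   # assumption: writable by the Splunk user

# emit_new_lines LOGFILE
# Print the bytes added since the saved offset, then save the current size.
emit_new_lines() {
    local logfile="$1"
    local state last=0 size
    state="$STATE_DIR/$(printf '%s' "$logfile" | tr '/' '_').offset"
    mkdir -p "$STATE_DIR"
    [ -f "$state" ] && last=$(cat "$state")
    size=$(wc -c < "$logfile" | tr -d ' ')
    if [ "$size" -lt "$last" ]; then
        last=0                          # file shrank: rotated or truncated, re-read from the start
    fi
    if [ "$size" -gt "$last" ]; then
        tail -c +"$((last + 1))" "$logfile"   # tail -c +N is 1-based: first unseen byte is last+1
    fi
    printf '%s\n' "$size" > "$state"
}

# Referenced from inputs.conf as, for example (stanza is an assumption):
#   [script://./bin/tail_new_lines.sh /var/log/auth.log /var/log/syslog]
# Each argument is a log file; unreadable paths are skipped.
for f in "$@"; do
    [ -r "$f" ] && emit_new_lines "$f"
done
```

Because the offset lives in a file, repeated runs are idempotent and nothing is re-indexed on a normal schedule. Rotation is detected by size alone, so a rotated file that grows past its old size before the next run would lose the lines in between; tracking the inode as well, or simply using the Universal Forwarder as the answer recommends, avoids that gap.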

pratiksurti
Explorer

Right now if we want to check logs, we do ssh from linux terminal or through FTP.

0 Karma

sdaniels
Splunk Employee

You'll need a forwarder installed on that server so that the logs can get sent to Splunk to be indexed and searched centrally.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents

pratiksurti
Explorer

I will work on it once I go back.

0 Karma

sdaniels
Splunk Employee

I don't know about your outputs.conf settings. I would try something standard like you see in the outputs.conf example in our docs. This will send to server IP 10.10.1.155 on port 9997, which you have set up to receive.

[tcpout:groupname]
server=10.10.1.155:9997

You can also look in $SPLUNK_HOME/var/log/splunk at the splunkd log to see issues that might help.

0 Karma

pratiksurti
Explorer

I can see the entries. Now how can I make it work?

0 Karma

sdaniels
Splunk Employee

Go in the UI to Manager -> Forwarding and receiving and make sure you've got an entry there.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver#Set_up_receiving

0 Karma

pratiksurti
Explorer

inputs.conf:

[default]
host = localhost (My Workstation)

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

outputs.conf:

[tcpout]
defaultGroup = ..._9997

[tcpout:..._9997]
server = ...:9997

[tcpout-server://...:9997]

0 Karma

pratiksurti
Explorer

Just checking configuration and installation. After installing the forwarder on my machine, I can see that before only the Splunk folder was there and now another folder, SplunkForwarder, is created. So there are two setup folders now; is this expected? Or am I missing something?

0 Karma

sdaniels
Splunk Employee

Please post your configuration file settings for forwarding and receiving and maybe that will let us help you on this issue.

Look in /etc/system/local/inputs.conf

On the forwarder look in /etc/system/local/outputs.conf

0 Karma

pratiksurti
Explorer

I have looked into the configuration files. Also I need to refer to the above links to check against my setup.

0 Karma

pratiksurti
Explorer

While installing, it asks for host details two times with default port numbers; I just want to know where I can give my server details.

0 Karma

Ayn
Legend

OK. Where? What part of the setup are you struggling with?

0 Karma

pratiksurti
Explorer

I have installed forwarder.

0 Karma

Ayn
Legend

You'll need to post more details on the remote server. How are the logs on it accessed? Through CIFS, HTTP, FTP, ...

0 Karma